format the repo files

disable ssh agent in desktop config

.gitattributes

@@ -0,0 +1,3 @@
+*.jpg filter=lfs diff=lfs merge=lfs -text
+*.svg filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text

CLAUDE.md

@@ -0,0 +1,108 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## What This Repo Is
+
+A NixOS flake configuration managing multiple hosts (desktops, laptops, servers). All hosts share common settings via `hosts/configuration_common.nix` and are assembled in `hosts/default.nix`.
+
+## Common Commands
+
+```bash
+# Format all nix files
+nix fmt
+
+# Build a host configuration (no activation)
+nixos-rebuild build --flake .#<host>
+
+# Switch the current host
+sudo nixos-rebuild switch --flake .#<host>
+
+# Build a custom package
+nix build .#<package>
+
+# Edit an age-encrypted secret
+agenix -e secrets/<path>.age
+
+# Re-key all secrets after adding a new host key to secrets/secrets.nix
+agenix -r
+```
+
+## Architecture
+
+### Entry Points
+
+- `flake.nix` — defines inputs (nixpkgs stable=25.11, unstable, home-manager, agenix, lanzaboote, jovian-nixos, microvm, impermanence, noctalia) and calls `hosts/default.nix` for `nixosConfigurations`
+- `hosts/default.nix` — instantiates every host via `lib.nixosSystem`; contains the `mkHM` helper that wires home-manager into a host's modules list
+
+### Host Structure
+
+Each host lives in `hosts/<name>/`:
+- `default.nix` — imports either `../../modules/desktop` or `../../modules/server`, sets the module options (`myDesktop.*` / `myServer.*`), and adds host-specific settings
+- `home.nix` — host-specific home-manager config (merged with `hosts/home.nix` for desktops or `hosts/home_server.nix` for servers)
+- `hardware-configuration.nix` — generated hardware config
+
+Shared host-level files:
+- `hosts/configuration_common.nix` — applied to every host: SSH (key-only, no root), locale, nix GC/settings, zsh, fonts, auto-upgrade flake URL
+- `hosts/home.nix` — desktop home-manager base
+- `hosts/home_server.nix` — server home-manager base
+
+### Module System
+
+Two top-level NixOS modules expose all major knobs as typed options:
+
+**`modules/desktop/default.nix`** — `myDesktop.*`
+- `windowManager`: `"niri"` (default) | `"sway"` | `"kde"`
+- `cpu`: `"amd"` | `"intel"` | `"none"` — selects KVM kernel params
+- `virtualisation.enable` — podman (docker-compat) + qemu/libvirt + virt-manager
+- `syncthing.{enable,devices,folders}`
+- `openrgb.{enable,motherboard}`
+- `laptop.{enable,lidSwitch,hibernateDelaySec}`
+- `nitrokey.enable`
+- `niri.hotkeyVariant`: `"default"` | `"lifebook"`
+- `git.signingKey` — SSH key for commit signing
+- `extraSystemPackages`
+
+**`modules/server/default.nix`** — `myServer.*`
+- `sshPort` (default 2220)
+- `virtualisation.{enable,cpu}` — podman only (no libvirt)
+- `fail2ban.enable`
+- `autoUpgrade.enable` (default true)
+- `uid`, `sudoRequiresPassword`, `extraGroups`, `extraSystemPackages`
+
+Service bundles are imported as lists in host `default.nix`:
+- `modules/services/server/` — kabtop services (gitea, nextcloud, matrix, coturn, hydra, mealie, etc.)
+- `modules/services/nas/` — jupiter services (nfs, vaultwarden, syncthing, paperless)
+- `modules/services/dmz/` — dmz services (gitea runner microVM)
+- `modules/services/kabtopci/` — kabtopci services (hydra, gitea runner)
+- `modules/services/nasbackup/` — nasbak backup jobs
+
+### Secrets (agenix)
+
+`secrets/secrets.nix` declares which age public keys (users + host SSH keys) can decrypt each `.age` file. Add a new host: add its `ssh-ed25519` host key to `secrets/secrets.nix` in the relevant groups, then run `agenix -r` to re-key.
+
+### Custom Packages & Overlays
+
+- `packages/` — custom packages (e.g. `corosync-qdevice`), imported at `flake.nix` level
+- `overlays/` — nixpkgs overlays applied globally
+- Per-host overlays: set `nixpkgs.overlays` inside the host's `default.nix` so only that host is affected
+
+### Disk Layouts
+
+`disko/` contains reusable disko modules: `btrfs.nix`, `btrfs_luks.nix`, `nas_luks.nix` — referenced during initial install.
+
+## Active Hosts
+
+| Host | Role | WM / Notes |
+|---|---|---|
+| hades | Desktop | niri, AMD, Secure Boot (lanzaboote) |
+| lifebook | Laptop | niri, Intel, Secure Boot |
+| steamdeck | Gaming | KDE/Jovian-NixOS, Secure Boot |
+| kabtop | Main server | gitea, nextcloud, matrix+bridges, coturn, hydra, mealie |
+| kabtopci | CI server | hydra, nix-serve |
+| jupiter | NAS | nfs, vaultwarden, syncthing, paperless |
+| dmz | DMZ | gitea Actions homerunner microVM |
+| nasbak | NAS backup | — |
+| kubemaster-1 | K8s master | — |
+
+See `SERVICES.md` for port-level service details per host.

disko/btrfs.nix

@@ -13,7 +13,7 @@
               content = {
                 type = "filesystem";
                 format = "vfat";
-                extraArgs = [ "-n NIXBOOT" ];
+                extraArgs = ["-n" "NIXBOOT"];
                 mountpoint = "/boot";
                 mountOptions = [
                   "defaults"
@@ -24,31 +24,31 @@
               size = "100%";
               content = {
                 type = "btrfs";
-                extraArgs = [ "-f -L NIXROOT" ];
+                extraArgs = ["-f" "-L" "NIXROOT"];
                 subvolumes = {
                   "@" = {
                     mountpoint = "/";
-                    mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                    mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                   };
                   "@home" = {
                     mountpoint = "/home";
-                    mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                    mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                   };
                   "@nix" = {
                     mountpoint = "/nix";
-                    mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                    mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                   };
                   "@snapshots" = {
                     mountpoint = "/mnt";
-                    mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                    mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                   };
                   "@srv" = {
                     mountpoint = "/srv";
-                    mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                    mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                   };
                   "@var" = {
                     mountpoint = "/var";
-                    mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                    mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                   };
                   "@swap" = {
                     mountpoint = "/swap";

disko/btrfs_luks.nix

@@ -13,7 +13,7 @@
               content = {
                 type = "filesystem";
                 format = "vfat";
-                extraArgs = [ "-n NIXBOOT" ];
+                extraArgs = ["-n NIXBOOT"];
                 mountpoint = "/boot";
                 mountOptions = [
                   "defaults"
@@ -33,31 +33,35 @@
                 };
                 content = {
                   type = "btrfs";
-                  extraArgs = [ "-f -L NIXROOT" ];
+                  extraArgs = ["-f -L NIXROOT"];
                   subvolumes = {
                     "@" = {
                       mountpoint = "/";
-                      mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                      mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                     };
                     "@home" = {
                       mountpoint = "/home";
-                      mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                      mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                     };
                     "@nix" = {
                       mountpoint = "/nix";
-                      mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                      mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
+                    };
+                    "@opt" = {
+                      mountpoint = "/opt";
+                      mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                     };
                     "@snapshots" = {
                       mountpoint = "/mnt";
-                      mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                      mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                     };
                     "@srv" = {
                       mountpoint = "/srv";
-                      mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                      mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                     };
                     "@var" = {
                       mountpoint = "/var";
-                      mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
+                      mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
                     };
                     "@swap" = {
                       mountpoint = "/swap";

disko/mount.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+disk="/dev/vda"
+mountpoint="/mnt"
+
+mount $disk $mountpoint -o compress=zstd,noatime,ssd,space_cache=v2,subvol=@
+mount $disk $mountpoint/home -o compress=zstd,noatime,ssd,space_cache=v2,subvol=@home
+mount $disk $mountpoint/var -o compress=zstd,noatime,ssd,space_cache=v2,subvol=@var
+mount $disk $mountpoint/srv -o compress=zstd,noatime,ssd,space_cache=v2,subvol=@srv
+mount $disk $mountpoint/nix -o compress=zstd,noatime,ssd,space_cache=v2,subvol=@nix
+mount $disk $mountpoint/swap -o compress=zstd,noatime,ssd,space_cache=v2,subvol=@swap

flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1715290355,
-        "narHash": "sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw=",
+        "lastModified": 1770165109,
+        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "8d37c5bdeade12b6479c85acd133063ab53187a0",
+        "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
         "type": "github"
       },
       "original": {
@@ -24,18 +24,12 @@
       }
     },
     "crane": {
-      "inputs": {
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
       "locked": {
-        "lastModified": 1711299236,
-        "narHash": "sha256-6/JsyozOMKN8LUGqWMopKTSiK8N79T8Q+hcxu2KkTXg=",
+        "lastModified": 1776635034,
+        "narHash": "sha256-OEOJrT3ZfwbChzODfIH4GzlNTtOFuZFWPtW7jIeR8xU=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "880573f80d09e18a11713f402b9e6172a085449f",
+        "rev": "dc7496d8ea6e526b1254b55d09b966e94673750f",
         "type": "github"
       },
       "original": {
@@ -52,11 +46,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
         "type": "github"
       },
       "original": {
@@ -66,212 +60,27 @@
         "type": "github"
       }
     },
-    "devshell": {
-      "inputs": {
-        "flake-utils": "flake-utils_3",
-        "nixpkgs": [
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1713532798,
-        "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
-        "owner": "numtide",
-        "repo": "devshell",
-        "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "devshell",
-        "type": "github"
-      }
-    },
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
         "type": "github"
       },
       "original": {
-        "owner": "edolstra",
+        "owner": "NixOS",
         "repo": "flake-compat",
         "type": "github"
       }
     },
-    "flake-compat_2": {
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "revCount": 57,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
-      }
-    },
-    "flake-compat_3": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709336216,
-        "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1715865404,
-        "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-root": {
-      "locked": {
-        "lastModified": 1713493429,
-        "narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=",
-        "owner": "srid",
-        "repo": "flake-root",
-        "rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "srid",
-        "repo": "flake-root",
-        "type": "github"
-      }
-    },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems_2"
-      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_3"
-      },
-      "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_3": {
-      "inputs": {
-        "systems": "systems_4"
-      },
-      "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
           "lanzaboote",
-          "pre-commit-hooks-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
-    "gitignore_2": {
-      "inputs": {
-        "nixpkgs": [
-          "nixvim",
-          "pre-commit-hooks",
+          "pre-commit",
           "nixpkgs"
         ]
       },
@@ -297,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703113217,
-        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
         "type": "github"
       },
       "original": {
@@ -317,11 +126,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715930644,
-        "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
+        "lastModified": 1777086106,
+        "narHash": "sha256-hlNpIN18pw3xo34Lsrp6vAMUPn0aB/zFBqL0QXI1Pmk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
+        "rev": "5826802354a74af18540aef0b01bc1320f82cc17",
         "type": "github"
       },
       "original": {
@@ -337,16 +146,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1715381426,
-        "narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
+        "lastModified": 1775425411,
+        "narHash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
+        "rev": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-23.11",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -354,16 +163,16 @@
     "home-manager_3": {
       "inputs": {
         "nixpkgs": [
-          "nixvim",
+          "impermanence",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1715930644,
-        "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
+        "lastModified": 1768598210,
+        "narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
+        "rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
         "type": "github"
       },
       "original": {
@@ -373,12 +182,16 @@
       }
     },
     "impermanence": {
+      "inputs": {
+        "home-manager": "home-manager_3",
+        "nixpkgs": "nixpkgs"
+      },
       "locked": {
-        "lastModified": 1708968331,
-        "narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
+        "lastModified": 1769548169,
+        "narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
+        "rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
         "type": "github"
       },
       "original": {
@@ -395,11 +208,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716107076,
-        "narHash": "sha256-aB15oIMUv6N/UFsLHzgcGRUvU4YfOjE3gEirIP/k82s=",
+        "lastModified": 1776962372,
+        "narHash": "sha256-Y2imW4kyIhupx8myNSeNCzDbEx2X+h+AmhNjWXA/7Yw=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "e8de93b7b4c384650977a20c1f192e23c6e7a12f",
+        "rev": "ee3a1184a978e311194a2d3d352c5e6aba67a4b5",
         "type": "github"
       },
       "original": {
@@ -411,21 +224,18 @@
     "lanzaboote": {
       "inputs": {
         "crane": "crane",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs"
         ],
-        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "pre-commit": "pre-commit",
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1713369831,
-        "narHash": "sha256-G4OGxvlIIjphpkxcRAkf1QInYsAeqbfNh6Yl1JLy2uM=",
+        "lastModified": 1776797459,
+        "narHash": "sha256-utv296Xwk0PwjONe9dsyKx+9Z5xAB70aAsMI//aakpg=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "850f27322239f8cfa56b122cc9a278ab99a49015",
+        "rev": "4eda91dd5abd2157a2c7bfb33142fc64da668b0a",
         "type": "github"
       },
       "original": {
@@ -437,47 +247,25 @@
     },
     "microvm": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
         "nixpkgs": [
           "nixpkgs"
         ],
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1715787097,
-        "narHash": "sha256-TPp2j0ttvBvkk4oXidvo8Y071zEab0BtcNsC3ZEkluI=",
-        "owner": "astro",
+        "lastModified": 1776340739,
+        "narHash": "sha256-s4FDictJlPtY6Shd6scG5hgrDMiHth09+svtvTA5NLA=",
+        "owner": "microvm-nix",
         "repo": "microvm.nix",
-        "rev": "fa673bf8656fe6f28253b83971a36999bc9995d2",
+        "rev": "2f2f62fdfdca2750e3399f66bd03986ab967e5ca",
         "type": "github"
       },
       "original": {
-        "owner": "astro",
+        "owner": "microvm-nix",
         "repo": "microvm.nix",
         "type": "github"
       }
     },
-    "nix-darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1715901937,
-        "narHash": "sha256-eMyvWP56ZOdraC2IOvZo0/RTDcrrsqJ0oJWDC76JTak=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "ffc01182f90118119930bdfc528c1ee9a39ecef8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
     "nix-github-actions": {
       "inputs": {
         "nixpkgs": [
@@ -486,11 +274,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690328911,
-        "narHash": "sha256-fxtExYk+aGf2YbjeWQ8JY9/n9dwuEt+ma1eUFzF8Jeo=",
+        "lastModified": 1729697500,
+        "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
         "owner": "zhaofengli",
         "repo": "nix-github-actions",
-        "rev": "96df4a39c52f53cb7098b923224d8ce941b64747",
+        "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
         "type": "github"
       },
       "original": {
@@ -502,11 +290,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1716034089,
-        "narHash": "sha256-QBfab6V4TeQ6Y4NiXVrEATdQuhCNFNaXt/L1K/Zw+zc=",
+        "lastModified": 1776983936,
+        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "b55712de78725c8fcde422ee0a0fe682046e73c3",
+        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
         "type": "github"
       },
       "original": {
@@ -518,43 +306,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1716061101,
-        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1710695816,
-        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1715961556,
-        "narHash": "sha256-+NpbZRCRisUHKQJZF3CT+xn14ZZQO+KjxIIanH3Pvn4=",
+        "lastModified": 1768564909,
+        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4a6b83b05df1a8bd7d99095ec4b4d271f2956b64",
+        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
         "type": "github"
       },
       "original": {
@@ -564,84 +320,97 @@
         "type": "github"
       }
     },
-    "nixvim": {
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1776877367,
+        "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1776734388,
+        "narHash": "sha256-vl3dkhlE5gzsItuHoEMVe+DlonsK+0836LIRDnm6MXQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "10e7ad5bbcb421fe07e3a4ad53a634b0cd57ffac",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "noctalia": {
       "inputs": {
-        "devshell": "devshell",
-        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts_2",
-        "flake-root": "flake-root",
-        "home-manager": "home-manager_3",
-        "nix-darwin": "nix-darwin",
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
         ],
-        "pre-commit-hooks": "pre-commit-hooks",
+        "noctalia-qs": "noctalia-qs"
+      },
+      "locked": {
+        "lastModified": 1777079905,
+        "narHash": "sha256-TvYEXwkZnRFQRuFyyqTNSfPnU2tMdhtiBOXSk2AWLJA=",
+        "owner": "noctalia-dev",
+        "repo": "noctalia-shell",
+        "rev": "a50c92167c8d438000270f7eca36f6eea74f388e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "noctalia-dev",
+        "repo": "noctalia-shell",
+        "type": "github"
+      }
+    },
+    "noctalia-qs": {
+      "inputs": {
+        "nixpkgs": [
+          "noctalia",
+          "nixpkgs"
+        ],
+        "systems": "systems_2",
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1716125991,
-        "narHash": "sha256-PmB9vmp383foiVi64RawbnkC+6SiYiWUjdzw2xgl3eM=",
-        "owner": "nix-community",
-        "repo": "nixvim",
-        "rev": "88ade1dfaa017499326103a078c66dd5d4d0606e",
+        "lastModified": 1776585574,
+        "narHash": "sha256-j35EWhKoGhKrfcXcAOpoRVgXEPQt41Eukji/h59cnjk=",
+        "owner": "noctalia-dev",
+        "repo": "noctalia-qs",
+        "rev": "75d180c28a9ab4470e980f3d6f706ad6c5213add",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
-        "repo": "nixvim",
+        "owner": "noctalia-dev",
+        "repo": "noctalia-qs",
         "type": "github"
       }
     },
-    "pre-commit-hooks": {
+    "pre-commit": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
-        "gitignore": "gitignore_2",
-        "nixpkgs": [
-          "nixvim",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1715870890,
-        "narHash": "sha256-nacSOeXtUEM77Gn0G4bTdEOeFIrkCBXiyyFZtdGwuH0=",
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "fa606cccd7b0ccebe2880051208e4a0f61bfc8c1",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
-    "pre-commit-hooks-nix": {
-      "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
+        "flake-compat": "flake-compat",
         "gitignore": "gitignore",
         "nixpkgs": [
           "lanzaboote",
           "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
       },
       "locked": {
-        "lastModified": 1710923068,
-        "narHash": "sha256-6hOpUiuxuwpXXc/xfJsBUJeqqgGI+JMJuLo45aG3cKc=",
+        "lastModified": 1775585728,
+        "narHash": "sha256-8Psjt+TWvE4thRKktJsXfR6PA/fWWsZ04DVaY6PUhr4=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "e611897ddfdde3ed3eaac4758635d7177ff78673",
+        "rev": "580633fa3fe5fc0379905986543fd7495481913d",
         "type": "github"
       },
       "original": {
@@ -660,28 +429,24 @@
         "lanzaboote": "lanzaboote",
         "microvm": "microvm",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "nixvim": "nixvim"
+        "noctalia": "noctalia"
       }
     },
     "rust-overlay": {
       "inputs": {
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
         "nixpkgs": [
           "lanzaboote",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1711246447,
-        "narHash": "sha256-g9TOluObcOEKewFo2fR4cn51Y/jSKhRRo4QZckHLop0=",
+        "lastModified": 1776741231,
+        "narHash": "sha256-k9G98qzn+7npROUaks8VqCFm7cFtEG8ulQLBBo5lItg=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "dcc802a6ec4e9cc6a1c8c393327f0c42666f22e4",
+        "rev": "02061303f7c4c964f7b4584dabd9e985b4cd442b",
         "type": "github"
       },
       "original": {
@@ -693,11 +458,11 @@
     "spectrum": {
       "flake": false,
       "locked": {
-        "lastModified": 1708358594,
-        "narHash": "sha256-e71YOotu2FYA67HoC/voJDTFsiPpZNRwmiQb4f94OxQ=",
+        "lastModified": 1772189877,
+        "narHash": "sha256-i1p90Rgssb//aNiTDFq46ZG/fk3LmyRLChtp/9lddyA=",
         "ref": "refs/heads/main",
-        "rev": "6d0e73864d28794cdbd26ab7b37259ab0e1e044c",
-        "revCount": 614,
+        "rev": "fe39e122d898f66e89ffa17d4f4209989ccb5358",
+        "revCount": 1255,
         "type": "git",
         "url": "https://spectrum-os.org/git/spectrum"
       },
@@ -723,62 +488,33 @@
     },
     "systems_2": {
       "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
         "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
         "type": "github"
       },
       "original": {
         "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_3": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_4": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
+        "repo": "default-linux",
         "type": "github"
       }
     },
     "treefmt-nix": {
       "inputs": {
         "nixpkgs": [
-          "nixvim",
+          "noctalia",
+          "noctalia-qs",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1715940852,
-        "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
+        "lastModified": 1775636079,
+        "narHash": "sha256-pc20NRoMdiar8oPQceQT47UUZMBTiMdUuWrYu2obUP0=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
+        "rev": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,73 +2,110 @@
 #  https://github.com/MatthiasBenaets/nixos-config
 #  https://www.youtube.com/watch?v=AGVXJ-TIv3Y
 #
-#  flake.nix *             
+#  flake.nix *
 #   ├─ ./hosts
 #   │   └─ default.nix
-
 {
-  description = "Kabbone's peronal NixOS Flake config";
+  description = "Kabbone's personal NixOS Flake config";
 
-  inputs =                                                                  # All flake references used to build my NixOS setup. These are dependencies.
-    {
-      nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";                  # Nix Packages
-      nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
-      nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+  inputs = {
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; # Nix Packages
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 
-      microvm = {
-        url = "github:astro/microvm.nix";
-        inputs.nixpkgs.follows = "nixpkgs";
-      };
-
-      impermanence.url = "github:nix-community/impermanence";
-
-      home-manager = {                                                      # User Package Management
-        url = "github:nix-community/home-manager/release-23.11";
-        inputs.nixpkgs.follows = "nixpkgs";
-      };
-
-      home-manager-unstable = {                                                      # User Package Management
-        url = "github:nix-community/home-manager";
-        inputs.nixpkgs.follows = "nixpkgs-unstable";
-      };
-
-      agenix = {
-        url = "github:ryantm/agenix";
-        inputs.nixpkgs.follows = "nixpkgs";
-      };
-
-      jovian-nixos = {
-          url = "github:Jovian-Experiments/Jovian-NixOS";
-          inputs.nixpkgs.follows = "nixpkgs-unstable";
-      };
-
-      lanzaboote = {
-          url = "github:nix-community/lanzaboote/master";
-          inputs.nixpkgs.follows = "nixpkgs";
-       };
-
-       nixvim = {
-           url = "github:nix-community/nixvim";
-           inputs.nixpkgs.follows = "nixpkgs-unstable";
-       };
+    microvm = {
+      url = "github:microvm-nix/microvm.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
 
-  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, agenix, jovian-nixos, microvm, impermanence, lanzaboote, nixvim, ... }:   # Function that tells my flake which to use and what do what to do with the dependencies.
-    let                                                                     # Variables that can be used in the config files
-      user = "kabbone";
-      userdmz = "diablo";
-      userserver = "mephisto";
-      location = "$HOME/.setup";
-    in                                                                      # Use above variables in ...
-    {
-      nixosConfigurations = (                                               # NixOS configurations
-        import ./hosts {                                                    # Imports ./hosts/default.nix
-          inherit (nixpkgs) lib;
-          inherit inputs nixpkgs nixpkgs-unstable nixos-hardware home-manager home-manager-unstable user userdmz userserver location agenix jovian-nixos microvm impermanence lanzaboote nixvim;   # Also inherit home-manager so it does not need to be defined here.
-          nix.allowedUsers = [ "@wheel" ];
-          security.sudo.execWheelOnly = true;
-        }
-      );
+    impermanence.url = "github:nix-community/impermanence";
+
+    home-manager = {
+      # User Package Management
+      url = "github:nix-community/home-manager/release-25.11";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    home-manager-unstable = {
+      # User Package Management
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    jovian-nixos = {
+      url = "github:Jovian-Experiments/Jovian-NixOS";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    noctalia = {
+      url = "github:noctalia-dev/noctalia-shell";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    nixpkgs-unstable,
+    nixos-hardware,
+    home-manager,
+    home-manager-unstable,
+    agenix,
+    jovian-nixos,
+    microvm,
+    impermanence,
+    lanzaboote,
+    noctalia,
+    ...
+  } @ inputs: let
+    systems = [
+      #      "aarch64-linux"
+      "x86_64-linux"
+    ];
+    forAllSystems = nixpkgs.lib.genAttrs systems;
+  in {
+    # Your custom packages
+    # Accessible through 'nix build', 'nix shell', etc
+    packages = forAllSystems (system: import ./packages {pkgs = nixpkgs.legacyPackages.${system};});
+    # Formatter for your nix files, available through 'nix fmt'
+    # Other options beside 'alejandra' include 'nixpkgs-fmt'
+    formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra);
+
+    # Your custom packages and modifications, exported as overlays
+    overlays = import ./overlays {inherit inputs;};
+    # Reusable nixos modules you might want to export
+    # These are usually stuff you would upstream into nixpkgs
+    #nixosModules = import ./modules/kabbone;
+    # Reusable home-manager modules you might want to export
+    # These are usually stuff you would upstream into home-manager
+    #homeManagerModules = import ./modules/home-manager;
+
+    nixosConfigurations = ( # NixOS configurations
+      import ./hosts {
+        # Imports ./hosts/default.nix
+        inherit (nixpkgs) lib;
+        inherit inputs nixpkgs nixpkgs-unstable nixos-hardware home-manager home-manager-unstable agenix jovian-nixos microvm impermanence lanzaboote; # Also inherit home-manager so it does not need to be defined here.
+      }
+    );
+
+    hydraJobs = {
+      "steamdeck" = self.nixosConfigurations.steamdeck.config.system.build.toplevel;
+      "hades" = self.nixosConfigurations.hades.config.system.build.toplevel;
+      "nasbak" = self.nixosConfigurations.nasbak.config.system.build.toplevel;
+      "jupiter" = self.nixosConfigurations.jupiter.config.system.build.toplevel;
+      "lifebook" = self.nixosConfigurations.lifebook.config.system.build.toplevel;
+      "kabtop" = self.nixosConfigurations.kabtop.config.system.build.toplevel;
+      "dmz" = self.nixosConfigurations.dmz.config.system.build.toplevel;
+    };
+  };
 }

hosts/configuration_common.nix

@@ -0,0 +1,132 @@
+#
+#  Common configuration shared by all hosts (desktop and server).
+#  Imported by configuration_desktop.nix and configuration_server.nix.
+#
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  user,
+  location,
+  agenix,
+  ...
+}: {
+  imports = [
+    ../modules/hardware/hydraCache.nix
+  ];
+
+  users.users.${user} = {
+    shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIgo4IP8ISUohyAMiDc3zEe6ESUE3un7eN5FhVtxZHmcAAAABHNzaDo= kabbone@kabc"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKVDApb3vZ+i97V4xLJh8rUF6z5OVYfORlXYbLhdQO15AAAABHNzaDo= kabbone@hades.home.opel-online.de"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de"
+    ];
+  };
+
+  time.timeZone = "Europe/Berlin";
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_TIME = "de_DE.UTF-8";
+      LC_MONETARY = "de_DE.UTF-8";
+    };
+  };
+
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+
+  fonts.packages = with pkgs; [
+    carlito
+    vegur
+    source-code-pro
+    font-awesome
+    hack-font
+    corefonts
+    intel-one-mono
+    cascadia-code
+  ];
+
+  environment = {
+    variables = {
+      TERMINAL = "alacritty";
+      EDITOR = "nvim";
+      VISUAL = "nvim";
+      BROWSER = "firefox";
+    };
+    systemPackages = with pkgs; [
+      vim
+      git
+      killall
+      pciutils
+      usbutils
+      wget
+      bind
+      dig
+      agenix.packages.${pkgs.system}.default
+      cryptsetup
+      powerline
+      powerline-fonts
+      powerline-symbols
+      tree
+      direnv
+      linuxPackages_latest.cpupower
+      btop
+    ];
+  };
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+
+  programs.zsh.enable = true;
+
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      allowed-users = ["@wheel"];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+    package = pkgs.nixVersions.stable;
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+  };
+
+  nixpkgs.config.allowUnfree = true;
+  nixpkgs.config.permittedInsecurePackages = [
+    "olm-3.2.16"
+  ];
+
+  security = {
+    sudo.execWheelOnly = true;
+    pki.certificateFiles = [
+      ./rootCA.pem
+    ];
+  };
+
+  system = {
+    stateVersion = "23.05";
+    autoUpgrade = {
+      flake = "git+https://git.kabtop.de/Kabbone/nixos-config";
+      randomizedDelaySec = "5m";
+      allowReboot = true;
+      rebootWindow = {
+        lower = "02:00";
+        upper = "05:00";
+      };
+    };
+  };
+}

hosts/configuration_desktop.nix

@@ -1,200 +0,0 @@
-#
-#  Main system configuration. More information available in configuration.nix(5) man page.
-#
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ configuration.nix *
-#   └─ ./modules
-#       └─ ./editors
-#           └─ ./nvim
-#               └─ default.nix
-#
-
-{ config, lib, pkgs, inputs, user, location, agenix, ... }:
-
-{
-  imports =                                 # Import window or display manager.
-    [
-      #../modules/editors/nvim              # ! Comment this out on first install !
-    ];
-
-  users.users.${user} = {                   # System User
-    isNormalUser = true;
-    extraGroups = [ "wheel" "video" "audio" "camera" "networkmanager" "lp" "kvm" "libvirtd" "adb" "dialout" "tss" ];
-    shell = pkgs.zsh;                       # Default shell
-    uid = 2000;
-#    initialPassword = "password95";
-    openssh.authorizedKeys.keys = [
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIgo4IP8ISUohyAMiDc3zEe6ESUE3un7eN5FhVtxZHmcAAAABHNzaDo= kabbone@kabc"
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKVDApb3vZ+i97V4xLJh8rUF6z5OVYfORlXYbLhdQO15AAAABHNzaDo= kabbone@hades.home.opel-online.de"
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de"
-    ];
-  };
-
-  time.timeZone = "Europe/Berlin";        # Time zone and internationalisation
-  i18n = {
-    defaultLocale = "en_US.UTF-8";
-    extraLocaleSettings = {                 # Extra locale settings that need to be overwritten
-      LC_TIME = "de_DE.UTF-8";
-      LC_MONETARY = "de_DE.UTF-8";
-    };
-  };
-
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "us";	                    # or us/azerty/etc
-  };
-
-  security = {
-    rtkit.enable = true;
-    pki.certificateFiles = [
-      ./rootCA.pem
-    ];
-    #tpm2 = {
-    #    enable = true;
-    #    pkcs11.enable = true;
-    #    tctiEnvironment.enable = true;
-    #  };
-  };
-
-  sound = {                                 # ALSA sound enable
-    #enable = true;
-    mediaKeys = {                           # Keyboard Media Keys (for minimal desktop) enable = true;
-      enable = true;
-    };
-  };
-
-  fonts.packages = with pkgs; [                # Fonts
-    carlito                                 # NixOS
-    vegur                                   # NixOS
-    source-code-pro
-    font-awesome                            # Icons
-    hack-font
-    corefonts                               # MS
-    intel-one-mono
-    cascadia-code
-    (nerdfonts.override {                   # Nerdfont Icons override
-      fonts = [
-        "FiraCode"
-      ];
-    })
-  ];
-
-  environment = {
-    variables = {
-      TERMINAL = "alacritty";
-      EDITOR = "nvim";
-      VISUAL = "nvim";
-      BROWSER = "firefox";
-    };
-    systemPackages = with pkgs; [           # Default packages install system-wide
-      vim
-      git
-      killall
-      pciutils
-      usbutils
-      wget
-      powertop
-      cpufrequtils
-      lm_sensors
-      libva-utils
-      at-spi2-core
-      bind
-      dig
-      qmk-udev-rules
-      gptfdisk
-      agenix.packages.x86_64-linux.default
-      age-plugin-yubikey
-      pwgen
-      cryptsetup
-      powerline
-      powerline-fonts
-      powerline-symbols
-      tree
-      direnv
-      linuxPackages_latest.cpupower
-      btop
-      sbctl
-    ];
-  };
-
-  services = {
-    pipewire = {                            # Sound
-      enable = true;
-      alsa = {
-        enable = true;
-      #  support32Bit = true;
-      };
-      pulse.enable = true;
-      wireplumber.enable = true;
-    };
-    openssh = {                             # SSH: secure shell (remote connection to shell of server)
-      enable = true;                        # local: $ ssh <user>@<ip>
-                                            # public:
-                                            #   - port forward 22 TCP to server
-                                            #   - in case you want to use the domain name insted of the ip:
-                                            #       - for me, via cloudflare, create an A record with name "ssh" to the correct ip without proxy
-                                            #   - connect via ssh <user>@<ip or ssh.domain>
-                                            # generating a key:
-                                            #   - $ ssh-keygen   |  ssh-copy-id <ip/domain>  |  ssh-add
-                                            #   - if ssh-add does not work: $ eval `ssh-agent -s`
-#      allowSFTP = true;                     # SFTP: secure file transfer protocol (send file to server)
-                                            # connect: $ sftp <user>@<ip/domain>
-                                            # commands:
-                                            #   - lpwd & pwd = print (local) parent working directory
-                                            #   - put/get <filename> = send or receive file
-#      extraConfig = ''
-#        HostKeyAlgorithms +ssh-rsa
-#      '';                                   # Temporary extra config so ssh will work in guacamole
-      settings.PasswordAuthentication = false;
-    };
-    pcscd.enable = true;
-    yubikey-agent.enable = true;
-    udev.packages = [ pkgs.yubikey-personalization pkgs.nitrokey-udev-rules ];
-    #flatpak.enable = true;                  # download flatpak file from website - sudo flatpak install <path> - reboot if not showing up
-                                            # sudo flatpak uninstall --delete-data <app-id> (> flatpak list --app) - flatpak uninstall --unused
-                                            # List:
-                                            # com.obsproject.Studio
-                                            # com.parsecgaming.parsec
-                                            # com.usebottles.bottles
-    gvfs.enable = true;
-    fwupd.enable = true;
-  };
-
-  #xdg.portal = {                            # Required for flatpak
-  #  enable = true;
-  #  extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
-  #};
-
-  nix = {                                   # Nix Package Manager settings
-    settings ={
-      auto-optimise-store = true;           # Optimise syslinks
-    };
-    gc = {                                  # Automatic garbage collection
-      automatic = true;
-      dates = "weekly";
-      options = "--delete-older-than 7d";
-    };
-    package = pkgs.nixVersions.stable;               # Enable nixFlakes on system
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-  };
-  nixpkgs.config.allowUnfree = true;        # Allow proprietary software.
-
-  system = {                                # NixOS settings
-    autoUpgrade = {                         # Allow auto update
-      enable = true;
-      flake = "git+https://git.kabtop.de/Kabbone/nixos-config";
-      randomizedDelaySec = "5m";
-      allowReboot = true;
-      rebootWindow = {
-          lower = "02:00";
-          upper = "05:00";
-      };
-      #channel = "https://nixos.org/channels/nixos-unstable";
-    };
-    stateVersion = "23.05";
-  };
-}

hosts/configuration_server.nix

@@ -1,149 +1,44 @@
 #
-#  Main system configuration. More information available in configuration.nix(5) man page.
+#  Server configuration. Imports configuration_common.nix for shared settings.
+#  Service modules are imported per-host.
 #
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ configuration.nix *
-#   └─ ./modules
-#       └─ ./editors
-#           └─ ./nvim
-#               └─ default.nix
-#
-
-{ config, lib, pkgs, inputs, user, location, agenix, ... }:
-
 {
+  config,
+  lib,
+  pkgs,
+  inputs,
+  user,
+  location,
+  agenix,
+  ...
+}: {
+  imports = [
+    ./configuration_common.nix
+  ];
 
-
-  imports =                                 # Import window or display manager.
-    [
-     #../modules/editors/nvim              # ! Comment this out on first install !
-    ];
-
-  users.users.${user} = {                   # System User
+  users.users.${user} = {
     isNormalUser = true;
-    extraGroups = [ "wheel" "networkmanager" "kvm" "libvirtd" ];
-    shell = pkgs.zsh;                       # Default shell
     uid = 3000;
-#    initialPassword = "password95";
-    openssh.authorizedKeys.keys = [
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIgo4IP8ISUohyAMiDc3zEe6ESUE3un7eN5FhVtxZHmcAAAABHNzaDo= kabbone@kabc"
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKVDApb3vZ+i97V4xLJh8rUF6z5OVYfORlXYbLhdQO15AAAABHNzaDo= kabbone@hades.home.opel-online.de"
-      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de"
-    ];
-  };
-  security.sudo.wheelNeedsPassword = true; # User does not need to give password when using sudo.
-
-  time.timeZone = "Europe/Berlin";        # Time zone and internationalisation
-  i18n = {
-    defaultLocale = "en_US.UTF-8";
-    extraLocaleSettings = {                 # Extra locale settings that need to be overwritten
-      LC_TIME = "de_DE.UTF-8";
-      LC_MONETARY = "de_DE.UTF-8";
-    };
+    extraGroups = ["wheel" "networkmanager" "kvm" "libvirtd"];
   };
 
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "us";	                    # or us/azerty/etc
-  };
+  security.sudo.wheelNeedsPassword = true;
 
-  security.rtkit.enable = true;
-  security.pki.certificateFiles = [
-      ./rootCA.pem
+  environment.systemPackages = with pkgs; [
+    ffmpeg
+    smartmontools
+    htop
   ];
 
-  fonts.packages = with pkgs; [                # Fonts
-    carlito                                 # NixOS
-    vegur                                   # NixOS
-    source-code-pro
-    cascadia-code
-    font-awesome                            # Icons
-    hack-font
-    corefonts                               # MS
-    (nerdfonts.override {                   # Nerdfont Icons override
-      fonts = [
-        "FiraCode"
-      ];
-    })
-  ];
-
-  environment = {
-    variables = {
-      TERMINAL = "alacritty";
-      EDITOR = "nvim";
-      VISUAL = "nvim";
-    };
-    systemPackages = with pkgs; [           # Default packages install system-wide
-      vim
-      git
-      killall
-      pciutils
-      usbutils
-      wget
-      powertop
-      cpufrequtils
-      lm_sensors
-      bind
-      dig
-      agenix.packages.x86_64-linux.default
-      ffmpeg
-      smartmontools
-      powerline
-      powerline-fonts
-      powerline-symbols
-      tree
-      btop
-      htop
-      direnv
-    ];
+  services.openssh = {
+    ports = [2220];
+    openFirewall = true;
   };
 
-  services = {
-    openssh = {                             # SSH: secure shell (remote connection to shell of server)
-      enable = true;                        # local: $ ssh <user>@<ip>
-      settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "no";
-      };
-      ports = [ 2220 ];
-      openFirewall = true;
-    };
+  nix.extraOptions = ''
+    keep-outputs          = true
+    keep-derivations      = true
+  '';
 
-    #flatpak.enable = true;                  # download flatpak file from website - sudo flatpak install <path> - reboot if not showing up
-                                            # sudo flatpak uninstall --delete-data <app-id> (> flatpak list --app) - flatpak uninstall --unused
-  };
-
-  nix = {                                   # Nix Package Manager settings
-    settings ={
-      auto-optimise-store = true;           # Optimise syslinks
-    };
-    gc = {                                  # Automatic garbage collection
-      automatic = true;
-      dates = "weekly";
-      options = "--delete-older-than 7d";
-    };
-    package = pkgs.nixVersions.stable;               # Enable nixFlakes on system
-    extraOptions = ''
-      experimental-features = nix-command flakes
-      keep-outputs          = true
-      keep-derivations      = true
-    '';
-  };
-  nixpkgs.config.allowUnfree = true;        # Allow proprietary software.
-
-  system = {                                # NixOS settings
-    autoUpgrade = {                         # Allow auto update
-      enable = true;
-      flake = "git+https://git.kabtop.de/Kabbone/nixos-config";
-      randomizedDelaySec = "5m";
-      allowReboot = true;
-      rebootWindow = {
-          lower = "02:00";
-          upper = "05:00";
-      };
-    };
-    stateVersion = "23.05";
-  };
+  system.autoUpgrade.enable = true;
 }

hosts/default.nix

@@ -1,230 +1,252 @@
 #
 #  These are the different profiles that can be used when building NixOS.
 #
-#  flake.nix 
-#   └─ ./hosts  
+#  flake.nix
+#   └─ ./hosts
 #       ├─ default.nix *
-#       ├─ configuration.nix
+#       ├─ configuration_common.nix
+#       ├─ configuration_desktop.nix
+#       ├─ configuration_server.nix
 #       ├─ home.nix
 #       └─ ./desktop OR ./laptop OR ./vm
 #            ├─ ./default.nix
-#            └─ ./home.nix 
+#            └─ ./home.nix
 #
+{
+  lib,
+  inputs,
+  nixpkgs,
+  nixpkgs-unstable,
+  nixos-hardware,
+  home-manager,
+  home-manager-unstable,
+  agenix,
+  jovian-nixos,
+  microvm,
+  impermanence,
+  lanzaboote,
+  ...
+}: let
+  # Default user — desktop hosts share this; server hosts may override per-host
+  # by passing a different `user` value in their own specialArgs block.
+  defaultUser = "kabbone";
+  location = builtins.getEnv "HOME" + "/.setup";
 
-{ lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, user, userdmz, userserver, location, agenix, jovian-nixos, microvm, impermanence, lanzaboote, nixvim, ... }:
+  system = "x86_64-linux";
 
-let
-  system = "x86_64-linux";                                  # System architecture
+  pkgs-unstable = import nixpkgs-unstable {
+    inherit system;
+    config.allowUnfree = true;
+  };
+
+  pkgs-kabbone = import ../packages {
+    inherit system;
+    pkgs = import nixpkgs {
+      inherit system;
+      config.allowUnfree = true;
+    };
+  };
 
   pkgs = import nixpkgs {
     inherit system;
-    config.allowUnfree = true;                              # Allow proprietary software
+    config.allowUnfree = true;
+    # Prefer host-specific overlays over a global one here.
+    # Set nixpkgs.overlays inside the host's own module (e.g. hosts/desktop/default.nix)
+    # so only that host's pkgs is affected. Packages can be imported inline —
+    # no specialArgs needed. See hosts/desktop/default.nix for an example.
   };
 
-  lib = nixpkgs.lib;
-  users.defaultShell = "pkgs.zsh";
-
-in
-{
-  desktop = lib.nixosSystem {                                # Desktop profile
+  # Helper: returns [hm-module, config-attrset] for the modules list.
+  # hm        - the home-manager flake input to use (stable or unstable)
+  # user      - the username whose home-manager config to build
+  # hmImports - list of home.nix paths for this host
+  mkHM = hm: user: hmImports: [
+    hm.nixosModules.home-manager
+    {
+      home-manager.useGlobalPkgs = true;
+      home-manager.useUserPackages = true;
+      home-manager.extraSpecialArgs = {inherit user;};
+      home-manager.users.${user}.imports = hmImports;
+    }
+  ];
+in {
+  hades = lib.nixosSystem {
+    # Desktop profile
     inherit system;
-    specialArgs = { inherit inputs user location nixos-hardware agenix microvm nixpkgs lanzaboote nixvim; };
-    modules = [
-      agenix.nixosModules.default
-      microvm.nixosModules.host
-      lanzaboote.nixosModules.lanzaboote
-      #nixvim.nixosModules.nixvim
-      ./desktop
-      ./configuration_desktop.nix
-      ../modules/hardware/remoteBuilder.nix
-      nixos-hardware.nixosModules.common-cpu-amd
-      nixos-hardware.nixosModules.common-gpu-amd
-      nixos-hardware.nixosModules.common-pc-ssd
-      
-
-      home-manager.nixosModules.home-manager {
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.extraSpecialArgs = { inherit user; };
-        home-manager.users.${user} = {
-        imports = [(import ./home.nix)] ++ [(import ./desktop/home.nix)];
-        };
-      }
-    ];
+    specialArgs = {
+      inherit inputs location nixos-hardware agenix microvm nixpkgs lanzaboote;
+      user = defaultUser;
+    };
+    modules =
+      [
+        agenix.nixosModules.default
+        microvm.nixosModules.host
+        lanzaboote.nixosModules.lanzaboote
+        ./desktop # myDesktop options set inside
+        ./configuration_common.nix
+        ../modules/hardware/remoteBuilder.nix
+        nixos-hardware.nixosModules.common-cpu-amd
+        nixos-hardware.nixosModules.common-gpu-amd
+        nixos-hardware.nixosModules.common-pc-ssd
+      ]
+      ++ (mkHM home-manager defaultUser [./home.nix ./desktop/home.nix]);
   };
 
-  laptop = lib.nixosSystem {                                # Laptop profile
+  lifebook = lib.nixosSystem {
+    # Laptop profile
     inherit system;
-    specialArgs = { inherit inputs user location nixos-hardware agenix; };
-    modules = [
-      agenix.nixosModules.default
-      ./laptop
-      ./configuration_desktop.nix
-      ../modules/hardware/remoteClient.nix
-      nixos-hardware.nixosModules.common-cpu-intel
-      nixos-hardware.nixosModules.common-gpu-intel
-      nixos-hardware.nixosModules.common-pc-ssd
-
-      home-manager.nixosModules.home-manager {
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.extraSpecialArgs = { inherit user; };
-        home-manager.users.${user} = {
-        imports = [(import ./home.nix)] ++ [(import ./laptop/home.nix)];
-        };
-      }
-    ];
+    specialArgs = {
+      inherit inputs location nixos-hardware agenix lanzaboote;
+      user = defaultUser;
+    };
+    modules =
+      [
+        agenix.nixosModules.default
+        lanzaboote.nixosModules.lanzaboote
+        ./lifebook # myDesktop options set inside
+        ./configuration_common.nix
+        nixos-hardware.nixosModules.common-cpu-intel
+        nixos-hardware.nixosModules.common-pc-ssd
+      ]
+      ++ (mkHM home-manager defaultUser [./home.nix ./lifebook/home.nix]);
   };
 
-  steamdeck = nixpkgs-unstable.lib.nixosSystem {            # steamdeck profile
+  steamdeck = nixpkgs-unstable.lib.nixosSystem {
+    # steamdeck profile
     inherit system;
-    specialArgs = { inherit inputs user location nixos-hardware agenix jovian-nixos lanzaboote; };
-    modules = [
-      agenix.nixosModules.default
-      jovian-nixos.nixosModules.default
-      lanzaboote.nixosModules.lanzaboote
-      ./steamdeck
-      ./configuration_desktop.nix
-      ../modules/hardware/remoteClient.nix
-      nixos-hardware.nixosModules.common-cpu-amd
-      nixos-hardware.nixosModules.common-gpu-amd
-      nixos-hardware.nixosModules.common-pc-ssd
-
-      home-manager-unstable.nixosModules.home-manager {
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.extraSpecialArgs = { inherit user; };
-        home-manager.users.${user} = {
-        imports = [(import ./home.nix)] ++ [(import ./steamdeck/home.nix)];
-        };
-      }
-    ];
+    specialArgs = {
+      inherit inputs location nixos-hardware agenix jovian-nixos lanzaboote;
+      user = defaultUser;
+    };
+    modules =
+      [
+        agenix.nixosModules.default
+        jovian-nixos.nixosModules.default
+        lanzaboote.nixosModules.lanzaboote
+        ./steamdeck
+        ./configuration_common.nix
+      ]
+      ++ (mkHM home-manager-unstable defaultUser [./home.nix ./steamdeck/home.nix]);
   };
 
-  server = lib.nixosSystem {                                # Desktop profile
+  kabtop = lib.nixosSystem {
+    # Server profile
     inherit system;
-    specialArgs = { inherit inputs user location nixos-hardware agenix nixpkgs impermanence; };
-    modules = [
-      agenix.nixosModules.default
-      microvm.nixosModules.host
-      ./server
-      ./configuration_server.nix
-      nixos-hardware.nixosModules.common-cpu-amd
-      nixos-hardware.nixosModules.common-pc-ssd
-
-      home-manager.nixosModules.home-manager {
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.extraSpecialArgs = { inherit user; };
-        home-manager.users.${user} = {
-        imports = [(import ./home_server.nix)] ++ [(import ./server/home.nix)];
-        };
-      }
-    ];
+    specialArgs = {
+      inherit inputs location nixos-hardware agenix impermanence;
+      user = defaultUser;
+    };
+    modules =
+      [
+        agenix.nixosModules.default
+        microvm.nixosModules.host
+        ./kabtop
+        ./configuration_common.nix
+        nixos-hardware.nixosModules.common-cpu-amd
+        nixos-hardware.nixosModules.common-pc-ssd
+      ]
+      ++ (mkHM home-manager defaultUser [./home_server.nix ./kabtop/home.nix]);
   };
 
-  kabtop = lib.nixosSystem {                                # Desktop profile
+  nasbak = lib.nixosSystem {
+    # Server profile
     inherit system;
-    specialArgs = { inherit inputs user location nixos-hardware agenix nixpkgs impermanence; };
-    modules = [
-      agenix.nixosModules.default
-      microvm.nixosModules.host
-      ./kabtop
-      ./configuration_server.nix
-      nixos-hardware.nixosModules.common-cpu-amd
-      nixos-hardware.nixosModules.common-pc-ssd
-
-      home-manager.nixosModules.home-manager {
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.extraSpecialArgs = { inherit user; };
-        home-manager.users.${user} = {
-        imports = [(import ./home_server.nix)] ++ [(import ./server/home.nix)];
-        };
-      }
-    ];
+    specialArgs = {
+      inherit inputs location nixos-hardware agenix;
+      user = defaultUser;
+    };
+    modules =
+      [
+        agenix.nixosModules.default
+        ./nasbackup
+        ./configuration_common.nix
+        nixos-hardware.nixosModules.common-cpu-intel
+        nixos-hardware.nixosModules.common-pc-ssd
+      ]
+      ++ (mkHM home-manager defaultUser [./home_server.nix ./nasbackup/home.nix]);
   };
 
-  nasbak = lib.nixosSystem {                                # Desktop profile
+  jupiter = lib.nixosSystem {
+    # Server profile
     inherit system;
-    specialArgs = { inherit inputs user location nixos-hardware agenix; };
-    modules = [
-      agenix.nixosModules.default
-      ./nasbackup
-      ./configuration_desktop.nix
-      ../modules/hardware/remoteClient.nix
-      nixos-hardware.nixosModules.common-cpu-intel
-      nixos-hardware.nixosModules.common-pc-ssd
-
-      home-manager.nixosModules.home-manager {
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.extraSpecialArgs = { inherit user; };
-        home-manager.users.${user} = {
-        imports = [(import ./home_server.nix)] ++ [(import ./nasbackup/home.nix)];
-        };
-      }
-    ];
+    specialArgs = {
+      inherit inputs location nixos-hardware agenix;
+      user = defaultUser;
+    };
+    modules =
+      [
+        agenix.nixosModules.default
+        ./jupiter
+        ./configuration_common.nix
+        nixos-hardware.nixosModules.common-cpu-intel
+        nixos-hardware.nixosModules.common-pc-ssd
+      ]
+      ++ (mkHM home-manager defaultUser [./home_server.nix ./jupiter/home.nix]);
   };
 
-  jupiter = lib.nixosSystem {                                # Desktop profile
+  kabtopci = lib.nixosSystem {
+    # Server profile
     inherit system;
-    specialArgs = { inherit inputs user location nixos-hardware agenix; };
-    modules = [
-      agenix.nixosModules.default
-      ./jupiter
-      ./configuration_desktop.nix
-      ../modules/hardware/remoteClient.nix
-      nixos-hardware.nixosModules.common-cpu-intel
-      nixos-hardware.nixosModules.common-pc-ssd
-
-      home-manager.nixosModules.home-manager {
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.extraSpecialArgs = { inherit user; };
-        home-manager.users.${user} = {
-        imports = [(import ./home_server.nix)] ++ [(import ./jupiter/home.nix)];
-        };
-      }
-    ];
+    specialArgs = {
+      inherit inputs location nixos-hardware agenix impermanence;
+      user = defaultUser;
+    };
+    modules =
+      [
+        agenix.nixosModules.default
+        microvm.nixosModules.host
+        ./kabtopci
+        ./configuration_common.nix
+        nixos-hardware.nixosModules.common-pc-ssd
+      ]
+      ++ (mkHM home-manager defaultUser [./home_server.nix ./kabtopci/home.nix]);
   };
 
-  dmz = lib.nixosSystem {                                # Desktop profile
+  kubemaster-1 = lib.nixosSystem {
+    # Server profile
     inherit system;
-    specialArgs = { inherit inputs user location nixos-hardware agenix nixpkgs impermanence; };
-    modules = [
-      agenix.nixosModules.default
-      microvm.nixosModules.host
-      ./dmz
-      ./configuration_server.nix
-      nixos-hardware.nixosModules.common-pc-ssd
-
-      home-manager.nixosModules.home-manager {
-        home-manager.useGlobalPkgs = true;
-        home-manager.useUserPackages = true;
-        home-manager.extraSpecialArgs = { inherit user; };
-        home-manager.users.${user} = {
-        imports = [(import ./home_server.nix)] ++ [(import ./dmz/home.nix)];
-        };
-      }
-    ];
+    specialArgs = {
+      inherit inputs location nixos-hardware agenix impermanence;
+      user = defaultUser;
+    };
+    modules =
+      [
+        agenix.nixosModules.default
+        microvm.nixosModules.host
+        ./kubemaster-1
+        ./configuration_common.nix
+        nixos-hardware.nixosModules.common-cpu-intel
+        nixos-hardware.nixosModules.common-pc-ssd
+      ]
+      ++ (mkHM home-manager defaultUser [./home_server.nix ./kubemaster-1/home.nix]);
   };
 
-#  vm = lib.nixosSystem {                                    # VM profile
-#    inherit system;
-#    specialArgs = { inherit inputs user location; };
-#    modules = [
-#      ./vm
-#      ./configuration.nix
-#
-#      home-manager.nixosModules.home-manager {
-#        home-manager.useGlobalPkgs = true;
-#        home-manager.useUserPackages = true;
-#        home-manager.extraSpecialArgs = { inherit user; }; 
-#        home-manager.users.${user} = {
-#          imports = [(import ./home.nix)] ++ [(import ./vm/home.nix)];
-#        };
-#      }
-#    ];
-#  };
+  dmz = lib.nixosSystem {
+    # Server profile
+    inherit system;
+    specialArgs = {
+      inherit inputs location nixos-hardware agenix impermanence;
+      user = defaultUser;
+    };
+    modules =
+      [
+        agenix.nixosModules.default
+        microvm.nixosModules.host
+        ./dmz
+        ./configuration_common.nix
+        nixos-hardware.nixosModules.common-pc-ssd
+      ]
+      ++ (mkHM home-manager defaultUser [./home_server.nix ./dmz/home.nix]);
+  };
+
+  #  vm = lib.nixosSystem {                                    # VM profile
+  #    inherit system;
+  #    specialArgs = { inherit inputs user location; };
+  #    modules = [
+  #      ./vm
+  #      ./configuration.nix
+  #
+  #      (mkHM home-manager [ ./home.nix ./vm/home.nix ])
+  #    ];
+  #  };
 }

hosts/desktop/default.nix

@@ -1,103 +1,62 @@
 #
-#  Specific system configuration settings for desktop
+#  Hades desktop — system configuration
 #
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │        ├─ default.nix *
-#   │        └─ hardware-configuration.nix       
-#   └─ ./modules
-#       ├─ ./desktop
-#       │   └─ ./hyprland
-#       │       └─ hyprland.nix
-#       ├─ ./modules
-#       │   └─ ./programs
-#       │       └─ waybar.nix
-#       └─ ./hardware
-#           └─ default.nix
-#
-
-{ config, nixpkgs, pkgs, user, lib, nixvim, ... }:
-
 {
-  imports =                                                         # For now, if applying to other system, swap files
-    [(import ./hardware-configuration.nix)] ++                      # Current system hardware config @ /etc/nixos/hardware-configuration.nix
-    [(import ../../modules/wm/sway/default.nix)] ++         # Window Manager
-    (import ../../modules/wm/virtualisation) ++             # libvirt + Docker
-    [(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++   # kvm module options
-    (import ../../modules/hardware);                             # Hardware devices
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  # Example: host-specific overlays — only hades gets these packages in its pkgs.
+  # nixpkgs.overlays = [
+  #   (final: prev: {
+  #     # pull a single package from unstable (no specialArgs needed)
+  #     firefox          = inputs.nixpkgs-unstable.legacyPackages.${prev.system}.firefox;
+  #     # pull a package from pkgs-kabbone (inline import, no specialArgs needed)
+  #     corosync-qdevice = (import ../../packages { pkgs = prev; }).corosync-qdevice;
+  #   })
+  # ];
 
-  boot = {                                  # Boot options
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules/desktop
+  ];
+
+  # ── Desktop module options ──────────────────────────────────────────────
+  myDesktop.windowManager = "niri";
+  myDesktop.cpu = "amd";
+  myDesktop.virtualisation.enable = true;
+
+  myDesktop.openrgb.enable = true;
+  myDesktop.openrgb.motherboard = "amd";
+
+  myDesktop.syncthing.enable = true;
+  myDesktop.syncthing.devices = {
+    "jupiter.home.opel-online.de" = {id = "T53WU6Z-3NT74ZE-PZVZB2N-7FBTZ5K-HESC2ZM-W4ABDAS-NWXHTGI-ST4CDQR";};
+    "lifebook.home.opel-online.de" = {id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4";};
+  };
+  myDesktop.syncthing.folders = {
+    "Sync" = {
+      path = "/home/kabbone/Sync";
+      devices = ["jupiter.home.opel-online.de" "lifebook.home.opel-online.de"];
+      ignorePerms = false;
+    };
+  };
+
+  # ── Host-specific settings ──────────────────────────────────────────────
+  boot = {
     kernelPackages = pkgs.linuxPackages_latest;
-
-    loader = {                              # EFI Boot
+    loader = {
       systemd-boot.enable = lib.mkForce false;
-      efi = {
-        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
-      };
-      timeout = 1;                          # Grub auto select time
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot";
+      timeout = 1;
     };
-
     lanzaboote = {
-        enable = true;
-        pkiBundle = "/etc/secureboot";
-    };
-  };
-
-#  hardware.sane = {                           # Used for scanning with Xsane
-#    enable = false;
-#    extraBackends = [ pkgs.sane-airscan ];
-#  };
-#  hardware = {
-#    nitrokey.enable = true;
-#  };
-
-#  environment = {
-#    systemPackages = with pkgs; [
-##      simple-scan
-##       intel-media-driver
-##       alacritty
-#    ];
-#  };
-
-  programs = {                              # No xbacklight, this is the alterantive
-    zsh.enable = true;
-    dconf.enable = true;
-    ssh.startAgent = false;
-    gnupg.agent = {
       enable = true;
-      enableSSHSupport = true;
-      pinentryFlavor = "curses";
+      pkiBundle = "/etc/secureboot";
     };
   };
 
-  services = {
-    #auto-cpufreq.enable = true;
-    blueman.enable = true;
-    printing = {                            # Printing and drivers for TS5300
-      enable = true;
-      drivers = [ pkgs.gutenprint ];
-    };
-    #avahi = {                               # Needed to find wireless printer
-    #  enable = true;
-    #  nssmdns = true;
-    #  publish = {                           # Needed for detecting the scanner
-    #    enable = true;
-    #    addresses = true;
-    #    userServices = true;
-    #  };
-    #};
-    hardware.openrgb = {
-        enable = true;
-        motherboard = "amd";
-    };
-
-  };
-
-  #temporary bluetooth fix
-#  systemd.tmpfiles.rules = [
-#    "d /var/lib/bluetooth 700 root root - -"
-#  ];
-#  systemd.targets."bluetooth".after = ["systemd-tmpfiles-setup.service"];
+  environment.systemPackages = [pkgs.linux-firmware];
 }

hosts/desktop/hardware-configuration.nix

@@ -10,17 +10,21 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
   imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")] ++
-      [( import ../../modules/hardware/backup.nix )];
+    [(modulesPath + "/installer/scan/not-detected.nix")]
+    ++ [(import ../../modules/hardware/backup.nix)];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
+  boot.kernelModules = ["kvm-amd" "nct6775"];
+  boot.extraModulePackages = [];
   boot.tmp.useTmpfs = false;
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
@@ -34,109 +38,148 @@
   };
 
   services.btrbk = {
-      instances = {
-          hf = {
-              onCalendar = "hourly";
-              settings = {
-                  incremental = "yes";
-                  snapshot_create = "ondemand";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
+    extraPackages = [pkgs.lz4 pkgs.mbuffer];
+    instances = {
+      hf = {
+        onCalendar = "hourly";
+        settings = {
+          incremental = "yes";
+          snapshot_create = "ondemand";
+          snapshot_dir = "@snapshots";
+          timestamp_format = "long";
 
-                  snapshot_preserve = "2m 2w 5d 5h";
-                  snapshot_preserve_min = "latest";
-                
-                  volume =  {
-                      "/mnt/snapshots/root" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                              "@home" = {};
-                          };
-                      };
-                  };
+          snapshot_preserve = "2m 2w 5d 5h";
+          snapshot_preserve_min = "latest";
+
+          volume = {
+            "/mnt/snapshots/root" = {
+              snapshot_create = "always";
+              subvolume = {
+                "@home" = {};
               };
+            };
           };
+        };
       };
+      bak = {
+        onCalendar = "daily";
+        settings = {
+          stream_buffer = "256m";
+          stream_compress = "lz4";
+          incremental = "yes";
+          snapshot_create = "no";
+          snapshot_dir = "@snapshots";
+          timestamp_format = "long";
+
+          snapshot_preserve_min = "all";
+          target_preserve_min = "no";
+          target_preserve = "4w 3d";
+
+          ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
+          ssh_user = "btrbk";
+
+          volume = {
+            "/mnt/snapshots/root" = {
+              subvolume = {
+                "@home" = {};
+              };
+              target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@hades";
+            };
+          };
+        };
+      };
+    };
   };
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
+  systemd.timers = {
+    btrbk-bak = {
+      after = ["network-online.target"];
+      requires = ["network-online.target"];
     };
+  };
 
-  fileSystems."/home" =
-    { device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
+  };
 
-  fileSystems."/srv" =
-    { device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
-    };
+  fileSystems."/home" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
 
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
-    };
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
 
-  fileSystems."/swap" =
-    { device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
-    };
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
 
-  fileSystems."/mnt/snapshots/root" =
-    { device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
-    };
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1";
-      fsType = "vfat";
-    };
+  fileSystems."/mnt/snapshots/root" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
 
-  fileSystems."/mnt/Pluto" =
-    { device = "jupiter:/Pluto";
-      fsType = "nfs";
-      options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1";
+    fsType = "vfat";
+  };
 
-  fileSystems."/mnt/Mars" =
-    { device = "jupiter:/Mars";
-      fsType = "nfs";
-      options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
-    };
+  fileSystems."/mnt/Pluto" = {
+    device = "jupiter:/Pluto";
+    fsType = "nfs";
+    options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
+  };
 
+  fileSystems."/mnt/Mars" = {
+    device = "jupiter:/Mars";
+    fsType = "nfs";
+    options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
+  };
+
+  swapDevices = [{device = "/swap/swapfile";}];
 
-  swapDevices = [ { device = "/swap/swapfile"; } ];
-  
   networking = {
-    useDHCP = false;                        # Deprecated
+    useDHCP = false; # Deprecated
     hostName = "hades";
     networkmanager = {
-      enable = false;
+      enable = true;
+    };
+    firewall = {
+      enable = true;
+      allowedUDPPorts = [24727];
+      allowedTCPPorts = [24727];
     };
   };
 
-  systemd.network = {
-      enable = true;
-      networks = {
-          "10-lan" = {
-              matchConfig.Name = "enp34s0";
-              ntp = [ "192.168.2.1" ];
-              domains = [ "home.opel-online.de" ];
-              networkConfig = {
-                DHCP = "yes";
-                IPv6AcceptRA = true;
-              };
-          };
-      };
-  };
+  #  systemd.network = {
+  #      enable = true;
+  #      networks = {
+  #          "10-lan" = {
+  #              matchConfig.Name = "eno1";
+  #              ntp = [ "192.168.2.1" ];
+  #              domains = [ "home.opel-online.de" ];
+  #              networkConfig = {
+  #                DHCP = "yes";
+  #                IPv6AcceptRA = true;
+  #              };
+  #          };
+  #      };
+  #  };
 
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   #powerManagement.powertop.enable = true;

hosts/desktop/home.nix

@@ -1,61 +1,26 @@
 #
-#  Home-manager configuration for laptop
-#
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │       └─ home.nix *
-#   └─ ./modules
-#       └─ ./desktop
-#           └─ ./hyprland
-#              └─ hyprland.nix
+#  Hades desktop — home-manager host-specific additions
+#  (WM home config is loaded by modules/desktop based on myDesktop.windowManager)
 #
+{pkgs, ...}: {
+  imports = [
+    ../../modules/home.nix # cmds / theme options
+  ];
 
-{ pkgs, ... }:
+  home.packages = with pkgs; [
+    chromium
+    thunderbird
+    streamlink
+    streamlink-twitch-gui-bin
+    pulsemixer
+    nitrokey-app
+    kicad
+  ];
 
-{
-  imports =
-    [
-      #../../modules/wm/hyprland/home.nix # Window Manager
-      ../../modules/wm/sway/home.nix # Window Manager
-      ../../modules/home.nix # Window Manager
-    ];
-
-  home = {                                # Specific packages for laptop
-    packages = with pkgs; [
-      # Applications
-      #freecad                         # Office packages
-      #firefox
-      chromium
-      thunderbird
-      streamlink
-      streamlink-twitch-gui-bin
-      element-desktop
-      nheko
-      pulsemixer
-      #yubioath-flutter
-      nitrokey-app
-      kicad
-      yuzu-mainline
-
-      # Display
-      #light                              # xorg.xbacklight not supported. Other option is just use xrandr.
-
-      # Power Management
-      #auto-cpufreq                       # Power management
-      #tlp                                # Power management
-    ];
-  };
-
-  programs = {
-    alacritty.settings.font.size = 11;
-  };
-
-  services = {                            # Applets
-   blueman-applet.enable = true;         # Bluetooth
-   network-manager-applet.enable = true; # Network
+  services = {
+    blueman-applet.enable = true;
+    network-manager-applet.enable = true;
   };
 
   xsession.preferStatusNotifierItems = true;
-
 }

hosts/dmz/default.nix

@@ -1,60 +1,46 @@
 #
-#  Specific system configuration settings for desktop
+#  DMZ — demilitarised zone server configuration
 #
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │        ├─ default.nix *
-#   │        └─ hardware-configuration.nix       
-#   └─ ./modules
-#       ├─ ./desktop
-#       │   └─ ./hyprland
-#       │       └─ hyprland.nix
-#       ├─ ./modules
-#       │   └─ ./programs
-#       │       └─ waybar.nix
-#       └─ ./hardware
-#           └─ default.nix
-#
-
-{ config, pkgs, user, agenix, impermanence, ... }:
-
 {
-  imports =                                                         # For now, if applying to other system, swap files
-    [(import ./hardware-configuration.nix)] ++                      # Current system hardware config @ /etc/nixos/hardware-configuration.nix
-    [(import ../../modules/wm/virtualisation/docker.nix)] ++   # Docker
-    [(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++   # Docker
-    (import ../../modules/services/dmz) ++                       # Server Services
-    (import ../../modules/hardware);                                # Hardware devices
+  config,
+  pkgs,
+  user,
+  agenix,
+  impermanence,
+  ...
+}: {
+  imports =
+    [
+      ./hardware-configuration.nix
+      ../../modules/server
+    ]
+    ++ (import ../../modules/services/dmz);
 
-  boot = {                                  # Boot options
+  # ── Server module options ───────────────────────────────────────────────
+  myServer.virtualisation.enable = true;
+  myServer.virtualisation.cpu = "intel";
+
+  # ── Host-specific settings ──────────────────────────────────────────────
+  boot = {
     kernelPackages = pkgs.linuxPackages_latest;
-
-    loader = {                              # EFI Boot
+    loader = {
       systemd-boot.enable = true;
-      efi = {
-        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
-      };
-      timeout = 1;                          # Grub auto select time
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot";
+      timeout = 1;
     };
   };
 
-  programs = {                              # No xbacklight, this is the alterantive
-    zsh.enable = true;
-  };
-
   services = {
     qemuGuest.enable = true;
-    avahi = {                               # Needed to find wireless printer
+    avahi = {
       enable = true;
-      nssmdns = true;
-      publish = {                           # Needed for detecting the scanner
+      nssmdns4 = true;
+      publish = {
         enable = true;
         addresses = true;
         userServices = true;
       };
     };
   };
-
 }

hosts/dmz/hardware-configuration.nix

@@ -10,17 +10,21 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
 
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
+  boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk"];
+  boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
   boot.tmp.useTmpfs = false;
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
@@ -33,72 +37,74 @@
     ];
   };
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
+  };
 
-  fileSystems."/home" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
-    };
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
 
-  fileSystems."/srv" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
-    };
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
 
-  fileSystems."/var" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async" ];
-    };
+  fileSystems."/var" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
+  };
 
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
-    };
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
 
-  fileSystems."/swap" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
-    };
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
+  };
 
-  fileSystems."/mnt/snapshots/root" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
-    };
+  fileSystems."/mnt/snapshots/root" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
+
+  swapDevices = [];
 
-  swapDevices = [  ];
-  
   systemd.network = {
-      enable = true;
-      networks = {
-          "10-lan" = {
-              matchConfig.Name = "enp6s18";
-              ntp = [ "192.168.101.1" ];
-              domains = [ "home.opel-online.de" ];
-              networkConfig = {
-                DHCP = "yes";
-                IPv6AcceptRA = true;
-              };
-          };
+    enable = true;
+    networks = {
+      "10-lan" = {
+        matchConfig.Name = "ens18";
+        ntp = ["192.168.101.1"];
+        domains = ["home.opel-online.de"];
+        networkConfig = {
+          DHCP = "yes";
+          IPv6AcceptRA = true;
+        };
+        dns = [
+          "192.168.101.1"
+        ];
       };
+    };
   };
   networking = {
-    useDHCP = false;                        # Deprecated
+    useDHCP = false; # Deprecated
     hostName = "dmz";
     firewall = {
       enable = true;
-      allowedUDPPorts = [  ];
-      allowedTCPPorts = [  ];
+      allowedUDPPorts = [];
+      allowedTCPPorts = [80 443];
     };
   };
-
 }

hosts/dmz/home.nix

@@ -10,22 +10,16 @@
 #           └─ ./hyprland
 #              └─ hyprland.nix
 #
+{pkgs, ...}: {
+  imports = [
+    ../../modules/home.nix # Window Manager
+  ];
 
-{ pkgs, ... }:
-
-{
-  imports =
-    [
-      ../../modules/home.nix # Window Manager
-    ];
-
-  home = {                                # Specific packages for laptop
+  home = {
+    # Specific packages for laptop
     packages = with pkgs; [
       # Applications
 
-      # Display
-      #light                              # xorg.xbacklight not supported. Other option is just use xrandr.
-
       # Power Management
       #auto-cpufreq                       # Power management
       #tlp                                # Power management
@@ -35,5 +29,4 @@
   programs = {
     alacritty.settings.font.size = 11;
   };
-
 }

hosts/fuji/default.nix

@@ -0,0 +1,90 @@
+#
+#  Specific system configuration settings for desktop
+#
+#  flake.nix
+#   ├─ ./hosts
+#   │   └─ ./laptop
+#   │        ├─ default.nix *
+#   │        └─ hardware-configuration.nix
+#   └─ ./modules
+#       ├─ ./desktop
+#       │   └─ ./hyprland
+#       │       └─ hyprland.nix
+#       ├─ ./modules
+#       │   └─ ./programs
+#       │       └─ waybar.nix
+#       └─ ./hardware
+#           └─ default.nix
+#
+{
+  config,
+  nixpkgs,
+  pkgs,
+  user,
+  lib,
+  ...
+}: {
+  imports =
+    # For now, if applying to other system, swap files
+    [(import ./hardware-configuration.nix)]
+    ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
+    [(import ../../modules/wm/sway/default.nix)]
+    ++ # Window Manager
+    (import ../../modules/wm/virtualisation)
+    ++ # libvirt + Docker
+    [(import ../../modules/wm/virtualisation/kvm-amd.nix)]
+    ++ # kvm module options
+    (import ../../modules/hardware); # Hardware devices
+
+  boot = {
+    # Boot options
+    kernelPackages = pkgs.linuxPackages_latest;
+
+    loader = {
+      # EFI Boot
+      systemd-boot.enable = lib.mkForce false;
+      efi = {
+        canTouchEfiVariables = true;
+        efiSysMountPoint = "/boot";
+      };
+      timeout = 1; # Grub auto select time
+    };
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+  };
+
+  #  hardware.sane = {                           # Used for scanning with Xsane
+  #    enable = false;
+  #    extraBackends = [ pkgs.sane-airscan ];
+  #  };
+  #  hardware = {
+  #    nitrokey.enable = true;
+  #  };
+
+  #  environment = {
+  #    systemPackages = with pkgs; [
+  ##      simple-scan
+  ##       intel-media-driver
+  ##       alacritty
+  #    ];
+  #  };
+
+  services = {
+    #auto-cpufreq.enable = true;
+    blueman.enable = true;
+    avahi = {
+      # Needed to find wireless printer
+      enable = true;
+      nssmdns4 = true;
+      publish = {
+        # Needed for detecting the scanner
+        enable = true;
+        addresses = true;
+        userServices = true;
+      };
+    };
+  };
+}

hosts/fuji/hardware-configuration.nix

@@ -0,0 +1,141 @@
+#
+# Hardware settings for Teclast F5 10" Laptop
+# NixOS @ sda2
+#
+# flake.nix
+#  └─ ./hosts
+#      └─ ./laptop
+#          └─ hardware-configuration.nix *
+#
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports =
+    [(modulesPath + "/installer/scan/not-detected.nix")]
+    ++ [(import ../../modules/hardware/backup.nix)];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+  boot.tmp.useTmpfs = false;
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+
+  services.btrfs.autoScrub = {
+    enable = true;
+    interval = "monthly";
+    fileSystems = [
+      "/"
+    ];
+  };
+
+  services.btrbk = {
+    instances = {
+      hf = {
+        onCalendar = "hourly";
+        settings = {
+          incremental = "yes";
+          snapshot_create = "ondemand";
+          snapshot_dir = "@snapshots";
+          timestamp_format = "long";
+
+          snapshot_preserve = "2m 2w 5d 5h";
+          snapshot_preserve_min = "latest";
+
+          volume = {
+            "/mnt/snapshots/root" = {
+              snapshot_create = "always";
+              subvolume = {
+                "@home" = {};
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
+
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
+
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
+  };
+
+  fileSystems."/mnt/snapshots/root" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1";
+    fsType = "vfat";
+  };
+
+  swapDevices = [{device = "/swap/swapfile";}];
+
+  networking = {
+    useDHCP = false; # Deprecated
+    hostName = "fuji";
+    networkmanager = {
+      enable = false;
+    };
+    firewall = {
+      enable = true;
+      #allowedUDPPorts = [ 24727 ];
+      #allowedTCPPorts = [ 24727 ];
+    };
+  };
+
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-lan" = {
+        matchConfig.Name = "eno1";
+        ntp = ["192.168.2.1"];
+        networkConfig = {
+          DHCP = "yes";
+          IPv6AcceptRA = true;
+        };
+      };
+    };
+  };
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  #powerManagement.powertop.enable = true;
+  powerManagement = {
+    scsiLinkPolicy = "med_power_with_dipm";
+  };
+}

hosts/fuji/home.nix

@@ -0,0 +1,42 @@
+#
+#  Home-manager configuration for laptop
+#
+#  flake.nix
+#   ├─ ./hosts
+#   │   └─ ./laptop
+#   │       └─ home.nix *
+#   └─ ./modules
+#       └─ ./desktop
+#           └─ ./hyprland
+#              └─ hyprland.nix
+#
+{pkgs, ...}: {
+  imports = [
+    #../../modules/wm/hyprland/home.nix # Window Manager
+    #../../modules/wm/kde/home.nix # Window Manager
+    ../../modules/home.nix # Window Manager
+  ];
+
+  home = {
+    # Specific packages for laptop
+    packages = with pkgs; [
+      # Applications
+      #firefox
+      chromium
+      thunderbird
+      streamlink
+      streamlink-twitch-gui-bin
+      element-desktop
+      #nheko
+      pulsemixer
+    ];
+  };
+
+  services = {
+    # Applets
+    #blueman-applet.enable = true;         # Bluetooth
+    network-manager-applet.enable = true; # Network
+  };
+
+  xsession.preferStatusNotifierItems = true;
+}

hosts/home.nix

@@ -14,122 +14,130 @@
 #       └─ ./shell
 #           └─ default.nix
 #
-
-{ config, lib, pkgs, user, ... }:
-
-{ 
-  imports =                                   # Home Manager Modules
-    (import ../modules/editors) ++
-    (import ../modules/programs) ++
-    (import ../modules/programs/configs) ++
-    (import ../modules/services) ++
-    (import ../modules/shell);
+{
+  config,
+  lib,
+  pkgs,
+  user,
+  ...
+}: {
+  imports =
+    (import ../modules/editors)
+    ++ (import ../modules/programs)
+    ++ (import ../modules/programs/configs)
+    ++ (import ../modules/services)
+    ++ (import ../modules/shell);
 
   home = {
     username = "${user}";
     homeDirectory = "/home/${user}";
 
     packages = with pkgs; [
-# Terminal
-      pfetch            # Minimal fetch
-      ranger            # File Manager
-      gnupg             # sign and authorize 2nd Fac
+      # Terminal
+      pfetch # Minimal fetch
+      ranger # File Manager
+      gnupg # sign and authorize 2nd Fac
 
       xdg-utils
       steam
       wakelan
 
-# dev ols
+      # dev ols
       gcc
       gnumake
       gnupatch
       gnulib
+      screen
       yubioath-flutter
       nitrokey-app
+      claude-code
 
       tailscale
       wireguard-tools
 
-# VideAudio
-      mpv               # Media Player
-      youtube-dl
+      # VideAudio
+      mpv # Media Player
 
-# Apps
-      galculator
-      tdesktop
+      # Apps
+      qalculate-qt
       hdparm
-      python3Full
+      python3
       android-tools
-      calibre
+      #calibre
       mtpfs
       vimiv-qt
       freecad
+      discord
+      vesktop
+      element-desktop
 
-# Fileanagement
-      #okular            # PDF viewer
-      #gnome.file-roller # Archive Manager
-      ark
-      pcmanfm           # File Manager
-      rsync             # Syncer $ rsync -r dir1/ dir2/
-      unzip             # Zip files
-      unrar             # Rar files
+      # Fileanagement
+      kdePackages.ark
+      pcmanfm # File Manager
+      rsync # Syncer $ rsync -r dir1/ dir2/
+      unzip # Zip files
+      unrar # Rar files
       papirus-icon-theme
+      arc-theme
 
-# Genel configuration
+      # General configuration
       keepassxc
       libreoffice
+      gimp
 
       # Flatpak
-      prusa-slicer
       #vscodium
       (vscode-with-extensions.override {
-          vscode = vscodium;
-          vscodeExtensions = with vscode-extensions; [
-            vscodevim.vim
-            github.copilot
-            #ms-python.python
-            ms-vscode.cpptools
-            dracula-theme.theme-dracula
-            catppuccin.catppuccin-vsc
-            catppuccin.catppuccin-vsc-icons
-
-          ];
+        vscode = vscodium;
+        vscodeExtensions = with vscode-extensions; [
+          vscodevim.vim
+          github.copilot
+          #ms-python.python
+          ms-vscode.cpptools
+          catppuccin.catppuccin-vsc-icons
+          catppuccin.catppuccin-vsc
+        ];
       })
+
+      sdkmanager
     ];
+
     file.".config/wall".source = ../modules/themes/wall.jpg;
     file.".config/lockwall".source = ../modules/themes/lockwall.jpg;
-    pointerCursor = {                         # This will set cursor systemwide so applications can not choose their own
-      name = "Dracula-cursors";
-      package = pkgs.dracula-theme;
-      size = 16;
-      gtk.enable = true;
-    };
+    #    pointerCursor = {                         # This will set cursor systemwide so applications can not choose their own
+    #      name = "Dracula-cursors";
+    #      package = pkgs.dracula-theme;
+    #      size = 16;
+    #      gtk.enable = true;
+    #    };
     stateVersion = "23.05";
   };
 
   programs = {
     home-manager.enable = true;
+    alacritty = {
+      settings.font.size = 11;
+    };
   };
 
-
-#  gtk = {                                     # Theming
-#    enable = true;
-#    theme = {
-#      name = "Dracula";
-#      package = pkgs.dracula-theme;
-#    };
-#    iconTheme = {
-#      name = "Papirus-Dark";
-#      package = pkgs.papirus-icon-theme;
-#    };
-#    font = {
-#      name = "Cascadia Code";         # or FiraCode Nerd Font Mono Medium
-#    };                                        # Cursor is declared under home.pointerCursor
-#  };
+  #  gtk = {                                     # Theming
+  #    enable = true;
+  #    theme = {
+  #      name = "Dracula";
+  #      package = pkgs.dracula-theme;
+  #    };
+  #    iconTheme = {
+  #      name = "Papirus-Dark";
+  #      package = pkgs.papirus-icon-theme;
+  #    };
+  #    font = {
+  #      name = "Cascadia Code";         # or FiraCode Nerd Font Mono Medium
+  #    };                                        # Cursor is declared under home.pointerCursor
+  #  };
   systemd.user.services.mpris-proxy = {
     Unit.Description = "Mpris proxy";
-    Unit.After = [ "network.target" "sound.target" ];
+    Unit.After = ["network.target" "sound.target"];
     Service.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
-    Install.WantedBy = [ "default.target" ];
+    Install.WantedBy = ["default.target"];
   };
 }

hosts/home_server.nix

@@ -14,12 +14,17 @@
 #       └─ ./shell
 #           └─ default.nix
 #
-
-{ config, lib, pkgs, user, ... }:
-
-{ 
-  imports =                                   # Home Manager Modules
-    (import ../modules/editors) ++
+{
+  config,
+  lib,
+  pkgs,
+  user,
+  ...
+}: {
+  imports =
+    # Home Manager Modules
+    (import ../modules/editors)
+    ++
     #(import ../modules/programs) ++
     #(import ../modules/programs/configs) ++
     #(import ../modules/services) ++
@@ -31,24 +36,23 @@
 
     packages = with pkgs; [
       # Terminal
-      pfetch            # Minimal fetch
-      ranger            # File Manager
-      gnupg             # sign and authorize 2nd Fac
-    
+      pfetch # Minimal fetch
+      ranger # File Manager
+      gnupg # sign and authorize 2nd Fac
+
       #xdg-utils
-      
+
       # Video/Audio
       #libva-utils       # vainfo
 
       # Apps
       hdparm
-      python3Full
+      python3
 
       # File Management
-      rsync             # Syncer $ rsync -r dir1/ dir2/
+      rsync # Syncer $ rsync -r dir1/ dir2/
       #unzip             # Zip files
       #unrar             # Rar files
-
     ];
     stateVersion = "23.11";
   };

hosts/jupiter/default.nix

@@ -1,74 +1,62 @@
 #
-#  Specific system configuration settings for desktop
+#  Jupiter — NAS server configuration
 #
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │        ├─ default.nix *
-#   │        └─ hardware-configuration.nix       
-#   └─ ./modules
-#       ├─ ./desktop
-#       │   └─ ./hyprland
-#       │       └─ hyprland.nix
-#       ├─ ./modules
-#       │   └─ ./programs
-#       │       └─ waybar.nix
-#       └─ ./hardware
-#           └─ default.nix
-#
-
-{ config, pkgs, user, ... }:
-
 {
-  imports =                                                         # For now, if applying to other ssystem, swap files
-    [(import ./hardware-configuration.nix)] ++                      # Current system hardware config @ /etc/nixos/hardware-configuration.nix
-    #(import ../../modules/wm/virtualisation) ++   # Docker
-    (import ../../modules/services/nas) ++                       # Server Services
-    (import ../../modules/hardware);                                # Hardware devices
+  config,
+  pkgs,
+  inputs,
+  user,
+  ...
+}: {
+  imports =
+    [
+      ./hardware-configuration.nix
+      ../../modules/server
+    ]
+    ++ (import ../../modules/services/nas);
 
-  boot = {                                  # Boot options
+  # ── Server module options ───────────────────────────────────────────────
+  # No virtualisation on the NAS
+
+  # ── Host-specific settings ──────────────────────────────────────────────
+
+  # Example: host-specific overlay — only jupiter gets these packages in its pkgs.
+  # nixpkgs.overlays = [
+  #   (final: prev: {
+  #     corosync-qdevice = (import ../../packages { pkgs = prev; }).corosync-qdevice;
+  #     firefox          = inputs.nixpkgs-unstable.legacyPackages.${prev.system}.firefox;
+  #   })
+  # ];
+
+  boot = {
     kernelPackages = pkgs.linuxPackages_latest;
-
-    loader = {                              # EFI Boot
+    loader = {
       systemd-boot.enable = true;
-      efi = {
-        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
-      };
-      timeout = 1;                          # Grub auto select time
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot";
+      timeout = 1;
     };
   };
 
-#  environment = {
-#    systemPackages = with pkgs; [
-##      simple-scan
-##       intel-media-driver
-##       alacritty
-#    ];
-#  };
-
-  programs = {                              # No xbacklight, this is the alterantive
-    zsh.enable = true;
+  programs = {
     ssh.startAgent = false;
     gnupg.agent = {
       enable = false;
       enableSSHSupport = true;
-      pinentryFlavor = "curses";
+      pinentryPackage = pkgs.pinentry-curses;
     };
   };
 
   services = {
     qemuGuest.enable = true;
-    avahi = {                               # Needed to find wireless printer
+    avahi = {
       enable = true;
-      nssmdns = true;
-      publish = {                           # Needed for detecting the scanner
+      nssmdns4 = true;
+      publish = {
         enable = true;
         addresses = true;
         userServices = true;
       };
     };
-
   };
-
 }

hosts/jupiter/hardware-configuration.nix

@@ -10,18 +10,22 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
   imports =
-    [(modulesPath + "/profiles/qemu-guest.nix")] ++
-    [( import ../../modules/hardware/backup.nix )];
+    [(modulesPath + "/profiles/qemu-guest.nix")]
+    ++ [(import ../../modules/hardware/backup.nix)];
 
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [  ];
+  boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk"];
+  boot.initrd.kernelModules = [];
   boot.initrd.secrets = {
     "/root/NASKeyfile" =
-        /root/NASKeyfile;
+      /root/NASKeyfile;
   };
   boot.initrd.luks.devices = {
     NAS-RAID1 = {
@@ -33,8 +37,8 @@
       keyFile = "/root/NASKeyfile";
     };
   };
-  boot.kernelModules = [  ];
-  boot.extraModulePackages = [ ];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
   boot.tmp.useTmpfs = false;
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
@@ -50,173 +54,174 @@
   };
 
   services.btrbk = {
-      instances = {
-          hf = {
-              onCalendar = "hourly";
-              settings = {
-                  incremental = "yes";
-                  snapshot_create = "ondemand";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
+    extraPackages = [pkgs.lz4 pkgs.mbuffer];
+    instances = {
+      hf = {
+        onCalendar = "hourly";
+        settings = {
+          incremental = "yes";
+          snapshot_create = "ondemand";
+          snapshot_dir = "@snapshots";
+          timestamp_format = "long";
 
-                  snapshot_preserve = "2m 2w 5d 5h";
-                  snapshot_preserve_min = "latest";
-                
-                  volume =  {
-                      "/mnt/snapshots/root" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                              "@" = {};
-                              "@home" = {};
-                          };
-                      };
-                  };
-                  volume =  {
-                      "/mnt/snapshots/Mars" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                              "@nas" = {};
-                          };
-                      };
-                  };
-              };
-          };
-          lf = {
-              onCalendar = "daily";
-              settings = {
-                  incremental = "yes";
-                  snapshot_create = "ondemand";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
+          snapshot_preserve = "2w 5d 5h";
+          snapshot_preserve_min = "latest";
 
-                  snapshot_preserve = "2m 2w 5d";
-                  snapshot_preserve_min = "latest";
-                
-                  volume =  {
-                      "/mnt/snapshots/Pluto" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                            "@" = {};
-                            "@/Backups" = {};
-                            "@/Games" = {};
-                            "@/IT" = {};
-                            "@/Media" = {};
-                            "@/Pictures" = {};
-                            "@/Rest" = {};
-                          };
-                      };
-                  };
+          volume = {
+            "/mnt/snapshots/root" = {
+              snapshot_create = "always";
+              subvolume = {
+                "@" = {};
+                "@home" = {};
               };
+            };
           };
+          volume = {
+            "/mnt/snapshots/Mars" = {
+              snapshot_create = "always";
+              subvolume = {
+                "@nas" = {};
+              };
+            };
+          };
+        };
       };
+      lf = {
+        onCalendar = "daily";
+        settings = {
+          incremental = "yes";
+          snapshot_create = "ondemand";
+          snapshot_dir = "@snapshots";
+          timestamp_format = "long";
+
+          snapshot_preserve = "2m 2w 5d";
+          snapshot_preserve_min = "latest";
+
+          volume = {
+            "/mnt/snapshots/Pluto" = {
+              snapshot_create = "always";
+              subvolume = {
+                "@" = {};
+                "@/Backups" = {};
+                "@/Games" = {};
+                "@/IT" = {};
+                "@/Media" = {};
+                "@/Pictures" = {};
+                "@/Rest" = {};
+              };
+            };
+          };
+        };
+      };
+    };
   };
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
+  };
 
-  fileSystems."/home" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
-    };
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
 
-  fileSystems."/srv" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
-    };
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
 
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
-    };
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
 
-  fileSystems."/swap" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
-    };
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
+  };
 
-    fileSystems."/mnt/snapshots/root" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
-    };
+  fileSystems."/mnt/snapshots/root" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
 
-    fileSystems."/mnt/snapshots/Mars" =
-    { device = "/dev/disk/by-label/MARS";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
-    };
+  fileSystems."/mnt/snapshots/Mars" = {
+    device = "/dev/disk/by-label/MARS";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
 
-  fileSystems."/mnt/snapshots/Pluto" =
-    { device = "/dev/disk/by-label/NAS-RAID";
-      fsType = "btrfs";
-      options = [ "compress=zstd:8,noatime,subvolid=5" ];
-    };
+  fileSystems."/mnt/snapshots/Pluto" = {
+    device = "/dev/disk/by-label/NAS-RAID";
+    fsType = "btrfs";
+    options = ["compress=zstd:8,noatime,subvolid=5"];
+  };
 
-  fileSystems."/mnt/Pluto" =
-    { device = "/dev/disk/by-label/NAS-RAID";
-      fsType = "btrfs";
-      options = [ "compress=zstd:8,noatime,subvol=@" ];
-    };
+  fileSystems."/mnt/Pluto" = {
+    device = "/dev/disk/by-label/NAS-RAID";
+    fsType = "btrfs";
+    options = ["compress=zstd:8,noatime,subvol=@"];
+  };
 
-  fileSystems."/mnt/Mars" =
-    { device = "/dev/disk/by-label/MARS";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nas,discard=async" ];
-    };
+  fileSystems."/mnt/Mars" = {
+    device = "/dev/disk/by-label/MARS";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nas,discard=async"];
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-label/NIXBOOT";
-      fsType = "vfat";
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/NIXBOOT";
+    fsType = "vfat";
+  };
 
-  fileSystems."/export/Pluto" =
-    { device = "/mnt/Pluto";
-      options = [ "bind" ];
+  fileSystems."/export/Pluto" = {
+    device = "/mnt/Pluto";
+    options = ["bind"];
+  };
+
+  fileSystems."/export/Mars" = {
+    device = "/mnt/Mars";
+    options = ["bind"];
+  };
+
+  swapDevices = [{device = "/swap/swapfile";}];
+
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-lan" = {
+        matchConfig.Name = "ens18";
+        ntp = ["192.168.2.1"];
+        domains = ["home.opel-online.de"];
+        networkConfig = {
+          DHCP = "yes";
+          IPv6AcceptRA = true;
+          IPv6PrivacyExtensions = false;
+        };
+        ipv6AcceptRAConfig = {
+          DHCPv6Client = "always";
+          UseDNS = true;
+        };
+        dhcpV4Config = {
+          UseDNS = true;
+        };
+        dhcpV6Config = {
+          UseDNS = true;
+        };
+      };
     };
- 
-  fileSystems."/export/Mars" =
-    { device = "/mnt/Mars";
-      options = [ "bind" ];
-    };
- 
-  swapDevices = [ { device = "/swap/swapfile"; } ];
-  
+  };
   networking = {
     hostName = "jupiter";
     domain = "home.opel-online.de";
-    networkmanager = {
-      enable = false;
-    };
-    timeServers = [
-        "192.168.2.1"
-    ];
-    interfaces = {
-      enp6s18 = {
-        useDHCP = true;                     # For versatility sake, manually edit IP on nm-applet.
-#        ipv4.addresses = [ {
-#            address = "45.142.114.153";
-#            prefixLength = 24;
-#        } ];
-#        ipv6.addresses = [ {
-#            address = "2a00:ccc1:101:19D::2";
-#            prefixLength = 64;
-#        } ];
-#      };
-      };
-    };
-#    defaultGateway = "45.142.114.1";
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "enp6s18";
-    };
-#    nameservers = [ "9.9.9.9" "2620:fe::fe" ];
+    useDHCP = false; # For versatility sake, manually edit IP on nm-applet.
     #firewall = {
     #  enable = false;
     #  #allowedUDPPorts = [ 53 67 ];
@@ -228,10 +233,9 @@
   powerManagement = {
     cpuFreqGovernor = lib.mkDefault "powersave";
     powertop.enable = true;
-    scsiLinkPolicy = "med_power_with_dipm";
+    #scsiLinkPolicy = "med_power_with_dipm";
     powerUpCommands = ''
       ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088
     '';
   };
-  
 }

hosts/jupiter/home.nix

@@ -10,22 +10,16 @@
 #           └─ ./hyprland
 #              └─ hyprland.nix
 #
+{pkgs, ...}: {
+  imports = [
+    ../../modules/home.nix # Window Manager
+  ];
 
-{ pkgs, ... }:
-
-{
-  imports =
-    [
-      ../../modules/home.nix # Window Manager
-    ];
-
-  home = {                                # Specific packages for laptop
+  home = {
+    # Specific packages for laptop
     packages = with pkgs; [
       # Applications
 
-      # Display
-      #light                              # xorg.xbacklight not supported. Other option is just use xrandr.
-
       # Power Management
       #auto-cpufreq                       # Power management
       #tlp                                # Power management
@@ -35,5 +29,4 @@
   programs = {
     alacritty.settings.font.size = 11;
   };
-
 }

hosts/kabtop/default.nix

@@ -1,112 +1,61 @@
 #
-#  Specific system configuration settings for desktop
+#  Kabtop — server configuration
 #
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │        ├─ default.nix *
-#   │        └─ hardware-configuration.nix       
-#   └─ ./modules
-#       ├─ ./desktop
-#       │   └─ ./hyprland
-#       │       └─ hyprland.nix
-#       ├─ ./modules
-#       │   └─ ./programs
-#       │       └─ waybar.nix
-#       └─ ./hardware
-#           └─ default.nix
-#
-
-{ config, pkgs, user, agenix, impermanence, ... }:
-
 {
-  imports =                                                         # For now, if applying to other system, swap files
-    [(import ./hardware-configuration.nix)] ++                      # Current system hardware config @ /etc/nixos/hardware-configuration.nix
-    [(import ../../modules/wm/virtualisation/docker.nix)] ++   # Docker
-    [(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++  # kvm module options
-    (import ../../modules/services/server) ++                       # Server Services
-    (import ../../modules/hardware);                                # Hardware devices
+  config,
+  pkgs,
+  user,
+  agenix,
+  impermanence,
+  ...
+}: {
+  imports =
+    [
+      ./hardware-configuration.nix
+      ../../modules/server
+    ]
+    ++ (import ../../modules/services/server);
 
-  boot = {                                  # Boot options
+  # ── Server module options ───────────────────────────────────────────────
+  myServer.virtualisation.enable = true;
+  myServer.virtualisation.cpu = "amd";
+  myServer.fail2ban.enable = true;
+
+  # ── Host-specific settings ──────────────────────────────────────────────
+  boot = {
     kernelPackages = pkgs.linuxPackages_latest;
-
-    loader = {                              # EFI Boot
-    grub = {
+    loader = {
+      grub = {
         enable = true;
         device = "/dev/sda";
-    };
-      timeout = 1;                          # Grub auto select time
+      };
+      timeout = 1;
     };
   };
 
-  environment = {
-    etc = {
-      "fail2ban/filter.d/open-webui.conf" = {
-        source = ../../modules/services/server/fail2ban/filter/open-webui.conf;
-        mode = "0444";
-      };
-      "fail2ban/filter.d/gitea.conf" = {
-        source = ../../modules/services/server/fail2ban/filter/gitea.conf;
-        mode = "0444";
-      };
-      "fail2ban/filter.d/nextcloud.conf" = {
-        source = ../../modules/services/server/fail2ban/filter/nextcloud.conf;
-        mode = "0444";
-      };
+  environment.etc = {
+    "fail2ban/filter.d/open-webui.conf" = {
+      source = ../../modules/services/server/fail2ban/filter/open-webui.conf;
+      mode = "0444";
+    };
+    "fail2ban/filter.d/gitea.conf" = {
+      source = ../../modules/services/server/fail2ban/filter/gitea.conf;
+      mode = "0444";
+    };
+    "fail2ban/filter.d/nextcloud.conf" = {
+      source = ../../modules/services/server/fail2ban/filter/nextcloud.conf;
+      mode = "0444";
     };
   };
 
-  programs = {                              # No xbacklight, this is the alterantive
-    zsh.enable = true;
+  programs = {
     ssh.startAgent = false;
     gnupg.agent = {
       enable = true;
       enableSSHSupport = true;
-      pinentryFlavor = "curses";
+      pinentryPackage = pkgs.pinentry-curses;
     };
   };
 
-  services = {
-    #auto-cpufreq.enable = true;
-    qemuGuest.enable = true;
-    avahi = {                               # Needed to find wireless printer
-      enable = true;
-      nssmdns = true;
-      publish = {                           # Needed for detecting the scanner
-        enable = true;
-        addresses = true;
-        userServices = true;
-      };
-    };
-    fail2ban = {
-        enable = true;
-        maxretry = 5;
-        jails.DEFAULT.settings = {
-           findtime = "15m";
-        };
-        jails = {
-            open-webui = ''
-              enabled = true
-              filter = open-webui
-              backend = systemd
-              action = iptables-allports
-            '';
-            gitea = ''
-              enabled = true
-              filter = gitea
-              backend = systemd
-              action = iptables-allports
-            '';
-            nextcloud = ''
-              backend = auto
-              enabled = true
-              filter = nextcloud
-              logpath = /var/lib/nextcloud/data/nextcloud.log
-              action = iptables-allports
-            '';
-          };
-    };
-
-  };
-
+  services.qemuGuest.enable = true;
 }

hosts/kabtop/hardware-configuration.nix

@@ -10,17 +10,21 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
 
-  boot.initrd.availableKernelModules = [  "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sd_mod" "sr_mod"];
+  boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
   boot.tmp.useTmpfs = false;
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
@@ -34,109 +38,112 @@
   };
 
   services.btrbk = {
-      instances = {
-          hf = {
-              onCalendar = "hourly";
-              settings = {
-                  incremental = "yes";
-                  snapshot_create = "ondemand";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
+    instances = {
+      hf = {
+        onCalendar = "hourly";
+        settings = {
+          incremental = "yes";
+          snapshot_create = "ondemand";
+          snapshot_dir = "@snapshots";
+          timestamp_format = "long";
 
-                  snapshot_preserve = "2m 2w 5d 5h";
-                  snapshot_preserve_min = "latest";
-                
-                  volume =  {
-                      "/mnt/snapshots/root" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                              "@" = {};
-                              "@home" = {};
-                          };
-                      };
-                  };
+          snapshot_preserve = "2m 2w 5d 5h";
+          snapshot_preserve_min = "latest";
+
+          volume = {
+            "/mnt/snapshots/root" = {
+              snapshot_create = "always";
+              subvolume = {
+                "@" = {};
+                "@home" = {};
+                "@var" = {};
               };
+            };
           };
+        };
       };
+    };
   };
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
+  };
 
-  fileSystems."/home" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
-    };
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
 
-  fileSystems."/srv" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
-    };
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
 
-  fileSystems."/var" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "space_cache=v2,ssd,noatime,subvol=@var,discard=async" ];
-    };
+  fileSystems."/var" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
+  };
 
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
-    };
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
 
-  fileSystems."/swap" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
-    };
-
-  fileSystems."/mnt/snapshots/root" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
-    };
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
+  };
 
+  fileSystems."/mnt/snapshots/root" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
 
   #swapDevices = [ { device = "/swap/swapfile"; } ];
-  swapDevices = [  ];
-  
+  swapDevices = [];
+
   networking = {
-    useDHCP = false;                        # Deprecated
+    useDHCP = false; # Deprecated
     hostName = "kabtop";
     domain = "kabtop.de";
     networkmanager = {
       enable = false;
     };
-    interfaces = {
-      ens18 = {
-        useDHCP = false;                     # For versatility sake, manually edit IP on nm-applet.
-        ipv4.addresses = [ {
-            address = "37.44.215.182";
-            prefixLength = 24;
-        } ];
-        ipv6.addresses = [ {
-            address = "2a13:7e80:0:ef::2";
-            prefixLength = 64;
-        } ];
-      };
-    };
-    defaultGateway = "37.44.215.1";
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "ens18";
-    };
-
-    nameservers = [ "9.9.9.9" "2620:fe::fe" ];
     firewall = {
       enable = true;
-      allowedUDPPorts = [  ];
-      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPorts = [];
+      allowedTCPPorts = [80 443];
+    };
+  };
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-lan" = {
+        matchConfig.Name = "ens18";
+
+        address = [
+          "37.44.215.182/24"
+          "2a13:7e80:0:ef::2/64"
+        ];
+
+        routes = [
+          {Gateway = "37.44.215.1";}
+          {Gateway = "fe80::1";}
+        ];
+
+        dns = [
+          "9.9.9.9"
+          "2620:fe::fe"
+        ];
+      };
     };
   };
 

hosts/kabtop/home.nix

@@ -10,22 +10,16 @@
 #           └─ ./hyprland
 #              └─ hyprland.nix
 #
+{pkgs, ...}: {
+  imports = [
+    ../../modules/home.nix # Window Manager
+  ];
 
-{ pkgs, ... }:
-
-{
-  imports =
-    [
-      ../../modules/home.nix # Window Manager
-    ];
-
-  home = {                                # Specific packages for laptop
+  home = {
+    # Specific packages for laptop
     packages = with pkgs; [
       # Applications
 
-      # Display
-      #light                              # xorg.xbacklight not supported. Other option is just use xrandr.
-
       # Power Management
       #auto-cpufreq                       # Power management
       #tlp                                # Power management
@@ -35,5 +29,4 @@
   programs = {
     alacritty.settings.font.size = 11;
   };
-
 }

hosts/kabtopci/default.nix

@@ -0,0 +1,34 @@
+#
+#  Kabtopci — CI server configuration
+#
+{
+  config,
+  pkgs,
+  user,
+  agenix,
+  impermanence,
+  ...
+}: {
+  imports =
+    [
+      ./hardware-configuration.nix
+      ../../modules/server
+    ]
+    ++ (import ../../modules/services/kabtopci);
+
+  # ── Server module options ───────────────────────────────────────────────
+  myServer.virtualisation.enable = true;
+  myServer.virtualisation.cpu = "amd";
+
+  # ── Host-specific settings ──────────────────────────────────────────────
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    loader = {
+      grub = {
+        enable = true;
+        device = "/dev/vda";
+      };
+      timeout = 1;
+    };
+  };
+}

hosts/kabtopci/hardware-configuration.nix

@@ -0,0 +1,115 @@
+#
+# Hardware settings for Teclast F5 10" Laptop
+# NixOS @ sda2
+#
+# flake.nix
+#  └─ ./hosts
+#      └─ ./laptop
+#          └─ hardware-configuration.nix *
+#
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [(modulesPath + "/installer/scan/not-detected.nix")];
+
+  boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sr_mod" "virtio_blk"];
+  boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+  boot.tmp.useTmpfs = false;
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+
+  services.btrfs.autoScrub = {
+    enable = true;
+    interval = "monthly";
+    fileSystems = [
+      "/"
+    ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
+
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
+
+  fileSystems."/var" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd:9,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
+
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
+  };
+
+  swapDevices = [];
+
+  networking = {
+    useDHCP = false; # Deprecated
+    hostName = "kabtopci";
+    domain = "ci.kabtop.de";
+    networkmanager = {
+      enable = false;
+    };
+    interfaces = {
+      ens3 = {
+        useDHCP = false; # For versatility sake, manually edit IP on nm-applet.
+        ipv4.addresses = [
+          {
+            address = "195.90.221.87";
+            prefixLength = 22;
+          }
+        ];
+        ipv6.addresses = [
+          {
+            address = "2a00:6800:3:d5b::2";
+            prefixLength = 64;
+          }
+        ];
+      };
+    };
+    defaultGateway = "195.90.220.1";
+    defaultGateway6 = {
+      address = "2a00:6800:3::1";
+      interface = "ens3";
+    };
+
+    nameservers = ["9.9.9.9" "2620:fe::fe"];
+    firewall = {
+      enable = true;
+      allowedUDPPorts = [];
+      allowedTCPPorts = [80 443];
+    };
+  };
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/kabtopci/home.nix

@@ -10,22 +10,16 @@
 #           └─ ./hyprland
 #              └─ hyprland.nix
 #
+{pkgs, ...}: {
+  imports = [
+    ../../modules/home.nix # Window Manager
+  ];
 
-{ pkgs, ... }:
-
-{
-  imports =
-    [
-      ../../modules/home.nix # Window Manager
-    ];
-
-  home = {                                # Specific packages for laptop
+  home = {
+    # Specific packages for laptop
     packages = with pkgs; [
       # Applications
 
-      # Display
-      #light                              # xorg.xbacklight not supported. Other option is just use xrandr.
-
       # Power Management
       #auto-cpufreq                       # Power management
       #tlp                                # Power management
@@ -35,5 +29,4 @@
   programs = {
     alacritty.settings.font.size = 11;
   };
-
 }

hosts/kubemaster-1/default.nix

@@ -0,0 +1,43 @@
+#
+#  Kubemaster-1 — Kubernetes master server configuration
+#
+{
+  config,
+  pkgs,
+  user,
+  agenix,
+  impermanence,
+  ...
+}: {
+  imports =
+    [
+      ./hardware-configuration.nix
+      ../../modules/server
+    ]
+    ++ (import ../../modules/services/kubemaster);
+
+  # ── Server module options ───────────────────────────────────────────────
+  myServer.virtualisation.enable = true;
+  myServer.virtualisation.cpu = "intel";
+
+  # ── Host-specific settings ──────────────────────────────────────────────
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot";
+      timeout = 1;
+    };
+  };
+
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      userServices = true;
+    };
+  };
+}

hosts/kubemaster-1/hardware-configuration.nix

@@ -0,0 +1,120 @@
+#
+# Hardware settings for Teclast F5 10" Laptop
+# NixOS @ sda2
+#
+# flake.nix
+#  └─ ./hosts
+#      └─ ./laptop
+#          └─ hardware-configuration.nix *
+#
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod"];
+  boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+  boot.tmp.useTmpfs = false;
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+
+  services.btrfs.autoScrub = {
+    enable = true;
+    interval = "monthly";
+    fileSystems = [
+      "/"
+    ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
+
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
+
+  fileSystems."/var" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
+
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
+  };
+
+  fileSystems."/mnt/snapshots/root" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
+
+  swapDevices = [];
+
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-lan" = {
+        matchConfig.Name = "enp0s31f6";
+        ntp = ["192.168.2.1"];
+        domains = ["home.opel-online.de"];
+        networkConfig = {
+          DHCP = "yes";
+          IPv6AcceptRA = true;
+        };
+        dns = [
+          "192.168.2.1"
+        ];
+      };
+    };
+  };
+  networking = {
+    useDHCP = false; # Deprecated
+    hostName = "kubemaster-1";
+    firewall = {
+      enable = true;
+      allowedUDPPorts = [];
+      allowedTCPPorts = [80 443];
+    };
+  };
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  powerManagement = {
+    cpuFreqGovernor = lib.mkDefault "powersave";
+    powertop.enable = true;
+    powerUpCommands = ''
+      ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/e036f437-bc91-4398-b182-7cf5724e23a2
+    '';
+  };
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/kubemaster-1/home.nix

@@ -10,22 +10,16 @@
 #           └─ ./hyprland
 #              └─ hyprland.nix
 #
+{pkgs, ...}: {
+  imports = [
+    ../../modules/home.nix # Window Manager
+  ];
 
-{ pkgs, ... }:
-
-{
-  imports =
-    [
-      ../../modules/home.nix # Window Manager
-    ];
-
-  home = {                                # Specific packages for laptop
+  home = {
+    # Specific packages for laptop
     packages = with pkgs; [
       # Applications
 
-      # Display
-      #light                              # xorg.xbacklight not supported. Other option is just use xrandr.
-
       # Power Management
       #auto-cpufreq                       # Power management
       #tlp                                # Power management
@@ -35,5 +29,4 @@
   programs = {
     alacritty.settings.font.size = 11;
   };
-
 }

hosts/laptop/default.nix

@@ -1,105 +0,0 @@
-#
-#  Specific system configuration settings for desktop
-#
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │        ├─ default.nix *
-#   │        └─ hardware-configuration.nix       
-#   └─ ./modules
-#       ├─ ./desktop
-#       │   └─ ./hyprland
-#       │       └─ hyprland.nix
-#       ├─ ./modules
-#       │   └─ ./programs
-#       │       └─ waybar.nix
-#       └─ ./hardware
-#           └─ default.nix
-#
-
-{ config, pkgs, user, ... }:
-
-{
-  imports =                                                         # For now, if applying to other system, swap files
-    [(import ./hardware-configuration.nix)] ++                      # Current system hardware config @ /etc/nixos/hardware-configuration.nix
-    #[(import ../../modules/wm/hyprland/default.nix)] ++        # Window Manager
-    [(import ../../modules/wm/sway/default.nix)] ++        # Window Manager
-    [(import ../../modules/wm/virtualisation/docker.nix)] ++   # Docker
-    [(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++   # kvm module options
-    (import ../../modules/hardware);                                # Hardware devices
-
-  boot = {                                  # Boot options
-    kernelPackages = pkgs.linuxPackages_latest;
-
-    loader = {                              # EFI Boot
-      systemd-boot.enable = true;
-      efi = {
-        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
-      };
-      timeout = 1;                          # Grub auto select time
-    };
-  };
-
-#  hardware.sane = {                           # Used for scanning with Xsane
-#    enable = false;
-#    extraBackends = [ pkgs.sane-airscan ];
-#  };
-  hardware = {
-    nitrokey.enable = true;
-  };
-
-  environment = {
-    systemPackages = with pkgs; [
-#      simple-scan
-       intel-media-driver
-#       alacritty
-    ];
-  };
-
-  programs = {                              # No xbacklight, this is the alterantive
-    zsh.enable = true;
-    dconf.enable = true;
-    light.enable = true;
-    ssh.startAgent = false;
-    gnupg.agent = {
-      enable = true;
-      enableSSHSupport = true;
-      pinentryFlavor = "curses";
-    };
-  };
-
-  services = {
-    tlp = {
-      enable = true;                      # TLP and auto-cpufreq for power management
-      settings = {
-        USB_DENYLIST="fc32:1287 1e7d:2e4a 1d5c:5500 1d5c:5510";
-      };
-    };
-
-    logind.lidSwitch = "suspend-then-hibernate";            # Laptop does not go to sleep when lid is closed
-    #auto-cpufreq.enable = true;
-    blueman.enable = true;
-    printing = {                            # Printing and drivers for TS5300
-      enable = true;
-      drivers = [ pkgs.gutenprint ];
-    };
-    avahi = {                               # Needed to find wireless printer
-      enable = true;
-      nssmdns = true;
-      publish = {                           # Needed for detecting the scanner
-        enable = true;
-        addresses = true;
-        userServices = true;
-      };
-    };
-    tailscale.enable = true;
-
-  };
-
-  #temporary bluetooth fix
-#  systemd.tmpfiles.rules = [
-#    "d /var/lib/bluetooth 700 root root - -"
-#  ];
-#  systemd.targets."bluetooth".after = ["systemd-tmpfiles-setup.service"];
-}

hosts/laptop/hardware-configuration.nix

@@ -1,169 +0,0 @@
-#
-# Hardware settings for Teclast F5 10" Laptop
-# NixOS @ sda2
-#
-# flake.nix
-#  └─ ./hosts
-#      └─ ./laptop
-#          └─ hardware-configuration.nix *
-#
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot = {
-	  initrd = {
-		  availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" "rtsx_usb_sdmmc" ];
-		  kernelModules = [ "i915" "kvm_intel" ];
-		  systemd.enable = true;
-		  luks = {
-			  devices."root" = {
-				  device = "/dev/disk/by-uuid/75eccc7f-30b0-4fe8-8f82-90edaf284cd5";
-				  allowDiscards = true;
-			  };
-		  };
-	  };
-
-	  kernelModules = [ "kvm-intel" ];
-	  extraModprobeConfig = ''
-		  options i915 enable_guc=3 enable_fbc=1 fastboot=1
-		  '';
-	  kernelParams = [ "mitigations=off" "luks.options=fido2-device=auto" ];
-	  tmp.useTmpfs = true;
-  };
-
-  zramSwap.enable = true;
-
-  services.btrfs.autoScrub = {
-    enable = true;
-    interval = "monthly";
-    fileSystems = [
-      "/"
-    ];
-  };
-
-  services.btrbk = {
-      instances = {
-          hf = {
-              onCalendar = "hourly";
-              settings = {
-                  incremental = "yes";
-                  snapshot_create = "ondemand";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
-
-                  snapshot_preserve = "2m 2w 5d 5h";
-                  snapshot_preserve_min = "latest";
-                
-                  volume =  {
-                      "/mnt/snapshots/root" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                              "@home" = {};
-                          };
-                      };
-                  };
-              };
-          };
-      };
-  };
-
-  fileSystems."/" =
-    { device = "/dev/mapper/root";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/mapper/root";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
-    };
-
-  fileSystems."/srv" =
-    { device = "/dev/mapper/root";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
-    };
-
-  fileSystems."/opt" =
-    { device = "/dev/mapper/root";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/mapper/root";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
-    };
-
-  fileSystems."/mnt/snapshots/root" =
-    { device = "/dev/mapper/root";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-label/BOOT";
-      fsType = "vfat";
-    };
-
-  fileSystems."/mnt/Pluto" =
-    { device = "jupiter:/Pluto";
-      fsType = "nfs";
-      options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
-    };
-
-  fileSystems."/mnt/Mars" =
-    { device = "jupiter:/Mars";
-      fsType = "nfs";
-      options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
-    };
-
-
-  swapDevices = [ ];
-  
-
-  networking = {
-    useDHCP = false;                        # Deprecated
-    hostName = "nbf5";
-    wireless.iwd.enable = true;
-    networkmanager = {
-      enable = true;
-      wifi = {
-        backend = "iwd";
-        powersave = true;
-      };
-    };
-    interfaces = {
-      wlan0 = {
-        useDHCP = true;                     # For versatility sake, manually edit IP on nm-applet.
-        #ipv4.addresses = [ {
-        #    address = "192.168.0.51";
-        #    prefixLength = 24;
-        #} ];
-      };
-    };
-    #defaultGateway = "192.168.0.1";
-    #nameservers = [ "192.168.0.4" ];
-    firewall = {
-      checkReversePath = "loose";
-    #  enable = false;
-    #  #allowedUDPPorts = [ 53 67 ];
-    #  #allowedTCPPorts = [ 53 80 443 9443 ];
-    };
-  };
-
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-  powerManagement = {
-    cpuFreqGovernor = lib.mkDefault "schedutil";
-    powertop.enable = true;    
-  };
-}

hosts/laptop/home.nix

@@ -1,57 +0,0 @@
-#
-#  Home-manager configuration for laptop
-#
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │       └─ home.nix *
-#   └─ ./modules
-#       └─ ./desktop
-#           └─ ./hyprland
-#              └─ hyprland.nix
-#
-
-{ pkgs, ... }:
-
-{
-  imports =
-    [
-      #../../modules/wm/hyprland/home.nix # Window Manager
-      ../../modules/wm/sway/home.nix # Window Manager
-      ../../modules/home.nix # Window Manager
-    ];
-
-  home = {                                # Specific packages for laptop
-    packages = with pkgs; [
-      # Applications
-      libreoffice                         # Office packages
-      #firefox
-      chromium
-      thunderbird
-      streamlink
-      streamlink-twitch-gui-bin
-      element-desktop
-      intel-gpu-tools
-      pulsemixer
-      
-      # Display
-      light                              # xorg.xbacklight not supported. Other option is just use xrandr.
-
-      # Power Management
-      #auto-cpufreq                       # Power management
-      #tlp                                # Power management
-    ];
-  };
-
-  programs = {
-    alacritty.settings.font.size = 11;
-  };
-
-  services = {                            # Applets
-   blueman-applet.enable = true;         # Bluetooth
-   network-manager-applet.enable = true; # Network
-  };
-
-  xsession.preferStatusNotifierItems = true;
-
-}

hosts/lifebook/default.nix

@@ -0,0 +1,60 @@
+#
+#  Lifebook laptop — system configuration
+#
+{
+  lib,
+  pkgs,
+  user,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules/desktop
+  ];
+
+  # ── Desktop module options ──────────────────────────────────────────────
+  myDesktop.windowManager = "niri";
+  myDesktop.niri.hotkeyVariant = "lifebook";
+  myDesktop.cpu = "intel";
+  myDesktop.virtualisation.enable = true;
+
+  myDesktop.laptop.enable = true;
+  myDesktop.laptop.lidSwitch = "suspend-then-hibernate";
+  myDesktop.laptop.hibernateDelaySec = "1h";
+
+  myDesktop.git.signingKey = "/home/${user}/.ssh/id_ed25519_sk_rk_blackred";
+
+  myDesktop.syncthing.enable = true;
+  myDesktop.syncthing.devices = {
+    "jupiter.home.opel-online.de" = {id = "T53WU6Z-3NT74ZE-PZVZB2N-7FBTZ5K-HESC2ZM-W4ABDAS-NWXHTGI-ST4CDQR";};
+    "hades.home.opel-online.de" = {id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA";};
+  };
+  myDesktop.syncthing.folders = {
+    "Sync" = {
+      path = "/home/kabbone/Sync";
+      devices = ["jupiter.home.opel-online.de" "hades.home.opel-online.de"];
+      ignorePerms = false;
+    };
+  };
+
+  myDesktop.extraSystemPackages = with pkgs; [
+    intel-media-driver
+    intel-compute-runtime
+  ];
+
+  # ── Host-specific settings ──────────────────────────────────────────────
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    initrd.prepend = ["${./patched-SSDT4}"];
+    loader = {
+      systemd-boot.enable = lib.mkForce false;
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot";
+      timeout = 1;
+    };
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+  };
+}

hosts/lifebook/hardware-configuration.nix

@@ -0,0 +1,261 @@
+#
+# Hardware settings for Teclast F5 10" Laptop
+# NixOS @ sda2
+#
+# flake.nix
+#  └─ ./hosts
+#      └─ ./laptop
+#          └─ hardware-configuration.nix *
+#
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports =
+    [(modulesPath + "/installer/scan/not-detected.nix")]
+    ++ [(import ../../modules/hardware/backup.nix)];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "sdhci_pci"];
+      kernelModules = ["i915" "kvm_intel" "vfio_pci" "vfio" "vfio_iommu_type1"];
+      systemd.enable = true;
+      luks = {
+        devices."crypted" = {
+          device = "/dev/disk/by-partlabel/disk-nvme0n1-luks";
+          allowDiscards = true;
+          bypassWorkqueues = true;
+        };
+      };
+    };
+
+    kernelModules = ["kvm-intel"];
+    kernelParams = ["luks.options=fido2-device=auto" "sysrq_always_enabled=1" "pcie_aspm=force"];
+    extraModprobeConfig = ''
+      options i915 force_probe=!9a49
+      options xe force_probe=9a49
+    '';
+    tmp.useTmpfs = false;
+    tmp.cleanOnBoot = true;
+  };
+
+  zramSwap.enable = true;
+
+  services = {
+    btrfs.autoScrub = {
+      enable = true;
+      interval = "monthly";
+      fileSystems = [
+        "/"
+      ];
+    };
+    udev.extraRules = ''
+      ACTION=="add", SUBSYSTEM=="block", KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_FS_USAGE}=="filesystem", RUN{program}+="${pkgs.systemd}/bin/systemd-mount -o noatime,compress-force=zstd:15,ssd_spread,commit=120 --no-block --automount=yes --collect $devnode /run/media/mmcblk0p1"
+    '';
+
+    btrbk = {
+      extraPackages = [pkgs.lz4 pkgs.mbuffer];
+      instances = {
+        hf = {
+          onCalendar = "hourly";
+          settings = {
+            incremental = "yes";
+            snapshot_create = "ondemand";
+            snapshot_dir = "@snapshots";
+            timestamp_format = "long";
+
+            snapshot_preserve = "2m 2w 5d 5h";
+            snapshot_preserve_min = "latest";
+
+            volume = {
+              "/mnt/snapshots/root" = {
+                snapshot_create = "always";
+                subvolume = {
+                  "@home" = {};
+                };
+              };
+            };
+          };
+        };
+        bak = {
+          onCalendar = "daily";
+          settings = {
+            stream_buffer = "256m";
+            stream_compress = "lz4";
+            incremental = "yes";
+            snapshot_create = "no";
+            snapshot_dir = "@snapshots";
+            timestamp_format = "long";
+
+            snapshot_preserve_min = "all";
+            target_preserve_min = "no";
+            target_preserve = "4w 3d";
+
+            ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
+            ssh_user = "btrbk";
+
+            volume = {
+              "/mnt/snapshots/root" = {
+                subvolume = {
+                  "@home" = {};
+                };
+                target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@lifebook";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    tuned = {
+      enable = true;
+      profiles = {
+        balanced_powertop = {
+          main = {
+            include = "balanced";
+          };
+          sysfs = {
+            "/sys/class/net/wlan0/device/power/wakeup" = "enabled";
+            "/sys/bus/usb/devices/usb3/power/wakeup" = "enabled";
+            "/sys/bus/usb/devices/usb1/power/wakeup" = "enabled";
+            "/sys/bus/usb/devices/3-9/power/wakeup" = "enabled";
+            "/sys/bus/usb/devices/usb4/power/wakeup" = "enabled";
+            "/sys/bus/usb/devices/3-10/power/wakeup" = "enabled";
+            "/sys/bus/usb/devices/usb2/power/wakeup" = "enabled";
+            "/sys/bus/usb/devices/3-5/power/wakeup" = "enabled";
+          };
+        };
+        balanced-battery_powertop = {
+          main = {
+            include = "balanced-battery";
+          };
+          sysfs = {
+            "/sys/class/net/wlan0/device/power/wakeup" = "disabled";
+            "/sys/bus/usb/devices/usb3/power/wakeup" = "disabled";
+            "/sys/bus/usb/devices/usb1/power/wakeup" = "disabled";
+            "/sys/bus/usb/devices/3-9/power/wakeup" = "disabled";
+            "/sys/bus/usb/devices/usb4/power/wakeup" = "disabled";
+            "/sys/bus/usb/devices/3-10/power/wakeup" = "disabled";
+            "/sys/bus/usb/devices/usb2/power/wakeup" = "disabled";
+            "/sys/bus/usb/devices/3-5/power/wakeup" = "disabled";
+          };
+        };
+      };
+    };
+  };
+
+  systemd.timers = {
+    btrbk-bak = {
+      after = ["network-online.target"];
+      requires = ["network-online.target"];
+    };
+  };
+
+  fileSystems."/" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/NIXBOOT";
+    fsType = "vfat";
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
+
+  fileSystems."/srv" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
+
+  fileSystems."/swap" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
+  };
+
+  fileSystems."/opt" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async"];
+  };
+
+  fileSystems."/var" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
+  };
+
+  fileSystems."/mnt/snapshots/root" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
+
+  fileSystems."/mnt/Pluto" = {
+    device = "jupiter.home.opel-online.de:/Pluto";
+    fsType = "nfs";
+    options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
+  };
+
+  fileSystems."/mnt/Mars" = {
+    device = "jupiter.home.opel-online.de:/Mars";
+    fsType = "nfs";
+    options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
+  };
+
+  swapDevices = [{device = "/swap/swapfile";}];
+
+  networking = {
+    useDHCP = false; # Deprecated
+    hostName = "lifebook";
+    wireless.iwd.enable = true;
+    networkmanager = {
+      enable = true;
+      wifi = {
+        backend = "iwd";
+        powersave = true;
+      };
+    };
+    #    interfaces = {
+    #      wlan0 = {
+    #        useDHCP = true;                     # For versatility sake, manually edit IP on nm-applet.
+    #        #ipv4.addresses = [ {
+    #        #    address = "192.168.0.51";
+    #        #    prefixLength = 24;
+    #        #} ];
+    #      };
+    #    };
+    #defaultGateway = "192.168.0.1";
+    #nameservers = [ "192.168.0.4" ];
+    firewall = {
+      checkReversePath = false;
+      enable = true;
+      allowedUDPPorts = [24727 51820];
+      allowedTCPPorts = [24727];
+    };
+  };
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  #  powerManagement = {
+  #    powertop.enable = true;
+  #  };
+}

hosts/lifebook/home.nix

@@ -0,0 +1,26 @@
+#
+#  Lifebook laptop — home-manager host-specific additions
+#  (WM home config is loaded by modules/desktop based on myDesktop.windowManager)
+#
+{pkgs, ...}: {
+  imports = [
+    ../../modules/home.nix # cmds / theme options
+  ];
+
+  home.packages = with pkgs; [
+    libreoffice
+    chromium
+    thunderbird
+    streamlink
+    streamlink-twitch-gui-bin
+    intel-gpu-tools
+    pulsemixer
+  ];
+
+  services = {
+    blueman-applet.enable = true;
+    network-manager-applet.enable = true;
+  };
+
+  xsession.preferStatusNotifierItems = true;
+}

hosts/nas/default.nix

@@ -1,74 +0,0 @@
-#
-#  Specific system configuration settings for desktop
-#
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │        ├─ default.nix *
-#   │        └─ hardware-configuration.nix       
-#   └─ ./modules
-#       ├─ ./desktop
-#       │   └─ ./hyprland
-#       │       └─ hyprland.nix
-#       ├─ ./modules
-#       │   └─ ./programs
-#       │       └─ waybar.nix
-#       └─ ./hardware
-#           └─ default.nix
-#
-
-{ config, pkgs, user, ... }:
-
-{
-  imports =                                                         # For now, if applying to other system, swap files
-    [(import ./hardware-configuration.nix)] ++                      # Current system hardware config @ /etc/nixos/hardware-configuration.nix
-    (import ../../modules/wm/virtualisation) ++   # Docker
-    (import ../../modules/services/nas) ++                       # Server Services
-    (import ../../modules/hardware);                                # Hardware devices
-
-  boot = {                                  # Boot options
-    kernelPackages = pkgs.linuxPackages_latest;
-
-    loader = {                              # EFI Boot
-      systemd-boot.enable = true;
-      efi = {
-        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
-      };
-      timeout = 1;                          # Grub auto select time
-    };
-  };
-
-#  environment = {
-#    systemPackages = with pkgs; [
-##      simple-scan
-##       intel-media-driver
-##       alacritty
-#    ];
-#  };
-
-  programs = {                              # No xbacklight, this is the alterantive
-    zsh.enable = true;
-    ssh.startAgent = false;
-    gnupg.agent = {
-      enable = false;
-      enableSSHSupport = true;
-      pinentryFlavor = "curses";
-    };
-  };
-
-  services = {
-    #auto-cpufreq.enable = true;
-    avahi = {                               # Needed to find wireless printer
-      enable = true;
-      nssmdns = true;
-      publish = {                           # Needed for detecting the scanner
-        enable = true;
-        addresses = true;
-        userServices = true;
-      };
-    };
-
-  };
-
-}

hosts/nas/hardware-configuration.nix

@@ -1,255 +0,0 @@
-#
-# Hardware settings for Teclast F5 10" Laptop
-# NixOS @ sda2
-#
-# flake.nix
-#  └─ ./hosts
-#      └─ ./laptop
-#          └─ hardware-configuration.nix *
-#
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
-  boot.initrd.secrets = {
-    "/root/NASKeyfile" =
-        /root/NASKeyfile;
-  };
-  boot.initrd.luks.devices = {
-    NAS-RAID1 = {
-      device = "/dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088";
-      keyFile = "/root/NASKeyfile";
-    };
-    NAS-RAID2 = {
-      device = "/dev/disk/by-uuid/b9edc489-ac37-4b28-981d-442722df7ae2";
-      keyFile = "/root/NASKeyfile";
-    };
-  };
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-  boot.tmp.useTmpfs = false;
-  boot.tmp.cleanOnBoot = true;
-  zramSwap.enable = true;
-
-  services.btrfs.autoScrub = {
-    enable = true;
-    interval = "monthly";
-    fileSystems = [
-      "/"
-      "/mnt/Pluto"
-    ];
-  };
-
-  services.btrbk = {
-      instances = {
-          hf = {
-              onCalendar = "hourly";
-              settings = {
-                  incremental = "yes";
-                  snapshot_create = "ondemand";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
-
-                  snapshot_preserve = "2m 2w 5d 5h";
-                  snapshot_preserve_min = "latest";
-                
-                  volume =  {
-                      "/mnt/snapshots/root" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                              "@" = {};
-                              "@home" = {};
-                              "@nas/Home" = {};
-                          };
-                      };
-                  };
-              };
-          };
-          lf = {
-              onCalendar = "daily";
-              settings = {
-                  incremental = "yes";
-                  snapshot_create = "ondemand";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
-
-                  snapshot_preserve = "2m 2w 5d";
-                  snapshot_preserve_min = "latest";
-                
-                  volume =  {
-                      "/mnt/snapshots/Pluto" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                            "@" = {};
-                            "@/Backups" = {};
-                            "@/Games" = {};
-                            "@/IT" = {};
-                            "@/Media" = {};
-                            "@/Pictures" = {};
-                            "@/Rest" = {};
-                          };
-                      };
-                  };
-              };
-          };
-      };
-  };
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
-    };
-
-  fileSystems."/srv" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
-    };
-
-  fileSystems."/swap" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
-    };
-
-    fileSystems."/mnt/snapshots/root" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
-    };
-
-    fileSystems."/mnt/snapshots/Mars" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
-    };
-
-  fileSystems."/mnt/snapshots/Pluto" =
-    { device = "/dev/disk/by-label/NAS-RAID";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,noatime,subvolid=5" ];
-    };
-
-  fileSystems."/mnt/Pluto" =
-    { device = "/dev/disk/by-label/NAS-RAID";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,noatime,subvol=@" ];
-    };
-
-  fileSystems."/mnt/Mars" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nas,discard=async" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-label/NIXBOOT";
-      fsType = "vfat";
-    };
-
-  fileSystems."/export/Pluto" =
-    { device = "/mnt/Pluto";
-      options = [ "bind" ];
-    };
- 
-  fileSystems."/export/Mars" =
-    { device = "/mnt/Mars";
-      options = [ "bind" ];
-    };
- 
-  swapDevices = [ { device = "/swap/swapfile"; } ];
-  
-  networking = {
-    vswitches = {
-        vs0 = {
-            interfaces = {
-                enp0s31f6 = {  };
-                lo1 = {
-                    type = "internal";
-                };
-                enp0s31f6iot = {
-                    type = "internal";
-                    vlan = 100;
-                };
-            };
-        };
-    };
-    useDHCP = false;                        # Deprecated
-    hostName = "nas";
-    domain = "home.opel-online.de";
-    networkmanager = {
-      enable = false;
-    };
-    timeServers = [
-        "192.168.2.1"
-    ];
-    interfaces = {
-#      enp0s31f6 = {
-#        useDHCP = true;                     # For versatility sake, manually edit IP on nm-applet.
-#        ipv4.addresses = [ {
-#            address = "45.142.114.153";
-#            prefixLength = 24;
-#        } ];
-#        ipv6.addresses = [ {
-#            address = "2a00:ccc1:101:19D::2";
-#            prefixLength = 64;
-#        } ];
-#      };
-      lo1 = {
-        useDHCP = true;
-        macAddress = "f6:14:f3:7b:1f:f7";
-      };
-    };
-#    defaultGateway = "45.142.114.1";
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "lo1";
-    };
-#    nameservers = [ "9.9.9.9" "2620:fe::fe" ];
-    #firewall = {
-    #  enable = false;
-    #  #allowedUDPPorts = [ 53 67 ];
-    #  #allowedTCPPorts = [ 53 80 443 9443 ];
-    #};
-  };
-
-  systemd.services = {
-    "ovsdb".partOf = [ "network-setup.service" ];
-    "ovs-vswitchd".partOf = [ "network-setup.service" ];
-    "network-addresses-lo1" = {
-        requires = [ "network-setup.service" ];
-    };
-  };
-
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-  powerManagement = {
-    cpuFreqGovernor = lib.mkDefault "powersave";
-    powertop.enable = true;
-    powerUpCommands = ''
-      ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088
-      ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/b9edc489-ac37-4b28-981d-442722df7ae2
-    '';
-  };
-  
-}

hosts/nasbackup/default.nix

@@ -1,66 +1,52 @@
 #
-#  Specific system configuration settings for desktop
+#  Nasbak — NAS backup server configuration
 #
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │        ├─ default.nix *
-#   │        └─ hardware-configuration.nix       
-#   └─ ./modules
-#       ├─ ./desktop
-#       │   └─ ./hyprland
-#       │       └─ hyprland.nix
-#       ├─ ./modules
-#       │   └─ ./programs
-#       │       └─ waybar.nix
-#       └─ ./hardware
-#           └─ default.nix
-#
-
-{ config, pkgs, user, ... }:
-
 {
-  imports =                                                         # For now, if applying to other system, swap files
-    [(import ./hardware-configuration.nix)] ++                      # Current system hardware config @ /etc/nixos/hardware-configuration.nix
-    #[(import ../../modules/wm/virtualisation/docker.nix)] ++   # Docker
-    (import ../../modules/services/nasbackup) ++                       # Server Services
-    (import ../../modules/hardware);                                # Hardware devices
+  config,
+  pkgs,
+  user,
+  ...
+}: {
+  imports =
+    [
+      ./hardware-configuration.nix
+      ../../modules/server
+    ]
+    ++ (import ../../modules/services/nasbackup);
 
-  boot = {                                  # Boot options
+  # ── Server module options ───────────────────────────────────────────────
+  # No virtualisation on the backup NAS
+
+  # ── Host-specific settings ──────────────────────────────────────────────
+  boot = {
     kernelPackages = pkgs.linuxPackages_latest;
-
-    loader = {                              # EFI Boot
+    loader = {
       systemd-boot.enable = true;
-      efi = {
-        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
-      };
-      timeout = 1;                          # Grub auto select time
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot";
+      timeout = 1;
     };
   };
 
-  programs = {                              # No xbacklight, this is the alterantive
-    zsh.enable = true;
+  programs = {
     ssh.startAgent = false;
     gnupg.agent = {
       enable = false;
       enableSSHSupport = true;
-      pinentryFlavor = "curses";
+      pinentryPackage = pkgs.pinentry-curses;
     };
   };
 
   services = {
     qemuGuest.enable = true;
-    avahi = {                               # Needed to find wireless printer
+    avahi = {
       enable = true;
-      nssmdns = true;
-      publish = {                           # Needed for detecting the scanner
+      nssmdns4 = true;
+      publish = {
         enable = true;
         addresses = true;
         userServices = true;
       };
     };
-
   };
-
 }

hosts/nasbackup/hardware-configuration.nix

@@ -1,4 +1,3 @@
-
 # Hardware settings for Teclast F5 10" Laptop
 # NixOS @ sda2
 #
@@ -10,18 +9,22 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
   boot.initrd.secrets = {
     "/root/NASKeyfile" =
-        /root/NASKeyfile;
+      /root/NASKeyfile;
   };
   boot.initrd.luks.devices = {
     NAS-RAID1 = {
@@ -35,8 +38,8 @@
       bypassWorkqueues = true;
     };
   };
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
   boot.tmp.useTmpfs = false;
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
@@ -51,182 +54,167 @@
   };
 
   services.btrbk = {
-      extraPackages = [ pkgs.lz4 ];
-      instances = {
-          hf = {
-              onCalendar = "hourly";
-              settings = {
-                  incremental = "yes";
-                  snapshot_create = "ondemand";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
+    extraPackages = [pkgs.lz4 pkgs.mbuffer];
+    instances = {
+      hf = {
+        onCalendar = "hourly";
+        settings = {
+          incremental = "yes";
+          snapshot_create = "ondemand";
+          snapshot_dir = "@snapshots";
+          timestamp_format = "long";
 
-                  snapshot_preserve = "2m 2w 5d 5h";
-                  snapshot_preserve_min = "latest";
-                
-                  volume =  {
-                      "/mnt/snapshots/root" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                              "@" = {};
-                              "@home" = {};
-                          };
-                      };
-                  };
+          snapshot_preserve = "2m 2w 5d 5h";
+          snapshot_preserve_min = "latest";
+
+          volume = {
+            "/mnt/snapshots/root" = {
+              snapshot_create = "always";
+              subvolume = {
+                "@" = {};
+                "@home" = {};
               };
+            };
           };
-          bak = {
-              onCalendar = "weekly";
-              settings = {
-                  stream_compress = "lz4";
-                  incremental = "yes";
-                  snapshot_create = "no";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
-
-                  snapshot_preserve_min = "all";
-                  target_preserve_min = "no";
-                  target_preserve = "4w 2m";
-
-                  ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk";
-                  ssh_user = "btrbk";
-                
-                  volume =  {
-                      "ssh://jupiter.home.opel-online.de/mnt/snapshots/Mars" = {
-                          target = "/mnt/nas/Backups/Mars";
-                          subvolume = {
-                              "@nas" = {};
-                          };
-                      };
-                  };
-                  volume =  {
-                      "ssh://jupiter.home.opel-online.de/mnt/snapshots/Pluto" = {
-                          target = "/mnt/nas/Backups/Pluto";
-                          subvolume = {
-                              "@/Games" = {};
-                              "@/IT" = {};
-                              "@/Media" = {};
-                              "@/Pictures" = {};
-                              "@/Rest" = {};
-                          };
-                      };
-                  };
-              };
-          };
-#          lf = {
-#              onCalendar = "daily";
-#              settings = {
-#                  incremental = "yes";
-#                  snapshot_create = "ondemand";
-#                  snapshot_dir = "@snapshots";
-#                  timestamp_format = "long";
-#
-#                  snapshot_preserve = "2m 2w 5d";
-#                  snapshot_preserve_min = "latest";
-#                
-#                  volume =  {
-#                      "/mnt/snapshots/Pluto" = {
-#                          snapshot_create = "always";
-#                          subvolume = {
-#                            "@" = {};
-#                            "@/Backups" = {};
-#                            "@/Games" = {};
-#                            "@/IT" = {};
-#                            "@/Media" = {};
-#                            "@/Pictures" = {};
-#                            "@/Rest" = {};
-#                          };
-#                      };
-#                  };
-#              };
-#          };
+        };
       };
+      bak = {
+        onCalendar = "weekly";
+        settings = {
+          stream_buffer = "265m";
+          stream_compress = "lz4";
+          incremental = "yes";
+          snapshot_create = "no";
+          snapshot_dir = "@snapshots";
+          timestamp_format = "long";
+
+          snapshot_preserve_min = "all";
+          target_preserve_min = "no";
+          target_preserve = "4w 2m";
+          archive_preserve_min = "no";
+          archive_preserve = "4w 2m";
+
+          ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk";
+          ssh_user = "btrbk";
+
+          volume = {
+            "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars" = {
+              subvolume = {
+                "@nas" = {
+                  target = "/mnt/nas/Backups/Mars";
+                };
+                "@hades/@home" = {
+                  target = "/mnt/nas/Backups/Hades";
+                  snapshot_dir = "@snapshots/@hades";
+                };
+                "@lifebook/@home" = {
+                  target = "/mnt/nas/Backups/Lifebook";
+                  snapshot_dir = "@snapshots/@lifebook";
+                };
+                #                              "@steamdeck/@home" = {
+                #				  target = "/mnt/nas/Backups/Steamdeck";
+                #				  snapshot_dir = "@snapshots/@steamdeck";
+                #			      };
+              };
+            };
+          };
+          volume = {
+            "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Pluto" = {
+              target = "/mnt/nas/Backups/Pluto";
+              subvolume = {
+                "@/Games" = {};
+                "@/IT" = {};
+                "@/Media" = {};
+                "@/Pictures" = {};
+                "@/Rest" = {};
+              };
+            };
+          };
+        };
+      };
+    };
   };
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
+  systemd.services = {
+    btrbk-bak = {
+      after = ["network-online.target"];
+      requires = ["network-online.target"];
     };
-
-  fileSystems."/home" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
-    };
-
-  fileSystems."/srv" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
-    };
-
-  fileSystems."/swap" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
-    };
-
-  fileSystems."/mnt/snapshots/root" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
   };
 
-#  fileSystems."/mnt/snapshots/Pluto" =
-#    { device = "/dev/disk/by-label/NAS-RAID";
-#      fsType = "btrfs";
-#      options = [ "compress=zstd,space_cache=v2,noatime,subvolid=5" ];
-#    };
-#
-  fileSystems."/mnt/nas" =
-    { device = "/dev/disk/by-uuid/70523c79-ef5c-40f2-8782-60fc86bb445b";
-      fsType = "btrfs";
-      options = [ "compress=zstd:9,space_cache=v2,noatime,subvol=@nasbak" ];
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-label/NIXBOOT";
-      fsType = "vfat";
-    };
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
 
-  swapDevices = [ { device = "/swap/swapfile"; } ];
-  
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
+
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
+  };
+
+  fileSystems."/mnt/snapshots/root" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
+
+  #  fileSystems."/mnt/snapshots/Pluto" =
+  #    { device = "/dev/disk/by-label/NAS-RAID";
+  #      fsType = "btrfs";
+  #      options = [ "compress=zstd,space_cache=v2,noatime,subvolid=5" ];
+  #    };
+  #
+  fileSystems."/mnt/nas" = {
+    device = "/dev/disk/by-uuid/70523c79-ef5c-40f2-8782-60fc86bb445b";
+    fsType = "btrfs";
+    options = ["compress=zstd:9,space_cache=v2,noatime,subvol=@nasbak"];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/NIXBOOT";
+    fsType = "vfat";
+  };
+
+  swapDevices = [{device = "/swap/swapfile";}];
+
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-lan" = {
+        matchConfig.Name = "ens18";
+        ntp = ["192.168.2.1"];
+        domains = ["home.opel-online.de"];
+        networkConfig = {
+          DHCP = "yes";
+          IPv6AcceptRA = true;
+        };
+      };
+    };
+  };
   networking = {
     hostName = "nasbak";
     domain = "home.opel-online.de";
-    networkmanager = {
-      enable = false;
-    };
-    timeServers = [
-        "192.168.2.1"
-    ];
-    interfaces = {
-      enp6s18 = {
-        useDHCP = true;                     # For versatility sake, manually edit IP on nm-applet.
-#        ipv4.addresses = [ {
-#            address = "45.142.114.153";
-#            prefixLength = 24;
-#        } ];
-#        ipv6.addresses = [ {
-#            address = "2a00:ccc1:101:19D::2";
-#            prefixLength = 64;
-#        } ];
-#      };
-      };
-    };
-#    defaultGateway = "45.142.114.1";
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "enp6s18";
-    };
-#    nameservers = [ "9.9.9.9" "2620:fe::fe" ];
+    useDHCP = false; # For versatility sake, manually edit IP on nm-applet.
     #firewall = {
     #  enable = false;
     #  #allowedUDPPorts = [ 53 67 ];
@@ -238,10 +226,9 @@
   powerManagement = {
     cpuFreqGovernor = lib.mkDefault "powersave";
     powertop.enable = true;
-#    powerUpCommands = ''
-#      ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088
-#      ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/b9edc489-ac37-4b28-981d-442722df7ae2
-#    '';
+    #    powerUpCommands = ''
+    #      ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088
+    #      ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/b9edc489-ac37-4b28-981d-442722df7ae2
+    #    '';
   };
-  
 }

hosts/nasbackup/home.nix

@@ -10,22 +10,16 @@
 #           └─ ./hyprland
 #              └─ hyprland.nix
 #
+{pkgs, ...}: {
+  imports = [
+    ../../modules/home.nix # Window Manager
+  ];
 
-{ pkgs, ... }:
-
-{
-  imports =
-    [
-      ../../modules/home.nix # Window Manager
-    ];
-
-  home = {                                # Specific packages for laptop
+  home = {
+    # Specific packages for laptop
     packages = with pkgs; [
       # Applications
 
-      # Display
-      #light                              # xorg.xbacklight not supported. Other option is just use xrandr.
-
       # Power Management
       #auto-cpufreq                       # Power management
       #tlp                                # Power management
@@ -35,5 +29,4 @@
   programs = {
     alacritty.settings.font.size = 11;
   };
-
 }

hosts/nbf5/default.nix

@@ -0,0 +1,94 @@
+#
+#  Specific system configuration settings for desktop
+#
+#  flake.nix
+#   ├─ ./hosts
+#   │   └─ ./laptop
+#   │        ├─ default.nix *
+#   │        └─ hardware-configuration.nix
+#   └─ ./modules
+#       ├─ ./desktop
+#       │   └─ ./hyprland
+#       │       └─ hyprland.nix
+#       ├─ ./modules
+#       │   └─ ./programs
+#       │       └─ waybar.nix
+#       └─ ./hardware
+#           └─ default.nix
+#
+{
+  config,
+  pkgs,
+  user,
+  ...
+}: {
+  imports =
+    # For now, if applying to other system, swap files
+    [(import ./hardware-configuration.nix)]
+    ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
+    
+    #[(import ../../modules/wm/hyprland/default.nix)] ++        # Window Manager
+    # [(import ../../modules/wm/sway/default.nix)] ++        # Window Manager
+    [(import ../../modules/wm/virtualisation/docker.nix)]
+    ++ # Docker
+    [(import ../../modules/wm/virtualisation/kvm-intel.nix)]
+    ++ # kvm module options
+    (import ../../modules/hardware)
+    ++ (import ../../modules/services/printer); # Hardware devices
+
+  boot = {
+    # Boot options
+    kernelPackages = pkgs.linuxPackages_latest;
+
+    loader = {
+      # EFI Boot
+      systemd-boot.enable = true;
+      efi = {
+        canTouchEfiVariables = true;
+        efiSysMountPoint = "/boot";
+      };
+      timeout = 1; # Grub auto select time
+    };
+  };
+
+  environment = {
+    systemPackages = with pkgs; [
+      intel-media-driver
+    ];
+  };
+
+  programs = {
+    # No xbacklight, this is the alterantive
+    light.enable = true;
+  };
+
+  services = {
+    tlp = {
+      enable = true; # TLP and auto-cpufreq for power management
+      settings = {
+        USB_DENYLIST = "fc32:1287 1e7d:2e4a 1d5c:5500 1d5c:5510";
+      };
+    };
+
+    logind.lidSwitch = "suspend-then-hibernate"; # Laptop does not go to sleep when lid is closed
+    #auto-cpufreq.enable = true;
+    blueman.enable = true;
+    avahi = {
+      # Needed to find wireless printer
+      enable = true;
+      nssmdns4 = true;
+      publish = {
+        # Needed for detecting the scanner
+        enable = true;
+        addresses = true;
+        userServices = true;
+      };
+    };
+  };
+
+  #temporary bluetooth fix
+  #  systemd.tmpfiles.rules = [
+  #    "d /var/lib/bluetooth 700 root root - -"
+  #  ];
+  #  systemd.targets."bluetooth".after = ["systemd-tmpfiles-setup.service"];
+}

hosts/nbf5/hardware-configuration.nix

@@ -0,0 +1,160 @@
+#
+# Hardware settings for Teclast F5 10" Laptop
+# NixOS @ sda2
+#
+# flake.nix
+#  └─ ./hosts
+#      └─ ./laptop
+#          └─ hardware-configuration.nix *
+#
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" "rtsx_usb_sdmmc"];
+      kernelModules = ["i915" "kvm_intel"];
+      systemd.enable = true;
+      luks = {
+        devices."root" = {
+          device = "/dev/disk/by-uuid/75eccc7f-30b0-4fe8-8f82-90edaf284cd5";
+          allowDiscards = true;
+        };
+      };
+    };
+
+    kernelModules = ["kvm-intel"];
+    extraModprobeConfig = ''
+      options i915 enable_guc=3 enable_fbc=1 fastboot=1
+    '';
+    kernelParams = ["mitigations=off" "luks.options=fido2-device=auto"];
+    tmp.useTmpfs = true;
+  };
+
+  zramSwap.enable = true;
+
+  services.btrfs.autoScrub = {
+    enable = true;
+    interval = "monthly";
+    fileSystems = [
+      "/"
+    ];
+  };
+
+  services.btrbk = {
+    instances = {
+      hf = {
+        onCalendar = "hourly";
+        settings = {
+          incremental = "yes";
+          snapshot_create = "ondemand";
+          snapshot_dir = "@snapshots";
+          timestamp_format = "long";
+
+          snapshot_preserve = "2m 2w 5d 5h";
+          snapshot_preserve_min = "latest";
+
+          volume = {
+            "/mnt/snapshots/root" = {
+              snapshot_create = "always";
+              subvolume = {
+                "@home" = {};
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  fileSystems."/" = {
+    device = "/dev/mapper/root";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/mapper/root";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
+
+  fileSystems."/srv" = {
+    device = "/dev/mapper/root";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
+
+  fileSystems."/opt" = {
+    device = "/dev/mapper/root";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/mapper/root";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
+
+  fileSystems."/mnt/snapshots/root" = {
+    device = "/dev/mapper/root";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/BOOT";
+    fsType = "vfat";
+  };
+
+  fileSystems."/mnt/Pluto" = {
+    device = "jupiter:/Pluto";
+    fsType = "nfs";
+    options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
+  };
+
+  fileSystems."/mnt/Mars" = {
+    device = "jupiter:/Mars";
+    fsType = "nfs";
+    options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
+  };
+
+  swapDevices = [];
+
+  networking = {
+    useDHCP = false; # Deprecated
+    hostName = "nbf5";
+    wireless = {
+      iwd.enable = true;
+      interfaces = ["wlan0"];
+    };
+    interfaces = {
+      wlan0 = {
+        useDHCP = true; # For versatility sake, manually edit IP on nm-applet.
+      };
+    };
+    firewall = {
+      enable = true;
+      #allowedUDPPorts = [ 53 67 ];
+      allowedTCPPorts = [80 443];
+    };
+  };
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  powerManagement = {
+    cpuFreqGovernor = lib.mkDefault "schedutil";
+    powertop.enable = true;
+  };
+}

hosts/nbf5/home.nix

@@ -0,0 +1,48 @@
+#
+#  Home-manager configuration for laptop
+#
+#  flake.nix
+#   ├─ ./hosts
+#   │   └─ ./laptop
+#   │       └─ home.nix *
+#   └─ ./modules
+#       └─ ./desktop
+#           └─ ./hyprland
+#              └─ hyprland.nix
+#
+{pkgs, ...}: {
+  imports = [
+    #../../modules/wm/hyprland/home.nix # Window Manager
+    #../../modules/wm/sway/home.nix # Window Manager
+    ../../modules/home.nix # Window Manager
+  ];
+
+  home = {
+    # Specific packages for laptop
+    packages = with pkgs; [
+      # Applications
+      firefox
+      intel-gpu-tools
+      pulsemixer
+
+      # Display
+      light # xorg.xbacklight not supported. Other option is just use xrandr.
+
+      # Power Management
+      #auto-cpufreq                       # Power management
+      #tlp                                # Power management
+    ];
+  };
+
+  programs = {
+    alacritty.settings.font.size = 11;
+  };
+
+  services = {
+    # Applets
+    blueman-applet.enable = true; # Bluetooth
+    network-manager-applet.enable = true; # Network
+  };
+
+  xsession.preferStatusNotifierItems = true;
+}

hosts/server/default.nix

@@ -1,101 +0,0 @@
-#
-#  Specific system configuration settings for desktop
-#
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │        ├─ default.nix *
-#   │        └─ hardware-configuration.nix       
-#   └─ ./modules
-#       ├─ ./desktop
-#       │   └─ ./hyprland
-#       │       └─ hyprland.nix
-#       ├─ ./modules
-#       │   └─ ./programs
-#       │       └─ waybar.nix
-#       └─ ./hardware
-#           └─ default.nix
-#
-
-{ config, pkgs, user, agenix, impermanence, ... }:
-
-{
-  imports =                                                         # For now, if applying to other system, swap files
-    [(import ./hardware-configuration.nix)] ++                      # Current system hardware config @ /etc/nixos/hardware-configuration.nix
-    [(import ../../modules/wm/virtualisation/docker.nix)] ++   # Docker
-    (import ../../modules/services/server) ++                       # Server Services
-    (import ../../modules/hardware);                                # Hardware devices
-
-  boot = {                                  # Boot options
-    kernelPackages = pkgs.linuxPackages_latest;
-
-    loader = {                              # EFI Boot
-    grub = {
-        enable = true;
-        device = "/dev/sda";
-    };
-      timeout = 1;                          # Grub auto select time
-    };
-  };
-
-  environment = {
-    etc = {
-      "fail2ban/filter.d/gitea.conf" = {
-        source = ../../modules/services/server/fail2ban/filter/gitea.conf;
-        mode = "0444";
-      };
-      "fail2ban/filter.d/nextcloud.conf" = {
-        source = ../../modules/services/server/fail2ban/filter/nextcloud.conf;
-        mode = "0444";
-      };
-    };
-  };
-
-  programs = {                              # No xbacklight, this is the alterantive
-    zsh.enable = true;
-    ssh.startAgent = false;
-    gnupg.agent = {
-      enable = true;
-      enableSSHSupport = true;
-      pinentryFlavor = "curses";
-    };
-  };
-
-  services = {
-    #auto-cpufreq.enable = true;
-    qemuGuest.enable = true;
-    avahi = {                               # Needed to find wireless printer
-      enable = true;
-      nssmdns = true;
-      publish = {                           # Needed for detecting the scanner
-        enable = true;
-        addresses = true;
-        userServices = true;
-      };
-    };
-    fail2ban = {
-        enable = true;
-        maxretry = 5;
-        jails.DEFAULT.settings = {
-           findtime = "15m";
-        };
-        jails = {
-            gitea = ''
-              enabled = true
-              filter = gitea
-              backend = systemd
-              action = iptables-allports
-            '';
-            nextcloud = ''
-              backend = auto
-              enabled = true
-              filter = nextcloud
-              logpath = /var/lib/nextcloud/data/nextcloud.log
-              action = iptables-allports
-            '';
-          };
-    };
-
-  };
-
-}

hosts/server/hardware-configuration.nix

@@ -1,138 +0,0 @@
-#
-# Hardware settings for Teclast F5 10" Laptop
-# NixOS @ sda2
-#
-# flake.nix
-#  └─ ./hosts
-#      └─ ./laptop
-#          └─ hardware-configuration.nix *
-#
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [  "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
-  boot.tmp.useTmpfs = false;
-  boot.tmp.cleanOnBoot = true;
-  zramSwap.enable = true;
-
-  services.btrfs.autoScrub = {
-    enable = true;
-    interval = "monthly";
-    fileSystems = [
-      "/"
-    ];
-  };
-
-  services.btrbk = {
-      instances = {
-          hf = {
-              onCalendar = "hourly";
-              settings = {
-                  incremental = "yes";
-                  snapshot_create = "ondemand";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
-
-                  snapshot_preserve = "2m 2w 5d 5h";
-                  snapshot_preserve_min = "latest";
-                
-                  volume =  {
-                      "/mnt/snapshots/root" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                              "@" = {};
-                              "@home" = {};
-                          };
-                      };
-                  };
-              };
-          };
-      };
-  };
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
-    };
-
-  fileSystems."/srv" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
-    };
-
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
-    };
-
-  fileSystems."/swap" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
-    };
-
-  fileSystems."/mnt/snapshots/root" =
-    { device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
-    };
-
-
-  #swapDevices = [ { device = "/swap/swapfile"; } ];
-  swapDevices = [  ];
-  
-  networking = {
-    useDHCP = false;                        # Deprecated
-    hostName = "kabtop";
-    domain = "kabtop.de";
-    networkmanager = {
-      enable = false;
-    };
-    interfaces = {
-      ens18 = {
-        useDHCP = false;                     # For versatility sake, manually edit IP on nm-applet.
-        ipv4.addresses = [ {
-            address = "45.142.114.153";
-            prefixLength = 24;
-        } ];
-        ipv6.addresses = [ {
-            address = "2a00:ccc1:101:19D::2";
-            prefixLength = 64;
-        } ];
-      };
-    };
-    defaultGateway = "45.142.114.1";
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "ens18";
-    };
-
-    nameservers = [ "9.9.9.9" "2620:fe::fe" ];
-    firewall = {
-      enable = true;
-      allowedUDPPorts = [  ];
-      allowedTCPPorts = [ 80 443 ];
-    };
-  };
-
-  #hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/steamdeck/default.nix

@@ -1,92 +1,53 @@
 #
-#  Specific system configuration settings for desktop
+#  Steamdeck — system configuration
 #
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │        ├─ default.nix *
-#   │        └─ hardware-configuration.nix       
-#   └─ ./modules
-#       ├─ ./desktop
-#       │   └─ ./hyprland
-#       │       └─ hyprland.nix
-#       ├─ ./modules
-#       │   └─ ./programs
-#       │       └─ waybar.nix
-#       └─ ./hardware
-#           └─ default.nix
-#
-
-{ config, pkgs, user, jovian-nixos, lib, ... }:
-
 {
-  imports =                                                         # For now, if applying to other system, swap files
-    [(import ./hardware-configuration.nix)] ++                      # Current system hardware config @ /etc/nixos/hardware-configuration.nix
-    [(import ../../modules/wm/steam/default.nix)] ++            # jovian steam
-    [(import ../../modules/wm/kde/default.nix)] ++              # Window Manager
-    (import ../../modules/wm/virtualisation) ++                 # libvirt + Docker
-    [(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++   # kvm module options
-    (import ../../modules/hardware);                                 # Hardware devices
+  lib,
+  pkgs,
+  user,
+  jovian-nixos,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules/desktop
+    ../../modules/wm/steam
+  ];
 
-  boot = {                                  # Boot options
-    loader = {                              # EFI Boot
+  # ── Desktop module options ──────────────────────────────────────────────
+  myDesktop.windowManager = "kde";
+  myDesktop.cpu = "amd";
+  myDesktop.virtualisation.enable = true;
+  myDesktop.nitrokey.enable = true;
+
+  specialisation = {
+    sway.configuration = {
+      imports = [(import ../../modules/wm/sway)];
+      jovian.steam.enable = lib.mkForce false;
+      services.desktopManager.plasma6.enable = lib.mkForce false;
+    };
+  };
+
+  # ── Host-specific settings ──────────────────────────────────────────────
+  boot = {
+    loader = {
       systemd-boot.enable = lib.mkForce false;
-      efi = {
-        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot";
-      };
-      timeout = 1;                          # Grub auto select time
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot";
+      timeout = 1;
     };
-
     lanzaboote = {
-        enable = true;
-        pkiBundle = "/etc/secureboot";
-    };
-  };
-
-#  hardware.sane = {                           # Used for scanning with Xsane
-#    enable = false;
-#    extraBackends = [ pkgs.sane-airscan ];
-#  };
-  hardware = {
-    nitrokey.enable = true;
-  };
-
-#  environment = {
-#    systemPackages = with pkgs; [
-##       alacritty
-#    ];
-#  };
-
-  programs = {                              # No xbacklight, this is the alterantive
-    zsh.enable = true;
-    dconf.enable = true;
-    light.enable = true;
-    ssh.startAgent = false;
-    gnupg.agent = {
       enable = true;
-      enableSSHSupport = true;
-      #pinentryFlavor = "curses";
+      pkiBundle = "/etc/secureboot";
     };
   };
 
-  services = {
- #   blueman.enable = true;
-    printing = {                            # Printing and drivers for TS5300
-      enable = true;
-      drivers = [ pkgs.gutenprint ];
-    };
-    avahi = {                               # Needed to find wireless printer
-      enable = true;
-      nssmdns4 = true;
-      publish = {                           # Needed for detecting the scanner
-        enable = true;
-        addresses = true;
-        userServices = true;
-      };
-    };
-    tailscale.enable = true;
-
+  services.printing = {
+    enable = true;
+    drivers = [pkgs.gutenprint];
   };
+
+  services.tailscale.enable = true;
+
   security.pam.sshAgentAuth.enable = true;
 }

hosts/steamdeck/hardware-configuration.nix

@@ -10,145 +10,180 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
 
   boot = {
-	  initrd = {
-                  availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
-		  kernelModules = [ ];
-		  systemd.enable = true;
-		  luks = {
-			  devices."crypted" = {
-				  device = "/dev/disk/by-partlabel/disk-nvme0n1-luks";
-				  allowDiscards = true;
-                  bypassWorkqueues = true;
-			  };
-		  };
-	  };
+    initrd = {
+      availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci"];
+      kernelModules = [];
+      systemd.enable = true;
+      luks = {
+        devices."crypted" = {
+          device = "/dev/disk/by-partlabel/disk-nvme0n1-luks";
+          allowDiscards = true;
+          bypassWorkqueues = true;
+        };
+      };
+    };
 
-	  kernelModules = [ "kvm-amd" "amdgpu" ];
-	  kernelParams = [ "luks.options=fido2-device=auto" ];
-	  tmp.useTmpfs = false;
-	  tmp.cleanOnBoot = true;
+    kernelModules = ["kvm-amd" "amdgpu"];
+    kernelParams = ["luks.options=fido2-device=auto"];
+    tmp.useTmpfs = false;
+    tmp.cleanOnBoot = true;
   };
 
   zramSwap.enable = true;
 
   services = {
-      btrfs.autoScrub = {
-          enable = true;
-          interval = "monthly";
-          fileSystems = [
-              "/"
-          ];
-      };
-      udev.extraRules = ''
-          ACTION=="add", SUBSYSTEM=="block", KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_FS_USAGE}=="filesystem", RUN{program}+="${pkgs.systemd}/bin/systemd-mount -o noatime,compress-force=zstd:15,ssd_spread,commit=120 --no-block --automount=yes --collect $devnode /run/media/mmcblk0p1"
-          '';
-  };
+    btrfs.autoScrub = {
+      enable = true;
+      interval = "monthly";
+      fileSystems = [
+        "/"
+      ];
+    };
+    udev.extraRules = ''
+      ACTION=="add", SUBSYSTEM=="block", KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_FS_USAGE}=="filesystem", RUN{program}+="${pkgs.systemd}/bin/systemd-mount -o noatime,compress-force=zstd:15,ssd_spread,commit=120 --no-block --automount=yes --collect $devnode /run/media/mmcblk0p1"
+    '';
 
-  services.btrbk = {
+    btrbk = {
       instances = {
-          hf = {
-              onCalendar = "hourly";
-              settings = {
-                  incremental = "yes";
-                  snapshot_create = "ondemand";
-                  snapshot_dir = "@snapshots";
-                  timestamp_format = "long";
+        hf = {
+          onCalendar = "hourly";
+          settings = {
+            incremental = "yes";
+            snapshot_create = "ondemand";
+            snapshot_dir = "@snapshots";
+            timestamp_format = "long";
 
-                  snapshot_preserve = "2m 2w 5d 5h";
-                  snapshot_preserve_min = "latest";
-                
-                  volume =  {
-                      "/mnt/snapshots/root" = {
-                          snapshot_create = "always";
-                          subvolume = {
-                              "@home" = {};
-                          };
-                      };
-                  };
+            snapshot_preserve = "2m 2w 5d 5h";
+            snapshot_preserve_min = "latest";
+
+            volume = {
+              "/mnt/snapshots/root" = {
+                snapshot_create = "always";
+                subvolume = {
+                  "@home" = {};
+                };
               };
+            };
           };
+        };
+        #              bak = {
+        #                  onCalendar = "daily";
+        #                  settings = {
+        #	              stream_buffer = "256m";
+        #                      stream_compress = "lz4";
+        #                      incremental = "yes";
+        #                      snapshot_create = "no";
+        #                      snapshot_dir = "@snapshots";
+        #                      timestamp_format = "long";
+        #
+        #                      snapshot_preserve_min = "all";
+        #                      target_preserve_min = "no";
+        #                      target_preserve = "2m 4w 3d";
+        #
+        #                      ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
+        #                      ssh_user = "btrbk";
+        #
+        #                      volume =  {
+        #                          "/mnt/snapshots/root" = {
+        #                              subvolume = {
+        #                                  "@home" = {};
+        #                              };
+        #	                      target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@steamdeck";
+        #                          };
+        #                      };
+        #	          };
+        #	      };
       };
+    };
+  };
+  #
+  #  systemd.timers = {
+  #      btrbk-bak = {
+  #          requires = [ "network-online.target" ];
+  #      };
+  #  };
+
+  fileSystems."/" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
   };
 
-  fileSystems."/" =
-    { device = "/dev/mapper/crypted";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/NIXBOOT";
+    fsType = "vfat";
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-label/NIXBOOT";
-      fsType = "vfat";
-    };
+  fileSystems."/home" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
+  };
 
-  fileSystems."/home" =
-    { device = "/dev/mapper/crypted";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
-    };
+  fileSystems."/nix" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
+  };
 
-  fileSystems."/nix" =
-    { device = "/dev/mapper/crypted";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
-    };
+  fileSystems."/srv" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
+  };
 
-  fileSystems."/srv" =
-    { device = "/dev/mapper/crypted";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
-    };
+  fileSystems."/swap" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
+  };
 
-  fileSystems."/swap" =
-    { device = "/dev/mapper/crypted";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
-    };
+  fileSystems."/opt" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async"];
+  };
 
-  fileSystems."/opt" =
-    { device = "/dev/mapper/crypted";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async" ];
-    };
+  fileSystems."/mnt/snapshots/root" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
+  };
 
-  fileSystems."/mnt/snapshots/root" =
-    { device = "/dev/mapper/crypted";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
-    };
+  #  fileSystems."/sdcard" =
+  #    { device = "/dev/disk/by-label/sdcard";
+  #      fsType = "ext4";
+  #      options = [ "nofail,noauto,users,x-systemd.automount" ];
+  #    };
 
-#  fileSystems."/sdcard" =
-#    { device = "/dev/disk/by-label/sdcard";
-#      fsType = "ext4";
-#      options = [ "nofail,noauto,users,x-systemd.automount" ];
-#    };
+  fileSystems."/mnt/Pluto" = {
+    device = "jupiter:/Pluto";
+    fsType = "nfs";
+    options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
+  };
 
-  fileSystems."/mnt/Pluto" =
-    { device = "jupiter:/Pluto";
-      fsType = "nfs";
-      options = [ "nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
-    };
+  fileSystems."/mnt/Mars" = {
+    device = "jupiter:/Mars";
+    fsType = "nfs";
+    options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
+  };
 
-  fileSystems."/mnt/Mars" =
-    { device = "jupiter:/Mars";
-      fsType = "nfs";
-      options = [ "nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
-    };
-
-
-  swapDevices = [ { device = "/swap/swapfile"; } ];
-  
+  swapDevices = [{device = "/swap/swapfile";}];
 
   networking = {
-    useDHCP = false;                        # Deprecated
+    useDHCP = false; # Deprecated
     hostName = "steamdeck";
     wireless.iwd.enable = true;
     networkmanager = {
@@ -158,22 +193,22 @@
         powersave = false;
       };
     };
-#    interfaces = {
-#      wlan0 = {
-#        useDHCP = true;                     # For versatility sake, manually edit IP on nm-applet.
-#        #ipv4.addresses = [ {
-#        #    address = "192.168.0.51";
-#        #    prefixLength = 24;
-#        #} ];
-#      };
-#    };
+    #    interfaces = {
+    #      wlan0 = {
+    #        useDHCP = true;                     # For versatility sake, manually edit IP on nm-applet.
+    #        #ipv4.addresses = [ {
+    #        #    address = "192.168.0.51";
+    #        #    prefixLength = 24;
+    #        #} ];
+    #      };
+    #    };
     #defaultGateway = "192.168.0.1";
     #nameservers = [ "192.168.0.4" ];
     firewall = {
       checkReversePath = "loose";
-    #  enable = false;
-    #  #allowedUDPPorts = [ 53 67 ];
-    #  #allowedTCPPorts = [ 53 80 443 9443 ];
+      enable = true;
+      allowedUDPPorts = [24727];
+      allowedTCPPorts = [24727];
     };
   };
 

hosts/steamdeck/home.nix

@@ -1,55 +1,27 @@
 #
-#  Home-manager configuration for laptop
-#
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ ./laptop
-#   │       └─ home.nix *
-#   └─ ./modules
-#       └─ ./desktop
-#           └─ ./hyprland
-#              └─ hyprland.nix
+#  Home-manager configuration for steamdeck
 #
+{pkgs, ...}: {
+  specialisation = {
+    sway.configuration = {
+      imports = [(import ../../modules/wm/sway/home.nix)];
+    };
+  };
 
-{ pkgs, ... }:
-
-{
   imports =
-    [
-      ../../modules/wm/steam/home.nix # Window Manager
-      ../../modules/wm/kde/home.nix # Window Manager
-      ../../modules/home.nix # Window Manager
-    ];
+    [(import ../../modules/home.nix)]
+    ++ [(import ../../modules/wm/steam/home.nix)];
 
-  home = {                                # Specific packages for laptop
+  home = {
     packages = with pkgs; [
-      # Applications
-      libreoffice                         # Office packages
-      #firefox
+      libreoffice
       chromium
       thunderbird
       streamlink
       streamlink-twitch-gui-bin
-      element-desktop
       pulsemixer
-      #yuzu-early-access
-      
-      # Display
-      light                              # xorg.xbacklight not supported. Other option is just use xrandr.
-
-      # Power Management
-      #auto-cpufreq                       # Power management
-      #tlp                                # Power management
     ];
   };
 
-  programs = {
-    alacritty.settings.font.size = 11;
-  };
-
-  services = {                            # Applets
-  };
-
   xsession.preferStatusNotifierItems = true;
-
 }

hosts/vm/hardware-configuration.nix

@@ -1,36 +1,40 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
 
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
+  boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-label/nixos";
-      fsType = "btrfs";
-      options = [ "compress=zstd,space_cache=v2,ssd,noatime" ];
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "btrfs";
+    options = ["compress=zstd,space_cache=v2,ssd,noatime"];
+  };
 
-#  fileSystems."/home" =
-#    { device = "/dev/disk/by-label/root";
-#      fsType = "btrfs";
-#      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home" ];
-#    };
+  #  fileSystems."/home" =
+  #    { device = "/dev/disk/by-label/root";
+  #      fsType = "btrfs";
+  #      options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home" ];
+  #    };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-label/BOOT";
-      fsType = "vfat";
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/BOOT";
+    fsType = "vfat";
+  };
 
-  swapDevices = [ ];
+  swapDevices = [];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

modules/desktop/default.nix

@@ -0,0 +1,552 @@
+#
+#  Desktop module — import this instead of manual WM/virtualisation imports.
+#
+#  Usage in hosts/<hostname>/default.nix:
+#
+#    imports = [
+#      ./hardware-configuration.nix
+#      ../../modules/desktop
+#    ];
+#
+#    myDesktop.windowManager  = "niri";   # niri (default) | sway | kde
+#    myDesktop.cpu            = "amd";    # amd | intel | none (default)
+#
+#    myDesktop.virtualisation.enable = true;
+#
+#    myDesktop.syncthing.enable  = true;
+#    myDesktop.syncthing.devices = { "jupiter.home.example.de" = { id = "XXXXX-..."; }; };
+#    myDesktop.syncthing.folders = { "Sync" = { path = "/home/user/Sync"; devices = [...]; }; };
+#
+#    myDesktop.openrgb.enable      = true;
+#    myDesktop.openrgb.motherboard = "amd";   # or "intel"
+#
+#    myDesktop.laptop.enable           = true;
+#    myDesktop.laptop.lidSwitch        = "suspend-then-hibernate";
+#    myDesktop.laptop.hibernateDelaySec = "1h";
+#
+#    myDesktop.nitrokey.enable = true;
+#
+#    myDesktop.extraSystemPackages = with pkgs; [ some-tool ];
+#
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  user,
+  ...
+}: let
+  cfg = config.myDesktop;
+in {
+  # Hardware modules that are always useful on desktops (bluetooth, …)
+  imports = import ../hardware;
+
+  # ── Options ──────────────────────────────────────────────────────────────
+
+  options.myDesktop = with lib; {
+    windowManager = mkOption {
+      type = types.enum ["niri" "sway" "kde"];
+      default = "niri";
+      description = "Window manager / desktop environment for this host.";
+    };
+
+    cpu = mkOption {
+      type = types.enum ["amd" "intel" "none"];
+      default = "none";
+      description = "CPU type — selects the matching KVM kernel parameters.";
+    };
+
+    virtualisation.enable =
+      mkEnableOption "virtualisation stack (podman/docker-compat, qemu/libvirt, virt-manager)";
+
+    syncthing = {
+      enable = mkEnableOption "syncthing continuous file synchronisation";
+      devices = mkOption {
+        type = types.attrs;
+        default = {};
+        example =
+          literalExpression
+          ''{ "jupiter.home.example.de" = { id = "XXXXX-XXXXX-XXXXX-..."; }; }'';
+        description = "Syncthing peer devices.";
+      };
+      folders = mkOption {
+        type = types.attrs;
+        default = {};
+        example =
+          literalExpression
+          ''{ "Sync" = { path = "/home/user/Sync"; devices = [ "jupiter" ]; ignorePerms = false; }; }'';
+        description = "Syncthing shared folders.";
+      };
+    };
+
+    openrgb = {
+      enable = mkEnableOption "OpenRGB RGB motherboard control";
+      motherboard = mkOption {
+        type = types.str;
+        default = "amd";
+        description = "Motherboard vendor string passed to OpenRGB (amd or intel).";
+      };
+    };
+
+    laptop = {
+      enable = mkEnableOption "laptop-specific settings (lid-switch, hibernate delay)";
+      lidSwitch = mkOption {
+        type = types.str;
+        default = "suspend-then-hibernate";
+        description = "systemd-logind action on lid close.";
+      };
+      hibernateDelaySec = mkOption {
+        type = types.str;
+        default = "1h";
+        description = "Delay before transitioning from suspend to hibernate.";
+      };
+    };
+
+    nitrokey.enable = mkEnableOption "Nitrokey hardware security key support";
+
+    niri.hotkeyVariant = mkOption {
+      type = types.enum ["default" "lifebook"];
+      default = "default";
+      description = "Niri hotkey variant to deploy — selects binds/<variant>.kdl.";
+    };
+
+    git.signingKey = mkOption {
+      type = types.str;
+      default = "/home/${user}/.ssh/id_ed25519_sk_rk_red";
+      description = "SSH key used for git commit signing on this host.";
+    };
+
+    extraSystemPackages = mkOption {
+      type = types.listOf types.package;
+      default = [];
+      description = "Additional system packages specific to this host.";
+    };
+  };
+
+  # ── Configuration ────────────────────────────────────────────────────────
+
+  config = lib.mkMerge [
+    # ── Base desktop config (replaces configuration_desktop.nix) ───────────
+    {
+      users.users.${user} = {
+        isNormalUser = true;
+        uid = 2000;
+        extraGroups = [
+          "wheel"
+          "video"
+          "audio"
+          "camera"
+          "networkmanager"
+          "lp"
+          "kvm"
+          "libvirtd"
+          "adb"
+          "dialout"
+          "tss"
+        ];
+      };
+
+      security = {
+        pam.services.login.enableGnomeKeyring = true;
+        # swaylock PAM is harmless on non-sway WMs
+        pam.services.swaylock = {};
+        rtkit.enable = true;
+      };
+
+      environment.systemPackages = with pkgs;
+        [
+          file
+          powertop
+          cpufrequtils
+          lm_sensors
+          libva-utils
+          at-spi2-core
+          qmk-udev-rules
+          gptfdisk
+          age-plugin-yubikey
+          pwgen
+          sbctl
+          ausweisapp
+          e2fsprogs
+          orca-slicer
+        ]
+        ++ cfg.extraSystemPackages;
+
+      nixpkgs.config.permittedInsecurePackages = ["mbedtls-2.28.10"];
+
+      services = {
+        pipewire = {
+          enable = true;
+          alsa.enable = true;
+          pulse.enable = true;
+          wireplumber.enable = true;
+        };
+        pcscd.enable = true;
+        yubikey-agent.enable = true;
+        udev.packages = with pkgs; [yubikey-personalization nitrokey-udev-rules];
+        flatpak.enable = true;
+        gvfs.enable = true;
+        fwupd.enable = true;
+        blueman.enable = true;
+        avahi = {
+          enable = true;
+          nssmdns4 = true;
+          publish = {
+            enable = true;
+            addresses = true;
+            userServices = true;
+          };
+        };
+      };
+
+      programs.dconf.enable = true;
+      system.autoUpgrade.enable = false;
+
+      home-manager.users.${user}.programs.git.signing.key =
+        cfg.git.signingKey;
+    }
+
+    # ── Niri ───────────────────────────────────────────────────────────────
+    (lib.mkIf (cfg.windowManager == "niri") {
+      environment = {
+        systemPackages = with pkgs; [
+          alacritty
+          xdg-desktop-portal-gnome
+          xdg-desktop-portal-gtk
+          swaylock
+          swayidle
+          slurp
+          grim
+          lxqt.lxqt-openssh-askpass
+          clinfo
+          glib
+          brightnessctl
+          playerctl
+          xwayland-satellite
+          breeze-hacked-cursor-theme
+          pwvucontrol
+        ];
+        loginShellInit = ''
+          export GTK_IM_MODULE="simple"
+          export ELECTRON_OZONE_PLATFORM_HINT="auto"
+          export NIXOS_OZONE_WL="1"
+          export WLR_RENDERER="vulkan"
+          export _JAVA_AWT_WM_NONREPARENTING="1"
+        '';
+      };
+
+      services = {
+        iio-niri.enable = false;
+        greetd = {
+          enable = true;
+          useTextGreeter = true;
+          settings.default_session.command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd niri-session";
+        };
+        tuned.enable = true;
+        upower.enable = true;
+      };
+
+      programs = {
+        niri.enable = true;
+        ssh.enableAskPassword = true;
+        ssh.askPassword = "${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
+      };
+
+      # Noctalia shell + niri home config via home-manager
+      home-manager.users.${user} = {
+        imports = [
+          inputs.noctalia.homeModules.default
+          ../wm/niri/home.nix
+        ];
+
+        xdg.configFile."niri/binds.kdl".source =
+          ../wm/niri/binds/${cfg.niri.hotkeyVariant}.kdl;
+
+        services = {
+          mako.enable = true;
+          polkit-gnome.enable = true;
+        };
+
+        programs = {
+          fuzzel.enable = true;
+
+          noctalia-shell = {
+            enable = true;
+            settings = {
+              appLauncher.terminalCommand = "alacritty -e";
+
+              bar = {
+                density = "compact";
+                position = "top";
+                showCapsule = false;
+                widgets = {
+                  left = [
+                    {
+                      id = "ControlCenter";
+                      useDistroLogo = true;
+                    }
+                    {
+                      hideUnoccupied = false;
+                      id = "Workspace";
+                      labelMode = "index";
+                      showApplications = true;
+                    }
+                    {id = "ActiveWindow";}
+                  ];
+                  center = [
+                    {
+                      formatHorizontal = "HH:mm\\ndd-MM-yy";
+                      formatVertical = "HH mm";
+                      id = "Clock";
+                      useMonospacedFont = true;
+                      usePrimaryColor = true;
+                    }
+                  ];
+                  right = [
+                    {id = "MediaMini";}
+                    {
+                      id = "SystemMonitor";
+                      showNetworkStats = true;
+                      compactMode = false;
+                    }
+                    {id = "WiFi";}
+                    {id = "Bluetooth";}
+                    {
+                      id = "Battery";
+                      displayMode = "icon-always";
+                      hideIfNotDetected = true;
+                    }
+                    {
+                      id = "Volume";
+                      displayMode = "alwaysShow";
+                    }
+                    {
+                      id = "NotificationHistory";
+                      hideWhenZero = true;
+                    }
+                    {id = "Tray";}
+                  ];
+                };
+              };
+
+              colorSchemes.predefinedScheme = "Catppuccin";
+
+              general = {
+                avatarImage = "/home/${user}/.face";
+                radiusRatio = 0.2;
+                lockOnSusepnd = true;
+              };
+
+              location = {
+                monthBeforeDay = true;
+                name = "Munich, Germany";
+                showWeekNumberInCalendar = true;
+                firstDayOfWeek = 0;
+              };
+
+              wallpaper = {
+                enabled = true;
+                overviewEnabled = false;
+                directory = "/home/${user}/.setup/modules/themes/";
+              };
+
+              brightness = {
+                enforceMinimum = true;
+                brightnessStep = 5;
+              };
+
+              controlCenter.shortcuts.left = [
+                {id = "WiFi";}
+                {id = "Bluetooth";}
+                {id = "ScreenRecorder";}
+                {id = "PowerProfile";}
+                {id = "KeepAwake";}
+              ];
+
+              dock.enabled = false;
+              sessionMenu.enableCountdown = false;
+
+              templates = {
+                fuzzel = true;
+                alacritty = true;
+                qt = true;
+                gtk = true;
+                discord = true;
+                code = true;
+                telegram = true;
+                niri = true;
+                firefox = true;
+              };
+            };
+          };
+        };
+
+        home.file.".cache/noctalia/wallpapers.json".text = builtins.toJSON {
+          defaultWallpaper = "/home/${user}/.setup/modules/themes/wall.jpg";
+        };
+      };
+    })
+
+    # ── Sway ───────────────────────────────────────────────────────────────
+    (lib.mkIf (cfg.windowManager == "sway") {
+      environment = {
+        loginShellInit = ''
+          if [ -z $DISPLAY ] && [ $UID != 0 ] && [ "$(tty)" = "/dev/tty1" ]; then
+            exec sway
+          fi
+        '';
+        systemPackages = with pkgs; [
+          xdg-desktop-portal-wlr
+          sway
+          swaylock
+          swayidle
+          slurp
+          grim
+          bemenu
+          lxqt.lxqt-openssh-askpass
+          clinfo
+          waybar
+          glib
+        ];
+      };
+
+      programs = {
+        sway = {
+          enable = true;
+          extraSessionCommands = ''
+            export MOZ_ENABLE_WAYLAND="1"
+            export MOZ_WEBRENDER="1"
+            export WLR_RENDERER="vulkan"
+            export XDG_SESSION_TYPE="wayland"
+            export GTK_THEME="Arc"
+            export _JAVA_AWT_WM_NONREPARENTING="1"
+          '';
+        };
+        ssh.enableAskPassword = true;
+        ssh.askPassword = "${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
+      };
+
+      xdg.portal = {
+        enable = true;
+        wlr.enable = true;
+        extraPortals = [pkgs.xdg-desktop-portal-gtk];
+      };
+
+      home-manager.users.${user}.imports = [
+        ../wm/sway/home.nix
+        ../wm/waybar.nix # sway uses waybar for the bar
+      ];
+    })
+
+    # ── KDE Plasma ─────────────────────────────────────────────────────────
+    (lib.mkIf (cfg.windowManager == "kde") {
+      environment.systemPackages = with pkgs; [
+        kdePackages.discover
+        maliit-keyboard
+        maliit-framework
+        kdePackages.ksshaskpass
+      ];
+
+      programs.ssh = {
+        enableAskPassword = true;
+        askPassword = lib.mkDefault "${pkgs.kdePackages.ksshaskpass}/bin/ksshaskpass";
+      };
+
+      services = {
+        packagekit.enable = true;
+        desktopManager.plasma6.enable = true;
+        udev.packages = with pkgs; [gnome-settings-daemon];
+      };
+
+      qt.platformTheme = "kde";
+
+      home-manager.users.${user}.imports = [../wm/kde/home.nix];
+    })
+
+    # ── Virtualisation (podman/docker-compat + qemu/libvirt) ───────────────
+    (lib.mkIf cfg.virtualisation.enable {
+      users.groups = {
+        docker.members = [user];
+        libvirtd.members = ["root" user];
+      };
+
+      virtualisation = {
+        podman = {
+          enable = true;
+          autoPrune.enable = true;
+          dockerCompat = true;
+        };
+        libvirtd = {
+          enable = true;
+          onShutdown = "shutdown";
+          qemu.runAsRoot = false;
+        };
+        spiceUSBRedirection.enable = true;
+      };
+
+      environment.systemPackages = with pkgs; [
+        virt-manager
+        virt-viewer
+        qemu
+        OVMF
+        OVMF-cloud-hypervisor
+        gvfs
+        cloud-hypervisor
+      ];
+    })
+
+    # ── KVM – AMD ──────────────────────────────────────────────────────────
+    (lib.mkIf (cfg.virtualisation.enable && cfg.cpu == "amd") {
+      boot.extraModprobeConfig = ''
+        options kvm_amd nested=0 avic=1 npt=1
+      '';
+    })
+
+    # ── KVM – Intel ────────────────────────────────────────────────────────
+    (lib.mkIf (cfg.virtualisation.enable && cfg.cpu == "intel") {
+      boot.extraModprobeConfig = ''
+        options kvm_intel nested=1
+        options kvm_intel emulate_invalid_guest_state=0
+        options kvm ignore_nsrs=1
+      '';
+    })
+
+    # ── Syncthing ──────────────────────────────────────────────────────────
+    (lib.mkIf cfg.syncthing.enable {
+      services.syncthing = {
+        enable = true;
+        group = "users";
+        user = user;
+        dataDir = "/home/${user}/Sync";
+        configDir = "/home/${user}/.config/syncthing";
+        overrideDevices = true;
+        overrideFolders = true;
+        openDefaultPorts = true;
+        settings = {
+          devices = cfg.syncthing.devices;
+          folders = cfg.syncthing.folders;
+        };
+      };
+    })
+
+    # ── OpenRGB ────────────────────────────────────────────────────────────
+    (lib.mkIf cfg.openrgb.enable {
+      services.hardware.openrgb = {
+        enable = true;
+        motherboard = cfg.openrgb.motherboard;
+      };
+    })
+
+    # ── Laptop ─────────────────────────────────────────────────────────────
+    (lib.mkIf cfg.laptop.enable {
+      systemd.sleep.extraConfig = "HibernateDelaySec=${cfg.laptop.hibernateDelaySec}";
+      services.logind.settings.Login.HandleLidSwitch =
+        cfg.laptop.lidSwitch;
+    })
+
+    # ── Nitrokey ───────────────────────────────────────────────────────────
+    (lib.mkIf cfg.nitrokey.enable {
+      hardware.nitrokey.enable = true;
+    })
+  ];
+}

modules/editors/default.nix

@@ -9,7 +9,6 @@
 #           └─ default.nix *
 #               └─ ...
 #
-
 [
   ./nvim
 ]

modules/editors/nvim/config/default.nix

@@ -1,16 +1,15 @@
-{ nvim, ... }:
-{
+{nvim, ...}: {
   # Import all your configuration modules here
   programs.nixvim = {
-      enable = true;
-      colorschemes.gruvbox.enable = true;
+    enable = true;
+    colorschemes.gruvbox.enable = true;
 
-      imports = [
-        ./bufferline.nix
-        ./plugins.nix
-        ./options.nix
-        ./keymaps.nix
-        ./highlight.nix
-      ];
+    imports = [
+      ./bufferline.nix
+      ./plugins.nix
+      ./options.nix
+      ./keymaps.nix
+      ./highlight.nix
+    ];
   };
 }

modules/editors/nvim/config/options.nix

@@ -1,14 +1,14 @@
 {
-    config = {
-        globals.mapleader = " ";
-        viAlias = true;
-        vimAlias = true;
+  config = {
+    globals.mapleader = " ";
+    viAlias = true;
+    vimAlias = true;
 
-        opts = {
-            number = true;         # Show line numbers
-            relativenumber = true; # Show relative line numbers
+    opts = {
+      number = true; # Show line numbers
+      relativenumber = true; # Show relative line numbers
 
-            shiftwidth = 2;        # Tab width should be 2
-        };
+      shiftwidth = 2; # Tab width should be 2
     };
+  };
 }

modules/editors/nvim/config/plugins.nix

@@ -1,51 +1,51 @@
 {
-    plugins = {
-        lualine.enable = true;
+  plugins = {
+    lualine.enable = true;
 
-        cmp = {
-            enable = true;
-            autoEnableSources = true;
-            settings = {
-                sources = [
-                  {name = "nvim_lsp";}
-                  {name = "path";}
-                  {name = "buffer";}
-                  {name = "luasnip";}
-                ];
+    cmp = {
+      enable = true;
+      autoEnableSources = true;
+      settings = {
+        sources = [
+          {name = "nvim_lsp";}
+          {name = "path";}
+          {name = "buffer";}
+          {name = "luasnip";}
+        ];
 
-                mapping = {
-                    "<C-d>" = "cmp.mapping.scroll_docs(-4)";
-                    "<C-f>" = "cmp.mapping.scroll_docs(4)";
-                    "<C-Space>" = "cmp.mapping.complete()";
-                    "<C-e>" = "cmp.mapping.close()";
-                    "<CR>" = "cmp.mapping.confirm({ select = true })";
-                    "<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
-                    "<S-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})";
-                };
-            };
+        mapping = {
+          "<C-d>" = "cmp.mapping.scroll_docs(-4)";
+          "<C-f>" = "cmp.mapping.scroll_docs(4)";
+          "<C-Space>" = "cmp.mapping.complete()";
+          "<C-e>" = "cmp.mapping.close()";
+          "<CR>" = "cmp.mapping.confirm({ select = true })";
+          "<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
+          "<S-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})";
         };
-
-        lsp = {
-            enable = true;
-
-            servers = {
-                tsserver.enable = true;
-
-                lua-ls = {
-                    enable = true;
-                    settings.telemetry.enable = false;
-                };
-#                rust-analyzer = {
-#                    enable = true;
-#                    installCargo = true;
-#                };
-            };
-        };
-
-        telescope.enable = true;
-
-        treesitter.enable = true;
-
-        luasnip.enable = true;
+      };
     };
+
+    lsp = {
+      enable = true;
+
+      servers = {
+        tsserver.enable = true;
+
+        lua-ls = {
+          enable = true;
+          settings.telemetry.enable = false;
+        };
+        #                rust-analyzer = {
+        #                    enable = true;
+        #                    installCargo = true;
+        #                };
+      };
+    };
+
+    telescope.enable = true;
+
+    treesitter.enable = true;
+
+    luasnip.enable = true;
+  };
 }

modules/editors/nvim/default.nix

@@ -1,13 +1,9 @@
 #
 # Neovim
 #
-
-{ pkgs, ... }:
-
-{
-
+{pkgs, ...}: {
   home = {
-      packages = [ pkgs.gnvim ];
+    packages = [pkgs.gnvim];
   };
 
   programs = {
@@ -17,146 +13,147 @@
       vimAlias = true;
       vimdiffAlias = true;
       withNodeJs = true;
+      withRuby = true;
+      withPython3 = true;
 
-#      plugins = with pkgs.vimPlugins; [
-#
-#        # Syntax
-#        #vim-nix
-#        #vim-markdown
-#
-#        # Quality of life
-#        vim-lastplace         # Opens document where you left it
-#        auto-pairs            # Print double quotes/brackets/etc.
-#        vim-gitgutter         # See uncommitted changes of file :GitGutterEnable
-#
-#        # File Tree
-#        nerdtree              # File Manager - set in extraConfig to F6
-#	
-#        # Customization 
-#        wombat256-vim         # Color scheme for lightline
-#        srcery-vim            # Color scheme for text
-#
-#        lightline-vim         # Info bar at bottom
-#        indent-blankline-nvim # Indentation lines
-#
-#        # Syntax
-#        nvim-treesitter.withAllGrammars
-#        # finder
-#        telescope-nvim
-#        # completion
-#        nvim-cmp
-#        # status line
-#        lualine-nvim
-#        # indent
-#        indent-blankline-nvim
-#      ];
+      #      plugins = with pkgs.vimPlugins; [
+      #
+      #        # Syntax
+      #        #vim-nix
+      #        #vim-markdown
+      #
+      #        # Quality of life
+      #        vim-lastplace         # Opens document where you left it
+      #        auto-pairs            # Print double quotes/brackets/etc.
+      #        vim-gitgutter         # See uncommitted changes of file :GitGutterEnable
+      #
+      #        # File Tree
+      #        nerdtree              # File Manager - set in extraConfig to F6
+      #
+      #        # Customization
+      #        wombat256-vim         # Color scheme for lightline
+      #        srcery-vim            # Color scheme for text
+      #
+      #        lightline-vim         # Info bar at bottom
+      #        indent-blankline-nvim # Indentation lines
+      #
+      #        # Syntax
+      #        nvim-treesitter.withAllGrammars
+      #        # finder
+      #        telescope-nvim
+      #        # completion
+      #        nvim-cmp
+      #        # status line
+      #        lualine-nvim
+      #        # indent
+      #        indent-blankline-nvim
+      #      ];
 
-      extraPackages = with pkgs; [
-        ripgrep
-        fd
-        nodejs
-        nodePackages.npm
-      ];
+      #      extraPackages = with pkgs; [
+      #        ripgrep
+      #        fd
+      #        nodejs
+      #        nodePackages.npm
+      #      ];
 
-#      extraConfig = ''
-#        set expandtab
-#        set shiftwidth=4
-#        set tabstop=4
-#      '';
+      #      extraConfig = ''
+      #        set expandtab
+      #        set shiftwidth=4
+      #        set tabstop=4
+      #      '';
 
-#      extraLuaConfig = ''
-#          vim.g.mapleader = ' '
-#          vim.g.maplocalleader = ' '
-#
-#          -- Set highlight on search
-#          vim.o.hlsearch = false
-#          
-#          -- Make line numbers default
-#          vim.wo.number = true
-#          
-#          -- Enable mouse mode
-#          vim.o.mouse = 'a'
-#          
-#          -- Sync clipboard between OS and Neovim.
-#          --  Remove this option if you want your OS clipboard to remain independent.
-#          --  See `:help 'clipboard'`
-#          vim.o.clipboard = 'unnamedplus'
-#          
-#          -- Enable break indent
-#          vim.o.breakindent = true
-#          
-#          -- Save undo history
-#          vim.o.undofile = true
-#          
-#          -- Case insensitive searching UNLESS /C or capital in search
-#          vim.o.ignorecase = true
-#          vim.o.smartcase = true
-#          
-#          -- Keep signcolumn on by default
-#          vim.wo.signcolumn = 'yes'
-#          
-#          -- Decrease update time
-#          vim.o.updatetime = 250
-#          vim.o.timeout = true
-#          vim.o.timeoutlen = 300
-#          
-#          -- Set completeopt to have a better completion experience
-#          vim.o.completeopt = 'menuone,noselect'
-#          
-#          -- NOTE: You should make sure your terminal supports this
-#          vim.o.termguicolors = true
-#
-#          -- [[ Highlight on yank ]]
-#          -- See `:help vim.highlight.on_yank()`
-#          local highlight_group = vim.api.nvim_create_augroup('YankHighlight', { clear = true })
-#          vim.api.nvim_create_autocmd('TextYankPost', {
-#            callback = function()
-#              vim.highlight.on_yank()
-#            end,
-#            group = highlight_group,
-#            pattern = '*',
-#          })
-#          
-#          -- [[ Configure Telescope ]]
-#          -- See `:help telescope` and `:help telescope.setup()`
-#          require('telescope').setup {
-#            defaults = {
-#              mappings = {
-#                i = {
-#                  ['<C-u>'] = false,
-#                  ['<C-d>'] = false,
-#                },
-#              },
-#            },
-#          }
-#          
-#          -- Enable telescope fzf native, if installed
-#          pcall(require('telescope').load_extension, 'fzf')
-#          
-#          -- See `:help telescope.builtin`
-#          vim.keymap.set('n', '<leader>?', require('telescope.builtin').oldfiles, { desc = '[?] Find recently opened files' })
-#          vim.keymap.set('n', '<leader><space>', require('telescope.builtin').buffers, { desc = '[ ] Find existing buffers' })
-#          vim.keymap.set('n', '<leader>/', function()
-#            -- You can pass additional configuration to telescope to change theme, layout, etc.
-#            require('telescope.builtin').current_buffer_fuzzy_find(require('telescope.themes').get_dropdown {
-#              winblend = 10,
-#              previewer = false,
-#            })
-#          end, { desc = '[/] Fuzzily search in current buffer' })
-#          
-#          vim.keymap.set('n', '<leader>gf', require('telescope.builtin').git_files, { desc = 'Search [G]it [F]iles' })
-#          vim.keymap.set('n', '<leader>sf', require('telescope.builtin').find_files, { desc = '[S]earch [F]iles' })
-#          vim.keymap.set('n', '<leader>sh', require('telescope.builtin').help_tags, { desc = '[S]earch [H]elp' })
-#          vim.keymap.set('n', '<leader>sw', require('telescope.builtin').grep_string, { desc = '[S]earch current [W]ord' })
-#          vim.keymap.set('n', '<leader>sg', require('telescope.builtin').live_grep, { desc = '[S]earch by [G]rep' })
-#          vim.keymap.set('n', '<leader>sd', require('telescope.builtin').diagnostics, { desc = '[S]earch [D]iagnostics' })
-#          require("indent_blankline").setup {
-#              -- for example, context is off by default, use this to turn it on
-#              show_current_context = true,
-#              show_current_context_start = true,
-#          }
-#      '';
+      #      extraLuaConfig = ''
+      #          vim.g.mapleader = ' '
+      #          vim.g.maplocalleader = ' '
+      #
+      #          -- Set highlight on search
+      #          vim.o.hlsearch = false
+      #
+      #          -- Make line numbers default
+      #          vim.wo.number = true
+      #
+      #          -- Enable mouse mode
+      #          vim.o.mouse = 'a'
+      #
+      #          -- Sync clipboard between OS and Neovim.
+      #          --  Remove this option if you want your OS clipboard to remain independent.
+      #          --  See `:help 'clipboard'`
+      #          vim.o.clipboard = 'unnamedplus'
+      #
+      #          -- Enable break indent
+      #          vim.o.breakindent = true
+      #
+      #          -- Save undo history
+      #          vim.o.undofile = true
+      #
+      #          -- Case insensitive searching UNLESS /C or capital in search
+      #          vim.o.ignorecase = true
+      #          vim.o.smartcase = true
+      #
+      #          -- Keep signcolumn on by default
+      #          vim.wo.signcolumn = 'yes'
+      #
+      #          -- Decrease update time
+      #          vim.o.updatetime = 250
+      #          vim.o.timeout = true
+      #          vim.o.timeoutlen = 300
+      #
+      #          -- Set completeopt to have a better completion experience
+      #          vim.o.completeopt = 'menuone,noselect'
+      #
+      #          -- NOTE: You should make sure your terminal supports this
+      #          vim.o.termguicolors = true
+      #
+      #          -- [[ Highlight on yank ]]
+      #          -- See `:help vim.highlight.on_yank()`
+      #          local highlight_group = vim.api.nvim_create_augroup('YankHighlight', { clear = true })
+      #          vim.api.nvim_create_autocmd('TextYankPost', {
+      #            callback = function()
+      #              vim.highlight.on_yank()
+      #            end,
+      #            group = highlight_group,
+      #            pattern = '*',
+      #          })
+      #
+      #          -- [[ Configure Telescope ]]
+      #          -- See `:help telescope` and `:help telescope.setup()`
+      #          require('telescope').setup {
+      #            defaults = {
+      #              mappings = {
+      #                i = {
+      #                  ['<C-u>'] = false,
+      #                  ['<C-d>'] = false,
+      #                },
+      #              },
+      #            },
+      #          }
+      #
+      #          -- Enable telescope fzf native, if installed
+      #          pcall(require('telescope').load_extension, 'fzf')
+      #
+      #          -- See `:help telescope.builtin`
+      #          vim.keymap.set('n', '<leader>?', require('telescope.builtin').oldfiles, { desc = '[?] Find recently opened files' })
+      #          vim.keymap.set('n', '<leader><space>', require('telescope.builtin').buffers, { desc = '[ ] Find existing buffers' })
+      #          vim.keymap.set('n', '<leader>/', function()
+      #            -- You can pass additional configuration to telescope to change theme, layout, etc.
+      #            require('telescope.builtin').current_buffer_fuzzy_find(require('telescope.themes').get_dropdown {
+      #              winblend = 10,
+      #              previewer = false,
+      #            })
+      #          end, { desc = '[/] Fuzzily search in current buffer' })
+      #
+      #          vim.keymap.set('n', '<leader>gf', require('telescope.builtin').git_files, { desc = 'Search [G]it [F]iles' })
+      #          vim.keymap.set('n', '<leader>sf', require('telescope.builtin').find_files, { desc = '[S]earch [F]iles' })
+      #          vim.keymap.set('n', '<leader>sh', require('telescope.builtin').help_tags, { desc = '[S]earch [H]elp' })
+      #          vim.keymap.set('n', '<leader>sw', require('telescope.builtin').grep_string, { desc = '[S]earch current [W]ord' })
+      #          vim.keymap.set('n', '<leader>sg', require('telescope.builtin').live_grep, { desc = '[S]earch by [G]rep' })
+      #          vim.keymap.set('n', '<leader>sd', require('telescope.builtin').diagnostics, { desc = '[S]earch [D]iagnostics' })
+      #          require("indent_blankline").setup {
+      #              -- for example, context is off by default, use this to turn it on
+      #              show_current_context = true,
+      #              show_current_context_start = true,
+      #          }
+      #      '';
     };
   };
 }
-

modules/hardware/autoaspm.py

@@ -0,0 +1,114 @@
+#!/usr/bin/env python3
+
+# Original bash script by Luis R. Rodriguez
+# Re-written in Python by z8
+# Re-re-written to patch supported devices automatically by notthebee
+
+import re
+import subprocess
+import os
+import platform
+from enum import Enum
+
+class ASPM(Enum):
+    DISABLED = 0b00
+    L0s = 0b01
+    L1 = 0b10
+    L0sL1 = 0b11
+
+
+def run_prerequisites():
+    if platform.system() != "Linux":
+        raise OSError("This script only runs on Linux-based systems")
+    if not os.environ.get("SUDO_UID") and os.geteuid() != 0:
+        raise PermissionError("This script needs root privileges to run")
+    lspci_detected = subprocess.run(["which", "lspci"], stdout = subprocess.DEVNULL, stderr = subprocess.DEVNULL)
+    if lspci_detected.returncode > 0:
+        raise Exception("lspci not detected. Please install pciutils")
+    lspci_detected = subprocess.run(["which", "setpci"], stdout = subprocess.DEVNULL, stderr = subprocess.DEVNULL)
+    if lspci_detected.returncode > 0:
+        raise Exception("setpci not detected. Please install pciutils")
+
+
+def get_device_name(addr):
+    p = subprocess.Popen([
+        "lspci",
+        "-s",
+        addr,
+    ], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    return p.communicate()[0].splitlines()[0].decode()
+
+def read_all_bytes(device):
+    all_bytes = bytearray()
+    device_name = get_device_name(device)
+    p = subprocess.Popen([
+        "lspci",
+        "-s",
+        device,
+        "-xxx"
+    ], stdout= subprocess.PIPE, stderr=subprocess.PIPE)
+    ret = p.communicate()
+    ret = ret[0].decode()
+    for line in ret.splitlines():
+        if not device_name in line and ": " in line:
+            all_bytes.extend(bytearray.fromhex(line.split(": ")[1]))
+    if len(all_bytes) < 256:
+        exit()
+    return all_bytes
+
+def find_byte_to_patch(bytes, pos):
+    pos = bytes[pos]
+    if bytes[pos] != 0x10:
+        pos += 0x1
+        return find_byte_to_patch(bytes, pos)
+    else:
+        pos += 0x10
+        return pos
+
+def patch_byte(device, position, value):
+    subprocess.Popen([
+        "setpci",
+        "-s",
+        device,
+        f"{hex(position)}.B={hex(value)}"
+    ]).communicate()
+
+def patch_device(addr, aspm_value):
+    endpoint_bytes = read_all_bytes(addr)
+    byte_position_to_patch = find_byte_to_patch(endpoint_bytes, 0x34)
+    if int(endpoint_bytes[byte_position_to_patch]) & 0b11 != aspm_value.value:
+        patched_byte = int(endpoint_bytes[byte_position_to_patch])
+        patched_byte = patched_byte >> 2
+        patched_byte = patched_byte << 2
+        patched_byte = patched_byte | aspm_value.value
+
+        patch_byte(addr, byte_position_to_patch, patched_byte)
+        print(f"{addr}: Enabled ASPM {aspm_value.name}")
+    else:
+        print(f"{addr}: Already has ASPM {aspm_value.name} enabled")
+
+
+def list_supported_devices():
+    pcie_addr_regex = r"([0-9a-f]{2}:[0-9a-f]{2}.[0-9a-f])"
+    lspci = subprocess.run("lspci -vv", shell=True, capture_output=True).stdout
+    lspci_arr = re.split(pcie_addr_regex, str(lspci))[1:]
+    lspci_arr = [ x+y for x,y in zip(lspci_arr[0::2], lspci_arr[1::2]) ]
+
+    aspm_devices = {}
+    for dev in lspci_arr:
+        device_addr = re.findall(pcie_addr_regex, dev)[0]
+        if "ASPM" not in dev or "ASPM not supported" in dev:
+            continue
+        aspm_support = re.findall(r"ASPM (L[L0-1s ]*),", dev)
+        if aspm_support:
+            aspm_devices.update({device_addr: ASPM[aspm_support[0].replace(" ", "")]})
+    return aspm_devices
+
+
+def main():
+    run_prerequisites()
+    for device, aspm_mode in list_supported_devices().items():
+        patch_device(device, aspm_mode)
+
+if __name__ == "__main__":
+    main()

modules/hardware/backup.nix

@@ -1,15 +1,19 @@
-
-
-{ config, lib, pkgs, ... }:
-
 {
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
   services.btrbk = {
     sshAccess = [
       {
         key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDU2NJ9xwYnp6/frIOv96ih8psiFcC2eOQeT+ZEMW5rq";
-        roles = [ "source" "info" "send" ];
+        roles = ["source" "info" "send"];
+      }
+      {
+        key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIma7jNVQZM+lFMOKUex0+cyDpeUA3Wo4SEJ7P9YnHPG";
+        roles = ["target" "info" "receive" "delete"];
       }
     ];
-    extraPackages = [ pkgs.lz4 ];
   };
 }

modules/hardware/bluetooth.nix

@@ -1,17 +1,17 @@
 #
 # Bluetooth
 #
-
-{ pkgs, ... }:
-
-{
+{pkgs, ...}: {
   hardware.bluetooth = {
     enable = true;
-    hsphfpd.enable = false;         # HSP & HFP daemon
+    hsphfpd.enable = false; # HSP & HFP daemon
     settings = {
       General = {
         Enable = "Source,Sink,Media,Socket";
       };
     };
   };
+  environment.systemPackages = with pkgs; [
+    zmkBATx
+  ];
 }

modules/hardware/hydraCache.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  nix = {
+    settings = {
+      extra-trusted-public-keys = [
+        "hades-builder:AFdPgi6Qq/yKqc2V2imgzMikEkVEFCrDaHyAmOJ3MII="
+        "steamdeck.cachix.org-1:BVoP4TEu3ECgotaO+3J3r9SSn62GkUDBwizOFU/q4Bc="
+      ];
+      extra-substituters = [
+        "https://cache.home.opel-online.de"
+        "https://steamdeck.cachix.org"
+        "https://cache.ci.kabtop.de"
+      ];
+    };
+  };
+}

modules/hardware/remoteBuilder.nix

@@ -1,17 +1,21 @@
-{ pkgs, config, ... }:
-
 {
-  users.users.nixremote = {                   # System User
-    isNormalUser = true;
-    extraGroups = [ "kvm" ];
-    shell = pkgs.zsh;                       # Default shell
+  pkgs,
+  config,
+  ...
+}: {
+  users.users.nixremote = {
+    # System User
+    isSystemUser = true;
+    group = "nixremote";
+    extraGroups = ["kvm"];
     uid = 1001;
-#    initialPassword = "password95";
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILczsj4W1kFQaalFwaY+RJ4LEzNeFKD+itXB40Q2O59M nixremote@hades"
     ];
   };
 
+  users.groups.nixremote = {};
+
   nix.settings.trusted-users = [
     "nixremote"
   ];

modules/hardware/remoteClient.nix

@@ -1,20 +1,24 @@
-
-{ config, lib, pkgs, ... }:
-
 {
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
   nix = {
     distributedBuilds = false;
-    buildMachines = [ {
-      hostName = "hades";
-      system = "x86_64-linux";
-      supportedFeatures = [ "kvm" "big-parallel" ];
-      sshUser = "nixremote";
-      sshKey = config.age.secrets."keys/nixremote".path;
-      maxJobs = 1;
-      speedFactor = 4;
-      publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUVnbld5UVVVYSt2Y0hBS3g2ZWRiVGdxVzhwaCtNQ2lTNmZVd1lqWWNTK28gcm9vdEBoYWRlcwo=%";
-      protocol = "ssh-ng";
-    } ];
+    buildMachines = [
+      {
+        hostName = "hades";
+        system = "x86_64-linux";
+        supportedFeatures = ["kvm" "big-parallel"];
+        sshUser = "nixremote";
+        sshKey = config.age.secrets."keys/nixremote".path;
+        maxJobs = 1;
+        speedFactor = 4;
+        publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUVnbld5UVVVYSt2Y0hBS3g2ZWRiVGdxVzhwaCtNQ2lTNmZVd1lqWWNTK28gcm9vdEBoYWRlcwo=%";
+        protocol = "ssh-ng";
+      }
+    ];
     settings = {
       extra-trusted-public-keys = [
         "hades-builder:AFdPgi6Qq/yKqc2V2imgzMikEkVEFCrDaHyAmOJ3MII="
@@ -24,7 +28,7 @@
       ];
     };
   };
-  
+
   age.secrets."keys/nixremote" = {
     file = ../../secrets/keys/nixremote.age;
     owner = "root";

modules/home.nix

@@ -1,31 +1,75 @@
-{ lib, options, ... }:
-
 {
+  lib,
+  options,
+  ...
+}: {
   options = with lib; {
     cmds = {
-      shell = mkOption { type = types.str; default = "zsh"; };
-      fetch = mkOption { type = types.str; default = "hyfetch"; };
-      editor = mkOption { type = types.str; default = "nvim"; };
+      shell = mkOption {
+        type = types.str;
+        default = "zsh";
+      };
+      fetch = mkOption {
+        type = types.str;
+        default = "hyfetch";
+      };
+      editor = mkOption {
+        type = types.str;
+        default = "nvim";
+      };
 
-      wm = mkOption { type = types.str; default = "sway"; };
+      wm = mkOption {
+        type = types.str;
+        default = "sway";
+      };
 
-      terminal = mkOption { type = types.str; default = "alacritty"; };
-      menu = mkOption { type = types.str; default = "rofi -show drun -show-icons"; };
+      terminal = mkOption {
+        type = types.str;
+        default = "alacritty";
+      };
+      menu = mkOption {
+        type = types.str;
+        default = "rofi -show drun -show-icons";
+      };
 
-      lock = mkOption { type = types.str; default = "locksway"; };
+      lock = mkOption {
+        type = types.str;
+        default = "locksway";
+      };
       notifications = {
-        volume = mkOption { type = types.str; default = "volume-notify"; };
-        brightness = mkOption { type = types.str; default = "brightness-notify"; };
+        volume = mkOption {
+          type = types.str;
+          default = "volume-notify";
+        };
+        brightness = mkOption {
+          type = types.str;
+          default = "brightness-notify";
+        };
       };
     };
 
-    is-wayland = mkOption { type = types.bool; default = true; };
-    
+    is-wayland = mkOption {
+      type = types.bool;
+      default = true;
+    };
+
     theme = {
-      theme = mkOption { type = types.str; default = "catppuccin-mocha"; };
-      icon-theme = mkOption { type = types.str; default = "Papirus-Dark"; };
-      font = mkOption { type = types.str; default = "Cascadia Code 11"; };
-      wallpaper = mkOption { type = types.str; default = ""; };
+      theme = mkOption {
+        type = types.str;
+        default = "catppuccin-mocha";
+      };
+      icon-theme = mkOption {
+        type = types.str;
+        default = "Papirus-Dark";
+      };
+      font = mkOption {
+        type = types.str;
+        default = "Cascadia Code 11";
+      };
+      wallpaper = mkOption {
+        type = types.str;
+        default = "";
+      };
     };
   };
 }

modules/kabbone/corosync-qdevice.nix

@@ -0,0 +1,72 @@
+{
+  lib,
+  config,
+  pkgs,
+  pkgs-kabbone,
+  ...
+}: let
+  cfg = config.services.corosync-qnetd;
+  dataDir = "/var/run/corosync-qnetd";
+in {
+  # interface
+  options.services.corosync-qnetd = {
+    enable = lib.mkEnableOption "corosync-qnetd";
+    package = lib.mkPackageOption pkgs-kabbone "corosync-qdevice" {};
+
+    extraOptions = lib.mkOption {
+      type = with lib.types; listOf str;
+      default = [];
+      description = "Additional options with which to start corosync-qnetd.";
+    };
+  };
+
+  # implementation
+
+  # implementation
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [cfg.package];
+
+    users.users.coroqnetd = {
+      isSystemUser = true;
+      group = "coroqnetd";
+      home = dataDir;
+      description = "Corosync-qnetd Service User";
+    };
+
+    users.groups.coroqnetd = {};
+
+    # environment.etc."corosync/corosync-qnetd.conf".text = ''
+    #   totem {
+    #     version: 2
+    #     secauth: on
+    #     cluster_name: ${cfg.clusterName}
+    #     transport: knet
+    #   }
+
+    #   logging {
+    #     to_syslog: yes
+    #   }
+    # '';
+
+    systemd.packages = [cfg.package];
+    systemd.services.corosync-qnetd = {
+      serviceConfig = {
+        User = "coroqnetd";
+        StateDirectory = "corosync-qnetd";
+        StateDirectoryMode = "0700";
+      };
+    };
+
+    environment.etc."sysconfig/corosync-qnetd".text = lib.optionalString (cfg.extraOptions != []) ''
+      COROSYNC-QNETD_OPTIONS="${lib.escapeShellArgs cfg.extraOptions}"
+    '';
+  };
+
+  meta = {
+    #buildDocsInSandbox = false;
+    #doc = ./mautrix-whatsapp.md;
+    maintainers = with lib.maintainers; [
+      kabbone
+    ];
+  };
+}

modules/kabbone/mautrix-whatsapp.md

@@ -0,0 +1,32 @@
+# Mautrix-Whatsapp {#module-services-mautrix-whatsapp}
+
+[Mautrix-Whatsapp](https://github.com/mautrix/whatsapp) is a Matrix-Whatsapp puppeting bridge.
+
+## Configuration {#module-services-mautrix-whatsapp-configuration}
+
+1. Set [](#opt-services.mautrix-whatsapp.enable) to `true`. The service will use
+   SQLite by default.
+2. To create your configuration check the default configuration for
+   [](#opt-services.mautrix-whatsapp.settings). To obtain the complete default
+   configuration, run
+   `nix-shell -p mautrix-whatsapp --run "mautrix-whatsapp -c default.yaml -e"`.
+
+::: {.warning}
+Mautrix-Whatsapp allows for some options like `encryption.pickle_key`,
+`provisioning.shared_secret`, allow the value `generate` to be set.
+Since the configuration file is regenerated on every start of the
+service, the generated values would be discarded and might break your
+installation. Instead, set those values via
+[](#opt-services.mautrix-whatsapp.environmentFile).
+:::
+
+## Migrating from an older configuration {#module-services-mautrix-whatsapp-migrate-configuration}
+
+With Mautrix-Whatsapp v0.7.0 the configuration has been rearranged. Mautrix-Whatsapp
+performs an automatic configuration migration so your pre-0.7.0 configuration
+should just continue to work.
+
+In case you want to update your NixOS configuration, compare the migrated configuration
+at `/var/lib/mautrix-whatsapp/config.yaml` with the default configuration
+(`nix-shell -p mautrix-whatsapp --run "mautrix-whatsapp -c example.yaml -e"`) and
+update your module configuration accordingly.

modules/kabbone/mautrix-whatsapp.nix

@@ -0,0 +1,275 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  cfg = config.services.kabbone_mautrix-whatsapp;
+  dataDir = "/var/lib/mautrix-whatsapp";
+  registrationFile = "${dataDir}/whatsapp-registration.yaml";
+  settingsFile = "${dataDir}/config.yaml";
+  settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" cfg.settings;
+  settingsFormat = pkgs.formats.json {};
+  appservicePort = 29318;
+
+  # to be used with a list of lib.mkIf values
+  optOneOf = lib.lists.findFirst (value: value.condition) (lib.mkIf false null);
+  mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v);
+  defaultConfig = {
+    network = {
+      displayname_template = "{{or .BusinessName .PushName .Phone}} (WA)";
+      identity_change_notices = true;
+      history_sync = {
+        request_full_sync = true;
+      };
+    };
+    bridge = {
+      command_prefix = "!wa";
+      relay.enabled = true;
+      permissions."*" = "relay";
+    };
+    database = {
+      type = "sqlite3";
+      uri = "file:${dataDir}/mautrix-whatsapp.db?_txlock=immediate";
+    };
+    homeserver.address = "http://localhost:8448";
+    appservice = {
+      hostname = "[::]";
+      port = appservicePort;
+      id = "whatsapp";
+      bot = {
+        username = "whatsappbot";
+        displayname = "WhatsApp Bridge Bot";
+      };
+      as_token = "";
+      hs_token = "";
+      username_template = "whatsapp_{{.}}";
+    };
+    double_puppet = {
+      servers = {};
+      secrets = {};
+    };
+    # By default, the following keys/secrets are set to `generate`. This would break when the service
+    # is restarted, since the previously generated configuration will be overwritten everytime.
+    # If encryption is enabled, it's recommended to set those keys via `environmentFile`.
+    encryption.pickle_key = "";
+    provisioning.shared_secret = "";
+    public_media.signing_key = "";
+    direct_media.server_key = "";
+    logging = {
+      min_level = "info";
+      writers = lib.singleton {
+        type = "stdout";
+        format = "pretty-colored";
+        time_format = " ";
+      };
+    };
+  };
+in {
+  options.services.kabbone_mautrix-whatsapp = {
+    enable = lib.mkEnableOption "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge";
+
+    package = lib.mkPackageOption pkgs "mautrix-whatsapp" {};
+
+    settings = lib.mkOption {
+      apply = lib.recursiveUpdate defaultConfig;
+      type = settingsFormat.type;
+      default = defaultConfig;
+      description = ''
+        {file}`config.yaml` configuration as a Nix attribute set.
+        Configuration options should match those described in the example configuration.
+        Get an example configuration by executing `mautrix-whatsapp -c example.yaml --generate-example-config`
+        Secret tokens should be specified using {option}`environmentFile`
+        instead of this world-readable attribute set.
+      '';
+      example = {
+        bridge = {
+          private_chat_portal_meta = true;
+          mute_only_on_create = false;
+          permissions = {
+            "example.com" = "user";
+          };
+        };
+        database = {
+          type = "postgres";
+          uri = "postgresql:///mautrix_whatsapp?host=/run/postgresql";
+        };
+        homeserver = {
+          address = "http://[::1]:8008";
+          domain = "my-domain.tld";
+        };
+        appservice = {
+          id = "whatsapp";
+          ephemeral_events = false;
+        };
+        matrix.message_status_events = true;
+        provisioning = {
+          shared_secret = "disable";
+        };
+        backfill.enabled = true;
+        encryption = {
+          allow = true;
+          default = true;
+          require = true;
+          pickle_key = "$ENCRYPTION_PICKLE_KEY";
+        };
+      };
+    };
+
+    environmentFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      description = ''
+        File containing environment variables to be passed to the mautrix-signal service.
+        If an environment variable `MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET` is set,
+        then its value will be used in the configuration file for the option
+        `double_puppet.secrets` without leaking it to the store, using the configured
+        `homeserver.domain` as key.
+      '';
+    };
+
+    serviceDependencies = lib.mkOption {
+      type = with lib.types; listOf str;
+      default =
+        (lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
+        ++ (lib.optional config.services.matrix-conduit.enable "conduit.service");
+      defaultText = lib.literalExpression ''
+        (optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
+        ++ (optional config.services.matrix-conduit.enable "conduit.service")
+      '';
+      description = ''
+        List of systemd units to require and wait for when starting the application service.
+      '';
+    };
+
+    registerToSynapse = lib.mkOption {
+      type = lib.types.bool;
+      default = config.services.matrix-synapse.enable;
+      defaultText = lib.literalExpression ''
+        config.services.matrix-synapse.enable
+      '';
+      description = ''
+        Whether to add the bridge's app service registration file to
+        `services.matrix-synapse.settings.app_service_config_files`.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.mautrix-whatsapp = {
+      isSystemUser = true;
+      group = "mautrix-whatsapp";
+      home = dataDir;
+      description = "Mautrix-Whatsapp bridge user";
+    };
+
+    users.groups.mautrix-whatsapp = {};
+
+    services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
+      settings.app_service_config_files = [registrationFile];
+    };
+    systemd.services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
+      serviceConfig.SupplementaryGroups = ["mautrix-whatsapp"];
+    };
+
+    # Note: this is defined here to avoid the docs depending on `config`
+    services.kabbone_mautrix-whatsapp.settings.homeserver = optOneOf (
+      with config.services; [
+        (lib.mkIf matrix-synapse.enable (mkDefaults {
+          domain = matrix-synapse.settings.server_name;
+        }))
+        (lib.mkIf matrix-conduit.enable (mkDefaults {
+          domain = matrix-conduit.settings.global.server_name;
+          address = "http://localhost:${toString matrix-conduit.settings.global.port}";
+        }))
+      ]
+    );
+
+    systemd.services.kabbone_mautrix-whatsapp = {
+      description = "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge.";
+
+      wantedBy = ["multi-user.target"];
+      wants = ["network-online.target"] ++ cfg.serviceDependencies;
+      after = ["network-online.target"] ++ cfg.serviceDependencies;
+      # ffmpeg is required for conversion of voice messages
+      path = [pkgs.ffmpeg-headless];
+
+      preStart = ''
+        # substitute the settings file by environment variables
+        # in this case read from EnvironmentFile
+        test -f '${settingsFile}' && rm -f '${settingsFile}'
+        old_umask=$(umask)
+        umask 0177
+        ${pkgs.envsubst}/bin/envsubst \
+          -o '${settingsFile}' \
+          -i '${settingsFileUnsubstituted}'
+        umask $old_umask
+
+        # generate the appservice's registration file if absent
+        if [ ! -f '${registrationFile}' ]; then
+          ${cfg.package}/bin/mautrix-whatsapp \
+            --generate-registration \
+            --config='${settingsFile}' \
+            --registration='${registrationFile}'
+        fi
+        chmod 640 ${registrationFile}
+
+        umask 0177
+        # 1. Overwrite registration tokens in config
+        # 2. If environment variable MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET
+        #    is set, set it as the login shared secret value for the configured
+        #    homeserver domain.
+        ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
+          | .[0].appservice.hs_token = .[1].hs_token
+          | .[0]
+          | if env.MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET then .double_puppet.secrets.[.homeserver.domain] = env.MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET else . end' \
+          '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
+        mv '${settingsFile}.tmp' '${settingsFile}'
+        umask $old_umask
+      '';
+
+      serviceConfig = {
+        User = "mautrix-whatsapp";
+        Group = "mautrix-whatsapp";
+        EnvironmentFile = cfg.environmentFile;
+        StateDirectory = baseNameOf dataDir;
+        WorkingDirectory = dataDir;
+        ExecStart = ''
+          ${cfg.package}/bin/mautrix-whatsapp \
+          --config='${settingsFile}' \
+          --registration='${registrationFile}'
+        '';
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        Restart = "on-failure";
+        RestartSec = "30s";
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = ["@system-service"];
+        Type = "simple";
+        UMask = 27;
+      };
+      restartTriggers = [settingsFileUnsubstituted];
+    };
+  };
+  meta = {
+    #buildDocsInSandbox = false;
+    #doc = ./mautrix-whatsapp.md;
+    maintainers = with lib.maintainers; [
+      kabbone
+    ];
+  };
+}

modules/programs/alacritty.nix

@@ -1,32 +0,0 @@
-#
-# Terminal Emulator
-#
-
-# Hardcoded as terminal for rofi and doom emacs
-
-{ pkgs, ... }:
-
-{
-
-  home.packages = [ pkgs.alacritty ];
-
-  programs = {
-    alacritty = {
-      enable = true;
-      package = pkgs.alacritty;
-      settings = {
-        font = rec {                          # Font - Laptop has size manually changed at home.nix
-          #normal.family = "FiraCode Nerd Font";
-          normal.family = "Cascadia Code";
-          #normal.family = "Intel One Mono";
-          #bold = { style = "Bold"; };
-#         size = 8;
-        };
-        offset = {                            # Positioning
-          x = -1;
-          y = 0;
-        };
-      };
-    };
-  };
-}

modules/programs/configs/default.nix

@@ -9,7 +9,6 @@
 #           └─ default.nix *
 #               └─ ...
 #
-
 [
-   ./mpv.nix
+  ./mpv.nix
 ]

modules/programs/configs/mpv.nix

@@ -9,17 +9,14 @@
 #           └─ ./configs
 #               └─ mpv.nix *
 #
-
-{ pkgs, ... }:
-
-{
+{pkgs, ...}: {
   home.file = {
     ".config/mpv/mpv.conf".text = ''
-        hwdec=vaapi
-        vo=gpu
-        hwdec-codecs=all
-        gpu-context=wayland
-        #profile=gpu-hq
-    '';  
+      hwdec=vaapi
+      vo=gpu
+      hwdec-codecs=all
+      gpu-context=wayland
+      #profile=gpu-hq
+    '';
   };
 }

modules/programs/default.nix

@@ -1,21 +1,3 @@
-#
-#  Apps
-#
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ home.nix
-#   └─ ./modules
-#       └─ ./apps
-#           └─ default.nix *
-#               └─ ...
-#
-
 [
-   ./alacritty.nix
-   ./rofi.nix
-   ./firefox.nix
-   #./waybar.nix
-   #./games.nix
+  ./firefox.nix
 ]
-# Waybar.nix is pulled from modules/wm/..
-# Games.nix is pulled from desktop/default.nix

modules/programs/firefox.nix

@@ -1,167 +1,167 @@
 #
 # Firefox Brower Emulator
 #
-
-
-{ pkgs, ... }:
-
 {
-
+  pkgs,
+  config,
+  ...
+}: {
   #home.packages = [ pkgs.firefox-wayland ];
 
   programs = {
     firefox = {
       enable = true;
+      configPath = "${config.xdg.configHome}/mozilla/firefox";
       #package = pkgs.wrapFirefox pkgs.firefox-unwrapped {
-          #forceWayland = true;
+      #forceWayland = true;
       #    extraPolicies = {
       #        ExtensionSettings =  {};
       #    };
       #};
-      package = pkgs.firefox-wayland;
-#      profiles.kabbone = {
-#          #id = 271987;
-#          name = "kabbone";
-#          isDefault = true;
-#          settings = {
-#              "media.ffmpeg.vaapi.enabled" = true;
-#              "gfx.webrender.all" = true;
-#              "browser.contentblocking.category" = "strict";
-#              "browser.search.region" = "DE";
-#              "extensions.active.ThemeID" = "dreamer-bold-colorway@mozilla.org";
-#              "media.autoplay.default" = 0;
-#              "security.enterprise_roots.enabled" = true;
-#              "widget.gtk.overlay-scrollbars.enabled" = true;
-#              "signon.rememberSignons" = false;
-#              "extensions.formautofill.creditCards.enabled" = false;
-#              "datareporting.healthreport.uploadEnabled" = false;
-#              "browser.urlbar.placeholderName" = "DuckDuckGo";
-#              "browser.urlbar.placeholderName.private" = "DuckDuckGo";
-#              "browser.theme.toolbar-theme" = 0;
-#          };
-#
-#          userChrome = ''
-#            /* Hide tab bar in FF Quantum */
-#            @-moz-document url("chrome://browser/content/browser.xul") {
-#              #TabsToolbar {
-#                visibility: collapse !important;
-#                margin-bottom: 21px !important;
-#              }
-#            
-#              #sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header {
-#                visibility: collapse !important;
-#              }
-#            }
-#          '';
-#
-#          search = {
-#            engines = {
-#              "Nix Packages" = {
-#                  urls = [{
-#                    template = "https://search.nixos.org/packages";
-#                    params = [
-#                      { name = "type"; value = "packages"; }
-#                      { name = "query"; value = "{searchTerms}"; }
-#                    ];
-#                  }];
-#              
-#                  icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
-#                  definedAliases = [ "@np" ];
-#                };
-#              
-#                "NixOS Wiki" = {
-#                  urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
-#                  iconUpdateURL = "https://nixos.wiki/favicon.png";
-#                  updateInterval = 24 * 60 * 60 * 1000; # every day
-#                  definedAliases = [ "@nw" ];
-#                };
-#            };
-#
-#            order = [ "DuckDuckGo" ];
-#            default = "DuckDuckGo";
-#          };
-#
-#          bookmarks = [
-#              {
-#                  name = "Kabtop Nextcloud";
-#                  url = "https://cloud.kabtop.de/";
-#              }
-#              {
-#                  name = "Home Assistant";
-#                  url = "https://hass.home.opel-online.de/";
-#              }
-#              {
-#                  name = "Netflix";
-#                  url = "https://netflix.com/browse";
-#              }
-#              {
-#                  name = "YouTube";
-#                  url = "https://youtube.com/";
-#              }
-#              {
-#                  name = "Kicker";
-#                  url = "https://kicker.de/";
-#              }
-#              {
-#                  name = "Chilloutzone";
-#                  url = "https://chilloutzone.net/";
-#              }
-#              {
-#                  name = "myDealZ";
-#                  url = "https://mydealz.de/";
-#              }
-#              {
-#                  name = "Kabtop Git";
-#                  url = "https://git.kabtop.de/";
-#              }
-#              {
-#                  name = "Spotify";
-#                  url = "https://open.spotify.com/";
-#              }
-#              {
-#                  name = "Tech";
-#                  bookmarks = [
-#                    {
-#                        name = "Golem";
-#                        url = "https://golem.de/";
-#                    }
-#                    {
-#                        name = "Heise";
-#                        url = "https://heise.de/";
-#                    }
-#                    {
-#                        name = "Phoronix";
-#                        url = "https://phoronix.com/";
-#                    }
-#                  ];
-#              }
-#              {
-#                  name = "Foren";
-#                  bookmarks = [
-#                    {
-#                        name = "Archlinux-en";
-#                        url = "https://archlinux.org/";
-#                    }
-#                    {
-#                        name = "Archlinux-ARM";
-#                        url = "https://archlinuxarm.org/";
-#                    }
-#                    {
-#                        name = "Archlinux-de";
-#                        url = "https://archlinux.de/";
-#                    }
-#                  ];
-#              }
-#          ];
-#        };
-#
-#      extensions = with pkgs.nur.repos.rycee.firefox-addons; [
-#        honey
-#        keepassxc-browser
-#        multi-account-containers
-#        netflix-1080p
-#        ublock-origin
-#      ];
+      #      package = pkgs.firefox-wayland;
+      #      profiles.kabbone = {
+      #          #id = 271987;
+      #          name = "kabbone";
+      #          isDefault = true;
+      #          settings = {
+      #              "media.ffmpeg.vaapi.enabled" = true;
+      #              "gfx.webrender.all" = true;
+      #              "browser.contentblocking.category" = "strict";
+      #              "browser.search.region" = "DE";
+      #              "extensions.active.ThemeID" = "dreamer-bold-colorway@mozilla.org";
+      #              "media.autoplay.default" = 0;
+      #              "security.enterprise_roots.enabled" = true;
+      #              "widget.gtk.overlay-scrollbars.enabled" = true;
+      #              "signon.rememberSignons" = false;
+      #              "extensions.formautofill.creditCards.enabled" = false;
+      #              "datareporting.healthreport.uploadEnabled" = false;
+      #              "browser.urlbar.placeholderName" = "DuckDuckGo";
+      #              "browser.urlbar.placeholderName.private" = "DuckDuckGo";
+      #              "browser.theme.toolbar-theme" = 0;
+      #          };
+      #
+      #          userChrome = ''
+      #            /* Hide tab bar in FF Quantum */
+      #            @-moz-document url("chrome://browser/content/browser.xul") {
+      #              #TabsToolbar {
+      #                visibility: collapse !important;
+      #                margin-bottom: 21px !important;
+      #              }
+      #
+      #              #sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header {
+      #                visibility: collapse !important;
+      #              }
+      #            }
+      #          '';
+      #
+      #          search = {
+      #            engines = {
+      #              "Nix Packages" = {
+      #                  urls = [{
+      #                    template = "https://search.nixos.org/packages";
+      #                    params = [
+      #                      { name = "type"; value = "packages"; }
+      #                      { name = "query"; value = "{searchTerms}"; }
+      #                    ];
+      #                  }];
+      #
+      #                  icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
+      #                  definedAliases = [ "@np" ];
+      #                };
+      #
+      #                "NixOS Wiki" = {
+      #                  urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
+      #                  iconUpdateURL = "https://nixos.wiki/favicon.png";
+      #                  updateInterval = 24 * 60 * 60 * 1000; # every day
+      #                  definedAliases = [ "@nw" ];
+      #                };
+      #            };
+      #
+      #            order = [ "DuckDuckGo" ];
+      #            default = "DuckDuckGo";
+      #          };
+      #
+      #          bookmarks = [
+      #              {
+      #                  name = "Kabtop Nextcloud";
+      #                  url = "https://cloud.kabtop.de/";
+      #              }
+      #              {
+      #                  name = "Home Assistant";
+      #                  url = "https://hass.home.opel-online.de/";
+      #              }
+      #              {
+      #                  name = "Netflix";
+      #                  url = "https://netflix.com/browse";
+      #              }
+      #              {
+      #                  name = "YouTube";
+      #                  url = "https://youtube.com/";
+      #              }
+      #              {
+      #                  name = "Kicker";
+      #                  url = "https://kicker.de/";
+      #              }
+      #              {
+      #                  name = "Chilloutzone";
+      #                  url = "https://chilloutzone.net/";
+      #              }
+      #              {
+      #                  name = "myDealZ";
+      #                  url = "https://mydealz.de/";
+      #              }
+      #              {
+      #                  name = "Kabtop Git";
+      #                  url = "https://git.kabtop.de/";
+      #              }
+      #              {
+      #                  name = "Spotify";
+      #                  url = "https://open.spotify.com/";
+      #              }
+      #              {
+      #                  name = "Tech";
+      #                  bookmarks = [
+      #                    {
+      #                        name = "Golem";
+      #                        url = "https://golem.de/";
+      #                    }
+      #                    {
+      #                        name = "Heise";
+      #                        url = "https://heise.de/";
+      #                    }
+      #                    {
+      #                        name = "Phoronix";
+      #                        url = "https://phoronix.com/";
+      #                    }
+      #                  ];
+      #              }
+      #              {
+      #                  name = "Foren";
+      #                  bookmarks = [
+      #                    {
+      #                        name = "Archlinux-en";
+      #                        url = "https://archlinux.org/";
+      #                    }
+      #                    {
+      #                        name = "Archlinux-ARM";
+      #                        url = "https://archlinuxarm.org/";
+      #                    }
+      #                    {
+      #                        name = "Archlinux-de";
+      #                        url = "https://archlinux.de/";
+      #                    }
+      #                  ];
+      #              }
+      #          ];
+      #        };
+      #
+      #      extensions = with pkgs.nur.repos.rycee.firefox-addons; [
+      #        honey
+      #        keepassxc-browser
+      #        multi-account-containers
+      #        netflix-1080p
+      #        ublock-origin
+      #      ];
     };
   };
 }

modules/programs/rofi.nix

@@ -1,119 +0,0 @@
-#
-# System Menu
-#
-
-{ config, lib, pkgs, ... }:
-
-let
-  inherit (config.lib.formats.rasi) mkLiteral;        # Theme.rasi alternative. Add Theme here
-  colors = import ../themes/colors.nix;
-in
-{
-  programs = {
-    rofi = {
-      enable = true;
-      terminal = "${pkgs.alacritty}/bin/alacritty";           # Alacritty is default terminal emulator
-      location = "center";
-      theme =  with colors.scheme.doom; {
-        "*" = {
-          bg0 = mkLiteral "#${bg}";
-          bg1 = mkLiteral "#414868";
-          fg0 = mkLiteral "#${text}";
-          fg1 = mkLiteral "#${text-alt}";
-
-          background-color = mkLiteral "transparent";
-          text-color = mkLiteral "@fg0";
-
-          margin = 0;
-          padding = 0;
-          spacing = 0;
-        };
-
-        "element-icon, element-text, scrollbar" = {
-          cursor = mkLiteral "pointer";
-        };
-
-        "window" = {
-          location = mkLiteral "northwest";
-          width = mkLiteral "280px";
-          x-offset = mkLiteral "8px";
-          y-offset = mkLiteral "24px";
-
-          background-color = mkLiteral "@bg0";
-          border = mkLiteral "1px";
-          border-color = mkLiteral "@bg1";
-          border-radius = mkLiteral "6px";
-        };
-
-        "inputbar" = {
-          spacing = mkLiteral "8px";
-          padding = mkLiteral "4px 8px";
-          children = mkLiteral "[ icon-search, entry ]";
-
-          #background-color = mkLiteral "@bg0";
-          background-color = mkLiteral "@bg0";
-        };
-
-        "icon-search, entry, element-icon, element-text" = {
-          vertical-align = mkLiteral "0.5";
-        };
-
-        "icon-search" = {
-          expand = false;
-          filename = mkLiteral "[ search-symbolic ]";
-          size = mkLiteral "14px";
-        };
-
-        "textbox" = {
-          padding = mkLiteral "4px 8px";
-          background-color = mkLiteral "@bg0";
-        };
-
-        "listview" = {
-          padding = mkLiteral "4px 0px";
-          lines = 12;
-          columns = 1;
-          scrollbar = true;
-          fixed-height = false;
-          dynamic = true;
-        };
-
-        "element" = {
-          padding = mkLiteral "4px 8px";
-          spacing = mkLiteral "8px";
-        };
-
-        "element normal urgent" = {
-          text-color = mkLiteral "@fg1";
-        };
-
-        "element normal active" = {
-          text-color = mkLiteral "@fg1";
-        };
-
-        "element selected" = {
-          text-color = mkLiteral "@bg0"; #1
-          background-color = mkLiteral "@fg1";
-        };
-
-        "element selected urgent" = {
-          background-color = mkLiteral "@fg1";
-        };
-
-        "element-icon" = {
-          size = mkLiteral "0.8em";
-        };
-
-        "element-text" = {
-          text-color = mkLiteral "inherit";
-        };
-
-        "scrollbar" = {
-          handle-width = mkLiteral "4px";
-          handle-color = mkLiteral "@fg1";
-          padding = mkLiteral "0 4px";
-        };
-      };
-    };
-  };
-}

modules/server/default.nix

@@ -0,0 +1,151 @@
+#
+#  Server module — import this instead of configuration_server.nix + manual virtualisation imports.
+#
+#  Usage in hosts/<hostname>/default.nix:
+#
+#    imports = [
+#      ./hardware-configuration.nix
+#      ../../modules/server
+#    ];
+#
+#    myServer.virtualisation.enable = true;
+#    myServer.virtualisation.cpu    = "amd";   # amd | intel | none (default)
+#
+#    myServer.sshPort               = 2220;    # default
+#    myServer.fail2ban.enable       = true;
+#
+#    myServer.extraSystemPackages   = with pkgs; [ some-tool ];
+#
+{
+  config,
+  lib,
+  pkgs,
+  user,
+  ...
+}: let
+  cfg = config.myServer;
+in {
+  # ── Options ──────────────────────────────────────────────────────────────
+
+  options.myServer = with lib; {
+    uid = mkOption {
+      type = types.int;
+      default = 3000;
+      description = "UID for the server user.";
+    };
+
+    sshPort = mkOption {
+      type = types.port;
+      default = 2220;
+      description = "Port openssh listens on.";
+    };
+
+    sudoRequiresPassword = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether wheel users must enter a password for sudo.";
+    };
+
+    autoUpgrade.enable = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable automatic NixOS upgrades (inherits flake URL from configuration_common.nix).";
+    };
+
+    virtualisation = {
+      enable = mkEnableOption "container/VM stack (podman with docker-compat, KVM tuning)";
+      cpu = mkOption {
+        type = types.enum ["amd" "intel" "none"];
+        default = "none";
+        description = "CPU type — selects KVM kernel parameters when virtualisation is enabled.";
+      };
+    };
+
+    extraGroups = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "Additional groups for the server user beyond the defaults.";
+    };
+
+    extraSystemPackages = mkOption {
+      type = types.listOf types.package;
+      default = [];
+      description = "Additional system packages specific to this host.";
+    };
+
+    fail2ban = {
+      enable = mkEnableOption "fail2ban intrusion prevention";
+    };
+  };
+
+  # ── Configuration ────────────────────────────────────────────────────────
+
+  config = lib.mkMerge [
+    # ── Base server config ────────────────────────────────────────────────
+    {
+      users.users.${user} = {
+        isNormalUser = true;
+        uid = cfg.uid;
+        extraGroups = ["wheel" "networkmanager" "kvm" "libvirtd"] ++ cfg.extraGroups;
+      };
+
+      security.sudo.wheelNeedsPassword = cfg.sudoRequiresPassword;
+
+      environment.systemPackages = with pkgs;
+        [
+          ffmpeg
+          smartmontools
+          htop
+        ]
+        ++ cfg.extraSystemPackages;
+
+      services.openssh = {
+        ports = [cfg.sshPort];
+        openFirewall = true;
+      };
+
+      nix.extraOptions = ''
+        keep-outputs          = true
+        keep-derivations      = true
+      '';
+
+      system.autoUpgrade.enable = cfg.autoUpgrade.enable;
+    }
+
+    # ── Virtualisation (podman/docker-compat) ─────────────────────────────
+    (lib.mkIf cfg.virtualisation.enable {
+      virtualisation.podman = {
+        enable = true;
+        autoPrune.enable = true;
+        dockerCompat = true;
+      };
+
+      users.groups.docker.members = [user];
+    })
+
+    # ── KVM – AMD ─────────────────────────────────────────────────────────
+    (lib.mkIf (cfg.virtualisation.enable && cfg.virtualisation.cpu == "amd") {
+      boot.extraModprobeConfig = ''
+        options kvm_amd nested=0 avic=1 npt=1
+      '';
+    })
+
+    # ── KVM – Intel ───────────────────────────────────────────────────────
+    (lib.mkIf (cfg.virtualisation.enable && cfg.virtualisation.cpu == "intel") {
+      boot.extraModprobeConfig = ''
+        options kvm_intel nested=1
+        options kvm_intel emulate_invalid_guest_state=0
+        options kvm ignore_nsrs=1
+      '';
+    })
+
+    # ── Fail2ban ──────────────────────────────────────────────────────────
+    (lib.mkIf cfg.fail2ban.enable {
+      services.fail2ban = {
+        enable = true;
+        maxretry = 5;
+        jails.DEFAULT.settings.findtime = "15m";
+      };
+    })
+  ];
+}

modules/services/default.nix

@@ -1,25 +1,3 @@
-#
-#  Services
-#
-#  flake.nix
-#   ├─ ./hosts
-#   │   └─ home.nix
-#   └─ ./modules
-#       └─ ./services
-#           └─ default.nix *
-#               └─ ...
-#
-
 [
-  ./dunst.nix
-  ./flameshot.nix
-  #./picom.nix
-  #./polybar.nix
-  #./sxhkd.nix
-  #./udiskie.nix
-  #./redshift.nix
-  ./kanshi.nix
+  ./keyring.nix
 ]
-
-# picom, polybar and sxhkd are pulled from desktop module
-# redshift temporarely disables

modules/services/dmz/default.nix

@@ -9,11 +9,10 @@
 #           └─ default.nix *
 #               └─ ...
 #
-
 [
   ./microvm.nix
-  ./hydra.nix
+  #  ./hydra.nix
 ]
-
 # picom, polybar and sxhkd are pulled from desktop module
 # redshift temporarely disables
+

modules/services/dmz/gitea_runner.nix

@@ -1,60 +1,63 @@
-{ lib, config, pkgs, ... }:
-
 {
-    virtualisation = {
-      podman ={
-        enable = true;
-        autoPrune.enable = true;
-        dockerCompat = true;
-      };
-      containers.containersConf.settings = {
-        # podman seems to not work with systemd-resolved
-        containers.dns_servers = [ "192.168.101.1" ];
-        #containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  virtualisation = {
+    podman = {
+      enable = true;
+      autoPrune.enable = true;
+      dockerCompat = true;
+    };
+    containers.containersConf.settings = {
+      # podman seems to not work with systemd-resolved
+      containers.dns_servers = ["192.168.101.1"];
+      #containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
+    };
+  };
+
+  services.gitea-actions-runner.instances = {
+    homerunner = {
+      enable = true;
+      url = "https://git.kabtop.de";
+      name = "Homerunner";
+      tokenFile = config.age.secrets."services/gitea/homerunner-token".path;
+      labels = [
+        "home"
+        "debian-latest:docker://node:18-bullseye"
+        "ubuntu-latest:docker://node:16-bullseye"
+        "ubuntu-22.04:docker://node:16-bullseye"
+        "ubuntu-20.04:docker://node:16-bullseye"
+        "ubuntu-18.04:docker://node:16-buster"
+        "native:host"
+      ];
+      hostPackages = with pkgs; [
+        bash
+        coreutils
+        curl
+        gawk
+        gitMinimal
+        gnused
+        nodejs
+        wget
+      ];
+      settings = {
+        # container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+        # the default network that also respects our dns server settings
+        container.network = "host";
+        container.privileged = false;
+        # container.valid_volumes = [
+        #   "/nix"
+        #   "${storeDeps}/bin"
+        #   "${storeDeps}/etc/ssl"
+        # ];
       };
     };
+  };
 
-    services.gitea-actions-runner.instances = {
-        homerunner = {
-            enable = true;
-            url = "https://git.kabtop.de";
-            name = "Homerunner";
-            tokenFile = config.age.secrets."services/gitea/homerunner-token".path;
-            labels = [ 
-              "home"
-              "debian-latest:docker://node:18-bullseye"
-              "ubuntu-latest:docker://node:16-bullseye"
-              "ubuntu-22.04:docker://node:16-bullseye"
-              "ubuntu-20.04:docker://node:16-bullseye"
-              "ubuntu-18.04:docker://node:16-buster"
-              "native:host"
-            ];
-            hostPackages = with pkgs; [
-              bash
-              coreutils
-              curl
-              gawk
-              gitMinimal
-              gnused
-              nodejs
-              wget
-            ];
-            settings = {
-             # container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
-               # the default network that also respects our dns server settings
-              container.network = "host";
-              container.privileged = false;
-             # container.valid_volumes = [
-             #   "/nix"
-             #   "${storeDeps}/bin"
-             #   "${storeDeps}/etc/ssl"
-             # ];
-            };
-        };
-    };
-
-    age.secrets."services/gitea/homerunner-token" = {
-      file = ../../../secrets/services/gitea/homerunner-token.age;
-      owner = "gitea-runner";
-    };
+  age.secrets."services/gitea/homerunner-token" = {
+    file = ../../../secrets/services/gitea/homerunner-token.age;
+    owner = "gitea-runner";
+  };
 }

modules/services/dmz/hydra.nix

@@ -1,11 +1,92 @@
-{ lib, config, pkgs, ... }:
-
 {
-    services.hydra = {
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  services = {
+    hydra = {
       enable = true;
-      hydraURL = "http://localhost:3000";
+      hydraURL = "https://hydra.home.opel-online.de";
+      listenHost = "127.0.0.1";
       notificationSender = "hydra@localhost";
       useSubstitutes = true;
+      minimumDiskFree = 30;
+    };
+    nix-serve = {
+      enable = true;
+      port = 5001;
+      bindAddress = "127.0.0.1";
+      secretKeyFile = config.age.secrets."keys/nixsign".path;
+    };
+    nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      virtualHosts = {
+        "home.opel-online.de" = {
+          enableACME = true;
+          forceSSL = true;
+          default = true;
+          locations."/".return = "503";
+        };
+        "hydra.home.opel-online.de" = {
+          useACMEHost = "home.opel-online.de";
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://localhost:3000";
+            extraConfig = ''
+              proxy_set_header X-Forwarded-Port 443;
+            '';
+          };
+        };
+        "cache.home.opel-online.de" = {
+          useACMEHost = "home.opel-online.de";
+          forceSSL = true;
+          locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "webmaster@opel-online.de";
+      #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      dnsResolver = "9.9.9.9:53";
+    };
+    certs = {
+      "home.opel-online.de" = {
+        domain = "*.home.opel-online.de";
+        dnsProvider = "netcup";
+        environmentFile = config.age.secrets."services/acme/opel-online".path;
+        webroot = null;
+      };
+    };
+  };
+
+  nix = {
+    settings = {
+      trusted-users = [
+        "hydra"
+      ];
+      allowed-uris = "http:// https://";
     };
 
+    extraOptions = ''
+      secret-key-files = ${config.age.secrets."keys/nixsign".path}
+    '';
+  };
+
+  age.secrets."keys/nixsign" = {
+    file = ../../../secrets/keys/nixservepriv.age;
+    owner = "hydra";
+  };
+  age.secrets."services/acme/opel-online" = {
+    file = ../../../secrets/services/acme/opel-online.age;
+    owner = "acme";
+  };
 }

modules/services/dmz/microvm.nix

@@ -1,48 +1,55 @@
-{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
-let
-  name = "gitea-runner";
-in
 {
+  config,
+  microvm,
+  lib,
+  pkgs,
+  user,
+  agenix,
+  impermanence,
+  ...
+}: let
+  name = "gitea-runner";
+in {
   microvm = {
     autostart = [
       name
     ];
     vms = {
       ${name} = {
-
         inherit pkgs;
 
         config = {
-          imports = 
-            [ agenix.nixosModules.default ] ++
-            [ impermanence.nixosModules.impermanence ] ++
-            [( ./gitea_runner.nix )];
+          imports =
+            [agenix.nixosModules.default]
+            ++ [impermanence.nixosModules.impermanence]
+            ++ [(./gitea_runner.nix)];
 
           networking = {
             hostName = "${name}";
 
             firewall = {
               enable = true;
-                allowedUDPPorts = [  ];
-                allowedTCPPorts = [  ];
+              allowedUDPPorts = [];
+              allowedTCPPorts = [];
             };
           };
           systemd.network = {
-              enable = true;
-              networks = {
-                  "10-lan" = {
-                      matchConfig.Name = "*";
-                      networkConfig = {
-                        DHCP = "yes";
-                        IPv6AcceptRA = true;
-                      };
-                  };
+            enable = true;
+            networks = {
+              "10-lan" = {
+                matchConfig.Name = "*";
+                networkConfig = {
+                  DHCP = "yes";
+                  IPv6AcceptRA = true;
+                };
               };
+            };
           };
 
-          users.users.${user} = {                   # System User
+          users.users.${user} = {
+            # System User
             isNormalUser = true;
-            extraGroups = [ "wheel" ];
+            extraGroups = ["wheel"];
             uid = 2000;
             openssh.authorizedKeys.keys = [
               "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -56,34 +63,37 @@ in
               enable = true;
               settings.PasswordAuthentication = false;
               hostKeys = [
-              {
+                {
                   path = "/persist/etc/ssh/ssh_host_ed25519_key";
                   type = "ed25519";
-              }
-              {
+                }
+                {
                   path = "/persist/etc/ssh/ssh_host_rsa_key";
                   type = "rsa";
                   bits = 4096;
-              }];
+                }
+              ];
             };
           };
 
           fileSystems."/persist".neededForBoot = lib.mkForce true;
 
           environment = {
-            systemPackages = with pkgs; [           # Default packages install system-wide
-               bash
-               coreutils
-               curl
-               gawk
-               gitMinimal
-               gnused
-               nodejs
-               wget
+            systemPackages = with pkgs; [
+              # Default packages install system-wide
+              bash
+              coreutils
+              curl
+              gawk
+              gitMinimal
+              gnused
+              nodejs
+              wget
             ];
             persistence."/persist" = {
               directories = [
                 "/var/log"
+                "/var/lib/nixos"
                 "/var/lib/private"
               ];
 
@@ -95,30 +105,34 @@ in
 
           microvm = {
             hypervisor = "cloud-hypervisor";
+            vsock.cid = 3;
             vcpu = 4;
             mem = 4096;
             interfaces = [
-            {
-              type = "macvtap";
-              id = "vm-${name}";
-              mac = "04:00:00:00:00:01";
-              macvtap = {
-                  link = "enp6s18";
+              {
+                type = "macvtap";
+                id = "vm-${name}";
+                mac = "04:00:00:00:00:01";
+                macvtap = {
+                  link = "ens18";
                   mode = "bridge";
-              };
-            } ];
-             shares = [{
-              source = "/nix/store";
-              mountPoint = "/nix/.ro-store";
-              tag = "ro-store";
-              proto = "virtiofs";
-            }
-            {
-              source = "/etc/vm-persist/${name}";
-              mountPoint = "/persist";
-              tag = "persist";
-              proto = "virtiofs";
-            }];
+                };
+              }
+            ];
+            shares = [
+              {
+                source = "/nix/store";
+                mountPoint = "/nix/.ro-store";
+                tag = "ro-store";
+                proto = "virtiofs";
+              }
+              {
+                source = "/etc/vm-persist/${name}";
+                mountPoint = "/persist";
+                tag = "persist";
+                proto = "virtiofs";
+              }
+            ];
             #writableStoreOverlay = "/nix/.rw-store";
             #storeOnDisk = true;
           };

modules/services/dunst.nix

@@ -1,76 +0,0 @@
-#
-# System notifications
-#
-
-{ config, lib, pkgs, ... }:
-
-let
-  colors = import ../themes/colors.nix;                 # Import colors theme
-
-  dunst-volume-notification = pkgs.writeShellScriptBin "volume-notify" ''
-    if [ "$(pulsemixer --get-mute)" = "0" ]; then dunstify -u low -r 1 " 🔊 $(pulsemixer --get-volume | awk '{print $1}')%"
-    else dunstify -u low -r 1 "🔈 Muted"; fi
-  '';
-  dunst-brightness-notification = pkgs.writeShellScriptBin "brightness-notify" ''    
-    dunstify -u low -r 1 " $(light -G)%"
-  '';
-in
-{
-  cmds.notifications.volume = "volume-notify";
-  cmds.notifications.brightness = "brightness-notify";
-
-  home.packages = [
-    dunst-volume-notification
-    dunst-brightness-notification
-    pkgs.libnotify
-  ];
-
-  services.dunst = {
-    enable = true;
-    settings = {
-      global = {
-        monitor = 0;
-        follow = "keyboard";
-        indicate_hidden = "yes";
-        shrink = true;
-        transparency = 0;
-        origin = "top-center";
-        offset = "0x20";
-        seperator_height = 0;
-        padding = 12;
-        horizontal_padding = 20;
-        frame_width = 4;
-        seperator_color = "auto";
-        font = "${config.theme.font}";
-        markup = "full";
-        format = "<span foreground='#b3cfa7'><b>%s</b>%p</span>\n%b";
-        alignment = "center";
-        show_age_threshold = 60;
-        word_wrap = "yes";
-        ellipsize = "middle";
-        ignore_newline = "no";
-        stack_duplicates = true;
-        hide_duplicate_count = true;
-        show_indicators = "yes";
-        icon_position = "off";
-        sticky_history = "yes";
-        history_length = 20;
-        always_run_script = true;
-        browser = "/usr/bin/xdg-open";
-        corner_radius = 12;
-        force_xinerama = false;
-        mouse_left_click = "close_current";
-        mouse_middle_click = "do_action";
-        mouse_right_click = "close_all";
-        progress_bar_min_width = "200";
-        enable_recursive_icon_lookup = true;
-      };
-
-      urgency_low.timeout = 4;
-      urgency_normal.timeout = 8;
-      urgency_critical.timeout = 0;
-    };
-
-  };
-  xdg.dataFile."dbus-1/services/org.knopwob.dunst.service".source = "${pkgs.dunst}/share/dbus-1/services/org.knopwob.dunst.service";
-}

modules/services/flameshot.nix

@@ -1,22 +0,0 @@
-#
-# Screenshots
-#
-
-{ pkgs, user, ... }:
-
-{
-  services = {                                    # sxhkd shortcut = Printscreen button (Print)
-    flameshot = {
-      enable = true;
-      settings = {
-        General = {                               # Settings
-          savePath = "/home/${user}/";
-          saveAsFileExtension = ".png";
-          uiColor = "#2d0096";
-          showHelp = "false";
-          disabledTrayIcon = "true";              # Hide from systray
-        };
-      };
-    };
-  };
-}

modules/services/kabtopci/default.nix

@@ -0,0 +1,18 @@
+#
+#  Services
+#
+#  flake.nix
+#   ├─ ./hosts
+#   │   └─ home.nix
+#   └─ ./modules
+#       └─ ./services
+#           └─ default.nix *
+#               └─ ...
+#
+[
+  #  ./microvm.nix
+  ./hydra.nix
+]
+# picom, polybar and sxhkd are pulled from desktop module
+# redshift temporarely disables
+

modules/services/kabtopci/gitea_runner.nix

@@ -0,0 +1,62 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  virtualisation = {
+    podman = {
+      enable = true;
+      autoPrune.enable = true;
+      dockerCompat = true;
+    };
+    containers.containersConf.settings = {
+      # podman seems to not work with systemd-resolved
+      containers.dns_servers = ["8.8.8.8" "8.8.4.4"];
+    };
+  };
+
+  services.gitea-actions-runner.instances = {
+    cirunner = {
+      enable = true;
+      url = "https://git.kabtop.de";
+      name = "CI Kabtop runner";
+      tokenFile = config.age.secrets."services/gitea/cirunner-token".path;
+      labels = [
+        "ci"
+        "debian-latest:docker://node:18-bullseye"
+        "ubuntu-latest:docker://node:16-bullseye"
+        "ubuntu-22.04:docker://node:16-bullseye"
+        "ubuntu-20.04:docker://node:16-bullseye"
+        "ubuntu-18.04:docker://node:16-buster"
+        "native:host"
+      ];
+      hostPackages = with pkgs; [
+        bash
+        coreutils
+        curl
+        gawk
+        gitMinimal
+        gnused
+        nodejs
+        wget
+      ];
+      settings = {
+        # container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+        # the default network that also respects our dns server settings
+        container.network = "host";
+        container.privileged = false;
+        # container.valid_volumes = [
+        #   "/nix"
+        #   "${storeDeps}/bin"
+        #   "${storeDeps}/etc/ssl"
+        # ];
+      };
+    };
+  };
+
+  age.secrets."services/gitea/cirunner-token" = {
+    file = ../../../secrets/services/gitea/cirunner-token.age;
+    owner = "gitea-runner";
+  };
+}

modules/services/kabtopci/hydra.nix

@@ -0,0 +1,84 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  services = {
+    hydra = {
+      enable = true;
+      hydraURL = "https://hydra.ci.kabtop.de";
+      listenHost = "127.0.0.1";
+      notificationSender = "hydra@kabtop.de";
+      useSubstitutes = true;
+      minimumDiskFree = 8;
+    };
+    nix-serve = {
+      enable = true;
+      port = 5001;
+      bindAddress = "127.0.0.1";
+      secretKeyFile = config.age.secrets."keys/nixsign".path;
+    };
+    nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      virtualHosts = {
+        "ci.kabtop.de" = {
+          enableACME = true;
+          forceSSL = true;
+          default = true;
+          locations."/".return = "503";
+        };
+        "hydra.ci.kabtop.de" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://localhost:3000";
+            extraConfig = ''
+              proxy_set_header X-Forwarded-Port 443;
+            '';
+          };
+        };
+        "cache.ci.kabtop.de" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "webmaster@kabtop.de";
+      webroot = "/var/lib/acme/acme-challenge";
+      #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    };
+  };
+
+  nix = {
+    settings = {
+      trusted-users = [
+        "hydra"
+      ];
+      allowed-uris = [
+        "github:"
+        "https://github.com/"
+        "git+ssh://github.com/"
+      ];
+    };
+
+    extraOptions = ''
+      secret-key-files = ${config.age.secrets."keys/nixsign".path}
+    '';
+  };
+
+  age.secrets."keys/nixsign" = {
+    file = ../../../secrets/keys/nixservepriv.age;
+    owner = "hydra";
+  };
+}

modules/services/kabtopci/microvm.nix

@@ -0,0 +1,141 @@
+{
+  config,
+  microvm,
+  lib,
+  pkgs,
+  user,
+  agenix,
+  impermanence,
+  ...
+}: let
+  name = "gitea-runner";
+in {
+  microvm = {
+    autostart = [
+      name
+    ];
+    vms = {
+      ${name} = {
+        inherit pkgs;
+
+        config = {
+          imports =
+            [agenix.nixosModules.default]
+            ++ [impermanence.nixosModules.impermanence]
+            ++ [(./gitea_runner.nix)];
+
+          networking = {
+            hostName = "${name}";
+
+            firewall = {
+              enable = true;
+              allowedUDPPorts = [];
+              allowedTCPPorts = [];
+            };
+          };
+          systemd.network = {
+            enable = true;
+            networks = {
+              "10-lan" = {
+                matchConfig.Name = "*";
+                networkConfig = {
+                  DHCP = "yes";
+                  IPv6AcceptRA = true;
+                };
+              };
+            };
+          };
+
+          users.users.${user} = {
+            # System User
+            isNormalUser = true;
+            extraGroups = ["wheel"];
+            uid = 2000;
+            openssh.authorizedKeys.keys = [
+              "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
+              "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIgo4IP8ISUohyAMiDc3zEe6ESUE3un7eN5FhVtxZHmcAAAABHNzaDo= kabbone@kabc"
+              "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKVDApb3vZ+i97V4xLJh8rUF6z5OVYfORlXYbLhdQO15AAAABHNzaDo= kabbone@hades.home.opel-online.de"
+              "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de"
+            ];
+          };
+          services = {
+            openssh = {
+              enable = true;
+              settings.PasswordAuthentication = false;
+              hostKeys = [
+                {
+                  path = "/persist/etc/ssh/ssh_host_ed25519_key";
+                  type = "ed25519";
+                }
+                {
+                  path = "/persist/etc/ssh/ssh_host_rsa_key";
+                  type = "rsa";
+                  bits = 4096;
+                }
+              ];
+            };
+          };
+
+          fileSystems."/persist".neededForBoot = lib.mkForce true;
+
+          environment = {
+            systemPackages = with pkgs; [
+              # Default packages install system-wide
+              bash
+              coreutils
+              curl
+              gawk
+              gitMinimal
+              gnused
+              nodejs
+              wget
+            ];
+            persistence."/persist" = {
+              directories = [
+                "/var/log"
+                "/var/lib/nixos"
+                "/var/lib/private"
+              ];
+
+              files = [
+                "/etc/machine-id"
+              ];
+            };
+          };
+
+          microvm = {
+            hypervisor = "qemu";
+            vcpu = 4;
+            mem = 3096;
+            #kernel = pkgs.linuxKernel.packages.linux_latest;
+            interfaces = [
+              {
+                type = "user";
+                id = "vm-${name}";
+                mac = "04:00:00:00:00:02";
+              }
+            ];
+            shares = [
+              {
+                source = "/nix/store";
+                mountPoint = "/nix/.ro-store";
+                tag = "ro-store";
+                proto = "virtiofs";
+              }
+              {
+                source = "/etc/vm-persist/${name}";
+                mountPoint = "/persist";
+                tag = "persist";
+                proto = "virtiofs";
+              }
+            ];
+            #writableStoreOverlay = "/nix/.rw-store";
+            #storeOnDisk = true;
+          };
+
+          system.stateVersion = "23.05";
+        };
+      };
+    };
+  };
+}

modules/services/kanshi.nix

@@ -1,37 +0,0 @@
-#
-# System notifications
-#
-
-{ config, lib, pkgs, ... }:
-
-{
-    services.kanshi = {
-        enable = true;
-        profiles = {
-            undocked = {
-                outputs = [
-                    { criteria = "eDP-1"; status = "enable"; mode = "1920x1080"; position = "0,0"; }
-                ];
-            };
-            #docked_c = {
-            #    outputs = [
-            #        { criteria = "eDP-1"; status = "enable"; mode = "1920x1080"; position = "2560,0"; }
-            #        { criteria = "DP-1"; status = "enable"; mode = "2560x1080"; position = "0,0"; }
-            #    ];
-            #};
-            docked_c = {
-                outputs = [
-                    { criteria = "eDP-1"; status = "enable"; mode = "1920x1080"; position = "0,0"; scale = 1.5; }
-                    { criteria = "DP-1"; status = "enable"; mode = "2560x1080"; position = "1920,0"; }
-                ];
-            };
-            docked_triple = {
-                outputs = [
-                    { criteria = "eDP-1"; status = "disable"; mode = "1920x1080"; position = "4480,0"; }
-                    { criteria = "HDMI-A-1"; status = "enable"; mode = "1920x1080"; position = "0,0"; }
-                    { criteria = "DP-1"; status = "enable"; mode = "2560x1080"; position = "1920,0"; }
-                ];
-            };
-        };
-    };
-}

modules/services/keyring.nix

@@ -0,0 +1,16 @@
+#
+# Screenshots
+#
+{
+  pkgs,
+  user,
+  ...
+}: {
+  services = {
+    # sxhkd shortcut = Printscreen button (Print)
+    gnome-keyring = {
+      enable = true;
+    };
+  };
+  home.packages = with pkgs; [gcr seahorse];
+}

modules/services/kubemaster/default.nix

@@ -0,0 +1,18 @@
+#
+#  Services
+#
+#  flake.nix
+#   ├─ ./hosts
+#   │   └─ home.nix
+#   └─ ./modules
+#       └─ ./services
+#           └─ default.nix *
+#               └─ ...
+#
+[
+  #  ./microvm.nix
+  #  ./hydra.nix
+]
+# picom, polybar and sxhkd are pulled from desktop module
+# redshift temporarely disables
+

modules/services/nas/default.nix

@@ -9,10 +9,13 @@
 #           └─ default.nix *
 #               └─ ...
 #
-
 [
   ./nfs.nix
+  ./nginx.nix
+  ./vaultwarden.nix
+  ./syncthing.nix
+  ./paperless.nix
 ]
-
 # picom, polybar and sxhkd are pulled from desktop module
 # redshift temporarely disables
+

modules/services/nas/nfs.nix

@@ -1,18 +1,23 @@
-{config, pkgs, lib, ...}: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
   # enable nfs
   services.nfs.server = rec {
-      enable = true;
-      exports = ''
-          /export         192.168.2.0/24(rw,fsid=0,no_subtree_check)
-          /export/Pluto   192.168.2.0/24(rw,no_subtree_check)
-          /export/Mars    192.168.2.0/24(rw,no_subtree_check)
-      '';
-      createMountPoints = true;
+    enable = true;
+    exports = ''
+      /export         192.168.2.0/24(rw,fsid=0,no_subtree_check)
+      /export/Pluto   192.168.2.0/24(rw,no_subtree_check)
+      /export/Mars    192.168.2.0/24(rw,no_subtree_check)
+    '';
+    createMountPoints = true;
   };
   # open the firewall
   networking.firewall = {
-    interfaces.enp6s18 = {
-      allowedTCPPorts = [ 2049 ];
+    interfaces.ens18 = {
+      allowedTCPPorts = [2049];
     };
   };
 }

modules/services/nas/nginx.nix

@@ -0,0 +1,91 @@
+#
+# System notifications
+#
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    appendHttpConfig = ''
+      proxy_cache_path /mnt/Pluto/nix-cache
+        levels=1:2
+        keys_zone=nix_cache:10m
+        max_size=100g
+        inactive=14d
+        use_temp_path=off;
+    '';
+
+    virtualHosts = {
+      "home.opel-online.de" = {
+        enableACME = true;
+        forceSSL = true;
+        default = true;
+        locations."/".return = "503";
+      };
+      "cache.home.opel-online.de" = {
+        useACMEHost = "home.opel-online.de";
+        forceSSL = true;
+        locations."/" = {
+          extraConfig = ''
+            proxy_pass              https://cache.ci.kabtop.de;
+            proxy_ssl_server_name   on;
+            proxy_http_version      1.1;
+            proxy_set_header        Connection "";
+            proxy_set_header        Host cache.ci.kabtop.de;
+
+            proxy_cache             nix_cache;
+            proxy_cache_valid       200 14d;
+            proxy_cache_valid       404 1m;
+            proxy_cache_use_stale   error timeout updating;
+            proxy_cache_lock        on;
+            proxy_cache_lock_timeout 1h;
+            add_header              X-Cache-Status $upstream_cache_status;
+
+            proxy_buffering         on;
+            proxy_buffer_size       128k;
+            proxy_buffers           8 1m;
+            proxy_max_temp_file_size 0;
+          '';
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "webmaster@opel-online.de";
+      #      server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      dnsResolver = "9.9.9.9:53";
+    };
+    certs = {
+      "home.opel-online.de" = {
+        domain = "*.home.opel-online.de";
+        dnsProvider = "netcup";
+        environmentFile = config.age.secrets."services/acme/opel-online".path;
+        webroot = null;
+      };
+    };
+  };
+
+  systemd.services.nginx.serviceConfig.ReadWritePaths = ["/mnt/Pluto/nix-cache"];
+
+  networking.firewall = {
+    enable = true;
+    allowedUDPPorts = [];
+    allowedTCPPorts = [80 443];
+  };
+
+  age.secrets."services/acme/opel-online" = {
+    file = ../../../secrets/services/acme/opel-online.age;
+    owner = "acme";
+  };
+}

modules/services/nas/paperless.nix

@@ -0,0 +1,39 @@
+#
+# System notifications
+#
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.paperless = {
+    enable = true;
+    domain = "paperless.home.opel-online.de";
+    passwordFile = config.age.secrets."services/paperless/pwFile".path;
+    #    environmentFile = config.age.secrets."services/paperless/environment".path;
+    configureTika = true;
+    settings = {
+      PAPERLESS_OCR_LANGUAGE = "deu+eng";
+      PAPERLESS_OCR_USER_ARGS = {
+        optimize = 1;
+        pdfa_image_compression = "lossless";
+      };
+    };
+  };
+
+  services.nginx = {
+    virtualHosts = {
+      "paperless.home.opel-online.de" = {
+        useACMEHost = "home.opel-online.de";
+        forceSSL = true;
+        locations."/".proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}";
+      };
+    };
+  };
+
+  age.secrets."services/paperless/pwFile" = {
+    file = ../../../secrets/services/paperless/pwFile.age;
+    owner = "paperless";
+  };
+}

modules/services/nas/syncthing.nix

@@ -0,0 +1,55 @@
+#
+# System notifications
+#
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.syncthing = {
+    enable = true;
+    group = "users";
+    user = "kabbone";
+    dataDir = "/home/${config.services.syncthing.user}/Sync";
+    configDir = "/home/${config.services.syncthing.user}/.config/syncthing";
+    overrideDevices = true; # overrides any devices added or deleted through the WebUI
+    overrideFolders = true; # overrides any folders added or deleted through the WebUI
+    openDefaultPorts = true;
+    settings = {
+      devices = {
+        "hades.home.opel-online.de" = {id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA";};
+        "lifebook.home.opel-online.de" = {id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4";};
+      };
+      folders = {
+        "Sync" = {
+          # Name of folder in Syncthing, also the folder ID
+          path = "/mnt/Mars/${config.services.syncthing.user}/Sync"; # Which folder to add to Syncthing
+          devices = ["hades.home.opel-online.de" "lifebook.home.opel-online.de"]; # Which devices to share the folder with
+          ignorePerms = false; # By default, Syncthing doesn't sync file permissions. This line enables it for this folder.
+        };
+      };
+    };
+  };
+
+  services.nginx = {
+    virtualHosts = {
+      "syncthing.home.opel-online.de" = {
+        useACMEHost = "home.opel-online.de";
+        forceSSL = true;
+        locations."/" = {
+          recommendedProxySettings = false;
+          proxyPass = "http://${toString config.services.syncthing.guiAddress}";
+          extraConfig = ''
+            proxy_set_header        Host localhost;
+            proxy_set_header        X-Real-IP $remote_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Proto $scheme;
+            proxy_set_header        X-Forwarded-Host $host;
+            proxy_set_header        X-Forwarded-Server $host;
+          '';
+        };
+      };
+    };
+  };
+}

modules/services/nas/vaultwarden.nix

@@ -0,0 +1,39 @@
+#
+# System notifications
+#
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "sqlite";
+    backupDir = "/var/backup/vaultwarden";
+    environmentFile = config.age.secrets."services/vaultwarden/environment".path;
+    config = {
+      DOMAIN = "https://vault.home.opel-online.de";
+      SIGNUPS_ALLOWED = false;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+
+      ROCKET_LOG = "critical";
+    };
+  };
+
+  services.nginx = {
+    virtualHosts = {
+      "vault.home.opel-online.de" = {
+        useACMEHost = "home.opel-online.de";
+        forceSSL = true;
+        locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+      };
+    };
+  };
+
+  age.secrets."services/vaultwarden/environment" = {
+    file = ../../../secrets/services/vaultwarden/environment.age;
+    owner = "vaultwarden";
+  };
+}

modules/services/nasbackup/default.nix

@@ -9,10 +9,9 @@
 #           └─ default.nix *
 #               └─ ...
 #
-
 [
-#  ./nfs.nix
+  #  ./nfs.nix
 ]
-
 # picom, polybar and sxhkd are pulled from desktop module
 # redshift temporarely disables
+

modules/services/printer/cfgs/CALIBRATION.cfg

@@ -0,0 +1,50 @@
+[gcode_macro PID_TEST_BED]
+gcode:
+    # Parameters
+    {% set TARGETTEMP = params.TEMP|default(70)|int %}
+    
+    {% set max_x = printer.configfile.config["stepper_x"]["position_max"]|float %}
+    {% set max_y = printer.configfile.config["stepper_y"]["position_max"]|float %}
+    G28
+    G90
+    G1 X{max_x/2} Y{max_y/2} Z40 F6000
+    PID_CALIBRATE HEATER=heater_bed TARGET={TARGETTEMP}
+
+[gcode_macro PID_TEST_HOTEND]
+gcode:
+    # Parameters
+    {% set TARGETTEMP = params.TEMP|default(245)|int %}
+    
+    {% set max_x = printer.configfile.config["stepper_x"]["position_max"]|float %}
+    {% set max_y = printer.configfile.config["stepper_y"]["position_max"]|float %}
+    G28
+    G90
+    G1 X{max_x/2} Y{max_y/2} Z10 F6000
+    M106 S64
+    PID_CALIBRATE HEATER=extruder TARGET={TARGETTEMP}
+    M107 ; Turn off print cooling fan
+
+# TODO test this
+[gcode_macro PID_TEST_ALL]
+gcode:
+    PID_TEST_BED
+    PID_TEST_HOTEND
+    SAVE_CONFIG
+
+[gcode_macro DO_PROBE_CALIBRATE]
+gcode:
+    SET_HEATER_TEMPERATURE HEATER=heater_bed TARGET=60
+    SET_HEATER_TEMPERATURE HEATER=extruder TARGET=180
+    TEMPERATURE_WAIT SENSOR=heater_bed MINIMUM=60
+    TEMPERATURE_WAIT SENSOR=extruder MINIMUM=180
+    G28
+    PROBE_CALIBRATE
+
+[gcode_macro DO_CREATE_MESH]
+gcode:
+    SET_HEATER_TEMPERATURE HEATER=heater_bed TARGET=60
+    SET_HEATER_TEMPERATURE HEATER=extruder TARGET=180
+    TEMPERATURE_WAIT SENSOR=heater_bed MINIMUM=60
+    TEMPERATURE_WAIT SENSOR=extruder MINIMUM=180
+    G28
+    _BED_MESH_CALIBRATE