Change to using main channel for flakes

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346?narHash=sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY%3D' (2025-05-31)
  → 'github:NixOS/nixpkgs/8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef?narHash=sha256-OGcDEz60TXQC%2BgVz5sdtgGJdKVYr6rwdzQKuZAJQpCA%3D' (2025-06-04)
• Updated input 'nixvim':
    'github:nix-community/nixvim/d063d0dd5e0b82d8be4dd4bc00b887ac1f92e4b2?narHash=sha256-P/ldKE0SCGKH6pEVJoW2MJJo2dZCZe10d/h1ree66c0%3D' (2025-06-02)
  → 'github:nix-community/nixvim/1d8724144cef98dad6638e0b6333cc84d0b2f5c3?narHash=sha256-ebxyRA7rK6Jb3eXvz%2B0QcyKLHzUnUQWRFDbKleLdLZ8%3D' (2025-06-04)

.gitignore

@@ -1,3 +1,2 @@
 result
-*-iso
 *.iso

desktop.nix

@@ -1,168 +0,0 @@
-{ config, pkgs, ... }:
-let
-  Xresources = "${pkgs.writeText "Xresources" ''
-    Xft.dpi:       96
-    Xft.antialias: true
-    Xft.hinting:   true
-    Xft.rgba:      rgb
-    Xft.autohint:  false
-    Xft.hintstyle: hintslight
-    Xft.lcdfilter: lcddefault
-
-    Xcursor.theme: xcursor-breeze
-    Xcursor.size:                     0
-  ''}";
-in
-{
-  assertions = [
-    {
-      assertion = config.users.users ? "vili";
-      message = "User 'vili' needed for desktop!";
-    }
-  ];
-
-  imports = [ ./program-config-files/firefox.nix ];
-
-  environment.systemPackages = with pkgs; [
-    alacritty
-    i3status
-    rofi
-    arandr
-    telegram-desktop
-    signal-desktop
-    discord
-    vlc
-    pavucontrol
-    viewnior
-    xfce.mousepad
-    pcmanfm
-    libreoffice
-    evince
-    brightnessctl
-    networkmanagerapplet
-    flameshot
-    speedcrunch
-    bitwarden
-
-    zotero
-    kile
-    texliveFull
-    imagemagick
-    ghostscript
-    kdePackages.okular
-  ];
-  programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock";
-  security = {
-    pam = {
-      rssh.enable = true;
-      services = {
-        sudo.rssh = true;
-      };
-    };
-    sudo.execWheelOnly = true;
-  };
-
-  programs.i3lock.enable = true;
-  services = {
-    displayManager = {
-      defaultSession = "none+i3";
-      autoLogin.enable = true;
-      autoLogin.user = "vili";
-    };
-    xserver = {
-      enable = true;
-      displayManager = {
-        lightdm.enable = true;
-        sessionCommands = ''${pkgs.xorg.xrdb}/bin/xrdb -merge < ${Xresources}'';
-      };
-      windowManager.i3 = {
-        enable = true;
-        extraPackages = [ ];
-        configFile = "${
-          (import ./program-config-files/i3.nix {
-            inherit config;
-            inherit pkgs;
-          })
-        }";
-      };
-    };
-
-    printing.enable = true;
-    avahi = {
-      enable = true;
-      nssmdns4 = true;
-      openFirewall = true;
-    };
-
-    pipewire.enable = false;
-    pulseaudio.enable = true;
-  };
-  nixpkgs.config.pulseaudio = true;
-
-  security.polkit.enable = true;
-
-  xdg.mime.defaultApplications = {
-    "application/pdf" = "org.gnome.Evince.desktop";
-    "text/plain" = "org.xfce.mousepad.desktop";
-    "text/x-tex" = "org.kde.kile.desktop";
-    "inode/directory" = "pcmanfm.description";
-  };
-
-  qt = {
-    enable = true;
-    style = "adwaita-dark";
-    platformTheme = "gnome";
-  };
-
-  system.userActivationScripts.mkDesktopSettingsSymlinks.text =
-    let
-      home = "/home/vili/";
-      paths = [
-        rec {
-          dir = "${home}.config/pcmanfm/default/";
-          file = "pcmanfm.conf";
-          full = "${dir}${file}";
-          source = "${./program-config-files/pcmanfm.conf}";
-        }
-        rec {
-          dir = "${home}.config/libfm/";
-          file = "libfm.conf";
-          full = "${dir}${file}";
-          source = "${./program-config-files/libfm.conf}";
-        }
-        rec {
-          dir = "${home}.config/gtk-3.0/";
-          file = "bookmarks";
-          full = "${dir}${file}";
-          source = "${./program-config-files/gtk-bookmarks}";
-        }
-        rec {
-          dir = "${home}";
-          file = ".gtkrc-2.0";
-          full = "${dir}${file}";
-          source = "${./program-config-files/gtkrc-2.0}";
-        }
-        rec {
-          dir = "${home}.config/gtk-3.0/";
-          file = "settings.ini";
-          full = "${dir}${file}";
-          source = "${./program-config-files/gtk-3-4-settings.ini}";
-        }
-        rec {
-          dir = "${home}.config/gtk-4.0/";
-          file = "settings.ini";
-          full = "${dir}${file}";
-          source = "${./program-config-files/gtk-3-4-settings.ini}";
-        }
-      ];
-    in
-    toString (
-      map (path: ''
-        mkdir -p ${path.dir}
-        if test -e ${path.full} -a ! -L ${path.full}; then
-          mv -f ${path.full} ${path.full}.old
-        fi
-        ln -sf ${path.source} ${path.full}
-      '') paths
-    );
-}

flake.lock

@@ -0,0 +1,171 @@
+{
+  "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1743550720,
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "ixx": {
+      "inputs": {
+        "flake-utils": [
+          "nixvim",
+          "nuschtosSearch",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixvim",
+          "nuschtosSearch",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748294338,
+        "narHash": "sha256-FVO01jdmUNArzBS7NmaktLdGA5qA3lUMJ4B7a05Iynw=",
+        "owner": "NuschtOS",
+        "repo": "ixx",
+        "rev": "cc5f390f7caf265461d4aab37e98d2292ebbdb85",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NuschtOS",
+        "ref": "v0.0.8",
+        "repo": "ixx",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1749024892,
+        "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixvim": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nuschtosSearch": "nuschtosSearch",
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1749028068,
+        "narHash": "sha256-ebxyRA7rK6Jb3eXvz+0QcyKLHzUnUQWRFDbKleLdLZ8=",
+        "owner": "nix-community",
+        "repo": "nixvim",
+        "rev": "1d8724144cef98dad6638e0b6333cc84d0b2f5c3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixvim",
+        "type": "github"
+      }
+    },
+    "nuschtosSearch": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "ixx": "ixx",
+        "nixpkgs": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748298102,
+        "narHash": "sha256-PP11GVwUt7F4ZZi5A5+99isuq39C59CKc5u5yVisU/U=",
+        "owner": "NuschtOS",
+        "repo": "search",
+        "rev": "f8a1c221afb8b4c642ed11ac5ee6746b0fe1d32f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NuschtOS",
+        "repo": "search",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "nixvim": "nixvim"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,40 @@
+{
+  description = "All system configurations for Vili Sinervä";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixvim = {
+      url = "github:nix-community/nixvim";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    { nixpkgs, nixvim, ... }:
+    {
+      nixosConfigurations = (
+        let
+          hosts = builtins.attrNames (builtins.readDir ./hosts);
+        in
+        builtins.listToAttrs (
+          map (
+            host:
+            nixpkgs.lib.nameValuePair host (
+              nixpkgs.lib.nixosSystem {
+                specialArgs = {
+                  nixpkgs-flake = nixpkgs;
+                  inherit nixvim;
+                };
+                system = "x86_64-linux";
+                modules = [
+                  { networking.hostName = host; }
+                  ./hosts/${host}/configuration.nix
+                  ./hosts/${host}/state.nix
+                ];
+              }
+            )
+          ) hosts
+        )
+      );
+    };
+}

hosts/cert-store/configuration.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ../../shared/base.nix
+    ../../shared/hardware/vm.nix
+    ../../servers/acme-cert-store.nix
+  ];
+}

hosts/cert-store/state.nix

@@ -0,0 +1,39 @@
+{ lib, modulesPath, ... }:
+{
+  system.stateVersion = "24.11";
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/301cf8bf-93f0-4ba6-b14f-b7be94b075a0";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/9E16-9A5D";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/exoplasim/configuration.nix

@@ -1,11 +1,17 @@
-{ config, pkgs, ... }:
 {
-  imports = [ ../base.nix ];
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    ../../shared/base.nix
+    ../../shared/hardware/vm.nix
+  ];
 
   # Networking conf including WireGuard
   networking = {
-    hostName = "exoplasim";
-
     firewall.allowedUDPPorts = [ 51821 ];
 
     wg-quick.interfaces = {
@@ -42,7 +48,7 @@
   };
   users.groups.worker.gid = 1001;
 
-  system.autoUpgrade.allowReboot = pkgs.lib.mkForce false;
+  system.autoUpgrade.allowReboot = lib.mkForce false;
 
   programs.rust-motd = {
     enable = true;
@@ -63,7 +69,4 @@
       memory.swap_pos = "beside";
     };
   };
-
-  # HARDWARE SPECIFIC
-  services.qemuGuest.enable = true;
 }

hosts/exoplasim/state.nix

@@ -0,0 +1,39 @@
+{ lib, modulesPath, ... }:
+{
+  system.stateVersion = "24.05";
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/17b26343-39c9-4598-97c0-b43aab7ed3a0";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/9F45-5FDF";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/forgejo/configuration.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ../../shared/base.nix
+    ../../shared/hardware/vm.nix
+    ../../servers/forgejo.nix
+  ];
+}

hosts/forgejo/state.nix

@@ -0,0 +1,39 @@
+{ lib, modulesPath, ... }:
+{
+  system.stateVersion = "24.11";
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/6de79a95-d101-4734-8482-1e0869498ce8";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/78B9-CA51";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/gaming/configuration.nix

@@ -0,0 +1,15 @@
+{ lib, ... }:
+{
+  imports = [
+    ../../shared/base.nix
+    ../../shared/hardware/nvidia.nix
+    ../../shared/hardware/vm.nix
+
+    ../../personal/desktop.nix
+    ../../personal/programs/i3.nix
+
+    ../../servers/gaming-server.nix
+  ];
+
+  users.users.vili.hashedPasswordFile = lib.mkForce null;
+}

hosts/gaming/state.nix

@@ -0,0 +1,45 @@
+{ lib, modulesPath, ... }:
+{
+  system.stateVersion = "24.11";
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/22c7a7ae-cedc-43db-b4f1-d591466d8f60";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/1C79-66D7";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  fileSystems."/mnt/data" = {
+    device = "/dev/disk/by-uuid/dec871b2-5727-486c-978a-8bb2279bd2b8";
+    fsType = "ext4";
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/helium/configuration.nix

@@ -0,0 +1,59 @@
+{ pkgs, lib, ... }:
+{
+  custom.home_wg_suffix = "2";
+  system.autoUpgrade.allowReboot = lib.mkForce false;
+
+  networking = {
+    wg-quick.interfaces = {
+      wg1 = {
+        autostart = false;
+        address = [ "10.100.0.7/24" ];
+        dns = [ "1.1.1.1" ];
+        privateKeyFile = "/root/wireguard-keys/privatekey-netflix";
+        listenPort = 51820;
+
+        peers = [
+          {
+            publicKey = "XSYHg0utIR1j7kRsWFwuWNo4RPD47KP53cVa6qDPtRE=";
+            allowedIPs = [
+              "0.0.0.0/0"
+              "192.168.0.0/24"
+            ];
+            endpoint = "netflix.vsinerva.fi:51821";
+          }
+        ];
+      };
+    };
+  };
+
+  services.xserver.displayManager.setupCommands = ''
+    ${pkgs.xorg.xrandr}/bin/xrandr --output DisplayPort-0 --auto --pos 0x0 --primary --output eDP --auto --pos 3840x360
+  '';
+
+  imports = [
+    ../../shared/base.nix
+
+    ../../personal/desktop.nix
+    ../../personal/development.nix
+
+    ../../personal/hardware/amd-laptop.nix
+    ../../personal/hardware/hibernate.nix
+    ../../personal/hardware/keychron-q11.nix
+    ../../personal/hardware/onlykey.nix
+    ../../personal/hardware/trackball.nix
+
+    ../../personal/networking/home-wg.nix
+    ../../personal/networking/printing.nix
+
+    ../../personal/programs/bitwarden.nix
+    ../../personal/programs/communication.nix
+    ../../personal/programs/firefox.nix
+    ../../personal/programs/i3.nix
+    ../../personal/programs/moonlight.nix
+    ../../personal/programs/redshift.nix
+    ../../personal/programs/study.nix
+    ../../personal/programs/usb-automount.nix
+
+    ../../servers/syncthing.nix
+  ];
+}

hosts/helium/state.nix

@@ -0,0 +1,50 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+{
+  system.stateVersion = "23.11";
+  boot = {
+    resumeDevice = "/dev/mapper/luks-f6e1979b-0dee-4ee9-8170-10490019854b";
+    kernelParams = [ "resume_offset=44537856" ];
+  };
+
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/25115cdc-3b55-4dbf-a414-98a1a3c44f52";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."luks-f6e1979b-0dee-4ee9-8170-10490019854b".device =
+    "/dev/disk/by-uuid/f6e1979b-0dee-4ee9-8170-10490019854b";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/6E23-00AF";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/idacloud/configuration.nix

@@ -5,14 +5,13 @@
   custom.collabora_domain = "idacollab.sinerva.eu";
 
   imports = [
-    ../base.nix
-    ../services/nextcloud.nix
+    ../../shared/base.nix
+    ../../shared/hardware/vm.nix
+    ../../servers/nextcloud.nix
   ];
 
   # Networking conf including WireGuard
   networking = {
-    hostName = "idacloud";
-
     firewall.allowedUDPPorts = [ 51822 ];
 
     wg-quick.interfaces = {
@@ -38,7 +37,4 @@
       };
     };
   };
-
-  # HARDWARE SPECIFIC
-  services.qemuGuest.enable = true;
 }

hosts/idacloud/state.nix

@@ -0,0 +1,44 @@
+{ lib, modulesPath, ... }:
+{
+  system.stateVersion = "24.11";
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/aaebdb14-a988-4cf8-bb33-f22419d55fbe";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/E1C0-7A9E";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  fileSystems."/var/lib/nextcloud" = {
+    device = "/dev/disk/by-uuid/634b600c-8d3e-4021-906a-f00b7750e61e";
+    fsType = "ext4";
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/lithium/configuration.nix

@@ -0,0 +1,30 @@
+{ lib, ... }:
+{
+  custom.home_wg_suffix = "3";
+  system.autoUpgrade.allowReboot = lib.mkForce false;
+
+  imports = [
+    ../../shared/base.nix
+
+    ../../personal/desktop.nix
+    ../../personal/development.nix
+
+    ../../personal/hardware/hibernate.nix
+    ../../personal/hardware/intel-laptop.nix
+    ../../personal/hardware/onlykey.nix
+
+    ../../personal/networking/home-wg.nix
+    ../../personal/networking/printing.nix
+
+    ../../personal/programs/bitwarden.nix
+    ../../personal/programs/communication.nix
+    ../../personal/programs/firefox.nix
+    ../../personal/programs/i3.nix
+    ../../personal/programs/moonlight.nix
+    ../../personal/programs/redshift.nix
+    ../../personal/programs/study.nix
+    ../../personal/programs/usb-automount.nix
+
+    ../../servers/syncthing.nix
+  ];
+}

hosts/lithium/state.nix

@@ -0,0 +1,45 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+{
+  system.stateVersion = "24.05";
+  boot.kernelParams = [ "resume_offset=39292928" ];
+
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "thunderbolt"
+    "nvme"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/b43fe465-80e9-48d4-a4be-1113c917330e";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."nixos".device = "/dev/disk/by-uuid/4dc2fd8c-71da-4b95-91d5-7a118387172b";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/D8BB-B91A";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/nextcloud/configuration.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  custom.nextcloud_domain = "nextcloud.vsinerva.fi";
+
+  imports = [
+    ../../shared/base.nix
+    ../../shared/hardware/vm.nix
+    ../../servers/nextcloud.nix
+  ];
+}

hosts/nextcloud/state.nix

@@ -0,0 +1,39 @@
+{ lib, modulesPath, ... }:
+{
+  system.stateVersion = "23.05";
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/428cdba7-04a8-4e69-992a-96aa197cd6c7";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/08B5-BFD8";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/nixos/configuration.nix

@@ -1,12 +1,12 @@
-{ pkgs, ... }:
+{ lib, ... }:
 {
   networking.hostName = "nixos";
 
-  imports = [ ../base.nix ];
+  imports = [ ../../shared/base.nix ];
 
   #Many installs will need this, and it won't hurt either way
   services.qemuGuest.enable = true;
 
   #Prevent user from being locked out of the system before switching to proper config
-  users.mutableUsers = pkgs.lib.mkForce true;
+  users.mutableUsers = lib.mkForce true;
 }

hosts/siit-dc/configuration.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ../../shared/base.nix
+    ../../shared/hardware/vm.nix
+    ../../servers/siit-dc.nix
+  ];
+}

hosts/siit-dc/state.nix

@@ -0,0 +1,39 @@
+{ lib, modulesPath, ... }:
+{
+  system.stateVersion = "24.05";
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/81dc35b1-5a34-4924-b864-b53e5ca9df24";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/D171-033F";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/syncthing/configuration.nix

@@ -0,0 +1,12 @@
+{ lib, ... }:
+{
+  imports = [
+    ../../shared/base.nix
+    ../../shared/hardware/vm.nix
+    ../../shared/users/vili.nix
+
+    ../../servers/syncthing.nix
+  ];
+
+  users.users.vili.hashedPasswordFile = lib.mkForce null;
+}

hosts/syncthing/state.nix

@@ -0,0 +1,44 @@
+{ lib, modulesPath, ... }:
+{
+  system.stateVersion = "22.11";
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/895d2004-3bd2-4bc5-bb46-62f94a0a68e3";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/38AD-EFDC";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  fileSystems."/home/vili" = {
+    device = "/dev/disk/by-uuid/d08136ed-7950-412c-bcf6-7c6e9f015e47";
+    fsType = "ext4";
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/vaultwarden/configuration.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ../../shared/base.nix
+    ../../shared/hardware/vm.nix
+    ../../servers/vaultwarden.nix
+  ];
+}

hosts/vaultwarden/state.nix

@@ -0,0 +1,35 @@
+{ lib, modulesPath, ... }:
+{
+  system.stateVersion = "23.11";
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ahci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/22f0fb39-e264-450d-b575-9dedd2a02361";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/A604-6A7B";
+    fsType = "vfat";
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/wg-rpi/configuration.nix

@@ -8,7 +8,7 @@ let
   ddPassFile = "/root/wg-conf/ddPassFile";
 in
 {
-  imports = [ ../base.nix ];
+  imports = [ ../../shared/base.nix ];
 
   environment.systemPackages = with pkgs; [
     wireguard-tools

installer/base.nix

@@ -46,7 +46,7 @@ let
 
     nixos-generate-config --root /mnt
     mv /mnt/etc/nixos/configuration.nix configuration.nix.old
-    curl https://forgejo.sinerva.eu/VSinerva/nixos-conf/raw/branch/main/misc/template-configuration.nix -o /mnt/etc/nixos/configuration.nix
+    curl https://forgejo.sinerva.eu/VSinerva/nixos-conf/raw/branch/main/installer/template-configuration.nix -o /mnt/etc/nixos/configuration.nix
   '';
 in
 {
@@ -57,18 +57,7 @@ in
 
   environment.systemPackages =
     (with pkgs; [
-      (onlykey.override (prev: {
-        node_webkit = prev.node_webkit.overrideAttrs {
-          src = fetchurl {
-            url = "https://dl.nwjs.io/v0.71.1/nwjs-v0.71.1-linux-x64.tar.gz";
-            hash = "sha256-bnObpwfJ6SNJdOvzWTnh515JMcadH1+fxx5W9e4gl/4=";
-          };
-        };
-      }))
-
       cryptsetup
-      onlykey-cli
-      onlykey-agent
     ])
     ++ [
       create-partitions
@@ -76,13 +65,6 @@ in
       prep-install
     ];
 
-  programs.gnupg.agent = {
-    enable = true;
-    enableSSHSupport = true;
-    pinentryPackage = pkgs.pinentry-curses;
-  };
-  hardware.onlykey.enable = true;
-
   isoImage.squashfsCompression = "gzip -Xcompression-level 1";
 
   #Many installs will need this, and it won't hurt either way

installer/graphical.nix

@@ -1,7 +1,7 @@
 { ... }:
 {
   imports = [
-    <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix>
-    ./custom-iso-base.nix
+    <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-combined.nix>
+    ./base.nix
   ];
 }

installer/minimal.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+{
+  imports = [
+    <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
+    ./base.nix
+  ];
+
+  networking.networkmanager.enable = lib.mkForce false;
+}

machine-confs/cert-store.nix

@@ -1,15 +0,0 @@
-{ pkgs, ... }:
-{
-  networking.hostName = "cert-store";
-
-  imports = [
-    ../base.nix
-    ../services/acme-cert-store.nix
-  ];
-
-  #Many installs will need this, and it won't hurt either way
-  services.qemuGuest.enable = true;
-
-  #Prevent user from being locked out of the system before switching to proper config
-  users.mutableUsers = pkgs.lib.mkForce true;
-}

machine-confs/forgejo.nix

@@ -1,12 +0,0 @@
-{ ... }:
-{
-  networking.hostName = "forgejo";
-
-  imports = [
-    ../base.nix
-    ../services/forgejo.nix
-  ];
-
-  # HARDWARE SPECIFIC
-  services.qemuGuest.enable = true;
-}

machine-confs/gaming.nix

@@ -1,15 +0,0 @@
-{ lib, ... }:
-{
-  networking.hostName = "gaming";
-
-  imports = [
-    ../base.nix
-    ../desktop.nix
-    ../users/vili.nix
-    ../services/gaming-server.nix
-    ../hardware-specific/nvidia.nix
-  ];
-
-  users.users.vili.hashedPasswordFile = lib.mkForce null;
-  services.qemuGuest.enable = true;
-}

machine-confs/helium.nix

@@ -1,100 +0,0 @@
-{ pkgs, config, ... }:
-{
-  networking = {
-    hostName = "helium";
-
-    wg-quick.interfaces = {
-      wg0 = {
-        autostart = true;
-        address = [ "${config.custom.gua_pref}ff::2/64" ];
-        dns = [
-          "${config.custom.gua_pref}ff::1"
-          "vsinerva.fi"
-        ];
-        privateKeyFile = "/root/wireguard-keys/privatekey-home";
-        listenPort = 51820;
-
-        peers = [
-          {
-            publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
-            presharedKeyFile = "/root/wireguard-keys/psk-home";
-            allowedIPs = [ "::/0" ];
-            endpoint = "wg.vsinerva.fi:51820";
-          }
-        ];
-      };
-      wg1 = {
-        autostart = false;
-        address = [ "10.100.0.7/24" ];
-        dns = [ "1.1.1.1" ];
-        privateKeyFile = "/root/wireguard-keys/privatekey-netflix";
-        listenPort = 51820;
-
-        peers = [
-          {
-            publicKey = "XSYHg0utIR1j7kRsWFwuWNo4RPD47KP53cVa6qDPtRE=";
-            allowedIPs = [
-              "0.0.0.0/0"
-              "192.168.0.0/24"
-            ];
-            endpoint = "netflix.vsinerva.fi:51821";
-          }
-        ];
-      };
-    };
-  };
-  # Dirty hack to fix autostart failing due to DNS lookups
-  systemd.services."wg-quick-wg0".serviceConfig = {
-    Restart = "on-failure";
-    RestartSec = "1s";
-  };
-  services.clatd = {
-    enable = true;
-    settings.clat-v6-addr = "${config.custom.gua_pref}ff::c2";
-  };
-  systemd.services.clatd.wants = [ "wg-quick-wg0.service" ];
-
-  services.openssh.openFirewall = false;
-  services.fail2ban.enable = pkgs.lib.mkForce false;
-
-  imports = [
-    ../base.nix
-    ../users/vili.nix
-    ../desktop.nix
-    ../development.nix
-    ../services/syncthing.nix
-    ../services/redshift.nix
-    ../services/moonlight.nix
-    ../hardware-specific/onlykey.nix
-    ../hardware-specific/keychron-q11.nix
-    ../hardware-specific/trackball.nix
-    ../hardware-specific/amd-laptop.nix
-    ../hardware-specific/usb-automount.nix
-  ];
-
-  services.xserver.displayManager.setupCommands = ''
-    ${pkgs.xorg.xrandr}/bin/xrandr --output DisplayPort-0 --auto --pos 0x0 --primary --output eDP --auto --pos 3840x360
-  '';
-
-  system.autoUpgrade.allowReboot = pkgs.lib.mkForce false;
-
-  swapDevices = pkgs.lib.mkForce [
-    {
-      device = "/var/lib/swapfile";
-      size = 16 * 1024;
-    }
-  ];
-
-  boot = {
-    loader.timeout = 3;
-    initrd.luks = {
-      fido2Support = true;
-      devices."luks-f6e1979b-0dee-4ee9-8170-10490019854b".fido2 = {
-        passwordLess = true;
-        credential = "df9233221fa09173fea61d8b8516d184f8ede475024a88201b34d838ecf306ee070052dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec014d86afa01";
-      };
-    };
-    resumeDevice = "/dev/mapper/luks-f6e1979b-0dee-4ee9-8170-10490019854b";
-    kernelParams = [ "resume_offset=44537856" ];
-  };
-}

machine-confs/lithium.nix

@@ -1,78 +0,0 @@
-{ pkgs, config, ... }:
-{
-  networking = {
-    hostName = "lithium";
-
-    wg-quick.interfaces = {
-      wg0 = {
-        autostart = true;
-        address = [ "${config.custom.gua_pref}ff::3/64" ];
-        dns = [
-          "${config.custom.gua_pref}ff::1"
-          "vsinerva.fi"
-        ];
-        privateKeyFile = "/root/wireguard-keys/privatekey-home";
-        listenPort = 51820;
-
-        peers = [
-          {
-            publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
-            presharedKeyFile = "/root/wireguard-keys/psk-home";
-            allowedIPs = [ "::/0" ];
-            endpoint = "wg.vsinerva.fi:51820";
-          }
-        ];
-      };
-    };
-  };
-  # Dirty hack to fix autostart failing due to DNS lookups
-  systemd.services."wg-quick-wg0".serviceConfig = {
-    Restart = "on-failure";
-    RestartSec = "1s";
-  };
-  services.clatd = {
-    enable = true;
-    settings.clat-v6-addr = "${config.custom.gua_pref}ff::c3";
-  };
-  systemd.services.clatd.wants = [ "wg-quick-wg0.service" ];
-
-  services.openssh.openFirewall = false;
-  services.fail2ban.enable = pkgs.lib.mkForce false;
-
-  imports = [
-    ../base.nix
-    ../users/vili.nix
-    ../desktop.nix
-    ../development.nix
-    ../services/syncthing.nix
-    ../services/redshift.nix
-    ../services/moonlight.nix
-    ../hardware-specific/onlykey.nix
-    ../hardware-specific/keychron-q11.nix
-    ../hardware-specific/trackball.nix
-    ../hardware-specific/usb-automount.nix
-    ../hardware-specific/intel-laptop.nix
-  ];
-
-  system.autoUpgrade.allowReboot = pkgs.lib.mkForce false;
-
-  swapDevices = pkgs.lib.mkForce [
-    {
-      device = "/var/lib/swapfile";
-      size = 16 * 1024;
-    }
-  ];
-
-  boot = {
-    loader.timeout = 10;
-    initrd.luks = {
-      fido2Support = true;
-      devices."nixos".fido2 = {
-        passwordLess = true;
-        credential = "f29b0760a6ec3b18b0a9958d77d8be8b15ff4fd90d42c3ceaeeb5d24a19c8f81315f52dae2262619c1da2be7562ec9dd94888c71a9326fea70dfe16214b5ea8ec014225afa01";
-      };
-    };
-    resumeDevice = "/dev/mapper/nixos";
-    kernelParams = [ "resume_offset=39292928" ];
-  };
-}

machine-confs/nextcloud.nix

@@ -1,13 +0,0 @@
-{ ... }:
-{
-  networking.hostName = "nextcloud";
-  custom.nextcloud_domain = "nextcloud.vsinerva.fi";
-
-  imports = [
-    ../base.nix
-    ../services/nextcloud.nix
-  ];
-
-  # HARDWARE SPECIFIC
-  services.qemuGuest.enable = true;
-}

machine-confs/siit-dc.nix

@@ -1,12 +0,0 @@
-{ ... }:
-{
-  networking.hostName = "siit-dc";
-
-  imports = [
-    ../base.nix
-    ../services/siit-dc.nix
-  ];
-
-  # HARDWARE SPECIFIC
-  services.qemuGuest.enable = true;
-}

machine-confs/syncthing.nix

@@ -1,15 +0,0 @@
-{ pkgs, ... }:
-{
-  networking.hostName = "syncthing";
-
-  imports = [
-    ../base.nix
-    ../users/vili.nix
-    ../services/syncthing.nix
-  ];
-
-  users.users.vili.hashedPasswordFile = pkgs.lib.mkForce null;
-
-  # HARDWARE SPECIFIC
-  services.qemuGuest.enable = true;
-}

machine-confs/vaultwarden.nix

@@ -1,12 +0,0 @@
-{ ... }:
-{
-  networking.hostName = "vaultwarden";
-
-  imports = [
-    ../base.nix
-    ../services/vaultwarden.nix
-  ];
-
-  # HARDWARE SPECIFIC
-  services.qemuGuest.enable = true;
-}

misc/custom-minimal-iso.nix

@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-{
-  imports = [
-    <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
-    ./custom-iso-base.nix
-  ];
-
-  networking.networkmanager.enable = pkgs.lib.mkForce false;
-}

misc/template-configuration.nix

@@ -1,25 +0,0 @@
-{ ... }:
-let
-  host = "generic";
-  stateVersion = "24.11";
-
-  repo = builtins.fetchGit {
-    url = "https://forgejo.sinerva.eu/VSinerva/nixos-conf.git";
-    name = "nixos-conf-forgejo";
-    ref = "main";
-  };
-in
-{
-  imports = [
-    ./hardware-configuration.nix
-    "${repo}/machine-confs/${host}.nix"
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = stateVersion; # Did you read the comment?
-}

personal/desktop.nix

@@ -0,0 +1,49 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./programs/symlinked/symlinks.nix
+    ../shared/users/vili.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    alacritty
+    vlc
+    flameshot
+    speedcrunch
+  ];
+
+  services = {
+    displayManager = {
+      autoLogin.enable = true;
+      autoLogin.user = "vili";
+    };
+    xserver = {
+      enable = true;
+      displayManager = {
+        lightdm.enable = true;
+        sessionCommands = ''${pkgs.xorg.xrdb}/bin/xrdb -merge < ${
+          (import ./programs/embedded/xresources.nix { inherit pkgs; })
+        }'';
+      };
+    };
+
+    pipewire.enable = false;
+    pulseaudio.enable = true;
+  };
+  nixpkgs.config.pulseaudio = true;
+
+  security.polkit.enable = true;
+
+  xdg.mime.defaultApplications = {
+    "application/pdf" = "org.gnome.Evince.desktop";
+    "text/plain" = "org.xfce.mousepad.desktop";
+    "text/x-tex" = "org.kde.kile.desktop";
+    "inode/directory" = "pcmanfm.description";
+  };
+
+  qt = {
+    enable = true;
+    style = "adwaita-dark";
+    platformTheme = "gnome";
+  };
+}

personal/development.nix

@@ -0,0 +1,44 @@
+{ pkgs, lib, ... }:
+{
+  imports = [ ./programs/embedded/nvim.nix ];
+
+  #################### Git configuration ####################
+  programs.git = {
+    enable = true;
+    lfs.enable = true;
+    config = {
+      user = {
+        email = "vili.m.sinerva@gmail.com";
+        name = "Vili Sinervä";
+        signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
+      };
+      merge = {
+        ff = "true";
+      };
+      pull = {
+        ff = "only";
+      };
+      commit = {
+        verbose = "true";
+      };
+      gpg.format = "ssh";
+      commit.gpgsign = "true";
+    };
+  };
+
+  #################### Packages ####################
+  environment.systemPackages = with pkgs; [
+    nixfmt-rfc-style
+    nixd
+
+    vagrant
+    nmap
+    metasploit
+    armitage
+  ];
+  virtualisation.virtualbox.host.enable = true;
+  virtualisation.virtualbox.host.addNetworkInterface = false;
+  users.extraGroups.vboxusers.members = [ "vili" ];
+
+  fonts.packages = builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts);
+}

personal/hardware/amd-laptop.nix

@@ -1,4 +1,9 @@
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 {
   environment.systemPackages = with pkgs; [ zenmonitor ];
 
@@ -7,7 +12,7 @@
   boot.initrd.kernelModules = [ "amdgpu" ];
 
   services = {
-    xserver = pkgs.lib.mkIf config.services.xserver.enable {
+    xserver = lib.mkIf config.services.xserver.enable {
       videoDrivers = [
         "amdgpu"
         "modesetting"

personal/hardware/hibernate.nix

@@ -0,0 +1,13 @@
+{ lib, ... }:
+{
+  swapDevices = [
+    {
+      device = "/var/lib/swapfile";
+      size = 16 * 1024;
+    }
+  ];
+
+  boot = {
+    resumeDevice = lib.mkDefault "/dev/mapper/nixos";
+  };
+}

personal/hardware/onlykey.nix

@@ -1,12 +1,5 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
-  assertions = [
-    {
-      assertion = config.users.users ? "vili";
-      message = "User 'vili' needed for onlykey!";
-    }
-  ];
-
   environment.systemPackages = with pkgs; [
     (onlykey.override (prev: {
       node_webkit = prev.node_webkit.overrideAttrs {
@@ -21,7 +14,5 @@
     onlykey-cli
   ];
 
-  security.pam.u2f.enable = true;
   hardware.onlykey.enable = true;
-  programs.i3lock.u2fSupport = true;
 }

personal/hardware/trackball.nix

@@ -3,7 +3,7 @@
   nixpkgs.overlays = [
     (final: prev: {
       moonlight-qt = prev.moonlight-qt.overrideAttrs (old: {
-        patches = (old.patches or [ ]) ++ [ ../misc/mouse-accel.patch ];
+        patches = (old.patches or [ ]) ++ [ ./moonlight-trackball-accel.patch ];
       });
     })
   ];

personal/networking/home-wg.nix

@@ -0,0 +1,50 @@
+{ config, lib, ... }:
+{
+  options.custom.home_wg_suffix = lib.mkOption {
+    type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$");
+    default = null;
+    description = "IPv6 GUA Suffix for Home WireGuard config";
+  };
+
+  config = {
+    networking = {
+      wg-quick.interfaces = {
+        wg0 = {
+          autostart = true;
+          address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
+          dns = [
+            "${config.custom.gua_pref}ff::1"
+            "vsinerva.fi"
+          ];
+          privateKeyFile = "/persist/secrets/wireguard/priv-home";
+          listenPort = 51820;
+
+          peers = [
+            {
+              publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
+              presharedKeyFile = "/persist/secrets/wireguard/psk-home";
+              allowedIPs = [ "::/0" ];
+              endpoint = "wg.vsinerva.fi:51820";
+            }
+          ];
+        };
+      };
+    };
+
+    services.clatd = {
+      enable = true;
+      settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
+    };
+
+    systemd.services = {
+      "wg-quick-wg0" = {
+        wants = [ "network-online.target" ];
+        after = [ "network-online.target" ];
+      };
+      clatd = {
+        wants = [ "wg-quick-wg0.service" ];
+        after = [ "wg-quick-wg0.service" ];
+      };
+    };
+  };
+}

personal/networking/printing.nix

@@ -0,0 +1,12 @@
+{ ... }:
+{
+  programs.i3lock.enable = true;
+  services = {
+    printing.enable = true;
+    avahi = {
+      enable = true;
+      nssmdns4 = true;
+      openFirewall = true;
+    };
+  };
+}

personal/programs/bitwarden.nix

@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    bitwarden
+    bitwarden-cli
+  ];
+
+  programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock";
+  security = {
+    pam = {
+      rssh.enable = true;
+      services = {
+        sudo.rssh = true;
+      };
+    };
+    sudo.execWheelOnly = true;
+  };
+
+  # We need SSH for the sudo, but generally don't want it open on machines with Bitwarden client
+  services.openssh.openFirewall = false;
+}

personal/programs/communication.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    telegram-desktop
+    signal-desktop
+    discord
+  ];
+}

personal/programs/embedded/i3-conf.nix

@@ -1,8 +1,7 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 let
   alacritty-conf = "${
     (import ./alacritty.nix {
-      inherit config;
       inherit pkgs;
     })
   }";

personal/programs/embedded/nvim.nix

@@ -1,54 +1,5 @@
-{ pkgs, lib, ... }:
-let
-  nixvim = import (
-    builtins.fetchGit {
-      url = "https://github.com/nix-community/nixvim";
-      ref = "nixos-25.05";
-    }
-  );
-in
+{ nixvim, ... }:
 {
-  #################### Git configuration ####################
-  programs.git = {
-    enable = true;
-    lfs.enable = true;
-    config = {
-      user = {
-        email = "vili.m.sinerva@gmail.com";
-        name = "Vili Sinervä";
-        signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
-      };
-      merge = {
-        ff = "true";
-      };
-      pull = {
-        ff = "only";
-      };
-      commit = {
-        verbose = "true";
-      };
-      gpg.format = "ssh";
-      commit.gpgsign = "true";
-    };
-  };
-
-  #################### Packages ####################
-  environment.systemPackages = with pkgs; [
-    nixfmt-rfc-style
-    nixd
-
-    vagrant
-    nmap
-    metasploit
-    armitage
-  ];
-  virtualisation.virtualbox.host.enable = true;
-  virtualisation.virtualbox.host.addNetworkInterface = false;
-  users.extraGroups.vboxusers.members = [ "vili" ];
-
-  fonts.packages = builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts);
-
-  #################### Neovim configuration ####################
   imports = [ nixvim.nixosModules.nixvim ];
 
   programs.nixvim = {

personal/programs/embedded/xresources.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+pkgs.writeText "Xresources" ''
+  Xft.dpi:       96
+  Xft.antialias: true
+  Xft.hinting:   true
+  Xft.rgba:      rgb
+  Xft.autohint:  false
+  Xft.hintstyle: hintslight
+  Xft.lcdfilter: lcddefault
+
+  Xcursor.theme: xcursor-breeze
+  Xcursor.size:                     0
+''

personal/programs/i3.nix

@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    i3status
+    rofi
+    arandr
+    pavucontrol
+    viewnior
+    xfce.mousepad
+    pcmanfm
+    evince
+    brightnessctl
+    networkmanagerapplet
+  ];
+
+  programs.i3lock.enable = true;
+
+  services = {
+    displayManager = {
+      defaultSession = "none+i3";
+    };
+    xserver.windowManager.i3 = {
+      enable = true;
+      extraPackages = [ ];
+      configFile = "${(import ./embedded/i3-conf.nix { inherit pkgs; })}";
+    };
+  };
+}

personal/programs/redshift.nix

@@ -1,11 +1,5 @@
-{ config, ... }:
+{ ... }:
 {
-  assertions = [
-    {
-      assertion = config.services.xserver.enable;
-      message = "Redshift does not work without a desktop!";
-    }
-  ];
   services.redshift = {
     executable = "/bin/redshift-gtk";
     enable = true;

personal/programs/study.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    libreoffice
+    zotero
+    kile
+    texliveFull
+    imagemagick
+    ghostscript
+    kdePackages.okular
+  ];
+}

personal/programs/symlinked/symlinks.nix

@@ -0,0 +1,54 @@
+{ ... }:
+{
+  system.userActivationScripts.mkDesktopSettingsSymlinks.text =
+    let
+      home = "/home/vili/";
+      paths = [
+        rec {
+          dir = "${home}.config/pcmanfm/default/";
+          file = "pcmanfm.conf";
+          full = "${dir}${file}";
+          source = "${./pcmanfm.conf}";
+        }
+        rec {
+          dir = "${home}.config/libfm/";
+          file = "libfm.conf";
+          full = "${dir}${file}";
+          source = "${./libfm.conf}";
+        }
+        rec {
+          dir = "${home}.config/gtk-3.0/";
+          file = "bookmarks";
+          full = "${dir}${file}";
+          source = "${./gtk-bookmarks}";
+        }
+        rec {
+          dir = "${home}";
+          file = ".gtkrc-2.0";
+          full = "${dir}${file}";
+          source = "${./gtkrc-2.0}";
+        }
+        rec {
+          dir = "${home}.config/gtk-3.0/";
+          file = "settings.ini";
+          full = "${dir}${file}";
+          source = "${./gtk-3-4-settings.ini}";
+        }
+        rec {
+          dir = "${home}.config/gtk-4.0/";
+          file = "settings.ini";
+          full = "${dir}${file}";
+          source = "${./gtk-3-4-settings.ini}";
+        }
+      ];
+    in
+    toString (
+      map (path: ''
+        mkdir -p ${path.dir}
+        if test -e ${path.full} -a ! -L ${path.full}; then
+          mv -f ${path.full} ${path.full}.old
+        fi
+        ln -sf ${path.source} ${path.full}
+      '') paths
+    );
+}

servers/acme-cert-store.nix

@@ -13,5 +13,4 @@
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
   ];
-
 }

servers/forgejo.nix

@@ -1,15 +1,10 @@
 { config, ... }:
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
+  imports = [
+    ./utils/nginx-https-server.nix
+    ./utils/acme-http-client.nix
   ];
 
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "vili.m.sinerva@gmail.com";
-  };
-
   services = {
     forgejo = {
       enable = true;

servers/nextcloud.nix

@@ -5,7 +5,10 @@
   ...
 }:
 {
-  imports = [ ./cert-store-client.nix ];
+  imports = [
+    ./utils/nginx-https-server.nix
+    ./utils/cert-store-client.nix
+  ];
 
   options.custom = {
     nextcloud_domain = lib.mkOption {
@@ -22,8 +25,6 @@
 
   config = lib.mkMerge [
     {
-      networking.firewall.allowedTCPPorts = [ 443 ];
-
       services = {
         nextcloud = {
           package = pkgs.nextcloud31;
@@ -46,19 +47,7 @@
           };
         };
 
-        nginx = {
-          recommendedGzipSettings = true;
-          recommendedOptimisation = true;
-          recommendedTlsSettings = true;
-          recommendedProxySettings = true;
-
-          virtualHosts.${config.services.nextcloud.hostName} = {
-            forceSSL = true;
-            kTLS = true;
-            sslCertificate = "/mnt/acme/fullchain.pem";
-            sslCertificateKey = "/mnt/acme/key.pem";
-          };
-        };
+        nginx.virtualHosts.${config.services.nextcloud.hostName} = { };
       };
     }
     (
@@ -89,10 +78,6 @@
           };
 
           nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
-            forceSSL = true;
-            kTLS = true;
-            sslCertificate = "/mnt/acme/fullchain.pem";
-            sslCertificateKey = "/mnt/acme/key.pem";
             locations."/" = {
               proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
               proxyWebsockets = true; # collabora uses websockets

servers/syncthing.nix

@@ -1,12 +1,5 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 {
-  assertions = [
-    {
-      assertion = config.users.users ? "vili";
-      message = "User 'vili' needed for syncthing!";
-    }
-  ];
-
   boot.kernel.sysctl."fs.inotify.max_user_watches" = 204800;
 
   services.syncthing = {
@@ -27,14 +20,14 @@
         relaysEnabled = false;
       };
 
-      devices = pkgs.lib.mkMerge [
+      devices = lib.mkMerge [
         {
           "syncthing" = {
             id = "J6GNM4Z-2TWASPT-3P3EW4V-KZEQYFF-TXL22QX-4YTZ3WO-WLM7GQ7-NUP66A4";
             addresses = [ "tcp://syncthing.vsinerva.fi:22000" ];
           };
         }
-        (pkgs.lib.mkIf (config.networking.hostName == "syncthing") {
+        (lib.mkIf (config.networking.hostName == "syncthing") {
           "helium" = {
             id = "2MRUBSY-NHXYMAW-SY22RHP-CNNMHKR-DPDKMM4-2XV5F6M-6KSNLQI-DD4EOAM";
             addresses = [ "tcp://helium.vsinerva.fi:22000" ];
@@ -49,9 +42,9 @@
       folders =
         let
           default = {
-            devices = pkgs.lib.mkMerge [
+            devices = lib.mkMerge [
               [ "syncthing" ]
-              (pkgs.lib.mkIf (config.networking.hostName == "syncthing") [
+              (lib.mkIf (config.networking.hostName == "syncthing") [
                 "helium"
                 "lithium"
               ])

servers/utils/acme-http-client.nix

@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          enableACME = true;
+        };
+      }
+    );
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts = [ 80 ];
+
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "vili.m.sinerva@gmail.com";
+    };
+  };
+}

servers/utils/cert-store-client.nix

@@ -0,0 +1,34 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          sslCertificate = "/mnt/acme/fullchain.pem";
+          sslCertificateKey = "/mnt/acme/key.pem";
+        };
+      }
+    );
+  };
+
+  config = {
+    services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
+
+    systemd.services.nginx = {
+      wants = [ "mnt-acme.mount" ];
+      after = [ "mnt-acme.mount" ];
+    };
+
+    fileSystems."/mnt/acme" = {
+      device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme/-.vsinerva.fi";
+      fsType = "sshfs";
+      options = [
+        "nodev"
+        "noatime"
+        "allow_other"
+        "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+      ];
+    };
+  };
+}

servers/utils/nginx-https-server.nix

@@ -0,0 +1,25 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          forceSSL = true;
+          kTLS = true;
+        };
+      }
+    );
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts = [ 443 ];
+
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+    };
+  };
+}

servers/vaultwarden.nix

@@ -1,9 +1,9 @@
 { ... }:
 {
-  imports = [ ./cert-store-client.nix ];
-
-  networking.firewall.allowedTCPPorts = [ 443 ];
-  networking.firewall.allowedUDPPorts = [ 443 ];
+  imports = [
+    ./utils/nginx-https-server.nix
+    ./utils/cert-store-client.nix
+  ];
 
   services = {
     vaultwarden = {
@@ -31,17 +31,7 @@
     };
 
     nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedTlsSettings = true;
-      recommendedProxySettings = true;
-
       virtualHosts."vaultwarden.vsinerva.fi" = {
-        forceSSL = true;
-        kTLS = true;
-        sslCertificate = "/mnt/acme/fullchain.pem";
-        sslCertificateKey = "/mnt/acme/key.pem";
         locations."/" = {
           proxyPass = "http://localhost:8000";
         };

services/cert-store-client.nix

@@ -1,21 +0,0 @@
-{ ... }:
-{
-  services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
-
-  systemd.services.nginx = {
-    wants = [ "mnt-acme.mount" ];
-    after = [ "mnt-acme.mount" ];
-  };
-
-  fileSystems."/mnt/acme" = {
-    device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme/-.vsinerva.fi";
-    fsType = "sshfs";
-    options = [
-      "nodev"
-      "noatime"
-      "allow_other"
-      "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
-    ];
-  };
-}

shared/base.nix

@@ -1,4 +1,9 @@
-{ pkgs, lib, ... }:
+{
+  pkgs,
+  lib,
+  nixpkgs-flake,
+  ...
+}:
 {
   options.custom.gua_pref = lib.mkOption {
     type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$");
@@ -44,9 +49,9 @@
         ZSH_TMUX_CONFIG=/etc/tmux.conf
       '';
       promptInit = ''
-        if [ -n "$IN_NIX_SHELL" ]; then 
+        if [ "$SHLVL" != 1 ]; then 
           setopt PROMPT_SUBST
-          RPROMPT+='[nix]'
+          RPROMPT+='[depth-''${SHLVL}]'
         fi
       '';
     };
@@ -83,7 +88,7 @@
       set -s escape-time 0
     '';
 
-    ######################################## SSH and fail2ban configuration #########################
+    ######################################## SSH configuration #########################
     services.openssh = {
       enable = true;
       settings.PasswordAuthentication = false;
@@ -92,21 +97,6 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV vili-bw-ssh-ed25519-main"
     ];
 
-    services.fail2ban = {
-      enable = true;
-      maxretry = 10;
-      bantime = "10m";
-      bantime-increment = {
-        enable = true;
-        maxtime = "1d";
-      };
-      jails = {
-        DEFAULT.settings = {
-          findtime = 3600;
-        };
-      };
-    };
-
     ######################################## Localization ###########################################
     i18n.defaultLocale = "en_US.UTF-8";
 
@@ -126,7 +116,7 @@
       layout = "us,";
       variant = "de_se_fi,";
     };
-    console = pkgs.lib.mkForce {
+    console = lib.mkForce {
       font = "Lat2-Terminus16";
       useXkbConfig = true; # use xkbOptions in tty.
     };
@@ -134,16 +124,11 @@
 
     ######################################## Memory management ######################################
     zramSwap.enable = true;
-    swapDevices = [
-      {
-        device = "/var/lib/swapfile";
-        size = 8 * 1024;
-      }
-    ];
 
     ######################################## Housekeeping ###########################################
     system.autoUpgrade = {
       enable = true;
+      flake = ''"git+https://forgejo.sinerva.eu/VSinerva/nixos-conf.git?ref=main&shallow=1"'';
       dates = "04:00";
       randomizedDelaySec = "30min";
       allowReboot = true;
@@ -153,14 +138,17 @@
       };
     };
 
+    nixpkgs.config.allowUnfree = true;
     nix = {
+      registry = {
+        nixpkgs.flake = nixpkgs-flake;
+      };
       settings = {
         experimental-features = [
           "nix-command"
           "flakes"
         ];
         auto-optimise-store = true;
-        tarball-ttl = 0;
       };
       gc = {
         automatic = true;
@@ -171,8 +159,6 @@
     };
 
     ######################################## Misc. ##################################################
-    nixpkgs.config.allowUnfree = true;
-
     networking = {
       # Easiest to use and most distros use this by default.
       networkmanager = {
@@ -187,9 +173,9 @@
     users.mutableUsers = false; # Force all user management to happen throught nix-files
 
     boot.loader = {
-      systemd-boot.enable = pkgs.lib.mkDefault true;
-      efi.canTouchEfiVariables = pkgs.lib.mkDefault true;
-      timeout = pkgs.lib.mkDefault 0;
+      systemd-boot.enable = lib.mkDefault true;
+      efi.canTouchEfiVariables = lib.mkDefault true;
+      timeout = lib.mkDefault 0;
     };
   };
 }

shared/hardware/vm.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  swapDevices = [
+    {
+      device = "/var/lib/swapfile";
+      size = 2 * 1024;
+    }
+  ];
+
+  services.qemuGuest.enable = true;
+}

shared/users/vili.nix

@@ -11,7 +11,7 @@
       "audio"
     ];
     openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
-    hashedPasswordFile = "/root/hashed-passwords/vili";
+    hashedPasswordFile = "/persist/secrets/hashed-passwords/vili";
   };
 
   users.groups.vili.gid = 1000;