Start migration to using flake-parts

.sops.yaml

@@ -1,15 +1,17 @@
 keys:
   - &primary age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
   - &aspi-ssh age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4
+  - &pianonix-ssh age1tguyu2yd5xv8rgjjl50cq6dq5rr7umqgv098dgre4u9wyj30ea7sexw62c
   - &builder-ssh age1kw4kmdm45zprvdkrrpvgq966l7585vhusmum083qlwnr0xxgd3uqatcyja
   - &kardorf-ssh age15lxw97z03q40xrdscnxqqugh5ky5aqrerg2t2rphkcqm6rnllurq8v98q5
 
 creation_rules:
-  - path_regex: hosts/secrets-common.yaml$
+  - path_regex: hosts/common/secrets.yaml$
     key_groups:
     - age:
       - *primary
       - *aspi-ssh
+      - *pianonix-ssh
       - *kardorf-ssh
 
   - path_regex: hosts/builder/secrets.yaml$
@@ -17,3 +19,9 @@ creation_rules:
     - age:
       - *primary
       - *builder-ssh
+
+  - path_regex: hosts/pianonix/secrets*
+    key_groups:
+    - age:
+      - *primary
+      - *pianonix-ssh

features-home-manager/suites/desktop/default.nix

@@ -52,6 +52,7 @@
     # rustdesk
     tor-browser
     rusty-path-of-building # Path of Building for poe1 and poe2
+    # frajul.pob-dev-version # Path of Building
     vlc
     wineWowPackages.stable # 32-bit and 64-bit wine
     winetricks
@@ -68,5 +69,6 @@
     ## My scripts
     frajul.open-messaging
     frajul.xwacomcalibrate
+    frajul.pob2-frajul
   ];
 }

features-nixos/base/auto-upgrade.nix

@@ -0,0 +1,18 @@
+{
+  flake.nixosModules.base = {
+    inputs,
+    config,
+    ...
+  }: {
+    system.hydraAutoUpgrade = {
+      # Only enable if not dirty
+      enable = inputs.self ? rev;
+      dates = "*:0/10"; # Every 10 minutes
+      instance = "http://hydra.julian-mutter.de";
+      project = "dotfiles";
+      jobset = "main";
+      job = "hosts.${config.networking.hostName}";
+      oldFlakeRef = "self";
+    };
+  };
+}

features-nixos/base/default.nix

@@ -0,0 +1,40 @@
+# Common config for all hosts
+{
+  flake.nixosModules.base = {
+    inputs,
+    outputs,
+    pkgs,
+    lib,
+    ...
+  }: {
+    imports = [
+      inputs.home-manager.nixosModules.home-manager
+    ];
+
+    # Replaces the (modulesPath + "/installer/scan/not-detected.nix") from default hardware-configuration.nix
+    # Enables non-free firmware
+    hardware.enableRedistributableFirmware = true;
+
+    # Networking
+    networking.networkmanager = {
+      enable = true;
+      plugins = with pkgs; [
+        networkmanager-openconnect
+      ];
+    };
+    services.resolved.enable = false;
+    # MDNS Taken by avahi
+    # networking.networkmanager.dns = "none";
+    networking.nameservers = lib.mkDefault [
+      "1.1.1.1"
+      "8.8.8.8"
+    ];
+
+    # HM module
+    home-manager.useGlobalPkgs = true; # hm module uses the pkgs of the nixos config
+    home-manager.backupFileExtension = "hm-backup"; # backup conflicting files. So hm activation never fails
+    home-manager.extraSpecialArgs = {
+      inherit inputs outputs;
+    };
+  };
+}

features-nixos/base/fish.nix

@@ -0,0 +1,12 @@
+{
+  flake.nixosModules.base = {
+    programs.fish = {
+      enable = true;
+      vendor = {
+        completions.enable = true;
+        config.enable = true;
+        functions.enable = true;
+      };
+    };
+  };
+}

features-nixos/base/locale.nix

@@ -0,0 +1,28 @@
+{
+  flake.nixosModules.base = {
+    # Select internationalisation properties.
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    i18n.extraLocaleSettings = {
+      LC_ADDRESS = "de_DE.UTF-8";
+      LC_IDENTIFICATION = "de_DE.UTF-8";
+      LC_MEASUREMENT = "de_DE.UTF-8";
+      LC_MONETARY = "de_DE.UTF-8";
+      LC_NAME = "de_DE.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "de_DE.UTF-8";
+      LC_TELEPHONE = "de_DE.UTF-8";
+      LC_TIME = "de_DE.UTF-8";
+    };
+
+    # Keymap
+    services.xserver.xkb = {
+      layout = "de";
+      variant = "";
+    };
+
+    console.keyMap = "de";
+
+    time.timeZone = "Europe/Berlin";
+  };
+}

features-nixos/base/nix.nix

@@ -0,0 +1,48 @@
+{
+  flake.nixosModules.base = {outputs, ...}: {
+    # Apply overlays
+    nixpkgs = {
+      # TODO: apply this to hm and nixos without duplicate code
+      overlays = builtins.attrValues outputs.overlays;
+      config = {
+        nvidia.acceptLicense = true;
+        allowUnfree = true;
+        allowUnfreePredicate = _: true; # TODO: what is this
+        warn-dirty = false;
+        permittedInsecurePackages = [
+          "olm-3.2.16"
+        ];
+      };
+    };
+
+    # optimize at every build, slows down builds
+    # better to do optimise.automatic for regular optimising
+    # nix.settings.auto-optimise-store = lib.mkDefault true;
+    nix.settings.experimental-features = [
+      "nix-command"
+      "flakes"
+      "ca-derivations"
+    ];
+    # warn-dirty = false;
+
+    nix.gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+      persistent = true;
+    };
+    nix.optimise = {
+      automatic = true;
+      dates = ["weekly"]; # Optional; allows customizing optimisation schedule
+      persistent = true;
+    };
+
+    programs.nix-ld.enable = true;
+
+    # TODO: is this useful?, what does it do?
+    # nix.settings.flake-registry = ""; # Disable global flake registry
+    # Add each flake input as a registry and nix_path
+    # registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
+    # nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+  };
+}

features-nixos/base/root.nix

@@ -0,0 +1,11 @@
+{
+  flake.nixosModules.base = {pkgs, ...}: {
+    # Packages needed as root
+    environment.systemPackages = with pkgs; [
+      vim
+      htop
+      mc
+      gparted-xhost # needs to be installed as system package so it can be actually opened
+    ];
+  };
+}

features-nixos/base/sops/secrets.yaml

@@ -1,8 +1,14 @@
 #ENC[AES256_GCM,data:NSxfTl2hTXEoGl23aQnElG+df/1YzA==,iv:+oy9oITMGzdM2muDUPjwxJqUu1Bdyregl65/0hiulZ0=,tag:VKjforpyahKj0ktIN36gNw==,type:comment]
 julian-password: ENC[AES256_GCM,data:tgeu4uVI91j34+Gfzy2Uckmopj9bJNWiu65W0cdA76Kly3LH7RqXCq4rNM4DCwrsX3k9WdOlGX6T9edIjJgmbbe6MkeH7oQwiA==,iv:GE6zfSHymkAewjry7fofURz70az608+hja385LLeCIY=,tag:FqTopL5DyM3DTpa7AoGPDg==,type:str]
+wifi:
+    pianonix: ENC[AES256_GCM,data:Ty1wElfVj+CU9bTbpuYIk2dA4fgFm59PkQGqvODn51Q=,iv:bLomyTlOW2Z4rPbue7Klo6Jt5lR+44AuL+dIMFgDNAE=,tag:DuH2ayeb19dkPi9xmbAu3A==,type:str]
 syncthing:
     public-keys:
         aspi-nix: ENC[AES256_GCM,data:ZTykdQCyh4DMuQUCy1DSKsGNxxn1dinaqztpDdJY53pkWcW4YcWRHk94iGJQZgG1oLfr3AB2S3J6b9w2WuV3,iv:9z2ovHzq6JjRtHzNMIQtcUCinIjG/ImSGqqC7KPhpuw=,tag:No2LCjD+XXB77Su+s98MIA==,type:str]
+        pianonix: ENC[AES256_GCM,data:pUJPXH47VG363aIoxZwmbVe3uBoO7EO2TflK4f761C7PwD0tFNthZt9HRE6gQXAMQMF6qWzNK3CNGspSzKsE,iv:E89oz8BG5iQW/mRzdxSrYewGeVLiCrTcAF+c9ny6gPc=,tag:rLqwUmFDsaOMClR1tbE1sA==,type:str]
+    pianonix:
+        key: ENC[AES256_GCM,data:IaCXIRDMWCHj3lTKpkLg1Nd3pX4bktWg4WjZPGKgTBCLVkMi/SDtlaoNhDz+a+Vt6jYTXHS4exFnIVJ878nWSrA1sD2NHXmfsMh1kkLhub68qv0M33dBXvgX0vQ51Z1WMoti73yDUjJH8Ym5yF/SCg2+RbkVf+4pe2hSlAzwkGP6YC2rbCE5sZG31C55MkaGC6zwo2ZpZXdVhCW845SqAc11cF/OeEHb9B1FS3rd+El7rlJHrIEVQTkomNLshcspb13H0z3vNhtfu9pPkGxee8Hp/hEhFQ+waWBAg4w15yKihjHJmhzdjhDHCilvwYaceb7b5OwARuuiruQ+cJ40bdnStDpi2ouP8QJjEi7tmKWeplZ0X70PVZJFH/e/mTH5,iv:3hQMB4ka31w3chXXwjl/1IHF8ES/RobZVeugMC3ddlU=,tag:j8wwrNQUQbCEGtcriSpc4g==,type:str]
+        cert: ENC[AES256_GCM,data:v9LO8qpeGDDV6I+AJU5iTYKKBV6qgr1ddwLvBVEOYyvmtPNeqaatYaK6vMBCabBIhxQu2NC96pREvWu1UHbxaMWvSCT1TzrIPrcFm+gKCH6PIPhqcnQpdGa3OYn01ohThpLp8hEmVUpJ0FO/AnE1QHK0VfPqJ3S0uHLjSCBJtxLmcBWNVvlcTU/P68QIQkrYAQRAtz9aDS+JNpUKhwCJBgjpY1Thj8Lj/fpc1t0qWo3BKIL3eW5iSlUW0iEriFS0bkMr4Bi9mNqpO26l1eZ3IXFJy/7pkqhmXXW83qOaF9AFXgg41p1Kjw4G6isB/obuhR7Z4oQ/AtkSU0wxHP4mF0AWrvC7/YGlrDG9aPYUEWOexTTBHkm89PhgEa69sekbzac7mYYFi/MIdU34ks4oc8ZIChWpT+V66mbo4f+3mn7raih5SLnyEMS7ENBes9cQC7SghSpB7D8c/2+q74A5aEZHUWRhqiDEx9IggP43SiWuNnb/HyZw16RUB7xnQKPs7LzAVlLC6M7ZETUmyEDEWWOsDY8+0Li4wuD3z4WXLAD9nP43TMx4GNoafjG+0Gu05hSR8fWv8strRCtIWjzK3wMaD9VT/cbt2oqOBkJcaqIW8+lM+ktk1WsD4Kc1DQ4q5O2oMrdPOWI9xZOs7DQTFshLHuvxutN05vgEUovI1vbMOl7SIzUW8YUY9PN0ofC7zwQlEJxfOdqT0nwv9vmqikSMP6V3jXgP5OnPb4KVx8G27X0oCjN++dJgDxdkh2JiLR9JaJHNmYPtLlP7hU4NsBpRpd9ObxRlv+uIbF2o0I8PGXMo3IVnRjrFDrRyoth2UJ+YUMGCVuonoS+nZLMCNz1xwRMaZBYjSEESmxc2Ilwdu3XTzd1KF282UvumBpRwcNxvsmPhI84v/XV8TJE8Z7YxyO3RYBQHD5+OuHOHKTtlajnKpSp/m0p0QR7rrGFoDuDKp+Z81MKz8wz3/8GG+sDh0pgniUfNyrmLroLPdT6nj0brvSVWYmOIJHDHKqM+6HZok5PyS+uHlb5dzwnmrd9OmhmwPVdkP5s=,iv:X9VNz2nsN4ywu3E0c+agwZCl43I4bt6jHz0jMoMFTJQ=,tag:RZUWa4h5JoIiZaDrYgcAeg==,type:str]
 sops:
     age:
         - recipient: age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
@@ -41,7 +47,7 @@ sops:
             VXhoN0VyWkVxMEJPQ3orVUNDK21rRU0KvnmuFxcCpP+LZg7v5jaStw9F0owVrQl9
             AkIq7GUJh7xewLxcVZfiBRpXMhw/mM8LYnd2KGP8R/TfYg+v0//+5A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-23T19:37:41Z"
-    mac: ENC[AES256_GCM,data:nd4HHv/KfoLj5qGINngvWZX9XdYqtmJnUREo0BOO2JZgYR3AVw0ppmGhj1RFy1bVKdfll/fMoD5tGNc3UQJPB0j2g/1pj47AF44V0d1J79RP6dwov30rr0QnsXVt7P9EOFL/W6TRugYO9J7LZs+tpsSALfwNPTfnulSJQtaJdG4=,iv:EKfq4eKyv1HeMy/zS+V3OKpdL9IVjE5mg8iuz8OPgso=,tag:W8+CZLnYuNbnKRS1kqhY0w==,type:str]
+    lastmodified: "2025-04-23T07:00:17Z"
+    mac: ENC[AES256_GCM,data:JgaTIRbzD0hs2o86xUlQrPN2cPXvsuTH/zKG5xbQIDaYcEvD/mkuVa3hfnYKrA91kWg2Y1DgEi9583+o6UCl/+ldY4ptu+xpnYfyQFdhM4rB+KoP/pDt8vQKQ3zAX8fpAkugCgTTbuvm3TfQ1nt98V8boyhCn4JHNC1T0j7ZtZI=,iv:G3YJOLeDWDKuANo2mxS2JAdrRaonD87CU9BpCZZrlRs=,tag:mcKIdP5cSQUwNL2tcv/o6g==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.10.1

features-nixos/base/sops/sops.nix

@@ -0,0 +1,24 @@
+{
+  flake.nixosModules.base = {
+    inputs,
+    config,
+    ...
+  }: let
+    isEd25519 = k: k.type == "ed25519";
+    getKeyPath = k: k.path;
+    keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+  in {
+    imports = [inputs.sops-nix.nixosModules.sops];
+
+    sops.age = {
+      sshKeyPaths = map getKeyPath keys;
+
+      # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
+      # keyFile = "/home/julian/.config/sops/age/keys.txt";
+      # Generate key if none of the above worked. With this, building will still work, just without secrets
+      generateKey = false; # TODO: building should not work without secrets!?
+    };
+
+    sops.defaultSopsFile = ./secrets.yaml;
+  };
+}

features-nixos/global/auto-upgrade.nix

@@ -1,16 +0,0 @@
-{
-  inputs,
-  config,
-  ...
-}: {
-  system.hydraAutoUpgrade = {
-    # Only enable if not dirty
-    enable = inputs.self ? rev;
-    dates = "*:0/10"; # Every 10 minutes
-    instance = "http://hydra.julian-mutter.de";
-    project = "dotfiles";
-    jobset = "main";
-    job = "hosts.${config.networking.hostName}";
-    oldFlakeRef = "self";
-  };
-}

features-nixos/global/default.nix

@@ -1,47 +0,0 @@
-# Common config for all hosts
-{
-  inputs,
-  outputs,
-  pkgs,
-  lib,
-  ...
-}: {
-  imports =
-    [
-      ./fish.nix # fish for admin
-      ./locale.nix
-      ./nix.nix
-      ./sops.nix
-      ./root.nix
-    ]
-    ++ [
-      inputs.home-manager.nixosModules.home-manager
-    ]
-    ++ (builtins.attrValues outputs.nixosModules);
-
-  # Replaces the (modulesPath + "/installer/scan/not-detected.nix") from default hardware-configuration.nix
-  # Enables non-free firmware
-  hardware.enableRedistributableFirmware = true;
-
-  # Networking
-  networking.networkmanager = {
-    enable = true;
-    plugins = with pkgs; [
-      networkmanager-openconnect
-    ];
-  };
-  services.resolved.enable = false;
-  # MDNS Taken by avahi
-  # networking.networkmanager.dns = "none";
-  networking.nameservers = lib.mkDefault [
-    "1.1.1.1"
-    "8.8.8.8"
-  ];
-
-  # HM module
-  home-manager.useGlobalPkgs = true; # hm module uses the pkgs of the nixos config
-  home-manager.backupFileExtension = "hm-backup"; # backup conflicting files. So hm activation never fails
-  home-manager.extraSpecialArgs = {
-    inherit inputs outputs;
-  };
-}

features-nixos/global/fish.nix

@@ -1,10 +0,0 @@
-{
-  programs.fish = {
-    enable = true;
-    vendor = {
-      completions.enable = true;
-      config.enable = true;
-      functions.enable = true;
-    };
-  };
-}

features-nixos/global/locale.nix

@@ -1,26 +0,0 @@
-{
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8";
-
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "de_DE.UTF-8";
-    LC_IDENTIFICATION = "de_DE.UTF-8";
-    LC_MEASUREMENT = "de_DE.UTF-8";
-    LC_MONETARY = "de_DE.UTF-8";
-    LC_NAME = "de_DE.UTF-8";
-    LC_NUMERIC = "en_US.UTF-8";
-    LC_PAPER = "de_DE.UTF-8";
-    LC_TELEPHONE = "de_DE.UTF-8";
-    LC_TIME = "de_DE.UTF-8";
-  };
-
-  # Keymap
-  services.xserver.xkb = {
-    layout = "de";
-    variant = "";
-  };
-
-  console.keyMap = "de";
-
-  time.timeZone = "Europe/Berlin";
-}

features-nixos/global/nix.nix

@@ -1,46 +0,0 @@
-{outputs, ...}: {
-  # Apply overlays
-  nixpkgs = {
-    # TODO: apply this to hm and nixos without duplicate code
-    overlays = builtins.attrValues outputs.overlays;
-    config = {
-      nvidia.acceptLicense = true;
-      allowUnfree = true;
-      allowUnfreePredicate = _: true; # TODO: what is this
-      warn-dirty = false;
-      permittedInsecurePackages = [
-        "olm-3.2.16"
-      ];
-    };
-  };
-
-  # optimize at every build, slows down builds
-  # better to do optimise.automatic for regular optimising
-  # nix.settings.auto-optimise-store = lib.mkDefault true;
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-    "ca-derivations"
-  ];
-  # warn-dirty = false;
-
-  nix.gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 30d";
-    persistent = true;
-  };
-  nix.optimise = {
-    automatic = true;
-    dates = ["weekly"]; # Optional; allows customizing optimisation schedule
-    persistent = true;
-  };
-
-  programs.nix-ld.enable = true;
-
-  # TODO: is this useful?, what does it do?
-  # nix.settings.flake-registry = ""; # Disable global flake registry
-  # Add each flake input as a registry and nix_path
-  # registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
-  # nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
-}

features-nixos/global/root.nix

@@ -1,9 +0,0 @@
-{pkgs, ...}: {
-  # Packages needed as root
-  environment.systemPackages = with pkgs; [
-    vim
-    htop
-    mc
-    gparted-xhost # needs to be installed as system package so it can be actually opened
-  ];
-}

features-nixos/global/sops.nix

@@ -1,23 +0,0 @@
-{
-  pwd,
-  inputs,
-  config,
-  ...
-}: let
-  isEd25519 = k: k.type == "ed25519";
-  getKeyPath = k: k.path;
-  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
-in {
-  imports = [inputs.sops-nix.nixosModules.sops];
-
-  sops.age = {
-    sshKeyPaths = map getKeyPath keys;
-
-    # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
-    # keyFile = "/home/julian/.config/sops/age/keys.txt";
-    # Generate key if none of the above worked. With this, building will still work, just without secrets
-    generateKey = false; # TODO: building should not work without secrets!?
-  };
-
-  sops.defaultSopsFile = "${pwd}/hosts/secrets-common.yaml";
-}

features-nixos/optional/authentication.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.authentication = {
     pkgs,
     lib,
     ...
@@ -26,4 +27,5 @@
         };
       };
     };
+  };
 }

features-nixos/optional/avahi.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.avahi = {
     # MDNS on local network
     services.avahi = {
       enable = true;
@@ -9,4 +10,5 @@
       ipv4 = true;
       ipv6 = true;
     };
+  };
 }

features-nixos/optional/binarycaches.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.binarycaches = {
     lib,
     outputs,
     ...
@@ -28,4 +29,5 @@
       # Ensure we can still build when missing-server is not accessible
       fallback = true;
     };
+  };
 }

features-nixos/optional/boot-efi.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.boot-efi = {
     # Bootloader
     # Use this for simple nix boot menu, if no dual boot required
     boot.loader.systemd-boot.enable = true;
@@ -14,4 +15,5 @@
       "nfs"
       "cifs"
     ];
+  };
 }

features-nixos/optional/docker.nix

@@ -1,5 +1,7 @@
 {
+  flake.nixosModules.docker = {
     virtualisation.docker = {
       enable = true;
     };
+  };
 }

features-nixos/optional/flatpak.nix

@@ -1,6 +1,8 @@
-{pkgs, ...}: {
+{
+  flake.nixosModules.flatpak = {pkgs, ...}: {
     services.flatpak.enable = true;
     xdg.portal.enable = true;
     xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
     xdg.portal.config.common.default = "*"; # Use first portal implementation found
+  };
 }

features-nixos/optional/gamemode.nix

@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{
+  flake.nixosModules.gamemode = {pkgs, ...}: {
     programs.gamemode = {
       enable = true;
       settings = {
@@ -18,4 +19,5 @@
         };
       };
     };
+  };
 }

features-nixos/optional/gdm.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.gdm = {
     config,
     lib,
     pkgs,
@@ -10,4 +11,5 @@
 
     # unlock GPG keyring on login
     security.pam.services.gdm.enableGnomeKeyring = true;
+  };
 }

features-nixos/optional/greetd.nix

@@ -1,4 +1,5 @@
-{config, ...}: let
+{
+  flake.nixosModules.greetd = {config, ...}: let
     homeCfgs = config.home-manager.users;
     julianCfg = homeCfgs.julian;
   in {
@@ -34,4 +35,5 @@ in {
       #   };
       # };
     };
+  };
 }

features-nixos/optional/i3.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.i3 = {
     config,
     lib,
     pkgs,
@@ -13,4 +14,5 @@
       enable = true;
       lockerCommand = "${pkgs.i3lock}/bin/i3lock --ignore-empty-password --color=000000";
     };
+  };
 }

features-nixos/optional/kerberos.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.kerberos = {
     security.krb5.enable = true;
     security.krb5.settings = {
       # domain_realm = {
@@ -20,4 +21,5 @@
         };
       };
     };
+  };
 }

features-nixos/optional/openssh.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.openssh = {
     outputs,
     lib,
     config,
@@ -46,4 +47,5 @@ in {
     #       ]);
     #   });
     # };
+  };
 }

features-nixos/optional/pcmanfm.nix

@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{
+  flake.nixosModules.pcmanfm = {pkgs, ...}: {
     environment.systemPackages = with pkgs; [
       shared-mime-info # extended mimetype support
       lxmenu-data # open with "Installed Applications"
@@ -6,4 +7,5 @@
     ];
 
     services.gvfs.enable = true; # Mount, trash, and other functionalities
+  };
 }

features-nixos/optional/pipewire.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.pipewire = {
     security.rtkit.enable = true;
     services.pulseaudio.enable = false;
     services.pipewire = {
@@ -25,4 +26,5 @@
         };
       };
     };
+  };
 }

features-nixos/optional/podman.nix

@@ -1,4 +1,5 @@
-{config, ...}: let
+{
+  flake.nixosModules.podman = {config, ...}: let
     dockerEnabled = config.virtualisation.docker.enable;
   in {
     virtualisation.podman = {
@@ -7,4 +8,5 @@ in {
       dockerSocket.enable = !dockerEnabled;
       defaultNetwork.settings.dns_enabled = true;
     };
+  };
 }

features-nixos/optional/redshift.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.redshift = {
     config,
     lib,
     pkgs,
@@ -9,4 +10,5 @@
     location.latitude = 47.92;
     location.longitude = 10.12;
     services.redshift.enable = true;
+  };
 }

features-nixos/optional/remote-builder.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.remote-builder = {
     nix.distributedBuilds = true;
     nix.settings.builders-use-substitutes = true;
 
@@ -31,4 +32,5 @@
       #   speedFactor = 1;
       # }
     ];
+  };
 }

features-nixos/optional/thunar.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.thunar = {
     config,
     lib,
     pkgs,
@@ -13,4 +14,5 @@
     ];
     services.gvfs.enable = true; # Mount, trash, and other functionalities
     services.tumbler.enable = true; # Thumbnail support for images
+  };
 }

features-nixos/optional/virtualbox.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.virtualbox = {
     config,
     lib,
     pkgs,
@@ -9,4 +10,5 @@
     # virtualisation.virtualbox.guest.enable = true;
     # virtualisation.virtualbox.guest.x11 = true;
     users.extraGroups.vboxusers.members = ["julian"];
+  };
 }

features-nixos/optional/wireguard.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.wireguard = {
     networking.wg-quick.interfaces = {
       julian = {
         configFile = "/etc/wireguard/julian.conf";
@@ -9,4 +10,5 @@
         autostart = false;
       };
     };
+  };
 }

features-nixos/optional/wireshark.nix

@@ -1,4 +1,5 @@
 {
+  flake.nixosModules.wireshark = {
     programs.wireshark = {
       enable = true;
       dumpcap.enable = true;
@@ -6,4 +7,5 @@
     };
 
     users.users.julian.extraGroups = ["wireshark"];
+  };
 }

features-nixos/optional/xserver.nix

@@ -1,6 +1,8 @@
 {
+  flake.nixosModules.xserver = {
     services.xserver = {
       enable = true;
       wacom.enable = true;
     };
+  };
 }

features-nixos/users/julian/default.nix

@@ -1,5 +1,5 @@
 {
-  pwd,
+  flake.nixosModules.users.julian = {
     pkgs,
     config,
     lib,
@@ -30,7 +30,7 @@ in {
       ];
 
       openssh.authorizedKeys.keys = lib.splitString "\n" (
-      builtins.readFile ./ssh.pub
+        builtins.readFile ../../../../homes/julian/ssh.pub
       );
       # hashedPasswordFile = config.sops.secrets.julian-password.path;
       hashedPassword = "$y$j9T$N33kLJQbV8soUoCbDkpwA1$r/yahJDgOPo4GGOrAi6BUG5zLTzmaBrA5NQ4nno561A";
@@ -41,11 +41,12 @@ in {
     };
 
     sops.secrets.julian-password = {
-    sopsFile = "${pwd}/hosts/secrets-common.yaml";
+      sopsFile = ../../secrets.yaml;
       neededForUsers = true;
     };
 
-  home-manager.users.julian = import "${pwd}/homes/julian/${config.networking.hostName}.nix";
+    home-manager.users.julian = import ../../../../homes/julian/${config.networking.hostName}.nix;
 
     security.pam.services.swaylock = {}; # Make swaylock unlocking work
+  };
 }

features-nixos/users/pob/default.nix

@@ -0,0 +1,30 @@
+{
+  flake.nixosModules.users.pob = {
+    pkgs,
+    config,
+    ...
+  }: let
+    ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+  in {
+    users.mutableUsers = false;
+    users.users.pob = {
+      description = "A helper user to use another profile for some applications";
+      group = "pob";
+      isNormalUser = true;
+      shell = pkgs.fish;
+      extraGroups = ifTheyExist [
+        "networkmanager"
+      ];
+      packages = with pkgs; [
+        firefox
+        wineWowPackages.stable # 32-bit and 64-bit wine
+        winetricks
+      ];
+    };
+    users.groups.pob = {};
+
+    security.sudo.extraConfig = ''
+      julian ALL=(pob) NOPASSWD: ALL
+    '';
+  };
+}