Start migration to using flake-parts

.sops.yaml

@@ -1,15 +1,17 @@
 keys:
   - &primary age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
   - &aspi-ssh age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4
+  - &pianonix-ssh age1tguyu2yd5xv8rgjjl50cq6dq5rr7umqgv098dgre4u9wyj30ea7sexw62c
   - &builder-ssh age1kw4kmdm45zprvdkrrpvgq966l7585vhusmum083qlwnr0xxgd3uqatcyja
   - &kardorf-ssh age15lxw97z03q40xrdscnxqqugh5ky5aqrerg2t2rphkcqm6rnllurq8v98q5
 
 creation_rules:
-  - path_regex: hosts/secrets-common.yaml$
+  - path_regex: hosts/common/secrets.yaml$
     key_groups:
     - age:
       - *primary
       - *aspi-ssh
+      - *pianonix-ssh
       - *kardorf-ssh
 
   - path_regex: hosts/builder/secrets.yaml$
@@ -17,3 +19,9 @@ creation_rules:
     - age:
       - *primary
       - *builder-ssh
+
+  - path_regex: hosts/pianonix/secrets*
+    key_groups:
+    - age:
+      - *primary
+      - *pianonix-ssh

features-home-manager/suites/desktop/default.nix

@@ -52,6 +52,7 @@
     # rustdesk
     tor-browser
     rusty-path-of-building # Path of Building for poe1 and poe2
+    # frajul.pob-dev-version # Path of Building
     vlc
     wineWowPackages.stable # 32-bit and 64-bit wine
     winetricks
@@ -68,5 +69,6 @@
     ## My scripts
     frajul.open-messaging
     frajul.xwacomcalibrate
+    frajul.pob2-frajul
   ];
 }

features-nixos/base/auto-upgrade.nix

@@ -0,0 +1,18 @@
+{
+  flake.nixosModules.base = {
+    inputs,
+    config,
+    ...
+  }: {
+    system.hydraAutoUpgrade = {
+      # Only enable if not dirty
+      enable = inputs.self ? rev;
+      dates = "*:0/10"; # Every 10 minutes
+      instance = "http://hydra.julian-mutter.de";
+      project = "dotfiles";
+      jobset = "main";
+      job = "hosts.${config.networking.hostName}";
+      oldFlakeRef = "self";
+    };
+  };
+}

features-nixos/base/default.nix

@@ -0,0 +1,40 @@
+# Common config for all hosts
+{
+  flake.nixosModules.base = {
+    inputs,
+    outputs,
+    pkgs,
+    lib,
+    ...
+  }: {
+    imports = [
+      inputs.home-manager.nixosModules.home-manager
+    ];
+
+    # Replaces the (modulesPath + "/installer/scan/not-detected.nix") from default hardware-configuration.nix
+    # Enables non-free firmware
+    hardware.enableRedistributableFirmware = true;
+
+    # Networking
+    networking.networkmanager = {
+      enable = true;
+      plugins = with pkgs; [
+        networkmanager-openconnect
+      ];
+    };
+    services.resolved.enable = false;
+    # MDNS Taken by avahi
+    # networking.networkmanager.dns = "none";
+    networking.nameservers = lib.mkDefault [
+      "1.1.1.1"
+      "8.8.8.8"
+    ];
+
+    # HM module
+    home-manager.useGlobalPkgs = true; # hm module uses the pkgs of the nixos config
+    home-manager.backupFileExtension = "hm-backup"; # backup conflicting files. So hm activation never fails
+    home-manager.extraSpecialArgs = {
+      inherit inputs outputs;
+    };
+  };
+}

features-nixos/base/fish.nix

@@ -0,0 +1,12 @@
+{
+  flake.nixosModules.base = {
+    programs.fish = {
+      enable = true;
+      vendor = {
+        completions.enable = true;
+        config.enable = true;
+        functions.enable = true;
+      };
+    };
+  };
+}

features-nixos/base/locale.nix

@@ -0,0 +1,28 @@
+{
+  flake.nixosModules.base = {
+    # Select internationalisation properties.
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    i18n.extraLocaleSettings = {
+      LC_ADDRESS = "de_DE.UTF-8";
+      LC_IDENTIFICATION = "de_DE.UTF-8";
+      LC_MEASUREMENT = "de_DE.UTF-8";
+      LC_MONETARY = "de_DE.UTF-8";
+      LC_NAME = "de_DE.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "de_DE.UTF-8";
+      LC_TELEPHONE = "de_DE.UTF-8";
+      LC_TIME = "de_DE.UTF-8";
+    };
+
+    # Keymap
+    services.xserver.xkb = {
+      layout = "de";
+      variant = "";
+    };
+
+    console.keyMap = "de";
+
+    time.timeZone = "Europe/Berlin";
+  };
+}

features-nixos/base/nix.nix

@@ -0,0 +1,48 @@
+{
+  flake.nixosModules.base = {outputs, ...}: {
+    # Apply overlays
+    nixpkgs = {
+      # TODO: apply this to hm and nixos without duplicate code
+      overlays = builtins.attrValues outputs.overlays;
+      config = {
+        nvidia.acceptLicense = true;
+        allowUnfree = true;
+        allowUnfreePredicate = _: true; # TODO: what is this
+        warn-dirty = false;
+        permittedInsecurePackages = [
+          "olm-3.2.16"
+        ];
+      };
+    };
+
+    # optimize at every build, slows down builds
+    # better to do optimise.automatic for regular optimising
+    # nix.settings.auto-optimise-store = lib.mkDefault true;
+    nix.settings.experimental-features = [
+      "nix-command"
+      "flakes"
+      "ca-derivations"
+    ];
+    # warn-dirty = false;
+
+    nix.gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+      persistent = true;
+    };
+    nix.optimise = {
+      automatic = true;
+      dates = ["weekly"]; # Optional; allows customizing optimisation schedule
+      persistent = true;
+    };
+
+    programs.nix-ld.enable = true;
+
+    # TODO: is this useful?, what does it do?
+    # nix.settings.flake-registry = ""; # Disable global flake registry
+    # Add each flake input as a registry and nix_path
+    # registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
+    # nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+  };
+}

features-nixos/base/root.nix

@@ -0,0 +1,11 @@
+{
+  flake.nixosModules.base = {pkgs, ...}: {
+    # Packages needed as root
+    environment.systemPackages = with pkgs; [
+      vim
+      htop
+      mc
+      gparted-xhost # needs to be installed as system package so it can be actually opened
+    ];
+  };
+}

features-nixos/base/sops/secrets.yaml

@@ -1,8 +1,14 @@
 #ENC[AES256_GCM,data:NSxfTl2hTXEoGl23aQnElG+df/1YzA==,iv:+oy9oITMGzdM2muDUPjwxJqUu1Bdyregl65/0hiulZ0=,tag:VKjforpyahKj0ktIN36gNw==,type:comment]
 julian-password: ENC[AES256_GCM,data:tgeu4uVI91j34+Gfzy2Uckmopj9bJNWiu65W0cdA76Kly3LH7RqXCq4rNM4DCwrsX3k9WdOlGX6T9edIjJgmbbe6MkeH7oQwiA==,iv:GE6zfSHymkAewjry7fofURz70az608+hja385LLeCIY=,tag:FqTopL5DyM3DTpa7AoGPDg==,type:str]
+wifi:
+    pianonix: ENC[AES256_GCM,data:Ty1wElfVj+CU9bTbpuYIk2dA4fgFm59PkQGqvODn51Q=,iv:bLomyTlOW2Z4rPbue7Klo6Jt5lR+44AuL+dIMFgDNAE=,tag:DuH2ayeb19dkPi9xmbAu3A==,type:str]
 syncthing:
     public-keys:
         aspi-nix: ENC[AES256_GCM,data:ZTykdQCyh4DMuQUCy1DSKsGNxxn1dinaqztpDdJY53pkWcW4YcWRHk94iGJQZgG1oLfr3AB2S3J6b9w2WuV3,iv:9z2ovHzq6JjRtHzNMIQtcUCinIjG/ImSGqqC7KPhpuw=,tag:No2LCjD+XXB77Su+s98MIA==,type:str]
+        pianonix: ENC[AES256_GCM,data:pUJPXH47VG363aIoxZwmbVe3uBoO7EO2TflK4f761C7PwD0tFNthZt9HRE6gQXAMQMF6qWzNK3CNGspSzKsE,iv:E89oz8BG5iQW/mRzdxSrYewGeVLiCrTcAF+c9ny6gPc=,tag:rLqwUmFDsaOMClR1tbE1sA==,type:str]
+    pianonix:
+        key: ENC[AES256_GCM,data:IaCXIRDMWCHj3lTKpkLg1Nd3pX4bktWg4WjZPGKgTBCLVkMi/SDtlaoNhDz+a+Vt6jYTXHS4exFnIVJ878nWSrA1sD2NHXmfsMh1kkLhub68qv0M33dBXvgX0vQ51Z1WMoti73yDUjJH8Ym5yF/SCg2+RbkVf+4pe2hSlAzwkGP6YC2rbCE5sZG31C55MkaGC6zwo2ZpZXdVhCW845SqAc11cF/OeEHb9B1FS3rd+El7rlJHrIEVQTkomNLshcspb13H0z3vNhtfu9pPkGxee8Hp/hEhFQ+waWBAg4w15yKihjHJmhzdjhDHCilvwYaceb7b5OwARuuiruQ+cJ40bdnStDpi2ouP8QJjEi7tmKWeplZ0X70PVZJFH/e/mTH5,iv:3hQMB4ka31w3chXXwjl/1IHF8ES/RobZVeugMC3ddlU=,tag:j8wwrNQUQbCEGtcriSpc4g==,type:str]
+        cert: ENC[AES256_GCM,data:v9LO8qpeGDDV6I+AJU5iTYKKBV6qgr1ddwLvBVEOYyvmtPNeqaatYaK6vMBCabBIhxQu2NC96pREvWu1UHbxaMWvSCT1TzrIPrcFm+gKCH6PIPhqcnQpdGa3OYn01ohThpLp8hEmVUpJ0FO/AnE1QHK0VfPqJ3S0uHLjSCBJtxLmcBWNVvlcTU/P68QIQkrYAQRAtz9aDS+JNpUKhwCJBgjpY1Thj8Lj/fpc1t0qWo3BKIL3eW5iSlUW0iEriFS0bkMr4Bi9mNqpO26l1eZ3IXFJy/7pkqhmXXW83qOaF9AFXgg41p1Kjw4G6isB/obuhR7Z4oQ/AtkSU0wxHP4mF0AWrvC7/YGlrDG9aPYUEWOexTTBHkm89PhgEa69sekbzac7mYYFi/MIdU34ks4oc8ZIChWpT+V66mbo4f+3mn7raih5SLnyEMS7ENBes9cQC7SghSpB7D8c/2+q74A5aEZHUWRhqiDEx9IggP43SiWuNnb/HyZw16RUB7xnQKPs7LzAVlLC6M7ZETUmyEDEWWOsDY8+0Li4wuD3z4WXLAD9nP43TMx4GNoafjG+0Gu05hSR8fWv8strRCtIWjzK3wMaD9VT/cbt2oqOBkJcaqIW8+lM+ktk1WsD4Kc1DQ4q5O2oMrdPOWI9xZOs7DQTFshLHuvxutN05vgEUovI1vbMOl7SIzUW8YUY9PN0ofC7zwQlEJxfOdqT0nwv9vmqikSMP6V3jXgP5OnPb4KVx8G27X0oCjN++dJgDxdkh2JiLR9JaJHNmYPtLlP7hU4NsBpRpd9ObxRlv+uIbF2o0I8PGXMo3IVnRjrFDrRyoth2UJ+YUMGCVuonoS+nZLMCNz1xwRMaZBYjSEESmxc2Ilwdu3XTzd1KF282UvumBpRwcNxvsmPhI84v/XV8TJE8Z7YxyO3RYBQHD5+OuHOHKTtlajnKpSp/m0p0QR7rrGFoDuDKp+Z81MKz8wz3/8GG+sDh0pgniUfNyrmLroLPdT6nj0brvSVWYmOIJHDHKqM+6HZok5PyS+uHlb5dzwnmrd9OmhmwPVdkP5s=,iv:X9VNz2nsN4ywu3E0c+agwZCl43I4bt6jHz0jMoMFTJQ=,tag:RZUWa4h5JoIiZaDrYgcAeg==,type:str]
 sops:
     age:
         - recipient: age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
@@ -41,7 +47,7 @@ sops:
             VXhoN0VyWkVxMEJPQ3orVUNDK21rRU0KvnmuFxcCpP+LZg7v5jaStw9F0owVrQl9
             AkIq7GUJh7xewLxcVZfiBRpXMhw/mM8LYnd2KGP8R/TfYg+v0//+5A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-23T19:37:41Z"
+    lastmodified: "2025-04-23T07:00:17Z"
-    mac: ENC[AES256_GCM,data:nd4HHv/KfoLj5qGINngvWZX9XdYqtmJnUREo0BOO2JZgYR3AVw0ppmGhj1RFy1bVKdfll/fMoD5tGNc3UQJPB0j2g/1pj47AF44V0d1J79RP6dwov30rr0QnsXVt7P9EOFL/W6TRugYO9J7LZs+tpsSALfwNPTfnulSJQtaJdG4=,iv:EKfq4eKyv1HeMy/zS+V3OKpdL9IVjE5mg8iuz8OPgso=,tag:W8+CZLnYuNbnKRS1kqhY0w==,type:str]
+    mac: ENC[AES256_GCM,data:JgaTIRbzD0hs2o86xUlQrPN2cPXvsuTH/zKG5xbQIDaYcEvD/mkuVa3hfnYKrA91kWg2Y1DgEi9583+o6UCl/+ldY4ptu+xpnYfyQFdhM4rB+KoP/pDt8vQKQ3zAX8fpAkugCgTTbuvm3TfQ1nt98V8boyhCn4JHNC1T0j7ZtZI=,iv:G3YJOLeDWDKuANo2mxS2JAdrRaonD87CU9BpCZZrlRs=,tag:mcKIdP5cSQUwNL2tcv/o6g==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.10.1

features-nixos/base/sops/sops.nix

@@ -0,0 +1,24 @@
+{
+  flake.nixosModules.base = {
+    inputs,
+    config,
+    ...
+  }: let
+    isEd25519 = k: k.type == "ed25519";
+    getKeyPath = k: k.path;
+    keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+  in {
+    imports = [inputs.sops-nix.nixosModules.sops];
+
+    sops.age = {
+      sshKeyPaths = map getKeyPath keys;
+
+      # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
+      # keyFile = "/home/julian/.config/sops/age/keys.txt";
+      # Generate key if none of the above worked. With this, building will still work, just without secrets
+      generateKey = false; # TODO: building should not work without secrets!?
+    };
+
+    sops.defaultSopsFile = ./secrets.yaml;
+  };
+}

features-nixos/global/auto-upgrade.nix

@@ -1,16 +0,0 @@
-{
-  inputs,
-  config,
-  ...
-}: {
-  system.hydraAutoUpgrade = {
-    # Only enable if not dirty
-    enable = inputs.self ? rev;
-    dates = "*:0/10"; # Every 10 minutes
-    instance = "http://hydra.julian-mutter.de";
-    project = "dotfiles";
-    jobset = "main";
-    job = "hosts.${config.networking.hostName}";
-    oldFlakeRef = "self";
-  };
-}

features-nixos/global/default.nix

@@ -1,47 +0,0 @@
-# Common config for all hosts
-{
-  inputs,
-  outputs,
-  pkgs,
-  lib,
-  ...
-}: {
-  imports =
-    [
-      ./fish.nix # fish for admin
-      ./locale.nix
-      ./nix.nix
-      ./sops.nix
-      ./root.nix
-    ]
-    ++ [
-      inputs.home-manager.nixosModules.home-manager
-    ]
-    ++ (builtins.attrValues outputs.nixosModules);
-
-  # Replaces the (modulesPath + "/installer/scan/not-detected.nix") from default hardware-configuration.nix
-  # Enables non-free firmware
-  hardware.enableRedistributableFirmware = true;
-
-  # Networking
-  networking.networkmanager = {
-    enable = true;
-    plugins = with pkgs; [
-      networkmanager-openconnect
-    ];
-  };
-  services.resolved.enable = false;
-  # MDNS Taken by avahi
-  # networking.networkmanager.dns = "none";
-  networking.nameservers = lib.mkDefault [
-    "1.1.1.1"
-    "8.8.8.8"
-  ];
-
-  # HM module
-  home-manager.useGlobalPkgs = true; # hm module uses the pkgs of the nixos config
-  home-manager.backupFileExtension = "hm-backup"; # backup conflicting files. So hm activation never fails
-  home-manager.extraSpecialArgs = {
-    inherit inputs outputs;
-  };
-}

features-nixos/global/fish.nix

@@ -1,10 +0,0 @@
-{
-  programs.fish = {
-    enable = true;
-    vendor = {
-      completions.enable = true;
-      config.enable = true;
-      functions.enable = true;
-    };
-  };
-}

features-nixos/global/locale.nix

@@ -1,26 +0,0 @@
-{
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8";
-
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "de_DE.UTF-8";
-    LC_IDENTIFICATION = "de_DE.UTF-8";
-    LC_MEASUREMENT = "de_DE.UTF-8";
-    LC_MONETARY = "de_DE.UTF-8";
-    LC_NAME = "de_DE.UTF-8";
-    LC_NUMERIC = "en_US.UTF-8";
-    LC_PAPER = "de_DE.UTF-8";
-    LC_TELEPHONE = "de_DE.UTF-8";
-    LC_TIME = "de_DE.UTF-8";
-  };
-
-  # Keymap
-  services.xserver.xkb = {
-    layout = "de";
-    variant = "";
-  };
-
-  console.keyMap = "de";
-
-  time.timeZone = "Europe/Berlin";
-}

features-nixos/global/nix.nix

@@ -1,46 +0,0 @@
-{outputs, ...}: {
-  # Apply overlays
-  nixpkgs = {
-    # TODO: apply this to hm and nixos without duplicate code
-    overlays = builtins.attrValues outputs.overlays;
-    config = {
-      nvidia.acceptLicense = true;
-      allowUnfree = true;
-      allowUnfreePredicate = _: true; # TODO: what is this
-      warn-dirty = false;
-      permittedInsecurePackages = [
-        "olm-3.2.16"
-      ];
-    };
-  };
-
-  # optimize at every build, slows down builds
-  # better to do optimise.automatic for regular optimising
-  # nix.settings.auto-optimise-store = lib.mkDefault true;
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-    "ca-derivations"
-  ];
-  # warn-dirty = false;
-
-  nix.gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 30d";
-    persistent = true;
-  };
-  nix.optimise = {
-    automatic = true;
-    dates = ["weekly"]; # Optional; allows customizing optimisation schedule
-    persistent = true;
-  };
-
-  programs.nix-ld.enable = true;
-
-  # TODO: is this useful?, what does it do?
-  # nix.settings.flake-registry = ""; # Disable global flake registry
-  # Add each flake input as a registry and nix_path
-  # registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
-  # nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
-}

features-nixos/global/root.nix

@@ -1,9 +0,0 @@
-{pkgs, ...}: {
-  # Packages needed as root
-  environment.systemPackages = with pkgs; [
-    vim
-    htop
-    mc
-    gparted-xhost # needs to be installed as system package so it can be actually opened
-  ];
-}

features-nixos/global/sops.nix

@@ -1,23 +0,0 @@
-{
-  pwd,
-  inputs,
-  config,
-  ...
-}: let
-  isEd25519 = k: k.type == "ed25519";
-  getKeyPath = k: k.path;
-  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
-in {
-  imports = [inputs.sops-nix.nixosModules.sops];
-
-  sops.age = {
-    sshKeyPaths = map getKeyPath keys;
-
-    # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
-    # keyFile = "/home/julian/.config/sops/age/keys.txt";
-    # Generate key if none of the above worked. With this, building will still work, just without secrets
-    generateKey = false; # TODO: building should not work without secrets!?
-  };
-
-  sops.defaultSopsFile = "${pwd}/hosts/secrets-common.yaml";
-}

features-nixos/optional/authentication.nix

@@ -1,28 +1,30 @@
 {
-  pkgs,
+  flake.nixosModules.authentication = {
-  lib,
+    pkgs,
-  ...
+    lib,
-}: {
+    ...
-  # Make programs like nextcloud client access saved passwords
+  }: {
-  services.gnome.gnome-keyring.enable = true;
+    # Make programs like nextcloud client access saved passwords
+    services.gnome.gnome-keyring.enable = true;
 
-  programs.seahorse.enable = true;
+    programs.seahorse.enable = true;
-  programs.ssh.askPassword = lib.mkForce "${pkgs.seahorse}/libexec/seahorse/ssh-askpass"; # Solve conflicting definition in seahorse and plasma6
+    programs.ssh.askPassword = lib.mkForce "${pkgs.seahorse}/libexec/seahorse/ssh-askpass"; # Solve conflicting definition in seahorse and plasma6
 
-  # Make authentication work for e.g. gparted
+    # Make authentication work for e.g. gparted
-  security.polkit.enable = true;
+    security.polkit.enable = true;
-  systemd = {
+    systemd = {
-    user.services.polkit-gnome-authentication-agent-1 = {
+      user.services.polkit-gnome-authentication-agent-1 = {
-      description = "polkit-gnome-authentication-agent-1";
+        description = "polkit-gnome-authentication-agent-1";
-      wantedBy = ["graphical-session.target"];
+        wantedBy = ["graphical-session.target"];
-      wants = ["graphical-session.target"];
+        wants = ["graphical-session.target"];
-      after = ["graphical-session.target"];
+        after = ["graphical-session.target"];
-      serviceConfig = {
+        serviceConfig = {
-        Type = "simple";
+          Type = "simple";
-        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
-        Restart = "on-failure";
+          Restart = "on-failure";
-        RestartSec = 1;
+          RestartSec = 1;
-        TimeoutStopSec = 10;
+          TimeoutStopSec = 10;
+        };
       };
     };
   };

features-nixos/optional/avahi.nix

@@ -1,12 +1,14 @@
 {
-  # MDNS on local network
+  flake.nixosModules.avahi = {
-  services.avahi = {
+    # MDNS on local network
-    enable = true;
+    services.avahi = {
-    nssmdns4 = true;
+      enable = true;
-    nssmdns6 = true;
+      nssmdns4 = true;
-    publish.enable = true;
+      nssmdns6 = true;
-    publish.addresses = true;
+      publish.enable = true;
-    ipv4 = true;
+      publish.addresses = true;
-    ipv6 = true;
+      ipv4 = true;
+      ipv6 = true;
+    };
   };
 }

features-nixos/optional/binarycaches.nix

@@ -1,31 +1,33 @@
 {
-  lib,
+  flake.nixosModules.binarycaches = {
-  outputs,
+    lib,
-  ...
+    outputs,
-}: {
+    ...
-  # Setup binary caches
+  }: {
-  nix.settings = {
+    # Setup binary caches
-    substituters = [
+    nix.settings = {
-      "https://nix-community.cachix.org"
+      substituters = [
-      "https://cache.nixos.org/"
+        "https://nix-community.cachix.org"
-      "https://hyprland.cachix.org"
+        "https://cache.nixos.org/"
-      "http://binarycache.julian-mutter.de"
+        "https://hyprland.cachix.org"
-      "https://devenv.cachix.org"
+        "http://binarycache.julian-mutter.de"
-    ];
+        "https://devenv.cachix.org"
-    trusted-public-keys = [
+      ];
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      trusted-public-keys = [
-      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
-      "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-    ];
+        "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+      ];
 
-    trusted-users = [
+      trusted-users = [
-      "root"
+        "root"
-      "@wheel"
+        "@wheel"
-    ]; # needed for devenv to add custom caches
+      ]; # needed for devenv to add custom caches
 
-    # Ensure we can still build when missing-server is not accessible
+      # Ensure we can still build when missing-server is not accessible
-    fallback = true;
+      fallback = true;
+    };
   };
 }

features-nixos/optional/boot-efi.nix

@@ -1,17 +1,19 @@
 {
-  # Bootloader
+  flake.nixosModules.boot-efi = {
-  # Use this for simple nix boot menu, if no dual boot required
+    # Bootloader
-  boot.loader.systemd-boot.enable = true;
+    # Use this for simple nix boot menu, if no dual boot required
-  boot.loader.systemd-boot.configurationLimit = 10;
+    boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
+    boot.loader.systemd-boot.configurationLimit = 10;
+    boot.loader.efi.canTouchEfiVariables = true;
 
-  # https://github.com/NixOS/nixpkgs/blob/c32c39d6f3b1fe6514598fa40ad2cf9ce22c3fb7/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix#L66
+    # https://github.com/NixOS/nixpkgs/blob/c32c39d6f3b1fe6514598fa40ad2cf9ce22c3fb7/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix#L66
-  boot.loader.systemd-boot.editor = false;
+    boot.loader.systemd-boot.editor = false;
 
-  boot.supportedFilesystems = [
+    boot.supportedFilesystems = [
-    "btrfs"
+      "btrfs"
-    "ntfs"
+      "ntfs"
-    "nfs"
+      "nfs"
-    "cifs"
+      "cifs"
-  ];
+    ];
+  };
 }

features-nixos/optional/docker.nix

@@ -1,5 +1,7 @@
 {
-  virtualisation.docker = {
+  flake.nixosModules.docker = {
-    enable = true;
+    virtualisation.docker = {
+      enable = true;
+    };
   };
 }

features-nixos/optional/flatpak.nix

@@ -1,6 +1,8 @@
-{pkgs, ...}: {
+{
-  services.flatpak.enable = true;
+  flake.nixosModules.flatpak = {pkgs, ...}: {
-  xdg.portal.enable = true;
+    services.flatpak.enable = true;
-  xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
+    xdg.portal.enable = true;
-  xdg.portal.config.common.default = "*"; # Use first portal implementation found
+    xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
+    xdg.portal.config.common.default = "*"; # Use first portal implementation found
+  };
 }

features-nixos/optional/gamemode.nix

@@ -1,20 +1,22 @@
-{pkgs, ...}: {
+{
-  programs.gamemode = {
+  flake.nixosModules.gamemode = {pkgs, ...}: {
-    enable = true;
+    programs.gamemode = {
-    settings = {
+      enable = true;
-      general = {
+      settings = {
-        softrealtime = "auto";
+        general = {
-        inhibit_screensaver = 1;
+          softrealtime = "auto";
-        renice = 5;
+          inhibit_screensaver = 1;
-      };
+          renice = 5;
-      # gpu = {
+        };
-      #   apply_gpu_optimisations = "accept-responsibility";
+        # gpu = {
-      #   gpu_device = 1;
+        #   apply_gpu_optimisations = "accept-responsibility";
-      #   amd_performance_level = "high";
+        #   gpu_device = 1;
-      # };
+        #   amd_performance_level = "high";
-      custom = {
+        # };
-        start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
+        custom = {
-        end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
+          start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
+          end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
+        };
       };
     };
   };

features-nixos/optional/gdm.nix

@@ -1,13 +1,15 @@
 {
-  config,
+  flake.nixosModules.gdm = {
-  lib,
+    config,
-  pkgs,
+    lib,
-  ...
+    pkgs,
-}: {
+    ...
-  services.xserver.displayManager.gdm = {
+  }: {
-    enable = true;
+    services.xserver.displayManager.gdm = {
-  };
+      enable = true;
+    };
 
-  # unlock GPG keyring on login
+    # unlock GPG keyring on login
-  security.pam.services.gdm.enableGnomeKeyring = true;
+    security.pam.services.gdm.enableGnomeKeyring = true;
+  };
 }

features-nixos/optional/greetd.nix

@@ -1,37 +1,39 @@
-{config, ...}: let
+{
-  homeCfgs = config.home-manager.users;
+  flake.nixosModules.greetd = {config, ...}: let
-  julianCfg = homeCfgs.julian;
+    homeCfgs = config.home-manager.users;
-in {
+    julianCfg = homeCfgs.julian;
-  users.extraUsers.greeter = {
+  in {
-    # For caching
+    users.extraUsers.greeter = {
-    home = "/tmp/greeter-home";
+      # For caching
-    createHome = true;
+      home = "/tmp/greeter-home";
-  };
+      createHome = true;
-
-  programs.regreet = {
-    enable = true;
-    iconTheme = julianCfg.gtk.iconTheme;
-    theme = julianCfg.gtk.theme;
-    # font = julianCfg.fontProfiles.regular; # TODO: do
-    cursorTheme = {
-      inherit (julianCfg.gtk.cursorTheme) name package;
     };
-    cageArgs = [
-      "-s"
-      "-m"
-      "last"
-    ]; # multimonitor use last monitor
-    # settings.background = {
-    #   path = julianCfg.wallpaper;
-    #   fit = "Cover";
-    # }; # TODO: fix
 
-    # TODO: setting keyboard language does not work
+    programs.regreet = {
-    # settings = {
+      enable = true;
-    #   env = {
+      iconTheme = julianCfg.gtk.iconTheme;
-    #     XKB_DEFAULT_LAYOUT = "de";
+      theme = julianCfg.gtk.theme;
-    #     # XKB_DEFAULT_VARIANT = "altgr-intl";
+      # font = julianCfg.fontProfiles.regular; # TODO: do
-    #   };
+      cursorTheme = {
-    # };
+        inherit (julianCfg.gtk.cursorTheme) name package;
+      };
+      cageArgs = [
+        "-s"
+        "-m"
+        "last"
+      ]; # multimonitor use last monitor
+      # settings.background = {
+      #   path = julianCfg.wallpaper;
+      #   fit = "Cover";
+      # }; # TODO: fix
+
+      # TODO: setting keyboard language does not work
+      # settings = {
+      #   env = {
+      #     XKB_DEFAULT_LAYOUT = "de";
+      #     # XKB_DEFAULT_VARIANT = "altgr-intl";
+      #   };
+      # };
+    };
   };
 }

features-nixos/optional/i3.nix

@@ -1,16 +1,18 @@
 {
-  config,
+  flake.nixosModules.i3 = {
-  lib,
+    config,
-  pkgs,
+    lib,
-  ...
+    pkgs,
-}: {
+    ...
-  services.xserver.windowManager.i3.enable = true;
+  }: {
-  services.xserver.windowManager.i3.package = pkgs.i3-gaps;
+    services.xserver.windowManager.i3.enable = true;
-  services.displayManager.defaultSession = "none+i3";
+    services.xserver.windowManager.i3.package = pkgs.i3-gaps;
+    services.displayManager.defaultSession = "none+i3";
 
-  programs.xss-lock = {
+    programs.xss-lock = {
-    # responds to "loginctl lock-session" via dbus
+      # responds to "loginctl lock-session" via dbus
-    enable = true;
+      enable = true;
-    lockerCommand = "${pkgs.i3lock}/bin/i3lock --ignore-empty-password --color=000000";
+      lockerCommand = "${pkgs.i3lock}/bin/i3lock --ignore-empty-password --color=000000";
+    };
   };
 }

features-nixos/optional/kerberos.nix

@@ -1,22 +1,24 @@
 {
-  security.krb5.enable = true;
+  flake.nixosModules.kerberos = {
-  security.krb5.settings = {
+    security.krb5.enable = true;
-    # domain_realm = {
+    security.krb5.settings = {
-    #   ".julian-mutter.de" = "julian-mutter.de";
+      # domain_realm = {
-    #   "julian-mutter.de" = "julian-mutter.de";
+      #   ".julian-mutter.de" = "julian-mutter.de";
-    # };
+      #   "julian-mutter.de" = "julian-mutter.de";
-    libdefaults = {
+      # };
-      default_realm = "julian-mutter.de";
+      libdefaults = {
-      #   dns_lookup_realm = true;
+        default_realm = "julian-mutter.de";
-      #   dns_lookup_kdc = true;
+        #   dns_lookup_realm = true;
-      #   ticket_lifetime = "24h";
+        #   dns_lookup_kdc = true;
-      #   renew_lifetime = "7d";
+        #   ticket_lifetime = "24h";
-    };
+        #   renew_lifetime = "7d";
-    realms = {
+      };
-      "julian-mutter.de" = {
+      realms = {
-        kdc = ["kerberos.julian-mutter.de"];
+        "julian-mutter.de" = {
-        admin_server = "kerberos-admin.julian-mutter.de";
+          kdc = ["kerberos.julian-mutter.de"];
-        default_domain = "julian-mutter.de";
+          admin_server = "kerberos-admin.julian-mutter.de";
+          default_domain = "julian-mutter.de";
+        };
       };
     };
   };

features-nixos/optional/openssh.nix

@@ -1,49 +1,51 @@
 {
-  outputs,
+  flake.nixosModules.openssh = {
-  lib,
+    outputs,
-  config,
+    lib,
-  ...
+    config,
-}: let
+    ...
-  hosts = lib.attrNames outputs.nixosConfigurations;
+  }: let
-in {
+    hosts = lib.attrNames outputs.nixosConfigurations;
-  services.openssh = {
+  in {
-    enable = true;
+    services.openssh = {
-    settings = {
+      enable = true;
-      # Harden
+      settings = {
-      PasswordAuthentication = false;
+        # Harden
-      PermitRootLogin = "no";
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
 
-      # TODO: what does this do
+        # TODO: what does this do
-      # Let WAYLAND_DISPLAY be forwarded
+        # Let WAYLAND_DISPLAY be forwarded
-      AcceptEnv = "WAYLAND_DISPLAY";
+        AcceptEnv = "WAYLAND_DISPLAY";
-      X11Forwarding = true;
+        X11Forwarding = true;
+      };
+
+      hostKeys = [
+        {
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
     };
 
-    hostKeys = [
+    # TODO: is automatic known hosts file even necessary?
-      {
+    # programs.ssh = {
-        path = "/etc/ssh/ssh_host_ed25519_key";
+    #   # Each hosts public key
-        type = "ed25519";
+    #   knownHosts = lib.genAttrs hosts (hostname: {
-      }
+    #     publicKeyFile = ../../${hostname}/ssh_host_ed25519_key.pub;
-    ];
+    #     extraHostNames =
+    #       [
+    #         # "${hostname}.m7.rs"
+    #       ]
+    #       ++
+    #         # Alias for localhost if it's the same host
+    #         (lib.optional (hostname == config.networking.hostName) "localhost")
+    #       # Alias to m7.rs and git.m7.rs if it's alcyone
+    #       ++ (lib.optionals (hostname == "alcyone") [
+    #         "m7.rs"
+    #         "git.m7.rs"
+    #       ]);
+    #   });
+    # };
   };
-
-  # TODO: is automatic known hosts file even necessary?
-  # programs.ssh = {
-  #   # Each hosts public key
-  #   knownHosts = lib.genAttrs hosts (hostname: {
-  #     publicKeyFile = ../../${hostname}/ssh_host_ed25519_key.pub;
-  #     extraHostNames =
-  #       [
-  #         # "${hostname}.m7.rs"
-  #       ]
-  #       ++
-  #         # Alias for localhost if it's the same host
-  #         (lib.optional (hostname == config.networking.hostName) "localhost")
-  #       # Alias to m7.rs and git.m7.rs if it's alcyone
-  #       ++ (lib.optionals (hostname == "alcyone") [
-  #         "m7.rs"
-  #         "git.m7.rs"
-  #       ]);
-  #   });
-  # };
 }

features-nixos/optional/pcmanfm.nix

@@ -1,9 +1,11 @@
-{pkgs, ...}: {
+{
-  environment.systemPackages = with pkgs; [
+  flake.nixosModules.pcmanfm = {pkgs, ...}: {
-    shared-mime-info # extended mimetype support
+    environment.systemPackages = with pkgs; [
-    lxmenu-data # open with "Installed Applications"
+      shared-mime-info # extended mimetype support
-    pcmanfm
+      lxmenu-data # open with "Installed Applications"
-  ];
+      pcmanfm
+    ];
 
-  services.gvfs.enable = true; # Mount, trash, and other functionalities
+    services.gvfs.enable = true; # Mount, trash, and other functionalities
+  };
 }

features-nixos/optional/pipewire.nix

@@ -1,26 +1,28 @@
 {
-  security.rtkit.enable = true;
+  flake.nixosModules.pipewire = {
-  services.pulseaudio.enable = false;
+    security.rtkit.enable = true;
-  services.pipewire = {
+    services.pulseaudio.enable = false;
-    enable = true;
+    services.pipewire = {
-    wireplumber.enable = true;
+      enable = true;
-    alsa.enable = true;
+      wireplumber.enable = true;
-    alsa.support32Bit = true;
+      alsa.enable = true;
-    pulse.enable = true;
+      alsa.support32Bit = true;
-    jack.enable = true;
+      pulse.enable = true;
-    extraConfig.pipewire = {
+      jack.enable = true;
-      "99-no-bell" = {
+      extraConfig.pipewire = {
-        # Disable bell sound
+        "99-no-bell" = {
-        "context.properties" = {
+          # Disable bell sound
-          "module.x11.bell" = false;
+          "context.properties" = {
+            "module.x11.bell" = false;
+          };
         };
-      };
+        "10-increase-buffer" = {
-      "10-increase-buffer" = {
+          "context.properties" = {
-        "context.properties" = {
+            "default.clock.rate" = 48000;
-          "default.clock.rate" = 48000;
+            "default.clock.quantum" = 1024;
-          "default.clock.quantum" = 1024;
+            "default.clock.min-quantum" = 1024;
-          "default.clock.min-quantum" = 1024;
+            "default.clock.max-quantum" = 2048;
-          "default.clock.max-quantum" = 2048;
+          };
         };
       };
     };

features-nixos/optional/podman.nix

@@ -1,10 +1,12 @@
-{config, ...}: let
+{
-  dockerEnabled = config.virtualisation.docker.enable;
+  flake.nixosModules.podman = {config, ...}: let
-in {
+    dockerEnabled = config.virtualisation.docker.enable;
-  virtualisation.podman = {
+  in {
-    enable = true;
+    virtualisation.podman = {
-    dockerCompat = !dockerEnabled;
+      enable = true;
-    dockerSocket.enable = !dockerEnabled;
+      dockerCompat = !dockerEnabled;
-    defaultNetwork.settings.dns_enabled = true;
+      dockerSocket.enable = !dockerEnabled;
+      defaultNetwork.settings.dns_enabled = true;
+    };
   };
 }

features-nixos/optional/redshift.nix

@@ -1,12 +1,14 @@
 {
-  config,
+  flake.nixosModules.redshift = {
-  lib,
+    config,
-  pkgs,
+    lib,
-  ...
+    pkgs,
-}: {
+    ...
-  # Set location used by redshift
+  }: {
-  location.provider = "manual";
+    # Set location used by redshift
-  location.latitude = 47.92;
+    location.provider = "manual";
-  location.longitude = 10.12;
+    location.latitude = 47.92;
-  services.redshift.enable = true;
+    location.longitude = 10.12;
+    services.redshift.enable = true;
+  };
 }

features-nixos/optional/remote-builder.nix

@@ -1,34 +1,36 @@
 {
-  nix.distributedBuilds = true;
+  flake.nixosModules.remote-builder = {
-  nix.settings.builders-use-substitutes = true;
+    nix.distributedBuilds = true;
+    nix.settings.builders-use-substitutes = true;
 
-  nix.buildMachines = [
+    nix.buildMachines = [
-    {
+      {
-      hostName = "builder.julian-mutter.de";
+        hostName = "builder.julian-mutter.de";
-      protocol = "ssh";
+        protocol = "ssh";
-      sshUser = "nix";
+        sshUser = "nix";
-      systems = [
+        systems = [
-        "x86_64-linux"
+          "x86_64-linux"
-        "aarch64-linux"
+          "aarch64-linux"
-      ];
+        ];
-      maxJobs = 4;
+        maxJobs = 4;
-      speedFactor = 3;
+        speedFactor = 3;
-      supportedFeatures = [
+        supportedFeatures = [
-        "nixos-test"
+          "nixos-test"
-        "benchmark"
+          "benchmark"
-        "big-parallel"
+          "big-parallel"
-        "kvm"
+          "kvm"
-      ];
+        ];
-      mandatoryFeatures = [];
+        mandatoryFeatures = [];
-    }
+      }
-    # {
+      # {
-    #   hostName = "localhost";
+      #   hostName = "localhost";
-    #   protocol = null;
+      #   protocol = null;
-    #   systems = [
+      #   systems = [
-    #     "x86_64-linux"
+      #     "x86_64-linux"
-    #   ];
+      #   ];
-    #   maxJobs = 4;
+      #   maxJobs = 4;
-    #   speedFactor = 1;
+      #   speedFactor = 1;
-    # }
+      # }
-  ];
+    ];
+  };
 }

features-nixos/optional/thunar.nix

@@ -1,16 +1,18 @@
 {
-  config,
+  flake.nixosModules.thunar = {
-  lib,
+    config,
-  pkgs,
+    lib,
-  ...
+    pkgs,
-}: {
+    ...
-  programs.thunar.enable = true;
+  }: {
-  programs.xfconf.enable = true; # Persist saved preferences
+    programs.thunar.enable = true;
-  programs.thunar.plugins = with pkgs.xfce; [
+    programs.xfconf.enable = true; # Persist saved preferences
-    thunar-archive-plugin
+    programs.thunar.plugins = with pkgs.xfce; [
-    thunar-volman
+      thunar-archive-plugin
-    thunar-media-tags-plugin
+      thunar-volman
-  ];
+      thunar-media-tags-plugin
-  services.gvfs.enable = true; # Mount, trash, and other functionalities
+    ];
-  services.tumbler.enable = true; # Thumbnail support for images
+    services.gvfs.enable = true; # Mount, trash, and other functionalities
+    services.tumbler.enable = true; # Thumbnail support for images
+  };
 }

features-nixos/optional/virtualbox.nix

@@ -1,12 +1,14 @@
 {
-  config,
+  flake.nixosModules.virtualbox = {
-  lib,
+    config,
-  pkgs,
+    lib,
-  ...
+    pkgs,
-}: {
+    ...
-  virtualisation.virtualbox.host.enable = true;
+  }: {
-  # virtualisation.virtualbox.host.enableExtensionPack = true;
+    virtualisation.virtualbox.host.enable = true;
-  # virtualisation.virtualbox.guest.enable = true;
+    # virtualisation.virtualbox.host.enableExtensionPack = true;
-  # virtualisation.virtualbox.guest.x11 = true;
+    # virtualisation.virtualbox.guest.enable = true;
-  users.extraGroups.vboxusers.members = ["julian"];
+    # virtualisation.virtualbox.guest.x11 = true;
+    users.extraGroups.vboxusers.members = ["julian"];
+  };
 }

features-nixos/optional/wireguard.nix

@@ -1,12 +1,14 @@
 {
-  networking.wg-quick.interfaces = {
+  flake.nixosModules.wireguard = {
-    julian = {
+    networking.wg-quick.interfaces = {
-      configFile = "/etc/wireguard/julian.conf";
+      julian = {
-      autostart = true; # This interface is started on boot
+        configFile = "/etc/wireguard/julian.conf";
-    };
+        autostart = true; # This interface is started on boot
-    comu = {
+      };
-      configFile = "/etc/wireguard/comu.conf";
+      comu = {
-      autostart = false;
+        configFile = "/etc/wireguard/comu.conf";
+        autostart = false;
+      };
     };
   };
 }

features-nixos/optional/wireshark.nix

@@ -1,9 +1,11 @@
 {
-  programs.wireshark = {
+  flake.nixosModules.wireshark = {
-    enable = true;
+    programs.wireshark = {
-    dumpcap.enable = true;
+      enable = true;
-    usbmon.enable = true;
+      dumpcap.enable = true;
-  };
+      usbmon.enable = true;
+    };
 
-  users.users.julian.extraGroups = ["wireshark"];
+    users.users.julian.extraGroups = ["wireshark"];
+  };
 }

features-nixos/optional/xserver.nix

@@ -1,6 +1,8 @@
 {
-  services.xserver = {
+  flake.nixosModules.xserver = {
-    enable = true;
+    services.xserver = {
-    wacom.enable = true;
+      enable = true;
+      wacom.enable = true;
+    };
   };
 }

features-nixos/users/julian/default.nix

@@ -1,51 +1,52 @@
 {
-  pwd,
+  flake.nixosModules.users.julian = {
-  pkgs,
+    pkgs,
-  config,
+    config,
-  lib,
+    lib,
-  ...
+    ...
-}: let
+  }: let
-  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+    ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
-in {
+  in {
-  users.mutableUsers = false;
+    users.mutableUsers = false;
-  users.users.julian = {
+    users.users.julian = {
-    description = "Julian";
+      description = "Julian";
-    group = "julian";
+      group = "julian";
-    isNormalUser = true;
+      isNormalUser = true;
-    uid = 1000;
+      uid = 1000;
-    shell = pkgs.fish;
+      shell = pkgs.fish;
-    extraGroups = ifTheyExist [
+      extraGroups = ifTheyExist [
-      "networkmanager"
+        "networkmanager"
-      "wheel"
+        "wheel"
-      "audio"
+        "audio"
-      "realtime"
+        "realtime"
-      "rtkit"
+        "rtkit"
-      "network"
+        "network"
-      "video"
+        "video"
-      "podman"
+        "podman"
-      "docker"
+        "docker"
-      "git"
+        "git"
-      "gamemode"
+        "gamemode"
-      "dialout"
+        "dialout"
-    ];
+      ];
 
-    openssh.authorizedKeys.keys = lib.splitString "\n" (
+      openssh.authorizedKeys.keys = lib.splitString "\n" (
-      builtins.readFile ./ssh.pub
+        builtins.readFile ../../../../homes/julian/ssh.pub
-    );
+      );
-    # hashedPasswordFile = config.sops.secrets.julian-password.path;
+      # hashedPasswordFile = config.sops.secrets.julian-password.path;
-    hashedPassword = "$y$j9T$N33kLJQbV8soUoCbDkpwA1$r/yahJDgOPo4GGOrAi6BUG5zLTzmaBrA5NQ4nno561A";
+      hashedPassword = "$y$j9T$N33kLJQbV8soUoCbDkpwA1$r/yahJDgOPo4GGOrAi6BUG5zLTzmaBrA5NQ4nno561A";
-    packages = [pkgs.home-manager];
+      packages = [pkgs.home-manager];
+    };
+    users.groups.julian = {
+      gid = 1000;
+    };
+
+    sops.secrets.julian-password = {
+      sopsFile = ../../secrets.yaml;
+      neededForUsers = true;
+    };
+
+    home-manager.users.julian = import ../../../../homes/julian/${config.networking.hostName}.nix;
+
+    security.pam.services.swaylock = {}; # Make swaylock unlocking work
   };
-  users.groups.julian = {
-    gid = 1000;
-  };
-
-  sops.secrets.julian-password = {
-    sopsFile = "${pwd}/hosts/secrets-common.yaml";
-    neededForUsers = true;
-  };
-
-  home-manager.users.julian = import "${pwd}/homes/julian/${config.networking.hostName}.nix";
-
-  security.pam.services.swaylock = {}; # Make swaylock unlocking work
 }

features-nixos/users/pob/default.nix

@@ -0,0 +1,30 @@
+{
+  flake.nixosModules.users.pob = {
+    pkgs,
+    config,
+    ...
+  }: let
+    ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+  in {
+    users.mutableUsers = false;
+    users.users.pob = {
+      description = "A helper user to use another profile for some applications";
+      group = "pob";
+      isNormalUser = true;
+      shell = pkgs.fish;
+      extraGroups = ifTheyExist [
+        "networkmanager"
+      ];
+      packages = with pkgs; [
+        firefox
+        wineWowPackages.stable # 32-bit and 64-bit wine
+        winetricks
+      ];
+    };
+    users.groups.pob = {};
+
+    security.sudo.extraConfig = ''
+      julian ALL=(pob) NOPASSWD: ALL
+    '';
+  };
+}