initial cleanup work

home/base/age-encryption.nix

@@ -1,5 +0,0 @@
-{tree, ...}: {
-  imports = with tree; [
-    home.apps.age
-  ];
-}

home/dev/all/editors.nix

@@ -1,5 +0,0 @@
-{tree, ...}: {
-  imports = with tree; [
-    home.programming.editors.nano
-  ];
-}

home/dev/small/small.nix

@@ -1,12 +0,0 @@
-{tree, ...}: {
-  # basically everything apart from home.all.dev.debugging and extra archives
-  imports = with tree; [
-    home.dev.all.archives.common
-    home.dev.all.compression
-    home.dev.all.editors
-    home.dev.all.extra
-    home.dev.all.git
-    home.dev.all.info
-    home.dev.all.network
-  ];
-}

home/sshWSL.nix

@@ -1,9 +0,0 @@
-{...}: {
-  programs.ssh.matchBlocks."*".identityFile = "/home/chaos/.ssh/id_ed25519";
-  programs.git.extraConfig = {
-    gpg.format = "ssh";
-    commit.gpgsign = "true";
-    tag.gpgsign = "true";
-    user.signingKey = "/home/chaos/.ssh/id_ed25519";
-  };
-}

hosts/hetzner-arm/hetzner-arm.nix

@@ -11,8 +11,7 @@ in {
       presets.nixos.serverHetzner
       presets.nixos.serverEncryptedDrive
 
-      profiles.nginx
-      profiles.firewallAllow.httpCommon
+      profiles.nixos.nginx
 
       ./hardware.nix
       ./secrets.nix
@@ -53,8 +52,6 @@ in {
     })
   ];
 
-  # TODO: system.forbiddenDependenciesRegexes = ["libX11*"];
-
   # For Containers
   networking.nat = {
     enable = true;
@@ -62,6 +59,11 @@ in {
     externalInterface = "enp1s0";
   };
 
+  networking.firewall = {
+    allowedTCPPorts = [80 443];
+    allowedUDPPorts = [80 443];
+  };
+
   networking.hostName = "hetzner-arm";
 
   home-manager.users.root.home.stateVersion = "24.05";

hosts/lappy-surface/hardware.nix

@@ -1,25 +0,0 @@
-{tree, ...}: {
-  imports = with tree; [
-    presets.nixos.encryptedDrive
-  ];
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    initrd.availableKernelModules = [
-      # defaults from nixos-generate-config
-      "xhci_pci"
-      "nvme"
-      "usb_storage"
-      "usbhid"
-      "sd_mod"
-      "rtsx_pci_sdmmc"
-    ];
-    kernelModules = ["kvm-intel"];
-    encryptedDrive.mode = "password";
-  };
-
-  hardware.cpu.intel.updateMicrocode = true;
-}

hosts/lappy-surface/lappy-surface.nix

@@ -1,49 +0,0 @@
-{tree, ...}: {
-  imports = with tree; [
-    users.root
-    users.chaos
-    profiles.sshd
-
-    presets.nixos.desktopGnome
-    presets.nixos.laptop
-    presets.nixos.encryptedUSB
-
-    profiles.cross.arm64
-    profiles.remoteBuilders
-
-    hosts.lappy-surface.profiles.music-player-target
-
-    ./secrets.nix
-  ];
-
-  home-manager.users.root = {
-    imports = with tree; [home.base];
-    home.stateVersion = "24.05";
-  };
-
-  home-manager.users.chaos = {
-    imports = with tree; [
-      home.base
-      home.dev.all
-      home.reversing
-      home.homeFolders
-      home.musicLibrary
-
-      home.programming.editors.nano
-      home.programming.editors.vscode
-      home.programming.languages.rust
-      home.programming.languages.nix
-    ];
-    home.stateVersion = "24.05";
-  };
-
-  networking.firewall.enable = true;
-  networking.firewall.allowPing = true;
-
-  networking.firewall.allowedTCPPorts = [8088];
-
-  networking.hostName = "lappy-surface";
-  time.timeZone = "Europe/London";
-
-  system.stateVersion = "24.05";
-}

hosts/lappy-surface/profiles/music-player-target.nix

@@ -1,114 +0,0 @@
-{
-  config,
-  pkgs,
-  tree,
-  ...
-}: let
-  alsaDevice = "sysdefault:CARD=A";
-  alsaControl = "Headphone";
-  mpvDevice = "alsa/${alsaDevice}";
-  hardwareVolume = 80;
-
-  startMusicPlayer = pkgs.writeShellScriptBin "startMusicPlayer" ''
-    ${pkgs.alsa-utils}/bin/amixer -D "${alsaDevice}" sset "${alsaControl}" "${toString hardwareVolume}%"
-
-    exec ${pkgs.mpv}/bin/mpv \
-      "https://music:$(cat /secrets/music_stream_password)@mpd.owo.monster/flac" \
-        --cache=yes --cache-pause-initial=yes --cache-pause-wait=5 \
-        --vo=gpu --force-window --script-opts-append=osc-visibility=always \
-        --ao=alsa --audio-device="${mpvDevice}"
-  '';
-
-  startMusicPlayerSession = pkgs.writeShellScriptBin "startMusicPlayerSession" ''
-    set -x
-    export XDG_RUNTIME_DIR=/run/user/$UID
-
-    dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY XDG_CURRENT_DESKTOP
-
-    exec systemd-inhibit --what=sleep:idle:handle-lid-switch ${startMusicPlayer}/bin/startMusicPlayer
-  '';
-in {
-  imports = with tree; [
-    profiles.connectivity.networkManager
-    profiles.wifiHardware
-  ];
-
-  environment.systemPackages = [startMusicPlayer startMusicPlayerSession];
-
-  users.users.music-player = {
-    uid = 1001;
-    isNormalUser = true;
-    linger = true;
-    extraGroups = [
-      "video"
-      "input"
-      "audio"
-      "rtkit"
-    ];
-  };
-
-  home-manager.users.music-player = {
-    programs.mpv.enable = true;
-    imports = with tree; [
-      home.base
-    ];
-    home.stateVersion = "24.05";
-  };
-
-  systemd.services."music-player" = {
-    enable = true;
-    after = [
-      "systemd-user-sessions.service"
-      "plymouth-start.service"
-      "plymouth-quit.service"
-      "systemd-logind.service"
-      "getty@tty1.service"
-      "user@1001.service"
-      "network.target"
-    ];
-    before = ["music-player.target"];
-    wants = ["dbus.socket" "network.target" "user@1001.service" "systemd-logind.service" "plymouth-quit.service"];
-    wantedBy = ["music-player.target"];
-    conflicts = ["getty@tty1.service"];
-
-    restartIfChanged = true;
-    unitConfig.ConditionPathExists = "/dev/tty1";
-    serviceConfig = {
-      ExecStart = ''
-        ${pkgs.cage}/bin/cage -s ${startMusicPlayerSession}/bin/startMusicPlayerSession
-      '';
-      User = "music-player";
-      StandardError = "append:/var/log/music-player.log";
-      IgnoreSIGPIPE = "no";
-      UtmpIdentifier = "%n";
-      UtmpMode = "user";
-      TTYPath = "/dev/tty1";
-      TTYReset = "yes";
-      TTYVHangup = "yes";
-      TTYVTDisallocate = "yes";
-      StandardInput = "tty-fail";
-      PAMName = "music-player";
-    };
-    environment = {
-      XDG_RUNTIME_DIR = "/run/user/1001";
-      XDG_SESSION_TYPE = "wayland";
-    };
-  };
-
-  security.polkit.enable = true;
-
-  security.pam.services.music-player.text = ''
-    auth    required pam_unix.so nullok
-    account required pam_unix.so
-    session required pam_unix.so
-    session required pam_env.so conffile=/etc/pam/environment readenv=0
-    session required ${config.systemd.package}/lib/security/pam_systemd.so
-  '';
-
-  hardware.opengl.enable = true;
-
-  systemd.targets.music-player = {
-    description = "Music player";
-    wants = ["music-player.service" "networkmanager.service" "user@1001.service"];
-  };
-}

hosts/lappy-surface/secrets.nix

@@ -1,18 +0,0 @@
-{...}: {
-  services.secrets = {
-    enable = true;
-    secrets = {
-      usb_encryption_passphrase = {
-        manual = true;
-      };
-
-      music_stream_password = {
-        user = "chaos";
-        group = "users";
-        fetchScript = ''
-          simple_get "/api-keys/music-stream" .password > "$secretFile"
-        '';
-      };
-    };
-  };
-}

hosts/lappy-t495/lappy-t495.nix

@@ -1,41 +1,49 @@
-{tree, ...}: {
-  imports = with tree; [
+{
+  lib,
+  tree,
+  ...
+}: let
+  inherit (lib.lists) flatten;
+in {
+  imports = flatten (with tree; [
     users.root
     users.chaos
-    profiles.sshd
 
-    presets.nixos.desktopGnome
-    presets.nixos.laptop
-    presets.nixos.encryptedUSB
+    presets.home-manager.root-base
 
-    profiles.cross.arm64
-    profiles.remoteBuilders
+    (with tree.presets.nixos; [
+      desktopGnome
+      laptop
+      encryptedUSB
+    ])
 
-    profiles.gaming.steam
+    (with tree.profiles.nixos; [
+      cross.arm64
+      remoteBuilders
+
+      gaming.steam
+    ])
 
     ./secrets.nix
-  ];
+  ]);
 
-  home-manager.users.root = {
-    imports = with tree; [home.base];
-    home.stateVersion = "24.05";
-  };
+  home-manager.users.root.home.stateVersion = "24.05";
 
   home-manager.users.chaos = {
-    imports = with tree; [
-      home.base
-      home.dev.all
-      home.reversing
-      home.homeFolders
-      home.musicLibrary
+    imports = with tree.profiles.home-manager; [
+      base
+      dev.all
+      reversing
+      homeFolders
+      musicLibrary
 
-      home.programming.editors.nano
-      home.programming.editors.vscode
-      home.programming.languages.rust
-      home.programming.languages.nix
+      programming.editors.nano
+      programming.editors.vscode
+      programming.languages.rust
+      programming.languages.nix
 
-      home.gaming.platforms.steam
-      home.gaming.platforms.lutris
+      gaming.platforms.steam
+      gaming.platforms.lutris
     ];
     home.stateVersion = "24.05";
   };

hosts/nixos.nix

@@ -25,7 +25,7 @@
   };
 
   defaultModules = [
-    tree.profiles.base
+    tree.profiles.nixos.base
 
     inputs.home-manager-unstable.nixosModules.home-manager
 
@@ -34,7 +34,6 @@
     tree.modules.nixos.rcloneServe
     tree.modules.nixos.rcloneSync
     tree.modules.nixos.secrets
-    tree.modules.nixos.postgreSQLRemoteBackup
     tree.modules.nixos.encryptedDrive
   ];
 
@@ -70,16 +69,6 @@ in rec {
     modules = defaultModules ++ [./lappy-t495/lappy-t495.nix ./lappy-t495/hardware.nix];
   };
 
-  lappy-surface = nixosUnstableSystem {
-    specialArgs =
-      defaultSpecialArgs
-      // {
-        hostPath = ./lappy-surface;
-      };
-    system = "x86_64-linux";
-    modules = defaultModules ++ [./lappy-surface/lappy-surface.nix ./lappy-surface/hardware.nix];
-  };
-
   hetzner-arm = nixosUnstableSystem {
     specialArgs =
       defaultSpecialArgs

modules/nixos/postgreSQLRemoteBackup.nix

@@ -1,165 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  inherit (builtins) listToAttrs getAttr;
-  inherit (lib.modules) mkIf mkMerge;
-  inherit (lib.options) mkOption mkEnableOption mdDoc;
-  inherit (lib.strings) optionalString;
-  inherit (lib.attrsets) attrValues;
-  inherit (lib) types;
-
-  cfg = config.services.postgreSQLRemoteBackup;
-in {
-  options = {
-    # TODO: add host, port, user options
-    services.postgreSQLRemoteBackup = {
-      enable = mkEnableOption (mdDoc "PostgreSQL database dumps");
-
-      keepPrev = mkOption {
-        default = true;
-        type = types.bool;
-        description = mdDoc ''
-          Keep the previous run's backups but rename them to $name.prev
-        '';
-      };
-
-      startAt = mkOption {
-        default = "4h";
-        type = with types; either (listOf str) str;
-        description = mdDoc ''
-          This option defines (see `systemd.time` for format) when the
-          databases should be dumped.
-          The default is run every 4 hours.
-        '';
-      };
-
-      backupUser = mkOption {
-        default = "root";
-        type = types.str;
-        description = mdDoc ''
-          User which will be used for backup job and files
-        '';
-      };
-
-      databases = mkOption {
-        default = [];
-        type = types.listOf types.str;
-        description = mdDoc ''
-          List of database names to dump.
-        '';
-      };
-
-      location = mkOption {
-        default = "/var/backup/postgresql";
-        type = types.path;
-        description = mdDoc ''
-          Path of directory where the PostgreSQL database dumps will be placed.
-        '';
-      };
-
-      pgdumpOptions = mkOption {
-        type = types.separatedString " ";
-        default = "-C";
-        description = mdDoc ''
-          Command line options for pg_dump.
-        '';
-      };
-
-      compression = mkOption {
-        type = types.enum ["none" "zstd"];
-        default = "zstd";
-        description = mdDoc ''
-          The type of compression to use on the generated database dump.
-        '';
-      };
-
-      compressionLevel = mkOption {
-        type = types.int;
-        default = 9;
-        description = mdDoc ''
-          The compression level used when compression is enabled.
-          zstd accepts levels 1 to 19.
-        '';
-      };
-    };
-  };
-
-  config = mkMerge [
-    (mkIf cfg.enable {
-      systemd.tmpfiles.rules = [
-        "d '${cfg.location}' 0700 ${cfg.backupUser} - - -"
-      ];
-    })
-    (mkIf cfg.enable {
-      systemd.services = listToAttrs (map (db: {
-          name = "remotePostgreSQLBackup-${db}";
-          value = let
-            compressSuffixes = {
-              "none" = "";
-              "zstd" = ".zstd";
-            };
-            compressSuffix = getAttr cfg.compression compressSuffixes;
-
-            compressCmd = getAttr cfg.compression {
-              "none" = "cat";
-              "zstd" = "${pkgs.zstd}/bin/zstd -c -${toString cfg.compressionLevel}";
-            };
-
-            mkSqlPath = prefix: suffix: "${cfg.location}/${db}${prefix}.sql${suffix}";
-            curFile = mkSqlPath "" compressSuffix;
-            prevFile = mkSqlPath ".prev" compressSuffix;
-            prevFiles = map (mkSqlPath ".prev") (attrValues compressSuffixes);
-            inProgressFile = mkSqlPath ".in-progress" compressSuffix;
-          in {
-            enable = true;
-
-            description = "Backup of ${db} database(s)";
-
-            requires = mkIf config.services.postgresql.enable [
-              "postgresql.service"
-            ];
-
-            path = [
-              pkgs.coreutils
-              (let
-                pgCfg = config.services.postgresql;
-              in
-                if pgCfg.enable
-                then pgCfg.package
-                else pkgs.postgresql)
-            ];
-
-            script = ''
-              set -e -o pipefail
-
-              umask 0077 # ensure backup is only readable by backup user
-
-              ${optionalString cfg.keepPrev ''
-                if [ -e ${curFile} ]; then
-                  rm -f ${toString prevFiles}
-                  mv ${curFile} ${prevFile}
-                fi
-              ''}
-
-              pg_dump ${cfg.pgdumpOptions} ${db} \
-                | ${compressCmd} \
-                > ${inProgressFile}
-
-              mv ${inProgressFile} ${curFile}
-            '';
-
-            serviceConfig = {
-              Type = "oneshot";
-              User = cfg.backupUser;
-            };
-
-            inherit (cfg) startAt;
-          };
-        })
-        cfg.databases);
-    })
-  ];
-}

outputs.nix

@@ -124,7 +124,6 @@ in
                 sshAddress = "hetzner-arm.servers.genderfucked.monster";
               };
             "lappy-t495" = configForMachine "lappy-t495";
-            "lappy-surface" = configForMachine "lappy-surface";
           };
 
           machinesWithHostSecrets = filter (

overlay/default.nix

@@ -2,8 +2,6 @@ final: prev: rec {
   comic-sans = final.callPackage ./comic-sans {};
   comic-code = final.callPackage ./comic-code {};
 
-  gobar = final.callPackage ./gobar {};
-
   mk-enc-usb = final.callPackage ../extras/mk-enc-usb.nix {};
   mk-encrypted-drive = final.callPackage ../extras/mk-encrypted-drive.nix {};
 

overlay/gobar/default.nix

@@ -1,22 +0,0 @@
-{
-  fetchFromGitLab,
-  buildGoModule,
-}:
-buildGoModule rec {
-  pname = "gobar";
-  version = "latest-1";
-
-  src = fetchFromGitLab {
-    owner = "ChaotiCryptidz";
-    repo = "gobar";
-    rev = "34c807423e5ea1420dbe2c08574cdc234f9b0789";
-    sha256 = "sha256-H+CjnkMde3rx7CoLKOluxHlYrhZGqzTnU8oOgkDEwsc=";
-  };
-
-  runVend = false;
-  vendorSha256 = "sha256-37QYc+gLzCW1jefAQNy4AbabckJ4jO1sDOiUZTsLgWo=";
-
-  preBuild = ''
-    export HOME=$TMPDIR
-  '';
-}

presets/home-manager/root-base.nix

@@ -0,0 +1,7 @@
+{tree, ...}: {
+  home-manager.users.root = {
+    imports = with tree.profiles.home-manager; [
+      base
+    ];
+  };
+}

presets/home-manager/root-minimalServer.nix

@@ -0,0 +1,9 @@
+{tree, ...}: {
+  home-manager.users.root = {
+    imports = with tree.profiles.home-manager; [
+      base.zsh
+      base.age-encryption
+      dev.small
+    ];
+  };
+}

presets/nixos/containerBase.nix

@@ -5,13 +5,14 @@
 }: {
   imports =
     (with tree; [
-      profiles.base
+      profiles.nixos.base
+
       users.root
+      presets.home-manager.root-minimalServer
 
       modules.nixos.rcloneServe
       modules.nixos.rcloneSync
       modules.nixos.secrets
-      modules.nixos.postgreSQLRemoteBackup
     ])
     ++ [
       # Default modules which are usually included in nixos.nix
@@ -19,10 +20,6 @@
       inputs.vaultui.nixosModules.default
     ];
 
-  home-manager.users.root = {
-    imports = with tree; [home.base.zsh home.base.age-encryption home.dev.small];
-  };
-
   networking.firewall = {
     enable = true;
     allowPing = true;

presets/nixos/desktopBase.nix

@@ -1,41 +1,38 @@
 {tree, ...}: {
-  imports = with tree; [
-    profiles.wifiHardware
+  imports = with tree.profiles.nixos; [
+    wifiHardware
 
-    profiles.sound.base
-    profiles.sound.pipewire
-    profiles.gui.base
+    sound.base
+    sound.pipewire
+    gui.base
 
-    profiles.firewallAllow.aria2c
-    profiles.firewallAllow.soulseek
-    profiles.mullvad
+    mullvad
   ];
 
   home-manager.users.chaos = {
-    imports = with tree; [
-      home.gui.base
+    imports = with tree.profiles.home-manager; [
+      gui.base
 
-      home.apps.fileRoller
-      home.apps.nautilus
-      home.apps.pavucontrol
-      home.apps.mpv
+      apps.fileRoller
+      apps.nautilus
+      apps.pavucontrol
+      apps.mpv
 
-      home.apps.firefox
-      home.apps.telegram
-      home.apps.thunderbird
-      #home.apps.session
-      home.apps.toot-cli
+      apps.firefox
+      apps.telegram
+      apps.thunderbird
+      apps.toot-cli
 
-      home.apps.obsidian
-      home.apps.libreoffice
+      apps.obsidian
+      apps.libreoffice
 
-      home.apps.nicotine-plus
-      home.apps.musicutil
+      apps.nicotine-plus
+      apps.musicutil
 
-      home.apps.mullvad
-      home.apps.aria2
-      home.apps.rclone
-      home.apps.restic
+      apps.mullvad
+      apps.aria2
+      apps.rclone
+      apps.restic
     ];
   };
 }

presets/nixos/desktopGnome.nix

@@ -1,11 +1,12 @@
 {tree, ...}: {
   imports = with tree; [
     presets.nixos.desktopBase
-    profiles.gui.environments.gnome
+
+    profiles.nixos.gui.environments.gnome
   ];
   home-manager.users.chaos = {
     imports = with tree; [
-      home.gui.environments.gnome
+      profiles.home-manager.gui.environments.gnome
     ];
   };
 }

presets/nixos/encryptedUSB.nix

@@ -1,6 +1,11 @@
 {tree, ...}: {
-  imports = with tree; [profiles.usbAutoMount];
+  imports = with tree.profiles.nixos; [
+    usbAutoMount
+  ];
+
   home-manager.users.chaos = {
-    imports = with tree; [home.sshUSB];
+    imports = with tree.profiles.home-manager; [
+      sshUSB
+    ];
   };
 }

presets/nixos/laptop.nix

@@ -1,13 +1,13 @@
 {tree, ...}: {
-  imports = with tree; [
-    profiles.laptop
+  imports = with tree.profiles.nixos; [
+    laptop
 
-    profiles.connectivity.networkManager
-    profiles.connectivity.iOS
+    connectivity.networkManager
+    connectivity.iOS
 
-    profiles.wifiHardware
+    wifiHardware
 
-    profiles.tor
+    tor
   ];
 
   boot.loader.systemd-boot = {

presets/nixos/serverBase.nix

@@ -1,22 +1,19 @@
 {tree, ...}: {
   imports = with tree; [
     users.root
+    presets.home-manager.root-minimalServer
 
-    profiles.sshd
-    profiles.firewallAllow.ssh
+    profiles.nixos.sshd
 
-    profiles.nixGC
-    profiles.serverExtras
+    profiles.nixos.nixGC
+    profiles.nixos.serverExtras
   ];
 
-  home-manager.users.root = {
-    imports = with tree; [home.base.zsh home.base.age-encryption home.dev.small];
-  };
-
   networking.firewall = {
     enable = true;
     allowPing = true;
     checkReversePath = "loose";
+    allowedTCPPorts = [22];
   };
 
   # TODO: Better DNS setup

presets/nixos/serverEncryptedDrive.nix

@@ -14,7 +14,7 @@
   driveData = import "${self}/data/drives/encryptedDrive.nix";
 in {
   imports = with tree; [
-    profiles.sshd
+    profiles.nixos.sshd
   ];
 
   boot = {

profiles/fingerprint.nix

@@ -1,37 +0,0 @@
-{
-  lib,
-  pkgs,
-  config,
-  ...
-}: let
-  inherit (lib.modules) mkIf mkForce;
-in {
-  services.fprintd.enable = true;
-
-  security.sudo.wheelNeedsPassword = mkForce true;
-
-  security.pam.services = {
-    sudo.fprintAuth = true;
-    login.fprintAuth = true;
-
-    gdm-fingerprint = mkIf config.services.xserver.displayManager.gdm.enable {
-      text = ''
-        auth       required                    pam_shells.so
-        auth       requisite                   pam_nologin.so
-        auth       requisite                   pam_faillock.so      preauth
-        auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
-        auth       optional                    pam_permit.so
-        auth       required                    pam_env.so
-        auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
-        auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
-
-        account    include                     login
-
-        password   required                    pam_deny.so
-
-        session    include                     login
-        session    optional                    ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
-      '';
-    };
-  };
-}

profiles/home-manager/base/age-encryption.nix

@@ -0,0 +1,5 @@
+{tree, ...}: {
+  imports = with tree.profiles.home-manager; [
+    apps.age
+  ];
+}

profiles/home-manager/dev/all/editors.nix

@@ -0,0 +1,5 @@
+{tree, ...}: {
+  imports = with tree.profiles.home-manager; [
+    programming.editors.nano
+  ];
+}

profiles/home-manager/dev/small/small.nix

@@ -0,0 +1,12 @@
+{tree, ...}: {
+  # basically everything apart from dev.debugging and extra archives
+  imports = with tree.profiles.home-manager.dev.all; [
+    archives.common
+    compression
+    editors
+    extra
+    git
+    info
+    network
+  ];
+}

profiles/home-manager/gui/environments/gnome/default.nix

@@ -1,14 +1,10 @@
 {
   tree,
-  nixosConfig,
   pkgs,
   inputs,
   lib,
   ...
 }: let
-  inherit (lib.lists) optional;
-  inherit (lib.modules) mkIf;
-
   homeManagerLib = inputs.home-manager.lib.hm;
 
   fontSizes = {
@@ -16,7 +12,7 @@
     medium = "12";
   };
 in {
-  imports = with tree; [home.gui.base home.apps.kitty];
+  imports = with tree.profiles.home-manager; [gui.base apps.kitty];
 
   home.packages = with pkgs; [
     dconf2nix

profiles/home-manager/musicLibrary.nix

@@ -3,9 +3,9 @@
   tree,
   ...
 }: {
-  imports = with tree; [
-    home.apps.rclone
-    home.apps.musicutil
+  imports = with tree.profiles.home-manager; [
+    apps.rclone
+    apps.musicutil
   ];
 
   home.packages = [

profiles/home-manager/sshUSB.nix

@@ -1,5 +1,5 @@
-{...}: let
-  encryptedUSBData = import ../data/drives/encryptedUSB.nix;
+{self, ...}: let
+  encryptedUSBData = import "${self}/data/drives/encryptedUSB.nix";
 in {
   programs.ssh.matchBlocks."*".identityFile = "${encryptedUSBData.sshPrivateKeyPath}";
   programs.git.extraConfig = {

profiles/minimalServer.nix

@@ -1,8 +0,0 @@
-{lib, ...}: let
-  inherit (lib.modules) mkDefault;
-in {
-  environment.noXlibs = mkDefault true;
-  documentation.man.enable = mkDefault false;
-  documentation.doc.enable = mkDefault false;
-  fonts.fontconfig.enable = mkDefault false;
-}

profiles/nixos/base/nix.nix

@@ -1,4 +1,5 @@
 {
+  self,
   inputs,
   config,
   pkgs,
@@ -24,13 +25,9 @@ in {
   nixpkgs = mkIf (!config.boot.isContainer) {
     config = {
       allowUnfree = true;
-
-      permittedInsecurePackages = [
-        "electron-25.9.0"
-      ];
     };
     overlays = [
-      (import ../../overlay)
+      (import "${self}/overlay")
     ];
   };
   environment.etc."nixpkgs-commit".text = inputs.nixpkgs-unstable.rev;

profiles/nixos/connectivity/iOS.nix

@@ -3,6 +3,6 @@
 
   environment.systemPackages = with pkgs; [
     libimobiledevice
-    ifuse # optional, to mount using 'ifuse'
+    ifuse
   ];
 }