authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-05-20 16:10:21 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-05-20 16:14:26 +0200
commit368cb6b0d25db2ae23be42ad51584de059997e51 (patch)
tree3282e45d3ebced63c8498a47e83a255c35de620b /modules
parentrefactor(hm): Rename to `modules/home` (diff)
downloadnixos-config-368cb6b0d25db2ae23be42ad51584de059997e51.zip
refactor(sys): Modularize and move to `modules/system` or `pkgs`
Diffstat (limited to '')
-rwxr-xr-xmodules/system/boot/boot_pictures/gnu.png (renamed from sys/boot/boot_pictures/gnu.png)bin327518 -> 327518 bytes
-rwxr-xr-xmodules/system/boot/boot_pictures/gnulin_emb_1.png (renamed from sys/boot/boot_pictures/gnulin_emb_1.png)bin207444 -> 207444 bytes
-rwxr-xr-xmodules/system/boot/boot_pictures/gnulin_emb_2.png (renamed from sys/boot/boot_pictures/gnulin_emb_2.png)bin208347 -> 208347 bytes
-rw-r--r--modules/system/boot/default.nix129
-rw-r--r--modules/system/boot/iso_entry/archlive_iso.nix (renamed from sys/boot/archlive_iso.nix)0
-rw-r--r--modules/system/boot/iso_entry/signing_key.nix (renamed from sys/boot/signing_key.nix)0
-rw-r--r--modules/system/cleanup/default.nix18
-rw-r--r--modules/system/default.nix26
-rw-r--r--modules/system/disks/default.nix (renamed from sys/disks/default.nix)18
-rw-r--r--modules/system/disks/fstrim.nix (renamed from sys/disks/fstrim.nix)0
-rw-r--r--modules/system/disks/hibernate.nix (renamed from sys/disks/hibernate.nix)1
-rw-r--r--modules/system/documentation/default.nix24
-rw-r--r--modules/system/fonts/default.nix55
-rw-r--r--modules/system/fonts/emoji_font.xml (renamed from sys/font/font.xml)0
-rw-r--r--modules/system/hardware/default.nix68
-rw-r--r--modules/system/impermanence/default.nix55
-rw-r--r--modules/system/libvirtd/default.nix (renamed from sys/libvirtd/default.nix)0
-rw-r--r--modules/system/locale/default.nix (renamed from sys/locale/default.nix)18
-rw-r--r--modules/system/locale/keymaps/dvorak_modified.xkb (renamed from sys/locale/keymaps/dvorak_modified.xkb)0
-rw-r--r--modules/system/locale/keymaps/us_modified.xkb (renamed from sys/locale/keymaps/us_modified.xkb)0
-rw-r--r--modules/system/networking/default.nix81
-rw-r--r--modules/system/polkit/default.nix14
-rw-r--r--modules/system/power/default.nix33
-rw-r--r--modules/system/secrets/default.nix82
-rw-r--r--modules/system/secrets/lf/cd_paths (renamed from sys/secrets/lf/cd_paths)0
-rw-r--r--modules/system/secrets/nheko/conf.apzu (renamed from sys/secrets/nheko/conf.apzu)0
-rw-r--r--modules/system/secrets/nheko/conf.isimud (renamed from sys/secrets/nheko/conf.isimud)0
-rw-r--r--modules/system/secrets/nheko/conf.tiamat (renamed from sys/secrets/nheko/conf.tiamat)0
-rw-r--r--modules/system/secrets/secrets.nix (renamed from sys/secrets/secrets.nix)0
-rw-r--r--modules/system/secrets/serverphone/ca.key (renamed from sys/secrets/serverphone/ca.key)0
-rw-r--r--modules/system/secrets/serverphone/server.key (renamed from sys/secrets/serverphone/server.key)0
-rw-r--r--modules/system/secrets/taskserver/ca.cert (renamed from sys/secrets/taskserver/ca.cert)0
-rw-r--r--modules/system/secrets/taskserver/credentials (renamed from sys/secrets/taskserver/credentials)0
-rw-r--r--modules/system/secrets/taskserver/private.key (renamed from sys/secrets/taskserver/private.key)0
-rw-r--r--modules/system/secrets/taskserver/public.cert (renamed from sys/secrets/taskserver/public.cert)0
-rwxr-xr-xmodules/system/secrets/update.sh (renamed from sys/secrets/update.sh)0
-rw-r--r--modules/system/services/adb/default.nix (renamed from sys/svcs/adb/default.nix)0
-rw-r--r--modules/system/services/backup/default.nix (renamed from sys/svcs/backup/default.nix)11
-rw-r--r--modules/system/services/dconf/default.nix7
-rw-r--r--modules/system/services/default.nix (renamed from sys/svcs/default.nix)4
-rw-r--r--modules/system/services/fwupd/default.nix14
-rw-r--r--modules/system/services/issue_file/default.nix (renamed from sys/svcs/getty/default.nix)13
-rw-r--r--modules/system/services/nix/default.nix (renamed from sys/svcs/nix/default.nix)1
-rw-r--r--modules/system/services/openssh/default.nix (renamed from sys/svcs/openssh/default.nix)0
-rw-r--r--modules/system/services/postgresql/default.nix17
-rw-r--r--modules/system/services/printing/default.nix45
-rw-r--r--modules/system/services/scanning/default.nix25
-rw-r--r--modules/system/services/serverphone/certificates/ca.crt (renamed from sys/svcs/serverphone/certificates/ca.crt)0
-rw-r--r--modules/system/services/serverphone/certificates/server.crt (renamed from sys/svcs/serverphone/certificates/server.crt)0
-rw-r--r--modules/system/services/serverphone/default.nix (renamed from sys/svcs/serverphone/default.nix)0
l---------modules/system/services/serverphone/keys/key_1 (renamed from sys/svcs/serverphone/keys/key_1)0
l---------modules/system/services/serverphone/keys/key_2 (renamed from sys/svcs/serverphone/keys/key_2)0
-rw-r--r--modules/system/services/snapper/default.nix53
-rw-r--r--modules/system/services/steam/default.nix (renamed from sys/svcs/steam/default.nix)8
-rw-r--r--modules/system/services/swaylock/default.nix (renamed from sys/svcs/swaylock/default.nix)0
-rw-r--r--modules/system/services/xdg/default.nix (renamed from sys/svcs/xdg/default.nix)0
-rwxr-xr-xmodules/system/services/xdg/scripts/lf_wrapper.sh (renamed from sys/svcs/xdg/scripts/lf_wrapper.sh)0
-rwxr-xr-xmodules/system/services/xdg/scripts/ranger_wrapper.sh (renamed from sys/svcs/xdg/scripts/ranger_wrapper.sh)0
-rw-r--r--modules/system/sound/default.nix38
-rw-r--r--modules/system/tempfiles/default.nix20
-rw-r--r--modules/system/users/default.nix50
-rw-r--r--modules/system/version/default.nix19
-rw-r--r--modules/system/waydroid/default.nix (renamed from sys/waydroid/default.nix)1
63 files changed, 914 insertions, 34 deletions
diff --git a/sys/boot/boot_pictures/gnu.png b/modules/system/boot/boot_pictures/gnu.png
index d07dee3e..d07dee3e 100755
--- a/sys/boot/boot_pictures/gnu.png
+++ b/modules/system/boot/boot_pictures/gnu.png
Binary files differ
diff --git a/sys/boot/boot_pictures/gnulin_emb_1.png b/modules/system/boot/boot_pictures/gnulin_emb_1.png
index 483f2681..483f2681 100755
--- a/sys/boot/boot_pictures/gnulin_emb_1.png
+++ b/modules/system/boot/boot_pictures/gnulin_emb_1.png
Binary files differ
diff --git a/sys/boot/boot_pictures/gnulin_emb_2.png b/modules/system/boot/boot_pictures/gnulin_emb_2.png
index 48cd6ad7..48cd6ad7 100755
--- a/sys/boot/boot_pictures/gnulin_emb_2.png
+++ b/modules/system/boot/boot_pictures/gnulin_emb_2.png
Binary files differ
diff --git a/modules/system/boot/default.nix b/modules/system/boot/default.nix
new file mode 100644
index 00000000..1e6fa99b
--- /dev/null
+++ b/modules/system/boot/default.nix
@@ -0,0 +1,129 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.soispha.boot;
+in {
+ options.soispha.boot = {
+ enable = lib.mkEnableOption "Bootloader configuration";
+ # TODO: Add this option <2024-05-16>
+ # enableIsoEntry = lib.mkEnableOption "an tails iso boot entry";
+ };
+
+ config = lib.mkIf cfg.enable (
+ # let
+ # cfg = config.boot.loader.systemd-boot;
+ # inherit (config.boot.loader) efi;
+ #
+ # esa = n: lib.strings.escapeShellArg n;
+ #
+ # bootMountPoint =
+ # if cfg.xbootldrMountPoint != null
+ # then cfg.xbootldrMountPoint
+ # else efi.efiSysMountPoint;
+ #
+ # nixosDir = "/EFI/nixos";
+ #
+ # # FIXME: This system has two big problems:
+ # # 1. It does not updated files, which still have the same name
+ # # 2. It forgets about files, which were 'deleted' in this configuration (these just
+ # # stay on disk forever) <2024-05-11>
+ # copyExtraFiles = ''
+ # echo "[systemd-boot] copying files to ${bootMountPoint}"
+ # empty_file=$(mktemp)
+ #
+ # ${lib.concatStrings (lib.mapAttrsToList (n: v:
+ # /*
+ # bash
+ # */
+ # ''
+ # if ! [ -e ${esa "${bootMountPoint}/${n}"} ]; then
+ # install -Dp "${v}" ${esa "${bootMountPoint}/${n}"}
+ # install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/${n}"}
+ # fi
+ # '')
+ # cfg.extraFiles)}
+ #
+ # ${lib.concatStrings (lib.mapAttrsToList (n: v:
+ # /*
+ # bash
+ # */
+ # ''
+ # # if ! [ -e ${esa "${bootMountPoint}/loader/entries/${n}"} ]; then
+ # install -Dp "${pkgs.writeText n v}" ${esa "${bootMountPoint}/loader/entries/${n}"}
+ # install -D "$empty_file" ${esa "${bootMountPoint}/${nixosDir}/.extra-files/loader/entries/${n}"}
+ # # fi
+ # '')
+ # cfg.extraEntries)}
+ # '';
+ # in
+ {
+ # FIXME: Reactviate this whole iso thing when a disko redeploy is done.
+ # (and switch to tails instead of arch) <2024-05-12>
+ #
+ # system.activationScripts = {
+ # copyExtraFilesForBoot = copyExtraFiles;
+ # };
+
+ boot = {
+ initrd = {
+ kernelModules = ["nvme" "btrfs"];
+ };
+
+ kernelPackages = pkgs.linuxPackages_latest;
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+
+ settings = {
+ # Disable editing the kernel command line (which could allow someone to become root)
+ editor = false;
+ };
+ };
+
+ loader = {
+ systemd-boot = {
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ enable = false;
+
+ # extraEntries = {
+ # "live.conf" = ''
+ # title Archlinux Live ISO
+ # linux /live/vmlinuz-linux
+ # initrd /live/initramfs-linux.img
+ # options img_dev=${config.soispha.disks.disk} img_loop=/archlinux.iso copytoram
+ # '';
+ # };
+ #
+ # extraFiles = let
+ # iso = import ./archlive_iso.nix {inherit pkgs;};
+ # in {
+ # "archlinux.iso" = "${iso}/archlinux.iso";
+ # "live/initramfs-linux.img" = "${iso}/live/initramfs-linux.img";
+ # "live/vmlinuz-linux" = "${iso}/live/vmlinuz-linux";
+ # };
+ };
+
+ grub = {
+ enable = false;
+ # theme = pkgs.nixos-grub2-theme;
+ splashImage = ./boot_pictures/gnu.png;
+ efiSupport = true;
+ device = "nodev"; # only for efi
+ };
+
+ efi = {
+ canTouchEfiVariables = true;
+ efiSysMountPoint = "/boot";
+ };
+ };
+ };
+ }
+ );
+}
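Review bot: The commented-out `iso = import ./archlive_iso.nix {inherit pkgs;};` inside the disabled `extraFiles` block still names the old location, while this same commit moves that file to `iso_entry/archlive_iso.nix`, so reactivating the ISO entry will fail on a missing path. I would update the comment now to `# iso = import ./iso_entry/archlive_iso.nix {inherit pkgs;};`, or move the whole disabled `copyExtraFiles` block into `iso_entry/` so this module holds only live configuration. `pkiBundle = "/etc/secureboot";` also deserves a comment, for example `# Secure Boot signing keys live here; keep root-only and persisted across reboots`.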
diff --git a/sys/boot/archlive_iso.nix b/modules/system/boot/iso_entry/archlive_iso.nix
index d19a4a87..d19a4a87 100644
--- a/sys/boot/archlive_iso.nix
+++ b/modules/system/boot/iso_entry/archlive_iso.nix
diff --git a/sys/boot/signing_key.nix b/modules/system/boot/iso_entry/signing_key.nix
index 788447be..788447be 100644
--- a/sys/boot/signing_key.nix
+++ b/modules/system/boot/iso_entry/signing_key.nix
diff --git a/modules/system/cleanup/default.nix b/modules/system/cleanup/default.nix
new file mode 100644
index 00000000..4e192f7d
--- /dev/null
+++ b/modules/system/cleanup/default.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.cleanup;
+in {
+ # remove all the bloat, which NixOS installs by default
+ options.soispha.cleanup = {
+ enable = lib.mkEnableOption "avoiding of nixos' default installed packages";
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment = {
+ defaultPackages = lib.mkForce [];
+ };
+ };
+}
diff --git a/modules/system/default.nix b/modules/system/default.nix
new file mode 100644
index 00000000..0eef0b7f
--- /dev/null
+++ b/modules/system/default.nix
@@ -0,0 +1,26 @@
+{config, ...}: let
+ cfg = config.soispha;
+in {
+ imports = [
+ ./boot
+ ./cleanup
+ ./disks
+ ./documentation
+ ./fonts
+ ./hardware
+ ./impermanence
+ ./locale
+ ./networking
+ ./polkit
+ ./power
+ ./secrets
+ ./services
+ ./sound
+ ./tempfiles
+ ./users
+ ./version
+ ./waydroid
+ ];
+ options = {};
+ config = {};
+}
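Review bot: `cfg = config.soispha;` in the `let` is never used, and `options = {};` / `config = {};` add nothing, so the file can shrink to `{...}: { imports = [ … ]; }`. The commit also renames `sys/libvirtd/default.nix` to `modules/system/libvirtd/default.nix`, but `./libvirtd` is missing from this import list; unless it is imported somewhere outside this diff, that module is no longer evaluated. If the omission is deliberate, a one-line comment in the list saying where libvirtd is imported would record it.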
diff --git a/sys/disks/default.nix b/modules/system/disks/default.nix
index 2283db96..c0e5bcfd 100644
--- a/sys/disks/default.nix
+++ b/modules/system/disks/default.nix
@@ -14,29 +14,25 @@
in {
options.soispha.disks = {
enable = lib.mkEnableOption "disk setup with disko";
+
disk = lib.mkOption {
type = lib.types.path;
example = lib.literalExpression "/dev/disk/by-uuid/0442cb6d-f13a-4635-b487-fa76189774c5";
- description = ''
- The disk used for installing the OS.
- '';
- };
- ssd = lib.mkOption {
- type = lib.types.bool;
- example = lib.literalExpression "true";
- default = false;
- description = lib.mdDoc "Enable ssd specific improvements, like trim";
+ description = "The disk used for installing the OS.";
};
+
+ ssd = lib.mkEnableOption "ssd specific improvements, like trim";
+
swap = {
uuid = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression "d1d20ae7-3d8a-44da-86da-677dbbb10c89";
- description = lib.mdDoc "The uuid of the swapfile";
+ description = "The uuid of the swapfile";
};
resumeOffset = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression "134324224";
- description = lib.mdDoc "The resume offset of the swapfile";
+ description = "The resume offset of the swapfile";
};
};
};
diff --git a/sys/disks/fstrim.nix b/modules/system/disks/fstrim.nix
index 6daeb65e..6daeb65e 100644
--- a/sys/disks/fstrim.nix
+++ b/modules/system/disks/fstrim.nix
diff --git a/sys/disks/hibernate.nix b/modules/system/disks/hibernate.nix
index ad7ca12c..a50e5b57 100644
--- a/sys/disks/hibernate.nix
+++ b/modules/system/disks/hibernate.nix
@@ -12,6 +12,7 @@
ExecStart = "${pkgs.bash}/bin/bash -c \"${pkgs.util-linux}/bin/swapon /swap/swapfile && ${pkgs.util-linux}/bin/swapoff /dev/zram0\"";
};
};
+
hibernate-resume = {
wantedBy = ["systemd-hibernate.service"];
unitConfig = {
diff --git a/modules/system/documentation/default.nix b/modules/system/documentation/default.nix
new file mode 100644
index 00000000..0e998d6c
--- /dev/null
+++ b/modules/system/documentation/default.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.documentation;
+in {
+ options.soispha.documentation = {
+ enable = lib.mkEnableOption "documentation";
+ };
+ config = lib.mkIf cfg.enable {
+ documentation = {
+ nixos = {
+ includeAllModules = true;
+
+ enable = true;
+ };
+ dev = {
+ # Add man pages aimed at developers (I guess c library stuff, and the like)
+ enable = true;
+ };
+ };
+ };
+}
diff --git a/modules/system/fonts/default.nix b/modules/system/fonts/default.nix
new file mode 100644
index 00000000..fa99c1f3
--- /dev/null
+++ b/modules/system/fonts/default.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.soispha.fonts;
+in {
+ options.soispha.fonts = {
+ enable = lib.mkEnableOption "fonts";
+
+ fonts = lib.mkOption {
+ type = lib.types.listOf lib.types.path;
+ example = lib.literalExpression ''["SourceCodePro" "Overpass" "FiraCode"]'';
+ default = [
+ "SourceCodePro"
+ "Overpass"
+ ];
+ description = "The nerd-fonts to install";
+ };
+
+ enableEmoji = lib.mkEnableOpiton "emoji font support";
+ };
+
+ config = lib.mkIf cfg.enable {
+ fonts = {
+ packages = let
+ nerdFont = pkgs.nerdfonts.override {
+ inherit (cfg) fonts;
+ };
+ in
+ [
+ nerdFont
+ ]
+ ++ (with pkgs; [liberation_ttf])
+ ++ lib.optional cfg.enableEmoji pkgs.noto-fonts-emoji;
+
+ fontconfig = {
+ # NOTE: This is responsible for color emoji support <2023-08-28>
+ # WARNING: This could lead to broken font rendering, if the emoji font is used as
+ # a fallback for normal characters <2024-05-16>
+ localConf = lib.mkIf cfg.enableEmoji (builtins.readFile ./emoji_font.xml);
+
+ defaultFonts = {
+ serif = lib.mkForce ["Liberation Serif"] ++ lib.optional cfg.enableEmoji "Noto Color Emoji";
+ sansSerif = lib.mkForce ["Overpass Nerd Font Propo"] ++ lib.optional cfg.enableEmoji "Noto Color Emoji";
+ monospace = lib.mkForce ["SauceCodePro Nerd Font Mono"] ++ lib.optional cfg.enableEmoji "Noto Color Emoji";
+ emoji = lib.mkIf cfg.enableEmoji (lib.mkForce ["Noto Color Emoji"]);
+ };
+ allowType1 = false;
+ allowBitmaps = false;
+ };
+ };
+ };
+}
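Review bot: This module should fail to evaluate as written, for three separate reasons. `lib.mkEnableOpiton` is a typo for `lib.mkEnableOption`. The `fonts` option is typed `listOf path` although its default and example are plain font names, which the `path` type rejects. In `defaultFonts`, function application binds tighter than `++`, so `lib.mkForce [...] ++ lib.optional ...` tries to concatenate the attribute set returned by `mkForce` with a list. The fence shows the five lines I would change: `listOf str`, the corrected function name, and parentheses around the whole concatenation passed to `mkForce`.

```nix
    fonts = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      # … unchanged: example, default, description …
    };

    enableEmoji = lib.mkEnableOption "emoji font support";

        # … unchanged: fonts.packages, fontconfig.localConf …
        defaultFonts = {
          serif = lib.mkForce (["Liberation Serif"] ++ lib.optional cfg.enableEmoji "Noto Color Emoji");
          sansSerif = lib.mkForce (["Overpass Nerd Font Propo"] ++ lib.optional cfg.enableEmoji "Noto Color Emoji");
          monospace = lib.mkForce (["SauceCodePro Nerd Font Mono"] ++ lib.optional cfg.enableEmoji "Noto Color Emoji");
          # … unchanged: emoji …
        };
```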
diff --git a/sys/font/font.xml b/modules/system/fonts/emoji_font.xml
index f3f6bb3e..f3f6bb3e 100644
--- a/sys/font/font.xml
+++ b/modules/system/fonts/emoji_font.xml
diff --git a/modules/system/hardware/default.nix b/modules/system/hardware/default.nix
new file mode 100644
index 00000000..acf9fb2e
--- /dev/null
+++ b/modules/system/hardware/default.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.soispha.hardware;
+in {
+ options.soispha.hardware = {
+ enable = lib.mkEnableOption "udev rules for devices I use";
+ moonlander = {
+ enableLiveTraining = lib.mkEnableOption "udev rules for live training";
+ enableFlashing = lib.mkEnableOption "udev rules for firmware flashing";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ hardware = {
+ keyboard.zsa.enable = false;
+ nitrokey.enable = true;
+
+ # TODO: Remove this once I know, that it is no longer necessary <2024-05-16>
+ onlykey.enable = true;
+
+ opengl = {
+ enable = true;
+ extraPackages = builtins.attrValues {
+ inherit
+ (pkgs)
+ vaapiVdpau
+ libvdpau-va-gl
+ ;
+ };
+ };
+ };
+
+ # TODO: Remove the support for the old keyboards <2024-05-16>
+ services.udev.extraRules =
+ lib.mkIf cfg.moonlander.enableLiveTraining ''
+ # Rules for Oryx web flashing and live training
+ KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="plugdev"
+ KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="plugdev"
+
+ # Legacy rules for live training over webusb (Not needed for firmware v21+)
+ # Rule for all ZSA keyboards
+ SUBSYSTEM=="usb", ATTR{idVendor}=="3297", GROUP="plugdev"
+ # Rule for the Moonlander
+ SUBSYSTEM=="usb", ATTR{idVendor}=="3297", ATTR{idProduct}=="1969", GROUP="plugdev"
+ # Rule for the Ergodox EZ
+ SUBSYSTEM=="usb", ATTR{idVendor}=="feed", ATTR{idProduct}=="1307", GROUP="plugdev"
+ # Rule for the Planck EZ
+ SUBSYSTEM=="usb", ATTR{idVendor}=="feed", ATTR{idProduct}=="6060", GROUP="plugdev"
+ ''
+ + lib.mkIf cfg.moonlander.enableFlashing
+ ''
+ # Wally Flashing rules for the Ergodox EZ
+ ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
+ ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
+ KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
+
+ # Wally Flashing rules for the Moonlander and Planck EZ
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", \
+ MODE:="0666", \
+ SYMLINK+="stm32_dfu"
+ '';
+ };
+}
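Review bot: `services.udev.extraRules` is built as `lib.mkIf … ''…'' + lib.mkIf … ''…''`, but `mkIf` returns an attribute set rather than a string, so the `+` should fail at evaluation. `lib.optionalString cfg.moonlander.enableLiveTraining ''…'' + lib.optionalString cfg.moonlander.enableFlashing ''…''` gives the intended concatenation. The flashing rules also set `MODE:="0666"`, which lets every local user and process open the DFU and `ttyACM*` nodes; `TAG+="uaccess"` or a dedicated group with `MODE="0660"` would be tighter. The live-training rules rely on `GROUP="plugdev"`, and nothing in this hunk creates that group or adds the user to it, so a `users.groups.plugdev = {};` may be needed unless it is defined elsewhere.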
diff --git a/modules/system/impermanence/default.nix b/modules/system/impermanence/default.nix
new file mode 100644
index 00000000..dca30083
--- /dev/null
+++ b/modules/system/impermanence/default.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.impermanence;
+in {
+ options.soispha.impermanence = {
+ enable = lib.mkEnableOption "persisting directories and files with impermanence";
+
+ directories = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default =
+ [
+ "/etc/nixos"
+ "/var/log"
+ "/var/lib/systemd"
+ ]
+ ++ lib.optional config.networking.networkmanager.enable "/etc/NetworkManager"
+ ++ lib.optional config.boot.lanzaboote.enable "/etc/secureboot"
+ ++ lib.optional config.hardware.bluetooth.enable "/var/lib/bluetooth"
+ ++ lib.optional config.virtualisation.waydroid.enable "/var/lib/waydroid"
+ ++ lib.optional config.services.postgresql.enable "/var/lib/postgresql";
+
+ defaultText = lib.literalExpression ''
+ [
+ "/etc/nixos"
+ "/var/log"
+ "/var/lib/systemd"
+ ]
+ ++ lib.optional config.networking.networkmanager.enable "/etc/NetworkManager"
+ ++ lib.optional config.boot.lanzaboote.enable "/etc/secureboot"
+ ++ lib.optional config.hardware.bluetooth.enable "/var/lib/bluetooth"
+ ++ lib.optional config.virtualisation.waydroid.enable "/var/lib/waydroid"
+ ++ lib.optional config.services.postgresql.enable "/var/lib/postgresql"
+ '';
+ description = "The directories to persist";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ # needed for the hm impermanence config
+ programs.fuse.userAllowOther = true;
+
+ environment.persistence = {
+ "/srv" = {
+ hideMounts = true;
+ inherit (cfg) directories;
+ files = [
+ "/etc/machine-id"
+ ];
+ };
+ };
+ };
+}
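Review bot: The default `directories` list does not persist the SSH host keys, while the `secrets` module added in this commit decrypts through agenix, which (as far as I know) uses the OpenSSH host keys as its default identity. If `/etc/ssh` is not persisted somewhere outside this diff, the keys would be regenerated on each boot and the secrets would stop decrypting. Consider adding `++ lib.optional config.services.openssh.enable "/etc/ssh"` to both `default` and `defaultText`. `programs.fuse.userAllowOther = true;` would also benefit from a fuller comment, for example `# lets non-root users mount FUSE filesystems with allow_other, making those mounts visible to other users`. Since `/etc/secureboot` is persisted under `/srv`, a comment that `/srv` now holds the Secure Boot signing keys would make the required protection of that mount explicit.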
diff --git a/sys/libvirtd/default.nix b/modules/system/libvirtd/default.nix
index 5c519550..5c519550 100644
--- a/sys/libvirtd/default.nix
+++ b/modules/system/libvirtd/default.nix
diff --git a/sys/locale/default.nix b/modules/system/locale/default.nix
index 7912b45b..10569216 100644
--- a/sys/locale/default.nix
+++ b/modules/system/locale/default.nix
@@ -6,19 +6,27 @@
cfg = config.soispha.locale;
in {
options.soispha.locale = {
- enable = lib.mkEnableOption (lib.mdDoc "locale");
+ enable = lib.mkEnableOption "locale setup";
+
keyMap = lib.mkOption {
type = lib.types.str;
example = "us";
default = "dvorak";
+ description = "The console key map language to use";
+ };
+
+ timeZone = lib.mkOption {
+ type = lib.types.str;
+ default = "Europe/Berlin";
+ description = "The time zone to use";
};
};
config = lib.mkIf cfg.enable {
- # Set your time zone.
- time.timeZone = "Europe/Berlin";
+ time = {
+ inherit (cfg) timeZone;
+ };
- # Select internationalisation properties.
i18n = {
defaultLocale = "en_CA.UTF-8";
extraLocaleSettings = {
@@ -35,7 +43,7 @@ in {
services.xserver.xkb.extraLayouts = {
"us-modified" = {
- description = "standard us with german and swedish extra chars.";
+ description = "standard us with caps as compose key.";
languages = ["eng" "swe" "deu"];
symbolsFile = ./keymaps/us_modified.xkb;
};
diff --git a/sys/locale/keymaps/dvorak_modified.xkb b/modules/system/locale/keymaps/dvorak_modified.xkb
index 63f5d4fb..63f5d4fb 100644
--- a/sys/locale/keymaps/dvorak_modified.xkb
+++ b/modules/system/locale/keymaps/dvorak_modified.xkb
diff --git a/sys/locale/keymaps/us_modified.xkb b/modules/system/locale/keymaps/us_modified.xkb
index 6299a5e9..6299a5e9 100644
--- a/sys/locale/keymaps/us_modified.xkb
+++ b/modules/system/locale/keymaps/us_modified.xkb
diff --git a/modules/system/networking/default.nix b/modules/system/networking/default.nix
new file mode 100644
index 00000000..aaaab782
--- /dev/null
+++ b/modules/system/networking/default.nix
@@ -0,0 +1,81 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.networking;
+in {
+ options.soispha.networking = {
+ enable = lib.mkEnableOption "networking";
+
+ networkManager = {
+ enable = lib.mkEnableOption "NetworkManager";
+ };
+
+ hostName = lib.mkOption {
+ type = lib.types.str;
+ example = "apzu";
+ description = "The name of the host";
+ };
+ };
+
+ config =
+ lib.mkIf cfg.enable {
+ systemd.network = {
+ networks = {
+ "tap0" = {
+ name = "tap0";
+ bridge = [
+ "virbr0"
+ ];
+ };
+ "enp4s0" = {
+ name = "enp4s0";
+ networkConfig = {
+ DHCP = "yes";
+ DNSOverTLS = "yes";
+ DNSSEC = "yes";
+ };
+ bridge = [
+ "virbr0"
+ ];
+ };
+ };
+
+ netdevs = {
+ "tap0" = {
+ netdevConfig = {
+ Name = "tap0";
+ Kind = "tap";
+ };
+ tapConfig = {
+ User = "${config.users.users.soispha.uid}";
+ Group = "libvirtd";
+ };
+ };
+ "virbr0" = {
+ netdevConfig = {
+ Name = "br0";
+ Kind = "bridge";
+ };
+ };
+ };
+ };
+ }
+ // lib.mkIf cfg.networkManager.enable {
+ networking = {
+ networkmanager = {
+ enable = true;
+ dns = "default";
+ wifi = {
+ powersave = true;
+ };
+ };
+ inherit (cfg) hostName;
+ };
+
+ users.users.soispha.extraGroups = [
+ "networkmanager" # allows to configure networkmanager as this user
+ ];
+ };
+}
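Review bot: `config = lib.mkIf cfg.enable {…} // lib.mkIf cfg.networkManager.enable {…};` does not merge the two branches, because `//` is a shallow attribute-set update applied to the two `mkIf` results. The right-hand `condition` and `content` replace the left-hand ones, so the whole `systemd.network` block, including `DNSOverTLS` and `DNSSEC`, is silently dropped. `lib.mkMerge` over a list of the two `mkIf`s is the usual form. In the first branch, `"${config.users.users.soispha.uid}"` interpolates an integer, which Nix will not coerce to a string, so it needs `toString`; the netdev keyed `"virbr0"` is also named `br0` while both networks bridge to `virbr0`. `hostName` is applied only inside the NetworkManager branch, which looks unintended for an option declared without a default.

```nix
  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      # … unchanged: systemd.network.networks, netdevs."tap0".netdevConfig …
            tapConfig = {
              User = toString config.users.users.soispha.uid;
              Group = "libvirtd";
            };
      # … unchanged: netdevs."virbr0" …
    })
    (lib.mkIf cfg.networkManager.enable {
      # … unchanged: networking.networkmanager, hostName, users.users.soispha.extraGroups …
    })
  ];
```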
diff --git a/modules/system/polkit/default.nix b/modules/system/polkit/default.nix
new file mode 100644
index 00000000..fb13505b
--- /dev/null
+++ b/modules/system/polkit/default.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.polkit;
+in {
+ options.soispha.polkit = {
+ enable = lib.mkEnableOption "polkit";
+ };
+ config = lib.mkIf cfg.enable {
+ security.polkit.enable = true;
+ };
+}
diff --git a/modules/system/power/default.nix b/modules/system/power/default.nix
new file mode 100644
index 00000000..13013879
--- /dev/null
+++ b/modules/system/power/default.nix
@@ -0,0 +1,33 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.power;
+in {
+ options.soispha.power = {
+ enable = lib.mkEnableOption "power optimizations";
+ };
+
+ config = lib.mkIf cfg.enable {
+ # see this for reference: https://github.com/NixOS/nixpkgs/issues/211345
+ services = {
+ # conflicts with tlp
+ power-profiles-daemon.enable = false;
+
+ thermald.enable = true;
+
+ tlp = {
+ enable = true;
+ settings = {
+ CPU_BOOST_ON_AC = 1;
+ CPU_BOOST_ON_BAT = 0;
+ CPU_SCALING_GOVERNOR_ON_AC = "performance";
+ CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+ SATA_LINKPWR_ON_AC = "max_performance";
+ SATA_LINKPWR_ON_BAT = "min_power";
+ };
+ };
+ };
+ };
+}
diff --git a/modules/system/secrets/default.nix b/modules/system/secrets/default.nix
new file mode 100644
index 00000000..bbfaf9c1
--- /dev/null
+++ b/modules/system/secrets/default.nix
@@ -0,0 +1,82 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (config.networking) hostName;
+ # mkFakeSecret = secretName: {
+ # name = secretName;
+ # value = {
+ # path = "/dev/null";
+ # };
+ # };
+ # fakeSecrets =
+ # builtins.listToAttrs (lib.debug.traceValSeqN 2 (builtins.map mkFakeSecret
+ # (lib.debug.traceValSeqN 2 (builtins.attrNames secrets))));
+ cfg = config.soispha.secrets;
+in {
+ options.soispha.secrets = {
+ enable = lib.mkEnableOption "secrets through agenix";
+ };
+
+ config = lib.mkIf cfg.enable {
+ age = {
+ secrets = {
+ # TODO: Remove this, as I'm no longer using nheko <2024-05-16>
+ nheko = {
+ file = ./nheko/conf. + hostName;
+ mode = "700";
+ owner = "soispha";
+ group = "users";
+ };
+
+ lf_cd_paths = {
+ file = ./lf/cd_paths;
+ mode = "700";
+ owner = "soispha";
+ group = "users";
+ };
+
+ # FIXME: Reactive when serverphone is merged in tree again <2024-05-11>
+ #
+ # serverphoneCa = {
+ # file = ./serverphone/ca.key;
+ # mode = "700";
+ # owner = "serverphone";
+ # group = "serverphone";
+ # };
+ # serverphoneServer = {
+ # file = ./serverphone/server.key;
+ # mode = "700";
+ # owner = "serverphone";
+ # group = "serverphone";
+ # };
+
+ taskserverPrivate = {
+ file = ./taskserver/private.key;
+ mode = "700";
+ owner = "soispha";
+ group = "users";
+ };
+ taskserverPublic = {
+ file = ./taskserver/public.cert;
+ mode = "700";
+ owner = "soispha";
+ group = "users";
+ };
+ taskserverCA = {
+ file = ./taskserver/ca.cert;
+ mode = "700";
+ owner = "soispha";
+ group = "users";
+ };
+ taskserverCredentials = {
+ file = ./taskserver/credentials;
+ mode = "700";
+ owner = "soispha";
+ group = "users";
+ };
+ };
+ };
+ };
+}
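Review bot: Every entry under `age.secrets` uses `mode = "700"`, which sets the execute bit on key, certificate and credential files that are never executed. `mode = "0400"` (read-only for the owner) or `"0600"` is the tighter choice, e.g. `taskserverPrivate` with `mode = "0400";`. The same applies to the commented-out `serverphoneCa` and `serverphoneServer` entries when they are reactivated. `file = ./nheko/conf. + hostName;` presumably fails at evaluation on any host without a matching file; since the TODO says nheko is no longer used, dropping that entry would remove the per-host dependency.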
diff --git a/sys/secrets/lf/cd_paths b/modules/system/secrets/lf/cd_paths
index fff32c61..fff32c61 100644
--- a/sys/secrets/lf/cd_paths
+++ b/modules/system/secrets/lf/cd_paths
diff --git a/sys/secrets/nheko/conf.apzu b/modules/system/secrets/nheko/conf.apzu
index a4f704ea..a4f704ea 100644
--- a/sys/secrets/nheko/conf.apzu
+++ b/modules/system/secrets/nheko/conf.apzu
diff --git a/sys/secrets/nheko/conf.isimud b/modules/system/secrets/nheko/conf.isimud
index ef6c52b6..ef6c52b6 100644
--- a/sys/secrets/nheko/conf.isimud
+++ b/modules/system/secrets/nheko/conf.isimud
diff --git a/sys/secrets/nheko/conf.tiamat b/modules/system/secrets/nheko/conf.tiamat
index 51cab7df..51cab7df 100644
--- a/sys/secrets/nheko/conf.tiamat
+++ b/modules/system/secrets/nheko/conf.tiamat
diff --git a/sys/secrets/secrets.nix b/modules/system/secrets/secrets.nix
index cd6447b7..cd6447b7 100644
--- a/sys/secrets/secrets.nix
+++ b/modules/system/secrets/secrets.nix
diff --git a/sys/secrets/serverphone/ca.key b/modules/system/secrets/serverphone/ca.key
index d49c5395..d49c5395 100644
--- a/sys/secrets/serverphone/ca.key
+++ b/modules/system/secrets/serverphone/ca.key
diff --git a/sys/secrets/serverphone/server.key b/modules/system/secrets/serverphone/server.key
index a2720406..a2720406 100644
--- a/sys/secrets/serverphone/server.key
+++ b/modules/system/secrets/serverphone/server.key
diff --git a/sys/secrets/taskserver/ca.cert b/modules/system/secrets/taskserver/ca.cert
index 203d62a8..203d62a8 100644
--- a/sys/secrets/taskserver/ca.cert
+++ b/modules/system/secrets/taskserver/ca.cert
diff --git a/sys/secrets/taskserver/credentials b/modules/system/secrets/taskserver/credentials
index f3aaf502..f3aaf502 100644
--- a/sys/secrets/taskserver/credentials
+++ b/modules/system/secrets/taskserver/credentials
diff --git a/sys/secrets/taskserver/private.key b/modules/system/secrets/taskserver/private.key
index 5afecdaf..5afecdaf 100644
--- a/sys/secrets/taskserver/private.key
+++ b/modules/system/secrets/taskserver/private.key
diff --git a/sys/secrets/taskserver/public.cert b/modules/system/secrets/taskserver/public.cert
index 1cf9b5f0..1cf9b5f0 100644
--- a/sys/secrets/taskserver/public.cert
+++ b/modules/system/secrets/taskserver/public.cert
diff --git a/sys/secrets/update.sh b/modules/system/secrets/update.sh
index edc4ae8a..edc4ae8a 100755
--- a/sys/secrets/update.sh
+++ b/modules/system/secrets/update.sh
diff --git a/sys/svcs/adb/default.nix b/modules/system/services/adb/default.nix
index 4055dbb1..4055dbb1 100644
--- a/sys/svcs/adb/default.nix
+++ b/modules/system/services/adb/default.nix
diff --git a/sys/svcs/backup/default.nix b/modules/system/services/backup/default.nix
index 91433bf9..705dcf23 100644
--- a/sys/svcs/backup/default.nix
+++ b/modules/system/services/backup/default.nix
@@ -9,16 +9,18 @@
${pkgs.snap-sync-forked}/bin/snap-sync-forked --UUID "${cfg.backupDiskUuid}" --noconfirm;
${pkgs.util-linux}/bin/umount "/run/media/${cfg.backupDiskUuid}";
'';
- cfg = config.soispha.fs.backup;
+
+ cfg = config.soispha.backup;
in {
- options.soispha.fs.backup = {
- enable = lib.mkEnableOption (lib.mdDoc "backups with snap-sync");
+ options.soispha.backup = {
+ enable = lib.mkEnableOption "backups with my forked snap-sync";
backupDiskUuid = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression "d1d20ae7-3d8a-44da-86da-677dbbb10c89";
- description = lib.mdDoc "The UUID of the backup disk";
+ description = "The UUID of the backup disk";
};
};
+
config = lib.mkIf cfg.enable {
systemd = {
services.backup = {
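Review bot: The option moves from `soispha.fs.backup` to `soispha.backup`, but the other modules under `modules/system/services/` in this commit declare theirs as `soispha.services.<name>` (`fwupd`, `postgresql`, `printing`). `cfg = config.soispha.services.backup;` with a matching `options.soispha.services.backup` would keep the namespace consistent. Host configurations that still set `soispha.fs.backup.*` will hit an unknown-option error unless they are updated in the same series; `lib.mkRenamedOptionModule` in `imports` would give a clearer message. The `let` block starts and the `config` body ends outside this hunk.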
@@ -31,6 +33,7 @@ in {
ExecStart = "${backup-script}/bin/backsnap";
};
};
+
timers.backup = {
wantedBy = ["timers.target"];
unitConfig = {
diff --git a/modules/system/services/dconf/default.nix b/modules/system/services/dconf/default.nix
new file mode 100644
index 00000000..f6598a9b
--- /dev/null
+++ b/modules/system/services/dconf/default.nix
@@ -0,0 +1,7 @@
+{...}: {
+ # needed to make home-manager play nice with some apps. See:
+ # https://nix-community.github.io/home-manager/index.xhtml#_why_do_i_get_an_error_message_about_literal_ca_desrt_dconf_literal_or_literal_dconf_service_literal
+ programs.dconf.enable = true;
+ # FIXME: This should also be parameterized. <2024-05-16>
+}
+# vim: nolinebreak nowrap textwidth=0
diff --git a/sys/svcs/default.nix b/modules/system/services/default.nix
index 56a16055..76ef26e2 100644
--- a/sys/svcs/default.nix
+++ b/modules/system/services/default.nix
@@ -1,16 +1,16 @@
{...}: {
imports = [
+ #./serverphone
./adb
./backup
./dconf
./fwupd
- ./getty
+ ./issue_file
./nix
./openssh
./postgresql
./printing
./scanning
- #./serverphone
./snapper
./steam
./swaylock
diff --git a/modules/system/services/fwupd/default.nix b/modules/system/services/fwupd/default.nix
new file mode 100644
index 00000000..5ad4f467
--- /dev/null
+++ b/modules/system/services/fwupd/default.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.services.fwupd;
+in {
+ options.soispha.services.fwupd = {
+ enable = lib.mkEnableOption "fwupd";
+ };
+ config = lib.mkIf cfg.enable {
+ services.fwupd.enable = true;
+ };
+}
diff --git a/sys/svcs/getty/default.nix b/modules/system/services/issue_file/default.nix
index 7e8a4e46..930be1d9 100644
--- a/sys/svcs/getty/default.nix
+++ b/modules/system/services/issue_file/default.nix
@@ -1,10 +1,7 @@
-{
- lib,
- config,
- ...
-}: {
- services.getty = {
- greetingLine = lib.mkForce ''
+{config, ...}: {
+ environment.etc.issue = {
+ # Friendly greeting on the virtual consoles.
+ text = ''
[?25l[?7l 
 ▗▄▄▄ ▗▄▄▄▄ ▄▄▄▖ 
 ▜███▙ ▜███▙ ▟███▛ 
@@ -27,7 +24,7 @@
 ▟███▛ ▜███▙ ▜███▙ 
 ▝▀▀▀ ▀▀▀▀▘ ▀▀▀▘ 
 
-  NixOS ${config.system.nixos.label} 
+  NixOS ${config.system.nixos.label} 
 --------------

  date: \d
diff --git a/sys/svcs/nix/default.nix b/modules/system/services/nix/default.nix
index 5766fcdd..65fc7273 100644
--- a/sys/svcs/nix/default.nix
+++ b/modules/system/services/nix/default.nix
@@ -1,5 +1,6 @@
{
pkgs,
+
# flakes
nixpkgs_as_input,
templates,
diff --git a/sys/svcs/openssh/default.nix b/modules/system/services/openssh/default.nix
index b733dbe7..b733dbe7 100644
--- a/sys/svcs/openssh/default.nix
+++ b/modules/system/services/openssh/default.nix
diff --git a/modules/system/services/postgresql/default.nix b/modules/system/services/postgresql/default.nix
new file mode 100644
index 00000000..c47a235c
--- /dev/null
+++ b/modules/system/services/postgresql/default.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.services.postgresql;
+in {
+ options.soispha.services.postgresql = {
+ enable = lib.mkEnableOption "postgresql";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.postgresql = {
+ enable = true;
+ };
+ };
+}
diff --git a/modules/system/services/printing/default.nix b/modules/system/services/printing/default.nix
new file mode 100644
index 00000000..85d15b16
--- /dev/null
+++ b/modules/system/services/printing/default.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.services.printing;
+in {
+ options.soispha.services.printing = {
+ enable = lib.mkEnableOption "default printing configuration";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.avahi = {
+ enable = true;
+ nssmdns4 = true;
+ nssmdns6 = true;
+ openFirewall = true;
+ };
+
+ services.printing = {
+ enable = true;
+ startWhenNeeded = true;
+ webInterface = true;
+
+ # deletes `/var/cache/cups`, `/var/lib/cups` and `/var/spool/cups` on cups startup
+ stateless = true;
+
+ drivers = [];
+ };
+
+ hardware = {
+ printers = {
+ ensurePrinters = [
+ {
+ name = "Brother";
+ description = "Brother DCP-9022CDW";
+ model = "everywhere";
+ deviceUri = "dnssd://Brother%20DCP-9022CDW._ipp._tcp.local/?uuid=e3248000-80ce-11db-8000-30055c773bcf";
+ }
+ ];
+ ensureDefaultPrinter = "Brother";
+ };
+ };
+ };
+}
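Review bot: Enabling `soispha.services.printing` also turns on Avahi with `openFirewall = true`, so the host accepts mDNS traffic (UDP 5353) on every network it joins, and the option description "default printing configuration" does not say so. I would put that in the description, e.g. `lib.mkEnableOption "default printing configuration (also enables Avahi and opens the mDNS firewall port)"`. If discovery is only needed on one network, `services.avahi.allowInterfaces` can limit it. The `ensurePrinters` entry hard-codes one device's URI and UUID in a module that is otherwise reusable; it would fit better as a per-host option.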
diff --git a/modules/system/services/scanning/default.nix b/modules/system/services/scanning/default.nix
new file mode 100644
index 00000000..dda507fa
--- /dev/null
+++ b/modules/system/services/scanning/default.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.soispha.services.scanning;
+in {
+ options.soispha.services.scanning = {
+ enable = lib.mkEnableOption "default scanning configuration";
+ };
+
+ config = lib.mkIf cfg.enable {
+ hardware = {
+ sane = {
+ enable = true;
+ extraBackends = [pkgs.sane-airscan];
+ };
+ };
+
+ users.users.soispha.extraGroups = [
+ "scanner" # for permission to access the scanner.
+ ];
+ };
+}
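Review bot: `users.users.soispha.extraGroups` names the user directly, so enabling scanning on a host where `soispha.users.enable` is off still defines a partial `soispha` user. NixOS will most likely reject that, since neither `isNormalUser` nor `isSystemUser` is set for it there. Guarding the assignment, e.g. `users.users.soispha.extraGroups = lib.mkIf config.soispha.users.enable ["scanner"];`, keeps the two modules independent.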
diff --git a/sys/svcs/serverphone/certificates/ca.crt b/modules/system/services/serverphone/certificates/ca.crt
index 7a4ae6f9..7a4ae6f9 100644
--- a/sys/svcs/serverphone/certificates/ca.crt
+++ b/modules/system/services/serverphone/certificates/ca.crt
diff --git a/sys/svcs/serverphone/certificates/server.crt b/modules/system/services/serverphone/certificates/server.crt
index f994cdc8..f994cdc8 100644
--- a/sys/svcs/serverphone/certificates/server.crt
+++ b/modules/system/services/serverphone/certificates/server.crt
diff --git a/sys/svcs/serverphone/default.nix b/modules/system/services/serverphone/default.nix
index 20125a75..20125a75 100644
--- a/sys/svcs/serverphone/default.nix
+++ b/modules/system/services/serverphone/default.nix
diff --git a/sys/svcs/serverphone/keys/key_1 b/modules/system/services/serverphone/keys/key_1
index 67720882..67720882 120000
--- a/sys/svcs/serverphone/keys/key_1
+++ b/modules/system/services/serverphone/keys/key_1
diff --git a/sys/svcs/serverphone/keys/key_2 b/modules/system/services/serverphone/keys/key_2
index 24df7207..24df7207 120000
--- a/sys/svcs/serverphone/keys/key_2
+++ b/modules/system/services/serverphone/keys/key_2
diff --git a/modules/system/services/snapper/default.nix b/modules/system/services/snapper/default.nix
new file mode 100644
index 00000000..bf8201a4
--- /dev/null
+++ b/modules/system/services/snapper/default.nix
@@ -0,0 +1,53 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.services.snapper;
+in {
+ options.soispha.services.snapper = {
+ enable = lib.mkEnableOption "snapper config";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.snapper = {
+ configs = {
+ srv = {
+ SUBVOLUME = "/srv";
+ FSTYPE = "btrfs";
+ # users and groups allowed to work with config
+ ALLOW_GROUPS = ["wheel"];
+
+ # sync users and groups from ALLOW_USERS and ALLOW_GROUPS to .snapshots
+ # directory
+ SYNC_ACL = true;
+
+ # run daily number cleanup
+ NUMBER_CLEANUP = false;
+
+ # limit for number cleanup
+ NUMBER_MIN_AGE = 1800;
+ NUMBER_LIMIT = 50;
+ NUMBER_LIMIT_IMPORTANT = 10;
+
+ # create hourly snapshots
+ TIMELINE_CREATE = true;
+
+ # cleanup hourly snapshots after some time
+ TIMELINE_CLEANUP = true;
+
+ # limits for timeline cleanup
+ TIMELINE_MIN_AGE = 1800;
+ TIMELINE_LIMIT_HOURLY = 7;
+ TIMELINE_LIMIT_DAILY = 3;
+ TIMELINE_LIMIT_WEEKLY = 2;
+ TIMELINE_LIMIT_MONTHLY = 0;
+ TIMELINE_LIMIT_YEARLY = 2;
+
+ # cleanup empty pre-post-pairs
+ EMPTY_PRE_POST_CLEANUP = true;
+ };
+ };
+ };
+ };
+}
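Review bot: The comment `# run daily number cleanup` sits directly above `NUMBER_CLEANUP = false;`, so it states the opposite of what is configured. The `NUMBER_MIN_AGE`, `NUMBER_LIMIT` and `NUMBER_LIMIT_IMPORTANT` values below it presumably have no effect while the cleanup is off. I would reword it to `# number cleanup is disabled; the NUMBER_* limits below only apply once it is enabled`. A comment next to `ALLOW_GROUPS = ["wheel"]` and `SYNC_ACL = true` would also help, noting that every `wheel` member can work with the `/srv` snapshots, which keep files after they are deleted from the live subvolume.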
diff --git a/sys/svcs/steam/default.nix b/modules/system/services/steam/default.nix
index 54091493..6e507fd9 100644
--- a/sys/svcs/steam/default.nix
+++ b/modules/system/services/steam/default.nix
@@ -7,16 +7,16 @@
cfg = config.soispha.services.steam;
in {
options.soispha.services.steam = {
- enable = lib.mkOption {
- default = false;
- description = lib.mdDoc "Steam";
- };
+ enable = lib.mkEnableOption "Stream";
};
+
config = lib.mkIf cfg.enable {
programs.steam = {
enable = true;
};
+
environment.systemPackages = [
+ # TODO: Why is this package needed? <2024-05-16>
pkgs.wineWowPackages.waylandFull
];
};
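Review bot: The new option description reads `lib.mkEnableOption "Stream"`, while the removed description and the option path both say Steam, so this looks like a typo that will show up in the generated option docs. It should be `enable = lib.mkEnableOption "Steam";`. The module body starts outside this hunk.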
diff --git a/sys/svcs/swaylock/default.nix b/modules/system/services/swaylock/default.nix
index 6cbcef28..6cbcef28 100644
--- a/sys/svcs/swaylock/default.nix
+++ b/modules/system/services/swaylock/default.nix
diff --git a/sys/svcs/xdg/default.nix b/modules/system/services/xdg/default.nix
index 5140a832..5140a832 100644
--- a/sys/svcs/xdg/default.nix
+++ b/modules/system/services/xdg/default.nix
diff --git a/sys/svcs/xdg/scripts/lf_wrapper.sh b/modules/system/services/xdg/scripts/lf_wrapper.sh
index 16603fe4..16603fe4 100755
--- a/sys/svcs/xdg/scripts/lf_wrapper.sh
+++ b/modules/system/services/xdg/scripts/lf_wrapper.sh
diff --git a/sys/svcs/xdg/scripts/ranger_wrapper.sh b/modules/system/services/xdg/scripts/ranger_wrapper.sh
index e148bf19..e148bf19 100755
--- a/sys/svcs/xdg/scripts/ranger_wrapper.sh
+++ b/modules/system/services/xdg/scripts/ranger_wrapper.sh
diff --git a/modules/system/sound/default.nix b/modules/system/sound/default.nix
new file mode 100644
index 00000000..f49cf95a
--- /dev/null
+++ b/modules/system/sound/default.nix
@@ -0,0 +1,38 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.sound;
+in {
+ options.soispha.sound = {
+ enable = lib.mkEnableOption "sound based on pipewire";
+ };
+
+ config = lib.mkIf cfg.enable {
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
+
+ # TODO: Find a better way to set the default volume <2024-03-10>
+ #
+ # environment.etc.pipewire-pulse-config = {
+ # target = "pipewire/pipewire-pulse.conf.d/pipewire-pulse-config.conf";
+ # text = ''
+ # # Extra scripts can be started here. Setup in default.pa can be moved in
+ # # a script or in pulse.cmd below
+ # context.exec = [
+ # { path = "${pkgs.pulseaudio}/bin/pactl" args = "set-sink-volume 0 13%" }
+ # ]
+ # '';
+ # };
+ };
+}
diff --git a/modules/system/tempfiles/default.nix b/modules/system/tempfiles/default.nix
new file mode 100644
index 00000000..fa17f112
--- /dev/null
+++ b/modules/system/tempfiles/default.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.temfiles;
+in {
+ options.soispha.tempfiles = {
+ enable = lib.mkEnableOption "systemd tempfiles generation";
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.tmpfiles.rules = [
+ # TODO: Find a way to move this file to the lf home manager config.
+ #
+ # This file is needed to trash stuff on the root ('/') temp file system.
+ "d /.Trash 1777 root root"
+ ];
+ };
+}
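Review bot: `cfg` reads `config.soispha.temfiles`, but the option is declared as `options.soispha.tempfiles`, so evaluating `cfg.enable` should fail with a missing-attribute error once this module is imported. The binding should be `cfg = config.soispha.tempfiles;`. Separately, the comment calls `/.Trash` a file while the rule creates a directory with mode 1777. A short comment saying the world-writable mode with the sticky bit is intentional for a shared trash directory would help the next reader.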
diff --git a/modules/system/users/default.nix b/modules/system/users/default.nix
new file mode 100644
index 00000000..a44df7e8
--- /dev/null
+++ b/modules/system/users/default.nix
@@ -0,0 +1,50 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.users;
+in {
+ options.soispha.users = {
+ enable = lib.mkEnableOption "user set-up for soispha";
+ hashedPassword = lib.mkOption {
+ type = lib.types.str;
+ example = lib.literalExpression "$y$jFT$ONrCqZIJKB7engmfA4orD/$0GO58/wV5wrYWj0cyONhyujZPjFmbT0XKtx2AvXLG0B";
+ description = "The hashed password of the user";
+ };
+ groups = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = ["wheel"];
+ description = "The groups the soispha user should be part of";
+ };
+
+ # Although deprecated, this helps with old udev rules, that still use this group.
+ # TODO: Try to find a way to remove this option (i.e. set it always to false).
+ enableDeprecatedPlugdev = lib.mkEnableOption "the deprecated plugdev group for the user";
+ };
+
+ config = lib.mkIf cfg.enable {
+ # Ensure that the default shell of the user is actually enabled.
+ programs.zsh.enable = true;
+
+ users = {
+ mutableUsers = false;
+
+ users.soispha = {
+ isNormalUser = true;
+ home = "/home/soispha";
+ createHome = true;
+ shell = pkgs.zsh;
+ initialHashedPassword = cfg.hashedPassword;
+ extraGroups = cfg.groups ++ lib.optional cfg.enableDeprecatedPlugdev "plugdev";
+
+ uid = 1000;
+ openssh.authorizedKeys.keys = [
+ # TODO: This should be parameterized. <2024-05-16>
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME4ZVa+IoZf6T3U08JG93i6QIAJ4amm7mkBzO14JSkz"
+ ];
+ };
+ };
+ };
+}
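Review bot: `hashedPassword` is a plain string option, so whatever hash a host passes in is copied into the world-readable Nix store, where any local user can read it and work on it offline. NixOS provides `users.users.<name>.hashedPasswordFile` for this; taking a path option and setting `hashedPasswordFile = cfg.hashedPasswordFile;` keeps the hash out of the store, provided the file itself lives outside it. With `mutableUsers = false` the name `initialHashedPassword` is also misleading, because the value is presumably enforced on every rebuild rather than only at first creation. The `example` wraps a non-Nix string in `lib.literalExpression`; a plain string with an obviously fake value, e.g. `example = "$y$j9T$<salt>$<hash>";`, would render correctly and leave no doubt about whether the sample is a real credential.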
diff --git a/modules/system/version/default.nix b/modules/system/version/default.nix
new file mode 100644
index 00000000..77cada14
--- /dev/null
+++ b/modules/system/version/default.nix
@@ -0,0 +1,19 @@
+{
+ config,
+ lib,
+ self,
+ ...
+}: let
+ cfg = config.soispha.version;
+in {
+ options.soispha.version = {
+ enable = lib.mkEnableOption "storing the git revision in /etc/nixos_git_rev";
+ };
+ config = lib.mkIf cfg.enable {
+ environment.etc.nixos_git_rev = {
+ text = builtins.toString (self.longRev
+ or self.lastModified
+ or "unknown");
+ };
+ };
+}
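Review bot: `self.longRev` is not an attribute a flake's `self` normally carries; the full hash is `self.rev`, with `shortRev` and `dirtyRev` alongside. If `self` here is the flake itself, the first branch never matches and `/etc/nixos_git_rev` ends up holding the `lastModified` timestamp instead of a commit. Assuming that is the case, `text = builtins.toString (self.rev or self.dirtyRev or "unknown");` records a value that can be matched to a commit when checking what a machine is running. If `self` is a custom argument that does define `longRev`, a comment saying so would avoid the confusion.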
diff --git a/sys/waydroid/default.nix b/modules/system/waydroid/default.nix
index 09c388a6..4680db63 100644
--- a/sys/waydroid/default.nix
+++ b/modules/system/waydroid/default.nix
@@ -1,4 +1,5 @@
{...}: {
# FIXME: Running `waydroid session start` causes all fuse mounts instances to coredump <2023-09-02>
+ # Thus this setting must be false.
virtualisation.waydroid.enable = false;
}