diff --git a/classes/desktop/clipboard.nix b/classes/desktop/clipboard.nix
new file mode 100644
index 0000000..cab0c1c
--- /dev/null
+++ b/classes/desktop/clipboard.nix
@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+ environment.systemPackages = [pkgs.wl-clipboard];
+}
diff --git a/classes/desktop/flatpak.nix b/classes/desktop/flatpak.nix
new file mode 100644
index 0000000..1ff0c53
--- /dev/null
+++ b/classes/desktop/flatpak.nix
@@ -0,0 +1,3 @@
+{
+ services.flatpak.enable = true;
+}
diff --git a/classes/desktop/fonts.nix b/classes/desktop/fonts.nix
new file mode 100644
index 0000000..48e47b6
--- /dev/null
+++ b/classes/desktop/fonts.nix
@@ -0,0 +1,27 @@
+{pkgs, ...}: {
+ fonts = {
+ enableDefaultPackages = true;
+ packages = [
+ pkgs.noto-fonts
+ pkgs.noto-fonts-extra
+ pkgs.noto-fonts-cjk-sans
+ pkgs.noto-fonts-cjk-serif
+ pkgs.noto-fonts-monochrome-emoji
+ pkgs.noto-fonts-color-emoji
+ (pkgs.nerdfonts.override {fonts = ["FiraCode"];})
+ ];
+
+ fontconfig = {
+ enable = true;
+
+ defaultFonts = {
+ monospace = ["FiraCode Nerd Font"];
+ sansSerif = ["Noto Sans"];
+ serif = ["Noto Serif"];
+ emoji = ["Noto Color Emoji" "Noto Emoji"];
+ };
+ };
+
+ fontDir.enable = true;
+ };
+}
diff --git a/classes/desktop/fs.nix b/classes/desktop/fs.nix
new file mode 100644
index 0000000..03989d2
--- /dev/null
+++ b/classes/desktop/fs.nix
@@ -0,0 +1,15 @@
+{
+ boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
+
+ fileSystems = {
+ "/" = {
+ fsType = "ext4";
+ device = "/dev/mapper/main";
+ options = ["noatime"];
+ };
+ "/boot" = {
+ label = "BOOT";
+ fsType = "vfat";
+ };
+ };
+}
diff --git a/classes/desktop/gamemode.nix b/classes/desktop/gamemode.nix
new file mode 100644
index 0000000..36e3c0d
--- /dev/null
+++ b/classes/desktop/gamemode.nix
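Review bot: The `/boot` entry in classes/desktop/fs.nix mounts the ESP with vfat's default permissions, so the kernel, initrd and bootloader entries on it are readable by every local account; add `options = ["umask=0077"];` beside `fsType = "vfat";`, mirroring the explicit `options = ["noatime"];` already given for `/`. The LUKS container is addressed by label and the root filesystem by its mapper name, which works, but a one-line comment naming the expected layout, `# LUKS container labelled cryptmain, opened as /dev/mapper/main`, would help whoever reinstalls a desktop-class host.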
@@ -0,0 +1,18 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ programs.gamemode = {
+ enable = true;
+ settings = {
+ general = {
+ renice = 10;
+ };
+ custom = {
+ start = "${lib.getExe pkgs.libnotify} 'GameMode started'";
+ end = "${lib.getExe pkgs.libnotify} 'GameMode stopped'";
+ };
+ };
+ };
+}
diff --git a/classes/desktop/hardware.nix b/classes/desktop/hardware.nix
new file mode 100644
index 0000000..476bbf1
--- /dev/null
+++ b/classes/desktop/hardware.nix
@@ -0,0 +1,20 @@
+{pkgs, ...}: {
+ hardware = {
+ bluetooth.enable = true;
+ xone.enable = true;
+ xpadneo.enable = true;
+ opentabletdriver.enable = true;
+ graphics = {
+ enable = true;
+ enable32Bit = true;
+ extraPackages = [
+ pkgs.libvdpau-va-gl
+ pkgs.vaapiVdpau
+ ];
+ extraPackages32 = [
+ pkgs.pkgsi686Linux.libvdpau-va-gl
+ pkgs.pkgsi686Linux.vaapiVdpau
+ ];
+ };
+ };
+}
diff --git a/classes/desktop/location.nix b/classes/desktop/location.nix
new file mode 100644
index 0000000..285b45d
--- /dev/null
+++ b/classes/desktop/location.nix
@@ -0,0 +1,5 @@
+{
+ location.provider = "geoclue2";
+
+ services.automatic-timezoned.enable = true;
+}
diff --git a/classes/desktop/mullvad.nix b/classes/desktop/mullvad.nix
new file mode 100644
index 0000000..31d3c05
--- /dev/null
+++ b/classes/desktop/mullvad.nix
@@ -0,0 +1,6 @@
+{pkgs, ...}: {
+ services.mullvad-vpn = {
+ enable = true;
+ package = pkgs.mullvad-vpn;
+ };
+}
diff --git a/classes/desktop/neovide.nix b/classes/desktop/neovide.nix
new file mode 100644
index 0000000..6821dbf
--- /dev/null
+++ b/classes/desktop/neovide.nix
@@ -0,0 +1,5 @@
+{pkgs, ...}: let
+ package = pkgs.neovide;
+in {
+ environment.systemPackages = [package];
+}
diff --git a/classes/desktop/networking.nix b/classes/desktop/networking.nix
new file mode 100644
index 0000000..1844edb
--- /dev/null
+++ b/classes/desktop/networking.nix
@@ -0,0 +1,37 @@
+{
+ services.resolved.enable = true;
+
+ networking = {
+ networkmanager = {
+ enable = true;
+ dns = "systemd-resolved";
+ };
+ firewall = {
+ allowedTCPPorts = [
+ # Spotify track sync
+ 57621
+ # Steam Remote Play
+ 27036
+ # Source Dedicated Server SRCDS Rcon port
+ 27015
+ # Syncthing TCP based sync protocol traffic
+ 22000
+ ];
+ allowedUDPPorts = [
+ # Source Dedicated Server gameplay traffic
+ 27015
+ # Syncthing QUIC based sync protocol traffic
+ 22000
+ # Syncthing port for discovery broadcasts on IPv4 and multicasts on IPv6
+ 21027
+ ];
+ allowedUDPPortRanges = [
+ # Steam Remote Play
+ {
+ from = 27031;
+ to = 27036;
+ }
+ ];
+ };
+ };
+}
diff --git a/classes/desktop/pipewire.nix b/classes/desktop/pipewire.nix
new file mode 100644
index 0000000..f22fcef
--- /dev/null
+++ b/classes/desktop/pipewire.nix
@@ -0,0 +1,12 @@
+{
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+
+ services.pipewire = {
+ enable = true;
+ wireplumber.enable = true;
+ alsa.enable = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
+}
diff --git a/classes/desktop/plasma.nix b/classes/desktop/plasma.nix
new file mode 100644
index 0000000..41f2ecf
--- /dev/null
+++ b/classes/desktop/plasma.nix
@@ -0,0 +1,25 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ services = {
+ desktopManager.plasma6.enable = true;
+ displayManager.sddm = {
+ enable = true;
+ wayland.enable = true;
+ };
+ };
+
+ environment.systemPackages = with pkgs.kdePackages; [sddm-kcm discover kate];
+
+ programs = {
+ kdeconnect.enable = true;
+ partition-manager.enable = true;
+ };
+
+ xdg.portal = {
+ xdgOpenUsePortal = true;
+ extraPortals = [pkgs.xdg-desktop-portal-gtk];
+ };
+}
diff --git a/classes/desktop/printing.nix b/classes/desktop/printing.nix
new file mode 100644
index 0000000..a7b3b55
--- /dev/null
+++ b/classes/desktop/printing.nix
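Review bot: `allowedTCPPorts` in classes/desktop/networking.nix opens 27015, commented as the SRCDS RCON port, together with the Steam and Syncthing ports on every interface of every desktop-class host, whether or not that host ever runs a dedicated server. RCON is an administrative interface, so that entry belongs with the host that actually runs the server, or at least scoped with `networking.firewall.interfaces.<iface>.allowedTCPPorts` to the LAN-facing interface. The Syncthing entries (22000 TCP/UDP, 21027 UDP) duplicate what `services.syncthing.openDefaultPorts = true;` provides next to the service in syncthing.nix, which would keep the port open only where Syncthing is enabled. A short comment at the top of the firewall block saying these are class-wide defaults meant for every desktop would also make the intent explicit.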
@@ -0,0 +1,10 @@
+{
+ services = {
+ printing = {
+ enable = true;
+ webInterface = true;
+ cups-pdf.enable = true;
+ };
+ system-config-printer.enable = true;
+ };
+}
diff --git a/classes/desktop/syncthing.nix b/classes/desktop/syncthing.nix
new file mode 100644
index 0000000..0ec4025
--- /dev/null
+++ b/classes/desktop/syncthing.nix
@@ -0,0 +1,9 @@
+{
+ services.syncthing = {
+ enable = true;
+ overrideDevices = false;
+ overrideFolders = false;
+ };
+
+ systemd.user.services.syncthing.wantedBy = ["default.target"];
+}
diff --git a/classes/desktop/vm.nix b/classes/desktop/vm.nix
new file mode 100644
index 0000000..d923a08
--- /dev/null
+++ b/classes/desktop/vm.nix
@@ -0,0 +1,4 @@
+{
+ virtualisation.libvirtd.enable = true;
+ programs.virt-manager.enable = true;
+}
diff --git a/classes/desktop/wine.nix b/classes/desktop/wine.nix
new file mode 100644
index 0000000..632cc98
--- /dev/null
+++ b/classes/desktop/wine.nix
@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+ environment.systemPackages = [pkgs.wineWowPackages.stableFull];
+}
diff --git a/common/fs.nix b/classes/server/fs.nix
similarity index 85%
rename from common/fs.nix
rename to classes/server/fs.nix
index e08bddd..9c13b89 100644
--- a/common/fs.nix
+++ b/classes/server/fs.nix
@@ -1,6 +1,4 @@
 {
- boot.tmp.cleanOnBoot = true;
-
 fileSystems = {
 "/" = {
 fsType = "ext4";
diff --git a/common/time.nix b/classes/server/time.nix
similarity index 100%
rename from common/time.nix
rename to classes/server/time.nix
diff --git a/common/boot.nix b/common/boot.nix
index a77c2d5..403a4a4 100644
--- a/common/boot.nix
+++ b/common/boot.nix
@@ -11,5 +11,6 @@
 efiSysMountPoint = "/boot";
 };
 };
+ tmp.cleanOnBoot = true;
 };
 }
diff --git a/common/fish.nix b/common/fish.nix
new file mode 100644
index 0000000..fc9c0ae
--- /dev/null
+++ b/common/fish.nix
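Review bot: classes/desktop/syncthing.nix enables the system-wide `services.syncthing` and, in the same file, sets `systemd.user.services.syncthing.wantedBy = ["default.target"];`; if that name resolves to the package's per-user unit, every login starts a second Syncthing instance that competes with the system service for the same default listen and GUI ports. If a per-user instance is what is wanted, drop the `services.syncthing` block; if the system service is wanted, drop the `systemd.user` line. I cannot see from this hunk whether something else defines that user unit, so a comment stating which instance is intended and why would settle it either way.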
@@ -0,0 +1,15 @@
+{pkgs, ...}: {
+ programs.fish.enable = true;
+
+ users.defaultUserShell = pkgs.fish;
+
+ nixpkgs.overlays = [
+ (final: prev: {
+ fish = prev.fish.overrideAttrs (_: {
+ postInstall = ''
+ rm $out/share/applications/fish.desktop
+ '';
+ });
+ })
+ ];
+}
diff --git a/common/user.nix b/common/user.nix
new file mode 100644
index 0000000..78511b7
--- /dev/null
+++ b/common/user.nix
@@ -0,0 +1,13 @@
+{lib, ...}: let
+ inherit (lib) types;
+in {
+ options = {
+ users.mainUser = lib.mkOption {
+ type = types.passwdEntry types.str;
+ default = "lukas";
+ description = ''
+ The main user.
+ '';
+ };
+ };
+}
diff --git a/common/users.nix b/common/users.nix
index ff79f5d..f62fbf8 100644
--- a/common/users.nix
+++ b/common/users.nix
@@ -1,5 +1,11 @@
-{config, ...}: {
- age.secrets.user-lukas.file = ../secrets/user-lukas.age;
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (config.users) mainUser;
+in {
+ age.secrets = lib.mkSecrets {"user-${mainUser}" = {};};
 
 users = {
 mutableUsers = false;
@@ -9,10 +15,10 @@
 hashedPassword = "!";
 openssh.authorizedKeys.keys = builtins.attrValues (import ../pubkeys.nix).hosts;
 };
- lukas = {
+ ${mainUser} = {
 uid = 1000;
 isNormalUser = true;
- hashedPasswordFile = config.age.secrets.user-lukas.path;
+ hashedPasswordFile = config.age.secrets."user-${mainUser}".path;
 openssh.authorizedKeys.keys = builtins.attrValues (import ../pubkeys.nix).users;
 extraGroups = ["wheel"];
 };
diff --git a/flake.lock b/flake.lock
index 392a5a0..864cdc1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -48,11 +48,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1727826117,
- "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+ "lastModified": 1730504689,
+ "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+ "rev": "506278e768c2a08bec68eb62932193e341f55c90",
 "type": "github"
 },
 "original": {
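Review bot: The `users.mainUser` option in common/user.nix is documented only as `The main user.`, yet the users.nix hunk in this same commit uses the value to name the agenix secret (`lib.mkSecrets {"user-${mainUser}" = {};}`) and as the uid-1000 account, so changing it silently requires a matching `secrets/user-<name>.age`. Suggest the description `Name of the primary interactive account (uid 1000). It also selects the agenix secret user-<name>.age holding the hashed password, so a rename needs that secret to exist.` A reader of user.nix alone has no way to discover that coupling otherwise.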
@@ -63,11 +63,11 @@
 },
 "hardware": {
 "locked": {
- "lastModified": 1729742320,
- "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
+ "lastModified": 1732483221,
+ "narHash": "sha256-kF6rDeCshoCgmQz+7uiuPdREVFuzhIorGOoPXMalL2U=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
+ "rev": "45348ad6fb8ac0e8415f6e5e96efe47dd7f39405",
 "type": "github"
 },
 "original": {
@@ -115,23 +115,23 @@
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1727825735,
- "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+ "lastModified": 1730504152,
+ "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+ "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
 },
 "original": {
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+ "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
 }
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1729880355,
- "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=",
+ "lastModified": 1732837521,
+ "narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "18536bf04cd71abd345f9579158841376fdd0c5a",
+ "rev": "970e93b9f82e2a0f3675757eb0bfc73297cc6370",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 9bf3036..169f317 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,35 +16,17 @@
 flake-parts.lib.mkFlake {inherit inputs;} {
 systems = ["x86_64-linux" "aarch64-linux"];
 
- flake = {
- nixosConfigurations = let
- lib = nixpkgs.lib.extend (import ./lib.nix);
+ flake = let
+ lib = nixpkgs.lib.extend (import ./lib.nix);
+ in {
+ inherit lib;
 
- commonNixosSystem = name:
- lib.nixosSystem {
- specialArgs = {
- inherit inputs lib;
- attrName = name;
- };
-
- modules =
- (lib.findModules [
- ./common
- ./hosts/${name}
- ])
- ++ [
- inputs.agenix.nixosModules.default
- {networking.hostName = lib.mkDefault name;}
- ];
- };
-
- genHosts = lib.pipe (builtins.readDir ./hosts) [
- (lib.filterAttrs (_: type: type == "directory"))
- builtins.attrNames
- lib.genAttrs
+ nixosConfigurations = lib.genNixosConfigurations {
+ inherit inputs;
+ extraModules = [
+ inputs.agenix.nixosModules.default
 ];
- in
- genHosts commonNixosSystem;
+ };
 };
 
 perSystem = {
diff --git a/hosts/desktop/flamingo/hardware.nix b/hosts/desktop/flamingo/hardware.nix
new file mode 100644
index 0000000..3e77692
--- /dev/null
+++ b/hosts/desktop/flamingo/hardware.nix
@@ -0,0 +1,23 @@
+{
+ inputs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ "${modulesPath}/installer/scan/not-detected.nix"
+
+ inputs.hardware.nixosModules.lenovo-thinkpad-t480
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ boot = {
+ initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
+ kernelModules = ["kvm-intel"];
+ };
+
+ powerManagement.cpuFreqGovernor = "powersave";
+
+ console.keyMap = "de";
+ services.xserver.layout = "de";
+}
diff --git a/hosts/desktop/flamingo/system.nix b/hosts/desktop/flamingo/system.nix
new file mode 100644
index 0000000..a05de83
--- /dev/null
+++ b/hosts/desktop/flamingo/system.nix
@@ -0,0 +1,3 @@
+{
+ system.stateVersion = "24.11";
+}
diff --git a/hosts/desktop/glacier/hardware.nix b/hosts/desktop/glacier/hardware.nix
new file mode 100644
index 0000000..b55c9fc
--- /dev/null
+++ b/hosts/desktop/glacier/hardware.nix
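Review bot: `services.xserver.layout = "de";` at the end of hosts/desktop/flamingo/hardware.nix uses the option name that recent nixpkgs has moved under `services.xserver.xkb`; on the nixpkgs revision this commit pins in flake.lock the old name most likely still evaluates through a rename alias that prints a warning on every build, so prefer `services.xserver.xkb.layout = "de";`. The keyboard lines are also the only non-hardware settings in a file named hardware.nix; if they stay here, a comment such as `# German keyboard for both the console and the graphical session` explains why they travel with the host rather than with the desktop class.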
@@ -0,0 +1,26 @@
+{
+ inputs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ "${modulesPath}/installer/scan/not-detected.nix"
+
+ inputs.hardware.nixosModules.common-cpu-amd
+ inputs.hardware.nixosModules.common-gpu-amd
+ inputs.hardware.nixosModules.common-pc-ssd
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ boot = {
+ initrd = {
+ availableKernelModules = ["nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
+ kernelModules = ["amdgpu"];
+ };
+ kernelModules = ["kvm-amd"];
+ binfmt.emulatedSystems = ["aarch64-linux"];
+ };
+
+ powerManagement.cpuFreqGovernor = "performance";
+}
diff --git a/hosts/desktop/glacier/system.nix b/hosts/desktop/glacier/system.nix
new file mode 100644
index 0000000..a05de83
--- /dev/null
+++ b/hosts/desktop/glacier/system.nix
@@ -0,0 +1,3 @@
+{
+ system.stateVersion = "24.11";
+}
diff --git a/hosts/abacus/acme.nix b/hosts/server/abacus/acme.nix
similarity index 100%
rename from hosts/abacus/acme.nix
rename to hosts/server/abacus/acme.nix
diff --git a/hosts/abacus/backup.nix b/hosts/server/abacus/backup.nix
similarity index 89%
rename from hosts/abacus/backup.nix
rename to hosts/server/abacus/backup.nix
index d2b394b..9156ae9 100644
--- a/hosts/abacus/backup.nix
+++ b/hosts/server/abacus/backup.nix
@@ -1,9 +1,10 @@
 {
 attrName,
 config,
+ lib,
 ...
 }: {
- age.secrets."restic-${attrName}".file = ../../secrets/restic-${attrName}.age;
+ age.secrets = lib.mkSecrets {"restic-${attrName}" = {};};
 
 services.restic.backups.${attrName} = {
 repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
diff --git a/hosts/abacus/fs.nix b/hosts/server/abacus/fs.nix
similarity index 100%
rename from hosts/abacus/fs.nix
rename to hosts/server/abacus/fs.nix
diff --git a/hosts/server/abacus/hardware.nix b/hosts/server/abacus/hardware.nix
new file mode 100644
index 0000000..dd4182c
--- /dev/null
+++ b/hosts/server/abacus/hardware.nix
@@ -0,0 +1,9 @@
+{modulesPath, ...}: {
+ imports = ["${modulesPath}/profiles/qemu-guest.nix"];
+
+ nixpkgs.hostPlatform = "aarch64-linux";
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"];
+
+ powerManagement.cpuFreqGovernor = "performance";
+}
diff --git a/hosts/abacus/microbin.nix b/hosts/server/abacus/microbin.nix
similarity index 85%
rename from hosts/abacus/microbin.nix
rename to hosts/server/abacus/microbin.nix
index 0e80fc0..b5cdc48 100644
--- a/hosts/abacus/microbin.nix
+++ b/hosts/server/abacus/microbin.nix
@@ -6,7 +6,7 @@
 inherit (config.networking) domain;
 virtualHostName = "bin.${domain}";
 in {
- age.secrets.microbin.file = ../../secrets/microbin.age;
+ age.secrets = lib.mkSecrets {microbin = {};};
 
 services.microbin = {
 enable = true;
@@ -23,10 +23,10 @@ in {
 MICROBIN_ETERNAL_PASTA = true;
 MICROBIN_HIGHLIGHTSYNTAX = true;
 MICROBIN_PRIVATE = true;
- MICROBIN_ENABLE_BURN_AFTER=true;
+ MICROBIN_ENABLE_BURN_AFTER = true;
 MICROBIN_QR = true;
- MICROBIN_NO_FILE_UPLOAD=false;
- MICROBIN_ENCRYPTION_CLIENT_SIDE=true;
+ MICROBIN_NO_FILE_UPLOAD = false;
+ MICROBIN_ENCRYPTION_CLIENT_SIDE = true;
 MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB = 1024;
 MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB = 4096;
 
diff --git a/hosts/abacus/miniflux.nix b/hosts/server/abacus/miniflux.nix
similarity index 87%
rename from hosts/abacus/miniflux.nix
rename to hosts/server/abacus/miniflux.nix
index cf3058d..2e7788a 100644
--- a/hosts/abacus/miniflux.nix
+++ b/hosts/server/abacus/miniflux.nix
@@ -1,8 +1,12 @@
-{config, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
 inherit (config.networking) domain;
 virtualHostName = "flux.${domain}";
 in {
- age.secrets.miniflux.file = ../../secrets/miniflux.age;
+ age.secrets = lib.mkSecrets {miniflux = {};};
 
 services.miniflux = {
 enable = true;
diff --git a/hosts/abacus/navidrome.nix b/hosts/server/abacus/navidrome.nix
similarity index 100%
rename from hosts/abacus/navidrome.nix
rename to hosts/server/abacus/navidrome.nix
diff --git a/hosts/abacus/hardware.nix b/hosts/server/abacus/networking.nix
similarity index 53%
rename from hosts/abacus/hardware.nix
rename to hosts/server/abacus/networking.nix
index c1c7c6b..a6f04a5 100644
--- a/hosts/abacus/hardware.nix
+++ b/hosts/server/abacus/networking.nix
@@ -1,14 +1,4 @@
-{modulesPath, ...}: {
- imports = ["${modulesPath}/profiles/qemu-guest.nix"];
-
- nixpkgs.hostPlatform = "aarch64-linux";
-
- boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"];
-
- system.stateVersion = "24.11";
-
- powerManagement.cpuFreqGovernor = "performance";
-
+{
 networking = let
 interface = "enp1s0";
 in {
diff --git a/hosts/abacus/nginx.nix b/hosts/server/abacus/nginx.nix
similarity index 100%
rename from hosts/abacus/nginx.nix
rename to hosts/server/abacus/nginx.nix
diff --git a/hosts/abacus/static.nix b/hosts/server/abacus/static.nix
similarity index 93%
rename from hosts/abacus/static.nix
rename to hosts/server/abacus/static.nix
index 150a4fe..cd5ae05 100644
--- a/hosts/abacus/static.nix
+++ b/hosts/server/abacus/static.nix
@@ -22,7 +22,7 @@ in
 };
 
 systemd.tmpfiles.settings."10-static-sites".${root}.d = {
- user = "lukas";
+ user = config.users.mainUser;
 group = "users";
 mode = "0755";
 };
diff --git a/hosts/abacus/syncthing.nix b/hosts/server/abacus/syncthing.nix
similarity index 100%
rename from hosts/abacus/syncthing.nix
rename to hosts/server/abacus/syncthing.nix
diff --git a/hosts/server/abacus/system.nix b/hosts/server/abacus/system.nix
new file mode 100644
index 0000000..a05de83
--- /dev/null
+++ b/hosts/server/abacus/system.nix
@@ -0,0 +1,3 @@
+{
+ system.stateVersion = "24.11";
+}
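Review bot: `user = config.users.mainUser;` in hosts/server/abacus/static.nix now depends on `config` being among the module's arguments and on the `users.mainUser` option from common/user.nix being imported on this host; the argument list is outside this hunk, so confirm the module already takes `config` (the `in` in the hunk header suggests a `let` that may use it). The owner is now derived while `group = "users";` and `mode = "0755";` stay literal, which is fine but worth a line such as `# owned by the main user so sites can be deployed without root; world-readable for nginx` above the tmpfiles entry.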
diff --git a/hosts/abacus/vaultwarden.nix b/hosts/server/abacus/vaultwarden.nix
similarity index 93%
rename from hosts/abacus/vaultwarden.nix
rename to hosts/server/abacus/vaultwarden.nix
index e708fae..a58e7a1 100644
--- a/hosts/abacus/vaultwarden.nix
+++ b/hosts/server/abacus/vaultwarden.nix
@@ -7,7 +7,7 @@
 virtualHostName = "vault.${domain}";
 backupDir = "/srv/backup/vaultwarden";
 in {
- age.secrets.vaultwarden.file = ../../secrets/vaultwarden.age;
+ age.secrets = lib.mkSecrets {vaultwarden = {};};
 
 services.vaultwarden = {
 enable = true;
diff --git a/hosts/vessel/audiocomp.nix b/hosts/server/vessel/audiocomp.nix
similarity index 100%
rename from hosts/vessel/audiocomp.nix
rename to hosts/server/vessel/audiocomp.nix
diff --git a/hosts/vessel/backup.nix b/hosts/server/vessel/backup.nix
similarity index 95%
rename from hosts/vessel/backup.nix
rename to hosts/server/vessel/backup.nix
index 789065f..66e4156 100644
--- a/hosts/vessel/backup.nix
+++ b/hosts/server/vessel/backup.nix
@@ -40,7 +40,7 @@ in {
 }
 )
 (lib.attrNames backups));
- age.secrets."restic-${attrName}".file = ../../secrets/restic-${attrName}.age;
+ age.secrets = lib.mkSecrets {"restic-${attrName}" = {};};
 
 services.restic.backups.${attrName} = {
 repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
diff --git a/hosts/vessel/blocky.nix b/hosts/server/vessel/blocky.nix
similarity index 100%
rename from hosts/vessel/blocky.nix
rename to hosts/server/vessel/blocky.nix
diff --git a/hosts/vessel/fs.nix b/hosts/server/vessel/fs.nix
similarity index 100%
rename from hosts/vessel/fs.nix
rename to hosts/server/vessel/fs.nix
diff --git a/hosts/vessel/hardware.nix b/hosts/server/vessel/hardware.nix
similarity index 93%
rename from hosts/vessel/hardware.nix
rename to hosts/server/vessel/hardware.nix
index 628ff7e..82aab42 100644
--- a/hosts/vessel/hardware.nix
+++ b/hosts/server/vessel/hardware.nix
@@ -18,7 +18,5 @@
 kernelModules = ["kvm-intel"];
 };
 
- system.stateVersion = "24.11";
-
 powerManagement.cpuFreqGovernor = "powersave";
 }
diff --git a/hosts/vessel/storage.nix b/hosts/server/vessel/storage.nix
similarity index 100%
rename from hosts/vessel/storage.nix
rename to hosts/server/vessel/storage.nix
diff --git a/hosts/vessel/syncthing.nix b/hosts/server/vessel/syncthing.nix
similarity index 100%
rename from hosts/vessel/syncthing.nix
rename to hosts/server/vessel/syncthing.nix
diff --git a/hosts/server/vessel/system.nix b/hosts/server/vessel/system.nix
new file mode 100644
index 0000000..a05de83
--- /dev/null
+++ b/hosts/server/vessel/system.nix
@@ -0,0 +1,3 @@
+{
+ system.stateVersion = "24.11";
+}
diff --git a/lib.nix b/lib.nix
index cb44264..1280330 100644
--- a/lib.nix
+++ b/lib.nix
@@ -13,4 +13,63 @@ lib: _: {
 host,
 port,
 }: "${host}:${builtins.toString port}";
+
+ mkSecrets = secrets: let
+ mkSecret = {
+ name,
+ secret,
+ }:
+ secret
+ // {
+ file = ./secrets/${name}.age;
+ };
+ in
+ builtins.mapAttrs (name: secret: mkSecret {inherit name secret;}) secrets;
+
+ genNixosConfigurations = {
+ inputs,
+ extraModules,
+ }: let
+ commonDir = ./common;
+ classesDir = ./classes;
+ hostsDir = ./hosts;
+
+ commonNixosSystem = {
+ class,
+ name,
+ }:
+ lib.nixosSystem {
+ specialArgs = {
+ inherit inputs lib;
+ attrName = name;
+ };
+
+ modules =
+ (lib.findModules [
+ commonDir
+ ./classes/${class}
+ (classesDir + "/${class}")
+ (hostsDir + "/${class}/${name}")
+ ])
+ ++ [
+ {networking.hostName = lib.mkDefault name;}
+ ]
+ ++ extraModules;
+ };
+
+ dirsIn = dir:
+ lib.pipe (builtins.readDir dir) [
+ (lib.filterAttrs (_: type: type == "directory"))
+ builtins.attrNames
+ ];
+ in
+ lib.pipe (dirsIn hostsDir) [
+ (classes:
+ builtins.concatMap (
+ class: map (name: {inherit class name;}) (dirsIn (hostsDir + "/${class}"))
+ )
+ classes)
+ (map (obj: lib.nameValuePair obj.name (commonNixosSystem obj)))
+ builtins.listToAttrs
+ ];
 }
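Review bot: `genNixosConfigurations` in lib.nix passes the class directory to `lib.findModules` twice — `./classes/${class}` and `(classesDir + "/${class}")` denote the same path — so every module under classes/<class> is discovered a second time; drop the `./classes/${class}` line and keep `(classesDir + "/${class}")`, which matches how `hostsDir` is used on the next line. Whether `lib.findModules` or the module system deduplicates identical paths is not visible here; if neither does, list-typed options such as `environment.systemPackages` from those modules are merged twice and any `mkForce` in them may conflict with itself. `mkSecrets` derives the file purely from the attribute name, `file = ./secrets/${name}.age;`, with no check that the file exists, so a comment above it such as `# each key needs a matching secrets/<name>.age known to the agenix rules` would save the next person a failed evaluation. Both new functions would also benefit from a one-line header comment stating their input shape, since lib.nix is now the place every host's module set is assembled.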
diff --git a/pubkeys.nix b/pubkeys.nix
index 77a9d91..c0a572e 100644
--- a/pubkeys.nix
+++ b/pubkeys.nix
@@ -5,7 +5,9 @@
 };
 
 hosts = {
+ glacier = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrKpoDV/ImivtTZVbSsQ59IbGYVvSsKls4av2Zc9Nk8";
 abacus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHoUgClpkOlBEffQOb9KkVn970RwnIhU0OiVr7P2WVzg";
 vessel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkYcOb1JPNLTJtob1TcuC08cH9P2APAhLR26RYd573d";
+ flamingo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInV+UpCZhoTwgkgnCzCPEu3TD5b5mu6tagRslljrFJ/";
 };
 }
diff --git a/secrets/microbin.age b/secrets/microbin.age
index 644d7ea..6fcba36 100644
Binary files a/secrets/microbin.age and b/secrets/microbin.age differ
diff --git a/secrets/miniflux.age b/secrets/miniflux.age
index 3a9e5bf..898de75 100644
--- a/secrets/miniflux.age
+++ b/secrets/miniflux.age
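Review bot: Adding `glacier` and `flamingo` to `hosts` in pubkeys.nix enrols two desktop host keys wherever that attrset is consumed, and the users.nix hunk in this commit shows `root`'s `openssh.authorizedKeys.keys` is `builtins.attrValues (import ../pubkeys.nix).hosts`, so a laptop's host key now grants root SSH on every other host, the servers included. If only server-to-server access is needed (for example for the restic backups), split the set into something like `hosts.server` and `hosts.desktop` and have users.nix take the server subset. Whether these keys also serve as agenix recipients is not visible here; a comment on the attrset stating what membership grants would make the next addition a deliberate choice.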
@@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 SFHVrw 7IUsgabq/d+4prqwDCSwfrVvEEhp4nVYRvlYtBaReEY -OgSjIcOOnzIzRphDnpUOdisOxhfou9cQ2xPD7LxPkD8 --> ssh-ed25519 S+dwQQ XgeEXzPoIW/AbGN5Mj+Z9QV/xmjqybEVgQ0lpFov4GI -n4v/ulFqPZcCj9Z0V/rpXLgO9V1KEx5XkctB+UQX7gM --> ssh-ed25519 ffmsLw KE3L3CV3hBXZZ0Uup6ggdO0JNgQZNwRW1bgLQu59CQE -KkZK1aZ740LPYKblEINVwNrThrMKiI85xvu2Zj2wfzw ---- Hhtrr0g6S2TYjX6bIT0pmpRF6Gr/HazJXo6uuoeVh+M -)0QV [: ^Uj3C o{!S;s ssh-ed25519 SFHVrw 7n/cv5G7okGi5Hd+rkniHQCUgcCK0Yg9yuzpjrN05Ww +jb4Z4oP5CblZQFS+n3bBSRhvCc/5EPS6vLA9AT5jyo8 +-> ssh-ed25519 S+dwQQ HUSchkkcUVHzKeuu5WFHs8jUc0zILPmdFBl4LUX4M2w +uDzKbQU/4yaRB0nXyKEex8KH00RGjKW6BK18+J/yn8c +-> ssh-ed25519 ffmsLw K0foK6dte+zZqImHL4kLfCkhMHlKLEQEfbCxLQIbKxk +s+Rf6+Ro6tJkrAFzj1h/4yqHvbYfpxEgUMSt4nqmkUw +--- AJdGEnKHCGfNINBQ44TjyP93mA+Os6H6p/Q41PKGmuE +Ppgc֪%i@).qHjB㔗*Ws%Jc=OAcl ssh-ed25519 SFHVrw GIDp7q94BIYpC3rBG75QUFO5kfeyD/6K4G6TfVwWJXg -BnVU8spAlE23pu6yV29I423tsJASxkLC6TGJ2aEAbnw --> ssh-ed25519 S+dwQQ d4iYbW/SrgO+SZQhULUHC6eBocihdzgwM6OKu6XJkmw -PaEV2ILDpXCrFPNxlxtW/ycKAb2rHJHLAx23pOtiEpo --> ssh-ed25519 Sm0lOA kzHXpk3nBINMjCJi3M/KzKFkLk2Dl2acrEMbdqg3d2s -q/9mc7sqXfP+UTz3teyzPW8zSHapFijFiH2TzghsSG0 ---- 41oc9HNIK12x4QPE3yy8uw247yyJZ59A/G1So2t61vc -_˲}l?I4n$p30lIXe -s5P \ No newline at end of file +-> ssh-ed25519 SFHVrw T90IpkfLUbCrEQEOvErDVp/uv36oCPfZ5QthIEz1uG4 +6ge0ldLTgXJOgBabC2VzElNYg/CpWssd+smNo3JTgBA +-> ssh-ed25519 S+dwQQ qJrUqmj66/eDDvYPbcohc+IA3YwhDDOyfCwxI4jLxUI +yDFBlLTSfJXzvvGhW2DbJVCIRYQDEL9WML1EaUAtXNI +-> ssh-ed25519 Sm0lOA cEd39ojIF4yab0JWV/poybmF4kH6ub9/tTXRXLS0ghU +rA5GqgeruK6Tscay6EnBdHmM5edR0kF4cg+iGPAZuTc +--- 0CvvxtMR1IyIhsNNdwAuh5SWqwEbCtIVPi/K0yeheLM +okj2dBѿgez.K@rw{SzjW \ No newline at end of file diff --git a/secrets/user-lukas.age b/secrets/user-lukas.age index 845ab0c..22f8fd9 100644 Binary files a/secrets/user-lukas.age and b/secrets/user-lukas.age differ 
diff --git a/secrets/vaultwarden.age b/secrets/vaultwarden.age
index 7934c30..e50d808 100644
Binary files a/secrets/vaultwarden.age and b/secrets/vaultwarden.age differ