refactor

AGENTS.md

@@ -33,10 +33,12 @@ alejandra .                   # Format all Nix files
 
 ### File Structure
 - **Modules**: `modules/` - All configuration (flake-parts modules, auto-imported by import-tree)
+  - `hosts/` - Per-host composition modules
+  - `profiles/` - Shared host and user profile bundles
   - `_lib/` - Utility functions (underscore = ignored by import-tree)
   - `_darwin/` - Darwin-specific sub-modules
   - `_neovim/` - Neovim plugin configs
-  - `_hosts/` - Host-specific sub-files (disk-config, hardware, etc.)
+  - `hosts/_parts/` - Host-specific leaf files (disk-config, hardware, service fragments, etc.)
 - **Apps**: `apps/` - Per-system app scripts (Nushell)
 - **Secrets**: `secrets/` - SOPS-encrypted secrets (`.sops.yaml` for config)
 
@@ -52,7 +54,9 @@ alejandra .                   # Format all Nix files
 - `homeManager` - Home Manager configuration
 - `os` - Applies to both NixOS and darwin
 
-**Hosts**: `den.hosts.<system>.<name>` defined in `modules/hosts.nix`
+**Hosts**: `den.hosts.<system>.<name>` declared in `modules/inventory.nix`
+
+**Profiles**: shared bundles live under `modules/profiles/{host,user}` and are exposed as `den.aspects.host-*` and `den.aspects.user-*`
 
 **Defaults**: `den.default.*` defined in `modules/defaults.nix`
 
@@ -131,7 +135,7 @@ in {
 ### Secrets Management
 - Use SOPS for secrets (see `.sops.yaml`)
 - Never commit unencrypted secrets
-- Secret definitions live in per-host modules (`modules/michael.nix`, `modules/tahani.nix`, etc.)
+- Secret definitions live in per-host modules (`modules/hosts/michael.nix`, `modules/hosts/tahani.nix`, etc.)
 - Shared SOPS defaults (module imports, key paths) in `modules/secrets.nix`
 
 ### Aspect Composition

README.md

@@ -10,7 +10,9 @@ Personal Nix flake for four machines:
 ## Repository Map
 
 - `modules/` - flake-parts modules, auto-imported via `import-tree`
-- `modules/_hosts/` - host-specific submodules like hardware, disks, and services
+- `modules/hosts/` - per-host composition modules
+- `modules/hosts/_parts/` - host-private leaf modules like hardware, disks, and services
+- `modules/profiles/` - shared host and user profile bundles
 - `modules/_lib/` - local helper functions
 - `apps/` - Nushell apps exposed through the flake
 - `secrets/` - SOPS-encrypted secrets
@@ -21,9 +23,11 @@ Personal Nix flake for four machines:
 
 This repo uses `den` and organizes configuration around aspects instead of putting everything directly in host files.
 
-- shared behavior lives in `den.aspects.<name>.<class>` modules
+- shared behavior lives in `den.aspects.<name>.<class>` modules under `modules/*.nix`
-- hosts are declared in `modules/hosts.nix`
+- the machine inventory lives in `modules/inventory.nix`
-- host composition happens in `modules/<host>.nix`
+- shared bundles live in `modules/profiles/{host,user}/`
+- host composition happens in `modules/hosts/<host>.nix`
+- host-private imports live in `modules/hosts/_parts/<host>/`
 - user-level config mostly lives in Home Manager aspects
 
 Common examples:
@@ -31,8 +35,9 @@ Common examples:
 - `modules/core.nix` - shared Nix and shell foundation
 - `modules/dev-tools.nix` - VCS, language, and developer tooling
 - `modules/network.nix` - SSH, fail2ban, and tailscale aspects
-- `modules/michael.nix` - server composition for `michael`
+- `modules/profiles/user/workstation.nix` - shared developer workstation user bundle
-- `modules/tahani.nix` - server/workstation composition for `tahani`
+- `modules/hosts/michael.nix` - server composition for `michael`
+- `modules/hosts/tahani.nix` - server/workstation composition for `tahani`
 
 ## Common Commands
 

modules/hosts/_parts/michael/gitea.nix

@@ -5,21 +5,21 @@
 }: {
 	sops.secrets = {
 		michael-gitea-litestream = {
-			sopsFile = ../../../secrets/michael-gitea-litestream;
+			sopsFile = ../../../../secrets/michael-gitea-litestream;
 			format = "binary";
 			owner = "gitea";
 			group = "gitea";
 			path = "/run/secrets/michael-gitea-litestream";
 		};
 		michael-gitea-restic-password = {
-			sopsFile = ../../../secrets/michael-gitea-restic-password;
+			sopsFile = ../../../../secrets/michael-gitea-restic-password;
 			format = "binary";
 			owner = "gitea";
 			group = "gitea";
 			path = "/run/secrets/michael-gitea-restic-password";
 		};
 		michael-gitea-restic-env = {
-			sopsFile = ../../../secrets/michael-gitea-restic-env;
+			sopsFile = ../../../../secrets/michael-gitea-restic-env;
 			format = "binary";
 			owner = "gitea";
 			group = "gitea";

modules/hosts/chidi.nix

@@ -2,34 +2,16 @@
 	den.hosts.aarch64-darwin.chidi.users.cschmatzler.aspect = "chidi-cschmatzler";
 
 	den.aspects.chidi-cschmatzler = {
-		includes = [
+		includes = [den.aspects.user-darwin-laptop];
-			den.aspects.shell
-			den.aspects.ssh-client
-			den.aspects.terminal
-			den.aspects.atuin
-			den.aspects.dev-tools
-			den.aspects.neovim
-			den.aspects.ai-tools
-			den.aspects.secrets
-			den.aspects.zellij
-			den.aspects.zk
-			den.aspects.desktop
-		];
 
 		homeManager = {...}: {
-			programs.home-manager.enable = true;
-			fonts.fontconfig.enable = true;
 			programs.git.settings.user.email = "christoph@tuist.dev";
 		};
 	};
 
 	den.aspects.chidi.includes = [
 		(den.lib.perHost {
-				includes = [
+				includes = [den.aspects.host-darwin-base];
-					den.aspects.darwin-system
-					den.aspects.core
-					den.aspects.tailscale
-				];
 
 				darwin = {pkgs, ...}: {
 					networking.hostName = "chidi";

modules/hosts/jason.nix

@@ -0,0 +1,21 @@
+{den, ...}: {
+	den.hosts.aarch64-darwin.jason.users.cschmatzler.aspect = "jason-cschmatzler";
+
+	den.aspects.jason-cschmatzler = {
+		includes = [
+			den.aspects.user-darwin-laptop
+			den.aspects.user-personal
+		];
+	};
+
+	den.aspects.jason.includes = [
+		(den.lib.perHost {
+				includes = [den.aspects.host-darwin-base];
+
+				darwin = {...}: {
+					networking.hostName = "jason";
+					networking.computerName = "jason";
+				};
+			})
+	];
+}

modules/hosts/michael.nix

@@ -6,30 +6,20 @@
 	den.hosts.x86_64-linux.michael.users.cschmatzler.aspect = "michael-cschmatzler";
 
 	den.aspects.michael-cschmatzler = {
-		includes = [den.aspects.shell];
+		includes = [den.aspects.user-minimal];
-
-		homeManager = {...}: {
-			programs.home-manager.enable = true;
-		};
 	};
 
 	den.aspects.michael.includes = [
 		(den.lib.perHost {
-				includes = [
+				includes = [den.aspects.host-public-server];
-					den.aspects.nixos-system
-					den.aspects.core
-					den.aspects.openssh
-					den.aspects.fail2ban
-					den.aspects.tailscale
-				];
 
 				nixos = {modulesPath, ...}: {
 					imports = [
 						(modulesPath + "/installer/scan/not-detected.nix")
-						./_hosts/michael/backups.nix
+						./_parts/michael/backups.nix
-						./_hosts/michael/disk-config.nix
+						./_parts/michael/disk-config.nix
-						./_hosts/michael/gitea.nix
+						./_parts/michael/gitea.nix
-						./_hosts/michael/hardware-configuration.nix
+						./_parts/michael/hardware-configuration.nix
 						inputs.disko.nixosModules.default
 					];
 

modules/hosts/tahani.nix

@@ -3,23 +3,12 @@
 
 	den.aspects.tahani-cschmatzler = {
 		includes = [
-			den.aspects.shell
+			den.aspects.user-workstation
-			den.aspects.ssh-client
+			den.aspects.user-personal
-			den.aspects.terminal
-			den.aspects.atuin
-			den.aspects.dev-tools
-			den.aspects.neovim
-			den.aspects.ai-tools
-			den.aspects.secrets
-			den.aspects.zellij
-			den.aspects.zk
 			den.aspects.email
 		];
 
 		homeManager = {
-			programs.home-manager.enable = true;
-			programs.git.settings.user.email = "christoph@schmatzler.com";
-
 			programs.nushell.extraConfig = ''
 				if $nu.is-interactive and ('SSH_CONNECTION' in ($env | columns)) and ('ZELLIJ' not-in ($env | columns)) {
 					try {
@@ -35,36 +24,31 @@
 
 	den.aspects.tahani.includes = [
 		(den.lib.perHost {
-				includes = [
+				includes = [den.aspects.host-nixos-base];
-					den.aspects.nixos-system
-					den.aspects.core
-					den.aspects.openssh
-					den.aspects.tailscale
-				];
 
 				nixos = {...}: {
 					imports = [
-						./_hosts/tahani/adguardhome.nix
+						./_parts/tahani/adguardhome.nix
-						./_hosts/tahani/cache.nix
+						./_parts/tahani/cache.nix
-						./_hosts/tahani/networking.nix
+						./_parts/tahani/networking.nix
-						./_hosts/tahani/paperless.nix
+						./_parts/tahani/paperless.nix
 					];
 
 					networking.hostName = "tahani";
 
 					sops.secrets = {
 						tahani-paperless-password = {
-							sopsFile = ../secrets/tahani-paperless-password;
+							sopsFile = ../../secrets/tahani-paperless-password;
 							format = "binary";
 							path = "/run/secrets/tahani-paperless-password";
 						};
 						tahani-paperless-gpt-env = {
-							sopsFile = ../secrets/tahani-paperless-gpt-env;
+							sopsFile = ../../secrets/tahani-paperless-gpt-env;
 							format = "binary";
 							path = "/run/secrets/tahani-paperless-gpt-env";
 						};
 						tahani-email-password = {
-							sopsFile = ../secrets/tahani-email-password;
+							sopsFile = ../../secrets/tahani-email-password;
 							format = "binary";
 							owner = "cschmatzler";
 							path = "/run/secrets/tahani-email-password";

modules/jason.nix

@@ -1,40 +0,0 @@
-{den, ...}: {
-	den.hosts.aarch64-darwin.jason.users.cschmatzler.aspect = "jason-cschmatzler";
-
-	den.aspects.jason-cschmatzler = {
-		includes = [
-			den.aspects.shell
-			den.aspects.ssh-client
-			den.aspects.terminal
-			den.aspects.atuin
-			den.aspects.dev-tools
-			den.aspects.neovim
-			den.aspects.ai-tools
-			den.aspects.secrets
-			den.aspects.zellij
-			den.aspects.zk
-			den.aspects.desktop
-		];
-
-		homeManager = {...}: {
-			programs.home-manager.enable = true;
-			fonts.fontconfig.enable = true;
-			programs.git.settings.user.email = "christoph@schmatzler.com";
-		};
-	};
-
-	den.aspects.jason.includes = [
-		(den.lib.perHost {
-				includes = [
-					den.aspects.darwin-system
-					den.aspects.core
-					den.aspects.tailscale
-				];
-
-				darwin = {...}: {
-					networking.hostName = "jason";
-					networking.computerName = "jason";
-				};
-			})
-	];
-}

modules/profiles/host/darwin-base.nix

@@ -0,0 +1,7 @@
+{den, ...}: {
+	den.aspects.host-darwin-base.includes = [
+		den.aspects.darwin-system
+		den.aspects.core
+		den.aspects.tailscale
+	];
+}

modules/profiles/host/nixos-base.nix

@@ -0,0 +1,8 @@
+{den, ...}: {
+	den.aspects.host-nixos-base.includes = [
+		den.aspects.nixos-system
+		den.aspects.core
+		den.aspects.openssh
+		den.aspects.tailscale
+	];
+}

modules/profiles/host/public-server.nix

@@ -0,0 +1,6 @@
+{den, ...}: {
+	den.aspects.host-public-server.includes = [
+		den.aspects.host-nixos-base
+		den.aspects.fail2ban
+	];
+}

modules/profiles/user/base.nix

@@ -0,0 +1,17 @@
+{den, ...}: {
+	den.aspects.user-base = {
+		includes = [
+			den.aspects.shell
+			den.aspects.ssh-client
+			den.aspects.terminal
+			den.aspects.atuin
+			den.aspects.secrets
+			den.aspects.zellij
+			den.aspects.zk
+		];
+
+		homeManager = {
+			programs.home-manager.enable = true;
+		};
+	};
+}

modules/profiles/user/darwin-laptop.nix

@@ -0,0 +1,12 @@
+{den, ...}: {
+	den.aspects.user-darwin-laptop = {
+		includes = [
+			den.aspects.user-workstation
+			den.aspects.desktop
+		];
+
+		homeManager = {
+			fonts.fontconfig.enable = true;
+		};
+	};
+}

modules/profiles/user/minimal.nix

@@ -0,0 +1,11 @@
+{den, ...}: {
+	den.aspects.user-minimal = {
+		includes = [
+			den.aspects.shell
+		];
+
+		homeManager = {
+			programs.home-manager.enable = true;
+		};
+	};
+}

modules/profiles/user/personal.nix

@@ -0,0 +1,5 @@
+{...}: {
+	den.aspects.user-personal.homeManager = {
+		programs.git.settings.user.email = "christoph@schmatzler.com";
+	};
+}

modules/profiles/user/workstation.nix

@@ -0,0 +1,8 @@
+{den, ...}: {
+	den.aspects.user-workstation.includes = [
+		den.aspects.user-base
+		den.aspects.dev-tools
+		den.aspects.neovim
+		den.aspects.ai-tools
+	];
+}