add multiple envs for packages

README.md

@@ -1,6 +1,141 @@
 # dots
 
+This repository contains my dotfiles and a Nix flake that supports multiple hosts (machines) with a shared base and per-host configuration.
+
+- On NixOS: hosts are built via `nixosConfigurations`.
+- On non-NixOS (e.g., Ubuntu): hosts are applied via Home Manager using `homeConfigurations`.
+
+## Bootstrap
+
 ```shell
 pip install pipx ansible
 ansible-playbook --ask-become-pass ansible/main.yml
+# Then apply dotfiles with dotter
 dotter
+```
+
+## NixOS: multi-host layout
+
+- nix/base/packages.nix — packages installed on all hosts
+- nix/hosts/<host>/
+  - configuration.nix — host-specific NixOS configuration
+  - hardware-configuration.nix — generated per-machine
+  - packages.nix — extra packages for this host
+- nix/flake.nix — exposes each host under nixosConfigurations
+
+Current hosts:
+- limgrave — my main system
+- carpates — scaffolded/minimal, ready to extend
+
+## Naming rule (important)
+Your machine hostname must match the Nix flake host name. For example:
+- networking.hostName = "limgrave" in the host configuration
+- The flake exports nixosConfigurations.limgrave
+- The system hostname (output of `hostname -s`) is limgrave
+
+This allows the upgrade function to pick the right configuration automatically.
+
+## Build or switch
+From repo root:
+
+```bash
+# Limgrave (current system)
+sudo nixos-rebuild switch --flake ./nix#limgrave
+
+# carpates (on target machine)
+sudo nixos-rebuild switch --flake ./nix#carpates
+# Or during install:
+# nixos-install --flake <repo-path>/nix#carpates
+```
+
+## Upgrades: nix_upgrade
+A convenience Fish function is provided in fish/conf.d/functions.fish: `nix_upgrade`.
+It updates flake inputs and rebuilds the system using a host name that matches the machine hostname.
+
+Usage:
+```fish
+# Automatic: uses (hostname -s) → must match a host in nix/flake.nix
+nix_upgrade
+
+# Override the host explicitly (useful for recovery or chroots)
+nix_upgrade limgrave
+```
+What it does:
+1) sudo nix flake update --flake /home/catalin/.dotfiles/nix
+2) sudo nixos-rebuild switch --flake /home/catalin/.dotfiles/nix#<host> --upgrade
+
+Safety checks:
+- Verifies nix/flake.nix exists
+- Verifies the host is declared in nix/flake.nix
+- Prints clear error if the hostname doesn’t map to a known host
+
+Tip: ensure your system hostname matches one of the directories in nix/hosts/ and the entry under nixosConfigurations in nix/flake.nix.
+
+## Adding a new host
+1) Create a directory: nix/hosts/<newhost>/
+2) Add configuration files (start by copying limgrave and trimming, or use the minimal example from carpates)
+3) Generate hardware config on the new machine:
+```bash
+sudo nixos-generate-config
+# Move merge the generated hardware-configuration.nix into nix/hosts/<newhost>/
+```
+4) Add the host to nix/flake.nix under nixosConfigurations
+5) Make sure networking.hostName = "<newhost>" in the host configuration
+6) Build or install:
+```bash
+sudo nixos-rebuild switch --flake ./nix#<newhost>
+# or during install:
+nixos-install --flake <repo-path>/nix#<newhost>
+```
+
+## Notes
+- Old single-host files nix/configuration.nix and nix/packages.nix are kept for reference but are not used by the flake. You can remove them once comfortable with the new layout.
+- limgrave includes nix-snapd and Home Manager; carpates currently includes Home Manager only.
+
+## Nix on non-NixOS (Ubuntu, etc.)
+You can also use this flake on non-NixOS systems (e.g., Ubuntu) via Home Manager. For that path, hosts are defined under `homeConfigurations` in `nix/flake.nix` and typically live next to their NixOS counterparts. In this repo, `carpates` is prepared for non-NixOS via Home Manager.
+
+- Naming rule: your machine's hostname (output of `hostname -s`) should match the `homeConfigurations.<host>` entry. Example: `carpates`.
+- Packages: non-NixOS hosts usually install user-scoped packages via Home Manager, using the shared base set from `nix/base/packages.nix`.
+
+### Prerequisites
+- Install Nix (multi-user is recommended):
+  ```bash
+  sh <(curl -L https://nixos.org/nix/install) --daemon
+  ```
+- Enable flakes (if not already). On non-NixOS, set in `/etc/nix/nix.conf` or `$XDG_CONFIG_HOME/nix/nix.conf`:
+  ```
+  experimental-features = nix-command flakes
+  ```
+- Install Home Manager (no separate channel needed when using flakes; we can run it via `nix run` or install it on PATH):
+  ```bash
+  # Optional, to have `home-manager` on PATH:
+  nix profile install github:nix-community/home-manager
+  ```
+
+### Apply the configuration (non-NixOS)
+From repo root:
+```bash
+# Use the prepared Home Manager host (example: carpates)
+home-manager switch --flake ./nix#carpates
+# If `home-manager` is not installed, you can run it via nix:
+nix run github:nix-community/home-manager -- switch --flake ./nix#carpates
+```
+
+### Upgrades (non-NixOS)
+`nix_upgrade` also works on non-NixOS:
+```fish
+# Auto-detects host from (hostname -s) and runs Home Manager switch
+nix_upgrade
+
+# Or override explicitly
+nix_upgrade carpates
+```
+What it does on non-NixOS:
+- `nix flake update --flake /home/catalin/.dotfiles/nix`
+- `home-manager switch --flake /home/catalin/.dotfiles/nix#<host>` (or `nix run ... -- switch` if HM is not on PATH)
+
+### NixOS vs. non-NixOS summary
+- NixOS hosts are declared under `nixosConfigurations` and are applied with `nixos-rebuild`.
+- non-NixOS hosts are declared under `homeConfigurations` and are applied with `home-manager switch`.
+- The `nix_upgrade` function detects the OS and selects the correct path automatically based on the hostname.

fish/conf.d/functions.fish

@@ -77,8 +77,71 @@ function gur
 end
 
 function nix_upgrade
-    sudo nix flake update --flake /home/catalin/.dotfiles/nix/
+    # Upgrade this system based on hostname matching the flake host.
-    sudo nixos-rebuild switch --flake /home/catalin/.dotfiles/nix/ --upgrade
+    # Works on both NixOS (nixos-rebuild) and non-NixOS (Home Manager).
+    # Usage: nix_upgrade [host-override]
+
+    set -l flake_path /home/catalin/.dotfiles/nix
+
+    # Determine host either from arg or from the machine hostname
+    if set -q argv[1]
+        set -l host $argv[1]
+    else
+        set -l host (hostname -s)
+        if test $status -ne 0 -o -z "$host"
+            set host (hostname)
+        end
+    end
+
+    if not test -f $flake_path/flake.nix
+        echo "Error: flake not found at $flake_path/flake.nix"
+        return 1
+    end
+
+    # Detect if we are on NixOS
+    set -l is_nixos 0
+    if test -f /etc/NIXOS
+        set is_nixos 1
+    else if type -q nixos-version
+        set is_nixos 1
+    end
+
+    echo "Updating inputs for flake: $flake_path"
+    # On non-NixOS this usually doesn't require sudo; on NixOS it might.
+    if test $is_nixos -eq 1
+        sudo nix flake update --flake $flake_path
+    else
+        nix flake update --flake $flake_path
+    end
+
+    if test $is_nixos -eq 1
+        # NixOS path: verify host exists under nixosConfigurations (heuristic)
+        if not grep -Eq "^[[:space:]]*$host[[:space:]]*=[[:space:]]*lib\\.nixosSystem" $flake_path/flake.nix
+            echo "Error: host '$host' not found in nixosConfigurations in $flake_path/flake.nix."
+            echo "       Pass an explicit host: nix_upgrade <host>"
+            return 1
+        end
+        echo "Rebuilding NixOS for host: $host"
+        sudo nixos-rebuild switch --flake $flake_path#$host --upgrade
+    else
+        # non-NixOS path: try Home Manager via flake's homeConfigurations
+        if not grep -q "homeConfigurations" $flake_path/flake.nix
+            echo "Error: no homeConfigurations found in flake; cannot upgrade on non-NixOS."
+            return 1
+        end
+        # Best-effort heuristic that the host exists as a home configuration
+        if not grep -Eq "^[[:space:]]*$host[[:space:]]*=" $flake_path/flake.nix
+            echo "Warning: host '$host' not explicitly found; attempting Home Manager switch anyway."
+        end
+
+        echo "Rebuilding Home Manager for host: $host"
+        if type -q home-manager
+            home-manager switch --flake $flake_path#$host
+        else
+            # Fallback: use nix to run HM
+            nix run github:nix-community/home-manager -- switch --flake $flake_path#$host
+        end
+    end
 end
 
 function delete_line

nix/base/packages.nix

@@ -0,0 +1,38 @@
+pkgs: with pkgs; [
+  vim
+  wget
+  git
+  tmux
+  eza
+  bat
+  jq
+  curl
+  atuin
+  leaf
+  dotter
+  kubectl
+  k9s
+  trashy
+  krew
+  pre-commit
+  devenv
+  git-cliff
+  difftastic
+  unzip
+  hadolint
+  docker-compose
+  delta
+  bottom
+  bat
+  dust
+  popeye
+  kubecolor
+  kubeconform
+  kube-score
+  uv
+  neovim
+  ncdu
+  direnv
+  asciinema
+  yq
+]

nix/flake.lock

@@ -1,13 +1,74 @@
 {
   "nodes": {
+    "autofirma-nix": {
+      "inputs": {
+        "autofirma-src": "autofirma-src",
+        "clienteafirma-external-src": "clienteafirma-external-src",
+        "flake-parts": "flake-parts",
+        "home-manager": "home-manager",
+        "jmulticard-src": "jmulticard-src",
+        "nix-unit": "nix-unit",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1762846273,
+        "narHash": "sha256-TvPVL/CLMstwlnsDrBHw7vMbrxwO1RlxJcQD2Csc/3Q=",
+        "owner": "nix-community",
+        "repo": "autofirma-nix",
+        "rev": "014a7decf4a60dcab532f78469ce83387c9aa40e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-25.05",
+        "repo": "autofirma-nix",
+        "type": "github"
+      }
+    },
+    "autofirma-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1716805628,
+        "narHash": "sha256-GQyj3QuWIHTkYwdJ4oKVsG923YG9mCUXfhqdIvEWNMA=",
+        "owner": "ctt-gob-es",
+        "repo": "clienteafirma",
+        "rev": "f8888062394a4ca41c5802beb2524597a5ce465a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ctt-gob-es",
+        "ref": "v1.8.3",
+        "repo": "clienteafirma",
+        "type": "github"
+      }
+    },
+    "clienteafirma-external-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1712248159,
+        "narHash": "sha256-iS3I6zIxuKG133s/FqDlXZzOZ2ZOJcqZK9X6Tv3+3lc=",
+        "owner": "ctt-gob-es",
+        "repo": "clienteafirma-external",
+        "rev": "f450ac76094ffe387f6590b9ac61b5ada5a501e7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ctt-gob-es",
+        "ref": "OT_14395",
+        "repo": "clienteafirma-external",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1733328505,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "revCount": 57,
+        "revCount": 69,
         "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -15,15 +76,36 @@
       }
     },
     "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "autofirma-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1762810396,
+        "narHash": "sha256-dxFVgQPG+R72dkhXTtqUm7KpxElw3u6E+YlQ2WaDgt8=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "0bdadb1b265fb4143a75bd1ec7d8c915898a9923",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1733312601,
+        "lastModified": 1760948891,
-        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
         "type": "github"
       },
       "original": {
@@ -33,6 +115,24 @@
       }
     },
     "home-manager": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1762787259,
+        "narHash": "sha256-t2U/GLLXHa2+kJkwnFNRVc2fEJ/lUfyZXBE5iKzJdcs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "37a3d97f2873e0f68711117c34d04b7c7ead8f4e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
@@ -53,20 +153,59 @@
         "type": "github"
       }
     },
+    "jmulticard-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1686816513,
+        "narHash": "sha256-sCqMK4FvwRHsGIB6iQVyqrx0+EDiUfQSAsPqmDq2Giw=",
+        "owner": "ctt-gob-es",
+        "repo": "jmulticard",
+        "rev": "9983fc690f3b68dc2c8fde19db269766cf0fb387",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ctt-gob-es",
+        "ref": "v1.8",
+        "repo": "jmulticard",
+        "type": "github"
+      }
+    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "autofirma-nix",
+          "nix-unit",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1737420293,
+        "narHash": "sha256-F1G5ifvqTpJq7fdkT34e/Jy9VCyzd5XfJ9TO8fHhJWE=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "f4158fa080ef4503c8f4c820967d946c2af31ec9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
     "nix-snapd": {
       "inputs": {
         "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_2",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1734935829,
+        "lastModified": 1761703712,
-        "narHash": "sha256-/7Y+EZoU8O+N2PgEIvJKwp6qLBuwiOq3MeC0YLezX/w=",
+        "narHash": "sha256-OKuNVXmHuZ0zi8T0aGWrBJizIfvdTqV1RiV0IN8GPZs=",
         "owner": "nix-community",
         "repo": "nix-snapd",
-        "rev": "355a1ed0141b6fd3093e3cb7b3492e6e67913681",
+        "rev": "f7694a0e26d890e285137e1b726b1b44038805c4",
         "type": "github"
       },
       "original": {
@@ -75,13 +214,71 @@
         "type": "github"
       }
     },
+    "nix-unit": {
+      "inputs": {
+        "flake-parts": [
+          "autofirma-nix",
+          "flake-parts"
+        ],
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "autofirma-nix",
+          "nixpkgs"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1762774186,
+        "narHash": "sha256-hRADkHjNt41+JUHw2EiSkMaL4owL83g5ZppjYUdF/Dc=",
+        "owner": "nix-community",
+        "repo": "nix-unit",
+        "rev": "1c9ab50554eed0b768f9e5b6f646d63c9673f0f7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-unit",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1760862643,
+        "lastModified": 1762111121,
-        "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=",
+        "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c",
+        "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1754788789,
+        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1762233356,
+        "narHash": "sha256-cGS3lLTYusbEP/IJIWGgnkzIl+FA5xDvtiHyjalGr4k=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ca534a76c4afb2bdc07b681dbc11b453bab21af8",
         "type": "github"
       },
       "original": {
@@ -91,25 +288,13 @@
         "type": "github"
       }
     },
-    "nixpkgs-lib": {
+    "nixpkgs_3": {
       "locked": {
-        "lastModified": 1733096140,
+        "lastModified": 1761907660,
-        "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=",
+        "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1760524057,
-        "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5",
+        "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15",
         "type": "github"
       },
       "original": {
@@ -121,24 +306,25 @@
     },
     "root": {
       "inputs": {
-        "home-manager": "home-manager",
+        "autofirma-nix": "autofirma-nix",
+        "home-manager": "home-manager_2",
         "nix-snapd": "nix-snapd",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "spicetify-nix": "spicetify-nix",
         "unstable": "unstable"
       }
     },
     "spicetify-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1760848035,
+        "lastModified": 1762057664,
-        "narHash": "sha256-H3MFH8+i4wFagkebtHPcosQdkmxQ4a6fl1lMbLb+RkA=",
+        "narHash": "sha256-mdEEvepIi8ebpGP1WWOHNvNQyd8rF0mUrKAiU6mwHCk=",
         "owner": "Gerg-L",
         "repo": "spicetify-nix",
-        "rev": "cde9f78ae705343a38f5d1d19ab34858b5e9caa9",
+        "rev": "4aa6e43d29e3c8acf544aa6782a1963a11369208",
         "type": "github"
       },
       "original": {
@@ -162,13 +348,35 @@
         "type": "github"
       }
     },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "autofirma-nix",
+          "nix-unit",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1762410071,
+        "narHash": "sha256-aF5fvoZeoXNPxT0bejFUBXeUjXfHLSL7g+mjR/p5TEg=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "97a30861b13c3731a84e09405414398fbf3e109f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
     "unstable": {
       "locked": {
-        "lastModified": 1760965567,
+        "lastModified": 1762361079,
-        "narHash": "sha256-0JDOal5P7xzzAibvD0yTE3ptyvoVOAL0rcELmDdtSKg=",
+        "narHash": "sha256-lz718rr1BDpZBYk7+G8cE6wee3PiBUpn8aomG/vLLiY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "cb82756ecc37fa623f8cf3e88854f9bf7f64af93",
+        "rev": "ffcdcf99d65c61956d882df249a9be53e5902ea5",
         "type": "github"
       },
       "original": {

nix/flake.nix

@@ -7,31 +7,63 @@
     nix-snapd.url = "github:nix-community/nix-snapd";
     nix-snapd.inputs.nixpkgs.follows = "nixpkgs";
     spicetify-nix.url = "github:Gerg-L/spicetify-nix";
+    autofirma-nix = {
+      url = "github:nix-community/autofirma-nix/release-25.05";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     home-manager = {
       url = "github:nix-community/home-manager/release-24.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
 
-  outputs = { self, nixpkgs, unstable, nix-snapd, home-manager, ... }:
+  nixConfig = {
+    extra-substituters = [
+      "https://nix-community.cachix.org"
+    ];
+    extra-trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+
+  outputs = { self, nixpkgs, unstable, nix-snapd, home-manager, autofirma-nix, ... }:
   let
     system = "x86_64-linux";
     lib = nixpkgs.lib;
     pkgs-unstable = unstable.legacyPackages.${system};
+    pkgs = nixpkgs.legacyPackages.${system};
   in
   {
-    nixosConfigurations.limgrave = nixpkgs.lib.nixosSystem {
+    nixosConfigurations = {
-      inherit system;
+      limgrave = lib.nixosSystem {
-      specialArgs = { inherit pkgs-unstable; };
+        inherit system;
-      modules = [
+        specialArgs = { inherit pkgs-unstable; };
-        ./configuration.nix
+        modules = [
-        nix-snapd.nixosModules.default
+          ./hosts/limgrave/configuration.nix
-        home-manager.nixosModules.home-manager
+          nix-snapd.nixosModules.default
-        {
+          autofirma-nix.nixosModules.default
-          environment.systemPackages = [
+          home-manager.nixosModules.home-manager
-          ];
+        ];
-        }
+      };
-      ];
+
+      carpates = lib.nixosSystem {
+        inherit system;
+        specialArgs = { inherit pkgs-unstable; };
+        modules = [
+          ./hosts/carpates/configuration.nix
+          home-manager.nixosModules.home-manager
+        ];
+      };
+    };
+
+    # Home Manager configurations for non-NixOS hosts (e.g., Ubuntu)
+    homeConfigurations = {
+      # For non-NixOS usage on a machine named "carpates".
+      # Run: home-manager switch --flake ./nix#carpates
+      carpates = home-manager.lib.homeManagerConfiguration {
+        inherit pkgs;
+        modules = [ ./hosts/carpates/home.nix ];
+      };
     };
   };
 }

nix/hosts/carpates/configuration.nix

@@ -0,0 +1,37 @@
+{ config, pkgs, pkgs-unstable, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # Basic system metadata
+  networking.hostName = "carpates";
+  time.timeZone = "Europe/Madrid";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  # Nix settings
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nixpkgs.config = {
+    allowUnfree = true;
+    allowBroken = false;
+  };
+
+  # Users
+  users.users.catalin = {
+    isNormalUser = true;
+    description = "catalin";
+    shell = pkgs.fish;
+    extraGroups = [ "networkmanager" "wheel" ];
+  };
+
+  # Minimal services
+  networking.networkmanager.enable = true;
+  services.openssh.enable = true;
+
+  # Base CLI set only (shared across hosts)
+  environment.systemPackages = import ../../base/packages.nix pkgs;
+
+  programs.fish.enable = true;
+
+  system.stateVersion = "24.11";
+}

nix/hosts/carpates/home.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+{
+  # Home Manager configuration for non-NixOS usage on host "carpates".
+  # Apply with:
+  #   home-manager switch --flake ./nix#carpates
+
+  home.username = "catalin";
+  home.homeDirectory = "/home/catalin";
+
+  # Use the same base CLI set as all hosts
+  home.packages = import ../../base/packages.nix pkgs;
+
+  programs.fish.enable = true;
+
+  # Example: some common quality-of-life programs
+  programs.git = {
+    enable = true;
+    userName = "catalin";
+    userEmail = ""; # set if desired
+  };
+
+  # Make sure HM itself can manage its state
+  programs.home-manager.enable = true;
+
+  # Set the HM release; doesn't have to match NixOS release
+  home.stateVersion = "24.11";
+}

nix/hosts/limgrave/configuration.nix

@@ -1,19 +1,26 @@
-
 { config, pkgs, pkgs-unstable, ... }:
-{ imports =
+{
-    [
+  imports = [
-      ./hardware-configuration.nix
+    ./hardware-configuration.nix
-    ];
+  ];
+
   nixpkgs.config.allowBroken = true;
   nix.settings.download-buffer-size = 524288000;
-  nixpkgs.config.permittedInsecurePackages = ["electron-33.4.11" "mono-5.20.1.34"];
+  nixpkgs.config.permittedInsecurePackages = [ "electron-33.4.11" "mono-5.20.1.34" ];
+
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
-  boot.supportedFilesystems = ["ntfs"];
+  boot.supportedFilesystems = [ "ntfs" ];
+
   services.snap.enable = false;
+
   networking.hostName = "limgrave";
   networking.networkmanager.enable = true;
+  services.mullvad-vpn.enable = true;
+
+
   environment.sessionVariables.MOZ_ENABLE_WAYLAND = 0;
+
   time.timeZone = "Europe/Madrid";
   i18n.defaultLocale = "en_US.UTF-8";
   i18n.extraLocaleSettings = {
@@ -27,10 +34,12 @@
     LC_TELEPHONE = "es_ES.UTF-8";
     LC_TIME = "es_ES.UTF-8";
   };
+
   networking.firewall = rec {
     allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
     allowedUDPPortRanges = allowedTCPPortRanges;
   };
+
   home-manager.users.catalin = {
     programs.gnome-shell = {
       enable = true;
@@ -72,17 +81,17 @@
       ];
     };
   };
-  
+
   services.xserver = {
-      enable = true;
+    enable = true;
-      displayManager.gdm.enable = true;
+    displayManager.gdm.enable = true;
-      desktopManager.gnome.enable = true;
+    desktopManager.gnome.enable = true;
-        windowManager.openbox.enable = true;
+    windowManager.openbox.enable = true;
-     
+
-      xkb = {
+    xkb = {
-        layout = "us";
+      layout = "us";
-        variant = "";
+      variant = "";
-      };
+    };
   };
 
   services.printing.enable = true;
@@ -100,19 +109,44 @@
     isNormalUser = true;
     description = "catalin";
     shell = pkgs.fish;
-    useDefaultShell =  true;
+    useDefaultShell = true;
     extraGroups = [ "networkmanager" "wheel" "docker" "nas" ];
-    packages = with pkgs; [
+    packages = with pkgs; [ flatpak ];
-      flatpak
-    ];
   };
   users.groups.nas.gid = 568;
 
   programs.firefox.enable = true;
+  # Enable smart card service and eID tooling (AutoFirma stack)
+  services.pcscd.enable = true;
+  programs.autofirma = {
+    enable = true;
+    firefoxIntegration.enable = true;
+  };
+  programs.dnieremote = {
+    enable = true;
+    jumpIntro = "no";
+    wifiPort = 9501;
+    usbPort = 9501;
+    openFirewall = false;
+  };
+  programs.configuradorfnmt = {
+    enable = true;
+    firefoxIntegration.enable = true;
+  };
+  # Configure Firefox PKCS#11 modules for DNIe and OpenSC
+  programs.firefox.policies = {
+    SecurityDevices = {
+      "OpenSC PKCS#11" = "${pkgs.opensc}/lib/opensc-pkcs11.so";
+      "DNIeRemote" = "${config.programs.dnieremote.finalPackage}/lib/libdnieremotepkcs11.so";
+    };
+  };
   nixpkgs.config.allowUnfree = true;
   services.flatpak.enable = true;
   programs.nix-ld.enable = true;
-  environment.systemPackages = import ./packages.nix pkgs ;
+
+  # Merge base packages with host-specific packages
+  environment.systemPackages = (import ../../base/packages.nix pkgs) ++ (import ./packages.nix pkgs);
+
   programs = {
     bash = {
       interactiveShellInit = ''
@@ -127,20 +161,23 @@
     steam = {
       enable = true;
       package = pkgs.steam.override {
-        extraLibraries = p: with p; [(lib.getLib networkmanager)];
+        extraLibraries = p: with p; [ (lib.getLib networkmanager) ];
       };
     };
   };
+
   xdg.portal.enable = true;
   xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
   xdg.portal.config.common.default = "gtk";
+
   programs.mtr.enable = true;
   programs.dconf.enable = true;
   programs.gnupg.agent = {
     enable = true;
     enableSSHSupport = true;
   };
- systemd.services.flatpak-repo = {
+
+  systemd.services.flatpak-repo = {
     wantedBy = [ "multi-user.target" ];
     path = [ pkgs.flatpak ];
     script = ''
@@ -154,18 +191,21 @@
     dates = "weekly";
     options = "--delete-older-than 1w";
   };
+
   fonts.packages = with pkgs; [
     atkinson-hyperlegible
   ];
+
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
   services.openssh.enable = true;
   services.tailscale.enable = true;
   virtualisation.docker.enable = true;
   networking.nameservers = [ "192.168.1.7" "1.1.1.1" ];
+
   nix.extraOptions = ''
-      trusted-users = root catalin
+    trusted-users = root catalin
   '';
+
   system.autoUpgrade.enable = true;
   system.stateVersion = "24.11";
-
 }

nix/hosts/limgrave/packages.nix

@@ -0,0 +1,77 @@
+pkgs: with pkgs; [
+    kitty
+    steam
+    steam-run
+    vesktop
+    python311
+    protonup-qt
+    jellyfin-media-player
+    spotify
+    adwaita-icon-theme
+    fishPlugins.z
+    fishPlugins.tide
+    fishPlugins.transient-fish
+    fishPlugins.done
+    fishPlugins.colored-man-pages
+    lutris
+    telegram-desktop
+    restic
+    bitwarden
+    pre-commit
+    cargo
+    inconsolata
+    google-chrome
+    yt-dlp
+    mpv
+    gnumake
+    stremio
+    kubernetes-helm
+    opentofu
+    kubeseal
+    openssl
+    xclip
+    resticprofile
+    gnupg
+    awscli2
+    kor
+    exiftool
+    jetbrains-toolbox
+    chiaki-ng
+    gnome-themes-extra
+    tela-circle-icon-theme
+    hmcl
+    rose-pine-gtk-theme
+    rose-pine-icon-theme
+    rose-pine-cursor
+    vlc
+    unrar-wrapper
+    atkinson-hyperlegible
+    libreoffice-qt
+    hunspell
+    hunspellDicts.es_ES
+    hunspellDicts.en_US
+    sqlite-interactive
+    ffmpeg
+    filezilla
+    lrcget
+    picard
+    gimp
+    yq
+    qbittorrent
+    p7zip
+    ansible
+    k3sup
+    gamemode
+    lm_sensors
+    appimage-run
+    coder
+    xcolor
+    signal-desktop
+    element-desktop
+    pavucontrol
+    samrewritten
+    audacity
+    mullvad-browser
+    mullvad-vpn
+    limo
+]

nix/packages.nix

@@ -117,4 +117,5 @@ pkgs: with pkgs; [
     nexusmods-app
     cargo
     rustc
+    samrewritten
 ]