From 6332c96d3e504d04791303c3ef70267b6724e7a2 Mon Sep 17 00:00:00 2001
From: Jelle Spreeuwenberg <mail@jelles.net>
Date: Tue, 21 Apr 2026 12:12:43 +0200
Subject: [PATCH] refactor: centralize host and user metadata

---
 AGENTS.md                                 |  83 ---------
 modules/features/bitwarden.nix            |  12 +-
 modules/features/desktop-base.nix         |  47 +++--
 modules/features/dev-tools.nix            |   2 +-
 modules/features/email.nix                |  55 +++---
 modules/features/ergon-workstation.nix    |   9 +
 modules/features/git.nix                  |  14 +-
 modules/features/home-manager-base.nix    |  26 +++
 modules/features/kiri-workstation.nix     |  23 +++
 modules/features/local-apps.nix           |   2 +-
 modules/features/meta.nix                 | 147 ++++++++++++++++
 modules/features/neovim/default.nix       |   6 +-
 modules/features/networking.nix           |   8 +
 modules/features/niri/default.nix         |  28 ++-
 modules/features/qbittorrent-client.nix   |   4 +-
 modules/features/region-nl.nix            |   2 +-
 modules/features/services/actual.nix      |  32 ++--
 modules/features/services/deluge.nix      |   4 +-
 modules/features/services/gitea.nix       |  48 +++--
 modules/features/services/openssh.nix     |  15 +-
 modules/features/services/radicale.nix    |  58 ++++---
 modules/features/services/vaultwarden.nix |  36 ++--
 modules/features/shell.nix                |   6 +-
 modules/features/ssh.nix                  |   2 +-
 modules/features/standard-boot.nix        |  19 +-
 modules/features/system-base.nix          |  10 --
 modules/features/user-base.nix            |  22 +--
 modules/hosts/orion/default.nix           |  73 +++-----
 modules/hosts/polaris/default.nix         | 108 ++++--------
 modules/hosts/zenith/default.nix          |  81 ++++-----
 modules/lib.nix                           |  89 ++++++++++
 modules/secrets/sops.nix                  |  10 +-
 modules/users.nix                         | 203 +++++++++++++++-------
 33 files changed, 805 insertions(+), 479 deletions(-)
 delete mode 100644 AGENTS.md
 create mode 100644 modules/features/ergon-workstation.nix
 create mode 100644 modules/features/home-manager-base.nix
 create mode 100644 modules/features/kiri-workstation.nix
 create mode 100644 modules/features/meta.nix
 delete mode 100644 modules/features/system-base.nix
 create mode 100644 modules/lib.nix

diff --git a/AGENTS.md b/AGENTS.md
deleted file mode 100644
index fac6a34..0000000
--- a/AGENTS.md
+++ /dev/null
@@ -1,83 +0,0 @@
-# Repository Guidelines
-
-## Project Structure & Module Organization
-This repository is a simplified `flake-parts` NixOS flake. `flake.nix` imports `./modules` through `import-tree`, so normal `.nix` files under `modules/` are loaded automatically unless their file or directory name starts with `_`.
-
-- `modules/flake-parts.nix` defines the `flake-parts` setup, formatter, and the exported `nixosConfigurations`.
-- `modules/hosts/<name>/default.nix` defines one top-level `flake.modules.nixos.<host>` module and assembles that machine by importing reusable features, user modules, and host-local helpers.
-- `modules/hosts/<name>/_*.nix` are private host-local helper modules such as hardware and disk layout files.
-- `modules/users/<name>.nix` defines one reusable NixOS user module and the baseline Home Manager imports for that account.
-- `modules/features/*.nix` contains reusable NixOS and Home Manager feature modules.
-- `modules/features/<feature>/default.nix` is used when a feature needs private helper files, for example `niri/_bindings.nix`.
-- `modules/features/services/*.nix` contains reusable service-oriented NixOS modules.
-- `modules/secrets/sops.nix` wires `sops-nix` for both NixOS and Home Manager.
-- `modules/secrets/secrets.yaml` stores encrypted secrets, with `.sops.yaml` defining SOPS creation rules.
-- `modules/_treefmt.nix` configures repository formatting.
-
-Keep host files thin. Shared behavior belongs in `modules/features/` or `modules/users/`. Host files should mainly compose imports and hold host-only settings such as monitor layouts, hardware quirks, boot tweaks, and machine-local firewall or service choices.
-
-## Mental Model
-This repo is direct module composition around `flake.modules`, not the old inventory-driven dendritic design.
-
-- Reusable building blocks are exposed as `flake.modules.nixos.<name>` and `flake.modules.homeManager.<name>`.
-- Host modules are the composition root. They import the reusable NixOS modules they need, enable Home Manager, and add any host-specific Home Manager imports inline.
-- User modules define the Unix user plus that account’s baseline Home Manager setup.
-- There is no `config.repo`, inventory schema, profiles layer, or attachment builder anymore.
-
-In practice:
-
-- Prefer importing a feature module directly over inventing a repo-local option just to toggle it.
-- Put cross-host reusable behavior in `modules/features/`.
-- Put account-specific defaults in `modules/users/`.
-- Keep private helper files `_`-prefixed so `import-tree` does not expose them as top-level modules.
-- Match the existing split between NixOS composition in host modules and Home Manager composition in user or host modules.
-
-## Current Host Composition
-There are three exported hosts:
-
-- `orion`: server-oriented host with `kiri`, SOPS, and service modules such as Caddy, Gitea, Vaultwarden, Radicale, Actual, and OpenSSH.
-- `polaris`: graphical desktop host with `kiri` and `ergon`, hardware imports, Niri, Steam, local desktop features, and host-specific monitor layout.
-- `zenith`: graphical laptop host with `kiri` and `ergon`, Niri, laptop hardware support, firmware updates, and host-specific monitor layout.
-
-When adjusting user-facing software, check whether it belongs in:
-
-- a user baseline in `modules/users/<name>.nix`
-- a reusable Home Manager feature in `modules/features/*.nix`
-- a host-local extension inside `modules/hosts/<name>/default.nix`
-
-Be careful not to move host-specific Home Manager imports into a user baseline unless that behavior should apply on every host that imports that user module.
-
-## Validation And Development Commands
-Run commands from the repository root.
-
-- `nix build --no-link --show-trace .#nixosConfigurations.<host>.config.system.build.toplevel`: baseline validation for one host.
-- `nix build --no-link --show-trace .#nixosConfigurations.orion.config.system.build.toplevel .#nixosConfigurations.polaris.config.system.build.toplevel .#nixosConfigurations.zenith.config.system.build.toplevel`: validate all defined hosts in one invocation.
-- `nixos-rebuild build --flake .#<host>`: use when you specifically want `nixos-rebuild` semantics without activation.
-- `nix eval --json .#nixosConfigurations.<host>.config.<option>`: inspect a single evaluated option while iterating.
-- `nix fmt`: format the repository using the flake-provided formatter from `modules/_treefmt.nix`.
-- `nix store diff-closures <old> <new>`: compare built system closures when reviewing refactors for parity or regressions.
-
-This repo does not define a first-party `checks` output. Validation is primarily host builds plus targeted `nix eval` checks.
-
-## Coding Style & Naming Conventions
-Use two-space indentation and standard Nix attrset formatting. Prefer small `let` bindings, lowerCamelCase local names, and lowercase file names.
-
-- Define reusable modules as `flake.modules.nixos.<name>` or `flake.modules.homeManager.<name>`.
-- Keep one obvious feature per file or directory.
-- Use `default.nix` only when the feature needs private helper files alongside it.
-- Match surrounding style instead of reformatting unrelated code.
-- Prefer explicit host imports over hidden indirection.
-
-## Commit
-Follow the existing history style: short imperative subjects, optionally with a conventional prefix, for example `refactor: simplify host composition`.
-
-## Security & Configuration Tips
-Never commit plaintext secrets. Add or update secrets through `modules/secrets/secrets.yaml` and reference them via `config.sops.secrets.<name>.path`.
-
-Be explicit and cautious with changes to:
-
-- firewall and OpenSSH settings
-- disk layout and boot configuration
-- SOPS key handling and admin user access
-- firmware, hardware, and authentication settings
-- host-vs-user module boundaries, because it is easy to accidentally broaden behavior to the wrong machines
diff --git a/modules/features/bitwarden.nix b/modules/features/bitwarden.nix
index 95854a1..d47cdda 100644
--- a/modules/features/bitwarden.nix
+++ b/modules/features/bitwarden.nix
@@ -1,12 +1,22 @@
 { ... }:
 {
   flake.modules.homeManager.bitwarden =
-    { pkgs, ... }:
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    let
+      user = config.meta.user;
+      primaryEmail = builtins.head (lib.filter (email: email.primary) (builtins.attrValues user.emails));
+    in
     {
       programs.rbw = {
         enable = true;
         settings = {
           base_url = "https://vault.jelles.net";
+          email = primaryEmail.address;
           pinentry = pkgs.pinentry-gnome3;
         };
       };
diff --git a/modules/features/desktop-base.nix b/modules/features/desktop-base.nix
index b5e381e..89d6444 100644
--- a/modules/features/desktop-base.nix
+++ b/modules/features/desktop-base.nix
@@ -1,15 +1,29 @@
-{ inputs, config, ... }:
+{ config, ... }:
 let
   nixosModules = config.flake.modules.nixos;
 in
 {
-  flake.modules.nixos.desktopBase = {
+  flake.modules.nixos."core-base" = {
     imports = [
-      inputs.home-manager.nixosModules.home-manager
+      nixosModules."meta-host"
+      nixosModules."home-manager-base"
       nixosModules.nix
-      nixosModules.systemBase
-      nixosModules.standardBoot
-      nixosModules.regionNl
+      nixosModules."region-nl"
+      nixosModules."sops-host"
+    ];
+  };
+
+  flake.modules.nixos."server-base" = {
+    imports = [
+      nixosModules."core-base"
+      nixosModules.openssh
+    ];
+  };
+
+  flake.modules.nixos."workstation-base" = {
+    imports = [
+      nixosModules."core-base"
+      nixosModules."standard-boot"
       nixosModules.sddm
       nixosModules.niri
       nixosModules.audio
@@ -18,18 +32,19 @@ in
       nixosModules.fonts
       nixosModules.networking
       nixosModules.printing
-      nixosModules.qbittorrentClient
-      nixosModules.sopsHost
+      nixosModules."qbittorrent-client"
     ];
 
-    home-manager = {
-      useGlobalPkgs = true;
-      backupFileExtension = "bak";
-      extraSpecialArgs = { inherit inputs; };
-    };
+    users.mutableUsers = false;
 
-    security.sudo.extraConfig = ''
-      Defaults env_keep+=SSH_AUTH_SOCK
-    '';
+    services.dbus.implementation = "broker";
+
+    programs.nix-ld.enable = true;
+    environment.localBinInPath = true;
+  };
+
+  flake.modules.nixos."portable-host" = {
+    hardware.enableRedistributableFirmware = true;
+    services.fwupd.enable = true;
   };
 }
diff --git a/modules/features/dev-tools.nix b/modules/features/dev-tools.nix
index 9bd1bae..f25f353 100644
--- a/modules/features/dev-tools.nix
+++ b/modules/features/dev-tools.nix
@@ -1,5 +1,5 @@
 {
-  flake.modules.homeManager.devTools =
+  flake.modules.homeManager."dev-tools" =
     { config, ... }:
     {
       home.sessionVariables.CARGO_HOME = "${config.xdg.dataHome}/cargo";
diff --git a/modules/features/email.nix b/modules/features/email.nix
index 23f0718..40a11e9 100644
--- a/modules/features/email.nix
+++ b/modules/features/email.nix
@@ -1,17 +1,23 @@
 { ... }:
 {
   flake.modules.homeManager.email =
-    { config, ... }:
+    {
+      config,
+      lib,
+      ...
+    }:
     let
-      realName = "Jelle Spreeuwenberg";
+      user = config.meta.user;
       mkOffice365Account =
         {
           address,
           primary,
+          ...
         }:
         {
           enable = true;
-          inherit address primary realName;
+          inherit address primary;
+          realName = user.realName;
           userName = address;
           thunderbird = {
             enable = true;
@@ -26,10 +32,12 @@
         {
           address,
           primary,
+          ...
         }:
         {
           enable = true;
-          inherit address primary realName;
+          inherit address primary;
+          realName = user.realName;
           userName = address;
           thunderbird.enable = true;
           imap = {
@@ -45,6 +53,14 @@
             tls.enable = true;
           };
         };
+      mkEmailAccount =
+        email:
+        if email.type == "office365" then
+          mkOffice365Account email
+        else if email.type == "mxrouting" then
+          mkMxrouteAccount email
+        else
+          throw "Unsupported email type `${email.type}` for ${config.home.username}";
     in
     {
       programs.thunderbird = {
@@ -65,35 +81,6 @@
         };
       };
 
-      accounts.email.accounts =
-        if config.home.username == "ergon" then
-          {
-            work = mkOffice365Account {
-              address = "jelle.spreeuwenberg@yookr.org";
-              primary = true;
-            };
-          }
-        else
-          {
-            main = mkMxrouteAccount {
-              address = "mail@jelles.net";
-              primary = true;
-            };
-
-            old = mkMxrouteAccount {
-              address = "mail@jellespreeuwenberg.nl";
-              primary = false;
-            };
-
-            uni = mkOffice365Account {
-              address = "j.spreeuwenberg@student.tue.nl";
-              primary = false;
-            };
-
-            work = mkOffice365Account {
-              address = "jelle.spreeuwenberg@yookr.org";
-              primary = false;
-            };
-          };
+      accounts.email.accounts = lib.mapAttrs (_: mkEmailAccount) user.emails;
     };
 }
diff --git a/modules/features/ergon-workstation.nix b/modules/features/ergon-workstation.nix
new file mode 100644
index 0000000..8d21966
--- /dev/null
+++ b/modules/features/ergon-workstation.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+let
+  homeModules = config.flake.modules.homeManager;
+in
+{
+  flake.modules.homeManager."ergon-workstation" = {
+    imports = [ homeModules.nix ];
+  };
+}
diff --git a/modules/features/git.nix b/modules/features/git.nix
index 9b25437..31f95e3 100644
--- a/modules/features/git.nix
+++ b/modules/features/git.nix
@@ -1,7 +1,15 @@
 { ... }:
 {
   flake.modules.homeManager.git =
-    { ... }:
+    {
+      config,
+      lib,
+      ...
+    }:
+    let
+      user = config.meta.user;
+      primaryEmail = builtins.head (lib.filter (email: email.primary) (builtins.attrValues user.emails));
+    in
     {
       programs.git = {
         enable = true;
@@ -12,6 +20,10 @@
         ];
         settings = {
           init.defaultBranch = "main";
+          user = {
+            name = user.realName;
+            email = primaryEmail.address;
+          };
         };
       };
     };
diff --git a/modules/features/home-manager-base.nix b/modules/features/home-manager-base.nix
new file mode 100644
index 0000000..9dd0f7a
--- /dev/null
+++ b/modules/features/home-manager-base.nix
@@ -0,0 +1,26 @@
+{
+  inputs,
+  config,
+  ...
+}:
+let
+  homeModules = config.flake.modules.homeManager;
+in
+{
+  flake.modules.nixos."home-manager-base" =
+    { ... }:
+    {
+      imports = [ inputs.home-manager.nixosModules.home-manager ];
+
+      home-manager = {
+        useGlobalPkgs = true;
+        backupFileExtension = "bak";
+        extraSpecialArgs = { inherit inputs; };
+        sharedModules = [ homeModules."meta-context" ];
+      };
+
+      security.sudo.extraConfig = ''
+        Defaults env_keep+=SSH_AUTH_SOCK
+      '';
+    };
+}
diff --git a/modules/features/kiri-workstation.nix b/modules/features/kiri-workstation.nix
new file mode 100644
index 0000000..5d7f469
--- /dev/null
+++ b/modules/features/kiri-workstation.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+let
+  homeModules = config.flake.modules.homeManager;
+in
+{
+  flake.modules.homeManager."kiri-workstation" = {
+    imports = [
+      homeModules.nix
+      homeModules.bitwarden
+      homeModules.email
+      homeModules.pim
+      homeModules.mpv
+      homeModules.niri
+      homeModules.clipboard
+      homeModules."local-apps"
+      homeModules."qbittorrent-client"
+      homeModules.vicinae
+      homeModules.xdg
+      homeModules.theme
+      homeModules.noctalia
+    ];
+  };
+}
diff --git a/modules/features/local-apps.nix b/modules/features/local-apps.nix
index 80a91d5..e1344ea 100644
--- a/modules/features/local-apps.nix
+++ b/modules/features/local-apps.nix
@@ -1,5 +1,5 @@
 {
-  flake.modules.homeManager.localApps =
+  flake.modules.homeManager."local-apps" =
     { pkgs, ... }:
     {
       home.sessionVariables.BROWSER = "vivaldi";
diff --git a/modules/features/meta.nix b/modules/features/meta.nix
new file mode 100644
index 0000000..b91cd5e
--- /dev/null
+++ b/modules/features/meta.nix
@@ -0,0 +1,147 @@
+{ lib, ... }:
+let
+  emailType = lib.types.submodule (
+    { ... }:
+    {
+      options = {
+        address = lib.mkOption {
+          type = lib.types.str;
+        };
+
+        primary = lib.mkOption {
+          type = lib.types.bool;
+        };
+
+        type = lib.mkOption {
+          type = lib.types.str;
+        };
+      };
+    }
+  );
+
+  userType = lib.types.submodule (
+    { ... }:
+    {
+      options = {
+        name = lib.mkOption {
+          type = lib.types.str;
+        };
+
+        realName = lib.mkOption {
+          type = lib.types.str;
+        };
+
+        homeDirectory = lib.mkOption {
+          type = lib.types.str;
+        };
+
+        emails = lib.mkOption {
+          type = lib.types.attrsOf emailType;
+        };
+      };
+    }
+  );
+
+  displayModeType = lib.types.submodule (
+    { ... }:
+    {
+      options = {
+        width = lib.mkOption {
+          type = lib.types.int;
+        };
+
+        height = lib.mkOption {
+          type = lib.types.int;
+        };
+
+        refresh = lib.mkOption {
+          type = lib.types.float;
+        };
+      };
+    }
+  );
+
+  displayType = lib.types.submodule (
+    { ... }:
+    {
+      options = {
+        primary = lib.mkOption {
+          type = lib.types.bool;
+          default = false;
+        };
+
+        x = lib.mkOption {
+          type = lib.types.int;
+        };
+
+        y = lib.mkOption {
+          type = lib.types.int;
+        };
+
+        scale = lib.mkOption {
+          type = lib.types.nullOr lib.types.float;
+          default = null;
+        };
+
+        mode = lib.mkOption {
+          type = lib.types.nullOr displayModeType;
+          default = null;
+        };
+      };
+    }
+  );
+
+  hostType = lib.types.submodule (
+    { ... }:
+    {
+      options = {
+        name = lib.mkOption {
+          type = lib.types.str;
+        };
+
+        kind = lib.mkOption {
+          type = lib.types.enum [
+            "server"
+            "workstation"
+          ];
+        };
+
+        traits = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+        };
+
+        displays = lib.mkOption {
+          type = lib.types.attrsOf displayType;
+          default = { };
+        };
+
+        users = lib.mkOption {
+          type = lib.types.attrsOf userType;
+          default = { };
+        };
+      };
+    }
+  );
+in
+{
+  flake.modules.nixos."meta-host" = {
+    options.meta.host = lib.mkOption {
+      type = hostType;
+    };
+  };
+
+  flake.modules.homeManager."meta-context" = {
+    options.meta = {
+      host = lib.mkOption {
+        type = lib.types.nullOr hostType;
+        default = null;
+      };
+
+      user = lib.mkOption {
+        type = lib.types.nullOr userType;
+        default = null;
+      };
+    };
+  };
+}
diff --git a/modules/features/neovim/default.nix b/modules/features/neovim/default.nix
index 4f429d0..fdea638 100644
--- a/modules/features/neovim/default.nix
+++ b/modules/features/neovim/default.nix
@@ -2,10 +2,8 @@
   flake.modules.homeManager.neovim =
     {
       pkgs,
-      lib,
       config,
       inputs,
-      osConfig,
       ...
     }:
     {
@@ -119,8 +117,8 @@
           # Hostname/ConfigDir needed for nixd
           nixdExtras = {
             nixpkgs = "import ${pkgs.path} {}";
-            nixos_options = ''(builtins.getFlake "path://${config.home.homeDirectory}/.config/nixos").nixosConfigurations.${osConfig.networking.hostName}.options'';
-            home_manager_options = ''(builtins.getFlake "path://${config.home.homeDirectory}/.config/nixos").nixosConfigurations.${osConfig.networking.hostName}.options.home-manager.users.type.getSubOptions []'';
+            nixos_options = ''(builtins.getFlake "path://${config.home.homeDirectory}/.config/nixos").nixosConfigurations.${config.meta.host.name}.options'';
+            home_manager_options = ''(builtins.getFlake "path://${config.home.homeDirectory}/.config/nixos").nixosConfigurations.${config.meta.host.name}.options.home-manager.users.type.getSubOptions []'';
           };
 
           # TODO: Put in separate theme file
diff --git a/modules/features/networking.nix b/modules/features/networking.nix
index 943f9bb..e0a970b 100644
--- a/modules/features/networking.nix
+++ b/modules/features/networking.nix
@@ -1,4 +1,12 @@
 {
+  flake.modules.nixos."server-firewall" = {
+    networking = {
+      firewall.enable = true;
+      firewall.allowPing = false;
+      nftables.enable = true;
+    };
+  };
+
   flake.modules.nixos.networking = {
     networking = {
       nftables.enable = true;
diff --git a/modules/features/niri/default.nix b/modules/features/niri/default.nix
index 89ff5f6..453ac48 100644
--- a/modules/features/niri/default.nix
+++ b/modules/features/niri/default.nix
@@ -16,7 +16,32 @@
     };
 
   flake.modules.homeManager.niri =
-    { config, pkgs, ... }:
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    let
+      outputs = lib.mapAttrs (
+        _: display:
+        {
+          position = {
+            x = display.x;
+            y = display.y;
+          };
+        }
+        // lib.optionalAttrs (display.primary or false) {
+          "focus-at-startup" = true;
+        }
+        // lib.optionalAttrs (display ? scale) {
+          inherit (display) scale;
+        }
+        // lib.optionalAttrs (display ? mode) {
+          inherit (display) mode;
+        }
+      ) config.meta.host.displays;
+    in
     {
       home.sessionVariables.NIXOS_OZONE_WL = "1";
 
@@ -34,6 +59,7 @@
       ];
 
       programs.niri.settings = {
+        inherit outputs;
         environment.DISPLAY = ":0";
         spawn-at-startup = [
           { command = [ "xwayland-satellite" ]; }
diff --git a/modules/features/qbittorrent-client.nix b/modules/features/qbittorrent-client.nix
index c037112..cf0b8d5 100644
--- a/modules/features/qbittorrent-client.nix
+++ b/modules/features/qbittorrent-client.nix
@@ -1,12 +1,12 @@
 {
-  flake.modules.nixos.qbittorrentClient = {
+  flake.modules.nixos."qbittorrent-client" = {
     networking.firewall = {
       allowedTCPPorts = [ 43864 ];
       allowedUDPPorts = [ 43864 ];
     };
   };
 
-  flake.modules.homeManager.qbittorrentClient =
+  flake.modules.homeManager."qbittorrent-client" =
     { pkgs, ... }:
     {
       home.packages = [ pkgs.qbittorrent ];
diff --git a/modules/features/region-nl.nix b/modules/features/region-nl.nix
index 3ced96f..e372cf7 100644
--- a/modules/features/region-nl.nix
+++ b/modules/features/region-nl.nix
@@ -1,6 +1,6 @@
 { ... }:
 {
-  flake.modules.nixos.regionNl = {
+  flake.modules.nixos."region-nl" = {
     time.timeZone = "Europe/Amsterdam";
 
     i18n.defaultLocale = "en_US.UTF-8";
diff --git a/modules/features/services/actual.nix b/modules/features/services/actual.nix
index d8aa1cc..a3a8e4e 100644
--- a/modules/features/services/actual.nix
+++ b/modules/features/services/actual.nix
@@ -1,17 +1,25 @@
+{ config, ... }:
+let
+  metaLib = config.meta.lib;
+in
 {
   flake.modules.nixos.actual =
-    { config, ... }:
-    {
-      services.actual = {
-        enable = true;
-        openFirewall = false;
-        settings = {
-          port = 3000;
-          hostname = "127.0.0.1";
+    { lib, ... }:
+    lib.mkMerge [
+      {
+        services.actual = {
+          enable = true;
+          openFirewall = false;
+          settings = {
+            port = 3000;
+            hostname = "127.0.0.1";
+          };
         };
-      };
+      }
 
-      services.caddy.virtualHosts."finance.jelles.net".extraConfig =
-        "reverse_proxy :${toString config.services.actual.settings.port}";
-    };
+      (metaLib.mkCaddyReverseProxy {
+        domain = "finance.jelles.net";
+        port = 3000;
+      })
+    ];
 }
diff --git a/modules/features/services/deluge.nix b/modules/features/services/deluge.nix
index bbfcad5..9c673ef 100644
--- a/modules/features/services/deluge.nix
+++ b/modules/features/services/deluge.nix
@@ -1,5 +1,5 @@
 {
-  flake.modules.nixos.delugeService =
+  flake.modules.nixos."deluge-service" =
     { ... }:
     {
       sops.secrets.deluge-auth-file = { };
@@ -10,7 +10,7 @@
       };
     };
 
-  flake.modules.homeManager.delugeClient =
+  flake.modules.homeManager."deluge-client" =
     { pkgs, ... }:
     {
       home.packages = [ pkgs.deluge ];
diff --git a/modules/features/services/gitea.nix b/modules/features/services/gitea.nix
index 3d3011d..5269957 100644
--- a/modules/features/services/gitea.nix
+++ b/modules/features/services/gitea.nix
@@ -1,28 +1,38 @@
+{ config, ... }:
+let
+  metaLib = config.meta.lib;
+in
 {
   flake.modules.nixos.gitea =
-    { config, ... }:
-    {
-      services.gitea = {
-        enable = true;
+    { lib, ... }:
+    lib.mkMerge [
+      {
+        services.gitea = {
+          enable = true;
 
-        settings = {
-          server = {
-            DOMAIN = "git.jelles.net";
-            ROOT_URL = "https://git.jelles.net/";
-            HTTP_PORT = 3001;
-            HTTP_ADDR = "127.0.0.1";
+          settings = {
+            server = {
+              DOMAIN = "git.jelles.net";
+              ROOT_URL = "https://git.jelles.net/";
+              HTTP_PORT = 3001;
+              HTTP_ADDR = "127.0.0.1";
 
-            START_SSH_SERVER = false;
-            SSH_PORT = 22;
+              START_SSH_SERVER = false;
+              SSH_PORT = 22;
+            };
+
+            service.DISABLE_REGISTRATION = true;
           };
-
-          service.DISABLE_REGISTRATION = true;
         };
-      };
+      }
 
-      services.openssh.settings.AllowUsers = [ "gitea" ];
+      {
+        services.openssh.settings.AllowUsers = [ "gitea" ];
+      }
 
-      services.caddy.virtualHosts."git.jelles.net".extraConfig =
-        "reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}";
-    };
+      (metaLib.mkCaddyReverseProxy {
+        domain = "git.jelles.net";
+        port = 3001;
+      })
+    ];
 }
diff --git a/modules/features/services/openssh.nix b/modules/features/services/openssh.nix
index 63f71d1..7104b40 100644
--- a/modules/features/services/openssh.nix
+++ b/modules/features/services/openssh.nix
@@ -1,17 +1,20 @@
 { ... }:
 {
+  flake.modules.nixos."ssh-agent-auth" = {
+    security.pam = {
+      sshAgentAuth.enable = true;
+      services.sudo.sshAgentAuth = true;
+    };
+  };
+
   flake.modules.nixos.openssh =
     {
       config,
-      hostType ? "desktop",
-      lib,
       ...
     }:
     let
-      isServer = hostType == "server";
-      hostUserNames = builtins.attrNames (
-        lib.filterAttrs (_: user: user.isNormalUser or false) config.users.users
-      );
+      isServer = config.meta.host.kind == "server";
+      hostUserNames = builtins.attrNames config.meta.host.users;
     in
     {
       services.openssh = {
diff --git a/modules/features/services/radicale.nix b/modules/features/services/radicale.nix
index dcac3e6..4d376a0 100644
--- a/modules/features/services/radicale.nix
+++ b/modules/features/services/radicale.nix
@@ -1,27 +1,45 @@
+{ config, ... }:
+let
+  metaLib = config.meta.lib;
+in
 {
   flake.modules.nixos.radicale =
-    { ... }:
-    {
-      services.radicale = {
-        enable = true;
-        settings = {
-          server.hosts = [ "127.0.0.1:5232" ];
+    { lib, ... }:
+    lib.mkMerge [
+      {
+        services.radicale = {
+          enable = true;
+          settings = {
+            server.hosts = [ "127.0.0.1:5232" ];
 
-          auth = {
-            type = "htpasswd";
-            htpasswd_filename = "/var/lib/radicale/users";
-            htpasswd_encryption = "bcrypt";
+            auth = {
+              type = "htpasswd";
+              htpasswd_filename = "/var/lib/radicale/users";
+              htpasswd_encryption = "bcrypt";
+            };
+
+            storage.filesystem_folder = "/var/lib/radicale/collections";
           };
-
-          storage.filesystem_folder = "/var/lib/radicale/collections";
         };
-      };
+      }
 
-      services.caddy.virtualHosts."radicale.jelles.net".extraConfig = ''
-        reverse_proxy :5232 {
-           header_up X-Script-Name /
-           header_up X-Forwarded-For {remote}
-           header_up X-Remote-User {http.auth.user.id}
-        }'';
-    };
+      (metaLib.mkCaddyReverseProxy {
+        domain = "radicale.jelles.net";
+        port = 5232;
+        extraHeaders = [
+          {
+            name = "X-Script-Name";
+            value = "/";
+          }
+          {
+            name = "X-Forwarded-For";
+            value = "{remote}";
+          }
+          {
+            name = "X-Remote-User";
+            value = "{http.auth.user.id}";
+          }
+        ];
+      })
+    ];
 }
diff --git a/modules/features/services/vaultwarden.nix b/modules/features/services/vaultwarden.nix
index 4f56f27..e1168dd 100644
--- a/modules/features/services/vaultwarden.nix
+++ b/modules/features/services/vaultwarden.nix
@@ -1,19 +1,27 @@
+{ config, ... }:
+let
+  metaLib = config.meta.lib;
+in
 {
   flake.modules.nixos.vaultwarden =
-    { config, ... }:
-    {
-      services.vaultwarden = {
-        enable = true;
-        backupDir = "/var/backup/vaultwarden";
-        config = {
-          DOMAIN = "https://vault.jelles.net";
-          SIGNUPS_ALLOWED = false;
-          ROCKET_PORT = 8100;
-          ROCKET_LOG = "critical";
+    { lib, ... }:
+    lib.mkMerge [
+      {
+        services.vaultwarden = {
+          enable = true;
+          backupDir = "/var/backup/vaultwarden";
+          config = {
+            DOMAIN = "https://vault.jelles.net";
+            SIGNUPS_ALLOWED = false;
+            ROCKET_PORT = 8100;
+            ROCKET_LOG = "critical";
+          };
         };
-      };
+      }
 
-      services.caddy.virtualHosts."vault.jelles.net".extraConfig =
-        "reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}";
-    };
+      (metaLib.mkCaddyReverseProxy {
+        domain = "vault.jelles.net";
+        port = 8100;
+      })
+    ];
 }
diff --git a/modules/features/shell.nix b/modules/features/shell.nix
index 8c206a1..9decd42 100644
--- a/modules/features/shell.nix
+++ b/modules/features/shell.nix
@@ -1,4 +1,5 @@
 {
+
   flake.modules.homeManager.shell =
     { lib, config, ... }:
     {
@@ -145,7 +146,10 @@
         };
       };
 
-      programs.eza.enable = true;
+      programs.eza = {
+        enable = true;
+        extraOptions = [ "--group-directories-first" ];
+      };
       programs.fzf = {
         enable = true;
         enableZshIntegration = true;
diff --git a/modules/features/ssh.nix b/modules/features/ssh.nix
index 312329c..e4e4cd4 100644
--- a/modules/features/ssh.nix
+++ b/modules/features/ssh.nix
@@ -1,5 +1,5 @@
 {
-  flake.modules.homeManager.sshClient =
+  flake.modules.homeManager."ssh-client" =
     { config, ... }:
     {
       programs.ssh = {
diff --git a/modules/features/standard-boot.nix b/modules/features/standard-boot.nix
index 031b33e..45ca816 100644
--- a/modules/features/standard-boot.nix
+++ b/modules/features/standard-boot.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
-  flake.modules.nixos.standardBoot =
-    { pkgs, ... }:
+  flake.modules.nixos."standard-boot" =
+    { config, pkgs, ... }:
     {
       boot = {
         loader = {
@@ -10,6 +10,21 @@
             enable = true;
             consoleMode = "auto";
             configurationLimit = 5;
+            extraInstallCommands = ''
+              ENTRIES="${config.boot.loader.efi.efiSysMountPoint}/loader/entries"
+              PROFILES="/nix/var/nix/profiles"
+
+              for file in "$ENTRIES"/nixos-generation-*.conf; do
+                generation=$(${pkgs.coreutils}/bin/basename "$file" | ${pkgs.gnugrep}/bin/grep -o -E '[0-9]+')
+                timestamp=$(${pkgs.coreutils}/bin/stat -c %y "$PROFILES/system-$generation-link" 2>/dev/null | ${pkgs.coreutils}/bin/cut -d. -f1)
+
+                if [ -z "$timestamp" ]; then
+                  timestamp="Unknown Date"
+                fi
+
+                ${pkgs.gnused}/bin/sed -i "s/^version .*/version Generation $generation - $timestamp/" "$file"
+              done
+            '';
           };
         };
 
diff --git a/modules/features/system-base.nix b/modules/features/system-base.nix
deleted file mode 100644
index f9b4b70..0000000
--- a/modules/features/system-base.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{
-  flake.modules.nixos.systemBase = {
-    users.mutableUsers = false;
-
-    services.dbus.implementation = "broker";
-
-    programs.nix-ld.enable = true;
-    environment.localBinInPath = true;
-  };
-}
diff --git a/modules/features/user-base.nix b/modules/features/user-base.nix
index 9074c34..e1f4564 100644
--- a/modules/features/user-base.nix
+++ b/modules/features/user-base.nix
@@ -3,17 +3,17 @@ let
   homeModules = config.flake.modules.homeManager;
 in
 {
-  flake.modules.homeManager.userBase = {
-    imports = with homeModules; [
-      terminal
-      shell
-      neovim
-      sshClient
-      sopsAdmin
-      git
-      devTools
-      podman
-      gemini
+  flake.modules.homeManager."user-base" = {
+    imports = [
+      homeModules.terminal
+      homeModules.shell
+      homeModules.neovim
+      homeModules."ssh-client"
+      homeModules."sops-admin"
+      homeModules.git
+      homeModules."dev-tools"
+      homeModules.podman
+      homeModules.gemini
     ];
   };
 }
diff --git a/modules/hosts/orion/default.nix b/modules/hosts/orion/default.nix
index e44ffa0..9031ae1 100644
--- a/modules/hosts/orion/default.nix
+++ b/modules/hosts/orion/default.nix
@@ -1,45 +1,12 @@
-{
-  inputs,
-  config,
-  ...
-}:
+{ config, ... }:
 let
   nixosModules = config.flake.modules.nixos;
+  metaLib = config.meta.lib;
 in
 {
-  flake.modules.nixos.orion =
+  flake.modules.nixos."orion-admin" =
     { pkgs, ... }:
     {
-      _module.args.hostType = "server";
-
-      imports = [
-        inputs.home-manager.nixosModules.home-manager
-        nixosModules.sopsHost
-        nixosModules.caddy
-        nixosModules.openssh
-        nixosModules.vaultwarden
-        nixosModules.radicale
-        nixosModules.actual
-        nixosModules.gitea
-        nixosModules.kiri
-        ./_hardware.nix
-        ./_disk.nix
-      ];
-
-      system.stateVersion = "24.05";
-
-      home-manager = {
-        useGlobalPkgs = true;
-        backupFileExtension = "bak";
-        extraSpecialArgs = { inherit inputs; };
-      };
-
-      networking.hostName = "orion";
-
-      security.sudo.extraConfig = ''
-        Defaults env_keep+=SSH_AUTH_SOCK
-      '';
-
       users.users.kiri = {
         linger = true;
         openssh.authorizedKeys.keys = [
@@ -50,16 +17,28 @@ in
       environment.systemPackages = [
         pkgs.kitty
       ];
-
-      networking = {
-        firewall.enable = true;
-        firewall.allowPing = false;
-        nftables.enable = true;
-      };
-
-      security.pam = {
-        sshAgentAuth.enable = true;
-        services.sudo.sshAgentAuth = true;
-      };
     };
+
+  flake.modules.nixos.orion = metaLib.mkHost {
+    name = "orion";
+    kind = "server";
+    users = {
+      inherit (metaLib.users) kiri;
+    };
+
+    imports = [
+      nixosModules."server-base"
+      nixosModules.caddy
+      nixosModules."server-firewall"
+      nixosModules."ssh-agent-auth"
+      nixosModules."orion-admin"
+      nixosModules.vaultwarden
+      nixosModules.radicale
+      nixosModules.actual
+      nixosModules.gitea
+      nixosModules."user-kiri"
+      ./_hardware.nix
+      ./_disk.nix
+    ];
+  };
 }
diff --git a/modules/hosts/polaris/default.nix b/modules/hosts/polaris/default.nix
index 16f9a22..cac3f17 100644
--- a/modules/hosts/polaris/default.nix
+++ b/modules/hosts/polaris/default.nix
@@ -5,83 +5,45 @@
 }:
 let
   nixosModules = config.flake.modules.nixos;
-  homeModules = config.flake.modules.homeManager;
+  metaLib = config.meta.lib;
 in
 {
-  flake.modules.nixos.polaris =
-    {
-      config,
-      pkgs,
-      ...
-    }:
-    {
-      _module.args.hostType = "desktop";
+  flake.modules.nixos.polaris = metaLib.mkHost {
+    name = "polaris";
+    kind = "workstation";
 
-      imports = [
-        nixosModules.desktopBase
-        nixosModules.steam
-        nixosModules.kiri
-        nixosModules.ergon
-        ./_hardware.nix
-      ]
-      ++ (with inputs.nixos-hardware.nixosModules; [
-        common-pc
-        common-pc-ssd
-        common-cpu-amd
-        common-gpu-amd
-      ]);
-
-      system.stateVersion = "24.05";
-
-      networking.hostName = "polaris";
-
-      home-manager.users.kiri.imports = with homeModules; [
-        nix
-        bitwarden
-        email
-        pim
-        mpv
-        niri
-        clipboard
-        localApps
-        qbittorrentClient
-        vicinae
-        xdg
-        theme
-        noctalia
-      ];
-
-      home-manager.users.kiri.programs.niri.settings.outputs = {
-        "LG Electronics LG ULTRAGEAR 103NTYT8R290" = {
-          "focus-at-startup" = true;
-          position = {
-            x = 0;
-            y = 0;
-          };
-        };
-
-        "LG Electronics LG ULTRAGEAR 103NTJJ8R332" = {
-          position = {
-            x = 2560;
-            y = 0;
-          };
-        };
+    displays = {
+      "LG Electronics LG ULTRAGEAR 103NTYT8R290" = {
+        primary = true;
+        x = 0;
+        y = 0;
       };
 
-      boot.loader.systemd-boot.extraInstallCommands = ''
-        ENTRIES="${config.boot.loader.efi.efiSysMountPoint}/loader/entries"
-        PROFILES="/nix/var/nix/profiles"
-
-        for file in "$ENTRIES"/nixos-generation-*.conf; do
-          generation=$(${pkgs.coreutils}/bin/basename "$file" | ${pkgs.gnugrep}/bin/grep -o -E '[0-9]+')
-          timestamp=$(${pkgs.coreutils}/bin/stat -c %y "$PROFILES/system-$generation-link" 2>/dev/null | ${pkgs.coreutils}/bin/cut -d. -f1)
-
-          if [ -z "$timestamp" ]; then
-            timestamp="Unknown Date"
-          fi
-
-          ${pkgs.gnused}/bin/sed -i "s/^version .*/version Generation $generation - $timestamp/" "$file"
-        done
-      '';
+      "LG Electronics LG ULTRAGEAR 103NTJJ8R332" = {
+        x = 2560;
+        y = 0;
+      };
     };
+
+    users = {
+      inherit (metaLib.users)
+        ergon
+        kiri
+        ;
+    };
+
+    imports = [
+      nixosModules."workstation-base"
+      nixosModules.steam
+      nixosModules."user-kiri"
+      nixosModules."user-ergon"
+      ./_hardware.nix
+    ]
+    ++ (with inputs.nixos-hardware.nixosModules; [
+      common-pc
+      common-pc-ssd
+      common-cpu-amd
+      common-gpu-amd
+    ]);
+  };
 }
diff --git a/modules/hosts/zenith/default.nix b/modules/hosts/zenith/default.nix
index 02279e2..6e6d7e8 100644
--- a/modules/hosts/zenith/default.nix
+++ b/modules/hosts/zenith/default.nix
@@ -5,59 +5,42 @@
 }:
 let
   nixosModules = config.flake.modules.nixos;
-  homeModules = config.flake.modules.homeManager;
+  metaLib = config.meta.lib;
 in
 {
-  flake.modules.nixos.zenith =
-    { ... }:
-    {
-      _module.args.hostType = "laptop";
+  flake.modules.nixos.zenith = metaLib.mkHost {
+    name = "zenith";
+    kind = "workstation";
+    traits = [ "portable" ];
 
-      imports = [
-        nixosModules.desktopBase
-        nixosModules.kiri
-        nixosModules.ergon
-        ./_hardware.nix
-        inputs.nixos-hardware.nixosModules.lenovo-yoga-7-14ARH7-amdgpu
-      ];
-
-      system.stateVersion = "24.05";
-
-      networking.hostName = "zenith";
-
-      home-manager.users.kiri.imports = with homeModules; [
-        nix
-        bitwarden
-        email
-        pim
-        mpv
-        niri
-        clipboard
-        localApps
-        qbittorrentClient
-        vicinae
-        xdg
-        theme
-        noctalia
-      ];
-
-      home-manager.users.kiri.programs.niri.settings.outputs = {
-        "California Institute of Technology 0x1410 Unknown" = {
-          "focus-at-startup" = true;
-          position = {
-            x = 0;
-            y = 0;
-          };
-          scale = 1.5;
-          mode = {
-            width = 3072;
-            height = 1920;
-            refresh = 120.002;
-          };
+    displays = {
+      "California Institute of Technology 0x1410 Unknown" = {
+        primary = true;
+        x = 0;
+        y = 0;
+        scale = 1.5;
+        mode = {
+          width = 3072;
+          height = 1920;
+          refresh = 120.002;
         };
       };
-
-      hardware.enableRedistributableFirmware = true;
-      services.fwupd.enable = true;
     };
+
+    users = {
+      inherit (metaLib.users)
+        ergon
+        kiri
+        ;
+    };
+
+    imports = [
+      nixosModules."workstation-base"
+      nixosModules."portable-host"
+      nixosModules."user-kiri"
+      nixosModules."user-ergon"
+      ./_hardware.nix
+      inputs.nixos-hardware.nixosModules.lenovo-yoga-7-14ARH7-amdgpu
+    ];
+  };
 }
diff --git a/modules/lib.nix b/modules/lib.nix
new file mode 100644
index 0000000..5cc627c
--- /dev/null
+++ b/modules/lib.nix
@@ -0,0 +1,89 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  mkHost =
+    {
+      name,
+      kind,
+      traits ? [ ],
+      displays ? { },
+      users ? { },
+      imports ? [ ],
+      stateVersion ? "24.05",
+    }:
+    {
+      meta.host = {
+        inherit
+          displays
+          kind
+          name
+          traits
+          users
+          ;
+      };
+
+      inherit imports;
+
+      networking.hostName = name;
+      system.stateVersion = stateVersion;
+    };
+
+  mkCaddyReverseProxy =
+    {
+      domain,
+      port,
+      extraHeaders ? [ ],
+      extraConfigText ? "",
+    }:
+    let
+      headerLines = map (header: "  header_up ${header.name} ${header.value}") extraHeaders;
+      extraConfigLines = map (line: "  ${line}") (
+        lib.filter (line: line != "") (lib.splitString "\n" extraConfigText)
+      );
+      bodyLines = headerLines ++ extraConfigLines;
+      body = lib.concatStringsSep "\n" bodyLines;
+    in
+    {
+      services.caddy.virtualHosts.${domain}.extraConfig =
+        if body == "" then
+          "reverse_proxy :${toString port}"
+        else
+          ''
+            reverse_proxy :${toString port} {
+          ${body}
+            }
+          '';
+    };
+in
+{
+  options.meta.lib.mkHost = lib.mkOption {
+    type = lib.types.raw;
+    description = "Internal host constructor shared between flake-parts modules.";
+    internal = true;
+    readOnly = true;
+  };
+
+  options.meta.lib.mkCaddyReverseProxy = lib.mkOption {
+    type = lib.types.raw;
+    description = "Internal Caddy reverse proxy helper shared between flake-parts modules.";
+    internal = true;
+    readOnly = true;
+  };
+
+  options.meta.lib.users = lib.mkOption {
+    type = lib.types.attrs;
+    description = "Canonical user attrsets shared by host definitions.";
+    internal = true;
+    readOnly = true;
+  };
+
+  config.meta.lib = {
+    inherit
+      mkCaddyReverseProxy
+      mkHost
+      ;
+  };
+}
diff --git a/modules/secrets/sops.nix b/modules/secrets/sops.nix
index 7a7bb09..d046866 100644
--- a/modules/secrets/sops.nix
+++ b/modules/secrets/sops.nix
@@ -6,15 +6,15 @@ let
   sopsAdminKeyPath = "/var/lib/sops/keys.txt";
 in
 {
-  flake.modules.nixos.sopsHost =
+  flake.modules.nixos."sops-host" =
     {
-      hostType ? "desktop",
+      config,
       lib,
       ...
     }:
     let
-      useHostSshKey = hostType == "server";
-      useAdminKeyFile = hostType != "server";
+      useHostSshKey = config.meta.host.kind == "server";
+      useAdminKeyFile = config.meta.host.kind != "server";
       adminKeyDir = builtins.dirOf sopsAdminKeyPath;
     in
     {
@@ -37,7 +37,7 @@ in
       ];
     };
 
-  flake.modules.homeManager.sopsAdmin =
+  flake.modules.homeManager."sops-admin" =
     {
       pkgs,
       ...
diff --git a/modules/users.nix b/modules/users.nix
index 2449752..0db3e07 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -1,78 +1,157 @@
-{ config, ... }:
+{
+  config,
+  lib,
+  ...
+}:
 let
   homeModules = config.flake.modules.homeManager;
 
-  realName = "Jelle Spreeuwenberg";
-
   kiri = {
     name = "kiri";
+    realName = "Jelle Spreeuwenberg";
     homeDirectory = "/home/kiri";
-    gitEmail = "mail@jelles.net";
-    vaultEmail = "mail@jelles.net";
-    extraHomeImports = with homeModules; [ syncthing ];
+    emails = {
+      main = {
+        address = "mail@jelles.net";
+        primary = true;
+        type = "mxrouting";
+      };
+      old = {
+        address = "mail@jellespreeuwenberg.nl";
+        primary = false;
+        type = "mxrouting";
+      };
+      uni = {
+        address = "j.spreeuwenberg@student.tue.nl";
+        primary = false;
+        type = "office365";
+      };
+      work = {
+        address = "jelle.spreeuwenberg@yookr.org";
+        primary = false;
+        type = "office365";
+      };
+    };
   };
 
   ergon = {
     name = "ergon";
+    realName = "Jelle Spreeuwenberg";
     homeDirectory = "/home/ergon";
-    gitEmail = "jelle.spreeuwenberg@yookr.org";
-    vaultEmail = "jelle.spreeuwenberg@yookr.org";
-    extraHomeImports = with homeModules; [ nix ];
-  };
-
-  mkUser =
-    account:
-    {
-      config,
-      hostType ? "desktop",
-      lib,
-      pkgs,
-      ...
-    }:
-    let
-      username = account.name;
-      isServer = hostType == "server";
-    in
-    {
-      sops.secrets = lib.optionalAttrs (!isServer) {
-        "hashed-password-${username}".neededForUsers = true;
-      };
-
-      programs.zsh.enable = true;
-
-      users.users.${username} = {
-        name = username;
-        home = account.homeDirectory;
-        isNormalUser = true;
-        shell = pkgs.zsh;
-        extraGroups = [
-          "wheel"
-          "networkmanager"
-        ];
-      }
-      // lib.optionalAttrs (!isServer) {
-        hashedPasswordFile = config.sops.secrets."hashed-password-${username}".path;
-      };
-
-      home-manager.users.${username} = {
-        home = {
-          inherit username;
-          homeDirectory = account.homeDirectory;
-          stateVersion = "24.05";
-        };
-
-        imports = [ homeModules.userBase ] ++ account.extraHomeImports;
-
-        programs.git.settings.user = {
-          name = realName;
-          email = account.gitEmail;
-        };
-
-        programs.rbw.settings.email = account.vaultEmail;
+    emails = {
+      work = {
+        address = "jelle.spreeuwenberg@yookr.org";
+        primary = true;
+        type = "office365";
       };
     };
+  };
+
+  mkUserModules =
+    {
+      name,
+      extraHomeImports ? [ ],
+    }:
+    let
+      userModuleName = "user-${name}";
+      workstationModuleName = "${name}-workstation";
+    in
+    {
+      nixos =
+        {
+          config,
+          pkgs,
+          ...
+        }:
+        let
+          account = config.meta.host.users.${name};
+          primaryEmails = lib.filter (email: email.primary) (builtins.attrValues account.emails);
+          isWorkstation = config.meta.host.kind == "workstation";
+          hasWorkstationModule = builtins.hasAttr workstationModuleName homeModules;
+        in
+        {
+          assertions = [
+            {
+              assertion = builtins.length primaryEmails == 1;
+              message = "User ${name} must define exactly one primary email entry.";
+            }
+          ];
+
+          programs.zsh.enable = true;
+
+          sops.secrets = lib.optionalAttrs isWorkstation {
+            "hashed-password-${name}".neededForUsers = true;
+          };
+
+          users.users.${name} = {
+            name = account.name;
+            home = account.homeDirectory;
+            isNormalUser = true;
+            shell = pkgs.zsh;
+            extraGroups = [
+              "wheel"
+              "networkmanager"
+            ];
+          }
+          // lib.optionalAttrs isWorkstation {
+            hashedPasswordFile = config.sops.secrets."hashed-password-${name}".path;
+          };
+
+          home-manager.users.${name} = {
+            imports = [
+              homeModules.${userModuleName}
+            ]
+            ++ lib.optionals (isWorkstation && hasWorkstationModule) [
+              homeModules.${workstationModuleName}
+            ];
+            meta = {
+              host = config.meta.host;
+              user = account;
+            };
+          };
+        };
+
+      homeManager =
+        { config, ... }:
+        let
+          account = config.meta.user;
+        in
+        {
+          home = {
+            username = account.name;
+            homeDirectory = account.homeDirectory;
+            stateVersion = "24.05";
+          };
+
+          imports = [
+            homeModules."user-base"
+          ]
+          ++ extraHomeImports;
+        };
+    };
+
+  kiriModules = mkUserModules {
+    name = "kiri";
+    extraHomeImports = [
+      homeModules.syncthing
+    ];
+  };
+
+  ergonModules = mkUserModules {
+    name = "ergon";
+  };
 in
 {
-  flake.modules.nixos.kiri = mkUser kiri;
-  flake.modules.nixos.ergon = mkUser ergon;
+  meta.lib.users = {
+    inherit
+      ergon
+      kiri
+      ;
+  };
+
+  flake.modules.nixos."user-kiri" = kiriModules.nixos;
+  flake.modules.nixos."user-ergon" = ergonModules.nixos;
+
+  flake.modules.homeManager."user-kiri" = kiriModules.homeManager;
+  flake.modules.homeManager."user-ergon" = ergonModules.homeManager;
 }