From 28c8db6cb7c25550ca06bfa1110e012ed3b3d7a5 Mon Sep 17 00:00:00 2001
From: Danilo Reyes <danilo.reyes.251@proton.me>
Date: Mon, 16 Mar 2026 15:49:43 -0600
Subject: [PATCH] split home-manager into their own submodules

---
 .codex/rules/default.rules                  |   2 +
 config/base.nix                             |   2 +
 config/home-manager.nix                     |   1 +
 config/jawz-home.nix                        |  32 ++++++
 config/jawz.nix                             |  23 ----
 docs/constitution.md                        |  11 +-
 docs/playbooks/add-module.md                |   6 +-
 docs/playbooks/split-home-manager.md        |  19 ++++
 docs/reference/index.md                     |  34 +++---
 modules/apps/internet.nix                   |  66 ------------
 modules/apps/internet/home.nix              |  68 ++++++++++++
 modules/apps/internet/nixos.nix             |  19 ++++
 modules/dev/emacs.nix                       |  88 ---------------
 modules/dev/emacs/common.nix                |  44 ++++++++
 modules/dev/emacs/home.nix                  |  61 +++++++++++
 modules/dev/emacs/nixos.nix                 |  16 +++
 modules/dev/javascript.nix                  |  60 -----------
 modules/dev/javascript/common.nix           |  25 +++++
 modules/dev/javascript/home.nix             |  43 ++++++++
 modules/dev/javascript/nixos.nix            |  27 +++++
 modules/dev/nix.nix                         |  60 -----------
 modules/dev/nix/common.nix                  |  45 ++++++++
 modules/dev/nix/home.nix                    |  40 +++++++
 modules/dev/nix/nixos.nix                   |  30 ++++++
 modules/dev/python.nix                      |  66 ------------
 modules/dev/python/common.nix               |  31 ++++++
 modules/dev/python/home.nix                 |  36 +++++++
 modules/dev/python/nixos.nix                |  26 +++++
 modules/home-manager.nix                    |   4 +
 modules/modules.nix                         |   8 ++
 modules/scripts/download.nix                | 112 --------------------
 modules/scripts/download/common.nix         |  25 +++++
 modules/scripts/download/home.nix           |  25 +++++
 modules/scripts/download/nixos.nix          |  95 +++++++++++++++++
 modules/scripts/update-org-agenda-cache.nix |  32 +++---
 modules/shell/multimedia.nix                |  67 ------------
 modules/shell/multimedia/common.nix         |  10 ++
 modules/shell/multimedia/home.nix           |  62 +++++++++++
 modules/shell/multimedia/nixos.nix          |  27 +++++
 modules/shell/{tools.nix => tools/home.nix} | 100 +++++++++--------
 modules/shell/tools/nixos.nix               |  27 +++++
 parts/core.nix                              |  57 ++++++++++
 specs/001-ai-docs/research.md               |   5 +
 43 files changed, 1011 insertions(+), 626 deletions(-)
 create mode 100644 .codex/rules/default.rules
 create mode 100644 config/jawz-home.nix
 create mode 100644 docs/playbooks/split-home-manager.md
 delete mode 100644 modules/apps/internet.nix
 create mode 100644 modules/apps/internet/home.nix
 create mode 100644 modules/apps/internet/nixos.nix
 delete mode 100644 modules/dev/emacs.nix
 create mode 100644 modules/dev/emacs/common.nix
 create mode 100644 modules/dev/emacs/home.nix
 create mode 100644 modules/dev/emacs/nixos.nix
 delete mode 100644 modules/dev/javascript.nix
 create mode 100644 modules/dev/javascript/common.nix
 create mode 100644 modules/dev/javascript/home.nix
 create mode 100644 modules/dev/javascript/nixos.nix
 delete mode 100644 modules/dev/nix.nix
 create mode 100644 modules/dev/nix/common.nix
 create mode 100644 modules/dev/nix/home.nix
 create mode 100644 modules/dev/nix/nixos.nix
 delete mode 100644 modules/dev/python.nix
 create mode 100644 modules/dev/python/common.nix
 create mode 100644 modules/dev/python/home.nix
 create mode 100644 modules/dev/python/nixos.nix
 create mode 100644 modules/home-manager.nix
 delete mode 100644 modules/scripts/download.nix
 create mode 100644 modules/scripts/download/common.nix
 create mode 100644 modules/scripts/download/home.nix
 create mode 100644 modules/scripts/download/nixos.nix
 delete mode 100644 modules/shell/multimedia.nix
 create mode 100644 modules/shell/multimedia/common.nix
 create mode 100644 modules/shell/multimedia/home.nix
 create mode 100644 modules/shell/multimedia/nixos.nix
 rename modules/shell/{tools.nix => tools/home.nix} (53%)
 create mode 100644 modules/shell/tools/nixos.nix

diff --git a/.codex/rules/default.rules b/.codex/rules/default.rules
new file mode 100644
index 0000000..6e4c1b2
--- /dev/null
+++ b/.codex/rules/default.rules
@@ -0,0 +1,2 @@
+prefix_rule(pattern=["deadnix", "-e"], decision="allow")
+prefix_rule(pattern=["nix", "eval"], decision="allow")
diff --git a/config/base.nix b/config/base.nix
index 98e8729..496dff1 100644
--- a/config/base.nix
+++ b/config/base.nix
@@ -26,6 +26,7 @@
     backupFileExtension = "hbckup";
     useUserPackages = true;
     useGlobalPkgs = true;
+    sharedModules = [ ../modules/home-manager.nix ];
     extraSpecialArgs = {
       inherit inputs outputs;
     };
@@ -98,6 +99,7 @@
         "flakes"
         "pipe-operators"
       ];
+      download-buffer-size = 134217728;
       substituters = [
         "${config.my.servers.atticd.url}/nixos"
         "${config.my.servers.atticd.url}/webref"
diff --git a/config/home-manager.nix b/config/home-manager.nix
index 2d9622b..6005b61 100644
--- a/config/home-manager.nix
+++ b/config/home-manager.nix
@@ -21,6 +21,7 @@ let
   };
 in
 {
+  imports = [ ./jawz-home.nix ];
   home.stateVersion = "23.05";
   programs = {
     direnv = {
diff --git a/config/jawz-home.nix b/config/jawz-home.nix
new file mode 100644
index 0000000..44df969
--- /dev/null
+++ b/config/jawz-home.nix
@@ -0,0 +1,32 @@
+{
+  lib,
+  inputs,
+  osConfig,
+  ...
+}:
+let
+  inherit (osConfig.networking) hostName;
+  nixosHosts = inputs.self.lib.getNixosHosts osConfig.my.ips hostName lib;
+  nixosHostsMatch = lib.concatStringsSep " " nixosHosts;
+in
+{
+  home.file.".librewolf/.stignore".source = ../dotfiles/stignore;
+  programs.ssh = lib.mkIf osConfig.my.secureHost {
+    enable = true;
+    enableDefaultConfig = false;
+    matchBlocks = {
+      vps = {
+        hostname = osConfig.my.ips.vps;
+        user = "jawz";
+        port = 3456;
+        identityFile = osConfig.sops.secrets."private_keys/${hostName}".path;
+      };
+      "${nixosHostsMatch}" = {
+        user = "jawz";
+        identityFile = osConfig.sops.secrets."private_keys/${hostName}".path;
+      };
+      "${osConfig.my.servers.gitea.host} github.com gitlab.com bitbucket.org".identityFile =
+        osConfig.sops.secrets."git_private_keys/${hostName}".path;
+    };
+  };
+}
diff --git a/config/jawz.nix b/config/jawz.nix
index fd33b82..e986abf 100644
--- a/config/jawz.nix
+++ b/config/jawz.nix
@@ -6,8 +6,6 @@
 }:
 let
   inherit (config.networking) hostName;
-  nixosHosts = inputs.self.lib.getNixosHosts config.my.ips hostName lib;
-  nixosHostsMatch = lib.concatStringsSep " " nixosHosts;
 in
 {
   sops.secrets = lib.mkIf config.my.secureHost (
@@ -26,27 +24,6 @@ in
       "git_private_keys/${hostName}" = keyConfig "${baseDir}_git";
     }
   );
-  home-manager.users.jawz = {
-    home.file.".librewolf/.stignore".source = ../dotfiles/stignore;
-    programs.ssh = lib.mkIf config.my.secureHost {
-      enable = true;
-      enableDefaultConfig = false;
-      matchBlocks = {
-        vps = {
-          hostname = config.my.ips.vps;
-          user = "jawz";
-          port = 3456;
-          identityFile = config.sops.secrets."private_keys/${hostName}".path;
-        };
-        "${nixosHostsMatch}" = {
-          user = "jawz";
-          identityFile = config.sops.secrets."private_keys/${hostName}".path;
-        };
-        "${config.my.servers.gitea.host} github.com gitlab.com bitbucket.org".identityFile =
-          config.sops.secrets."git_private_keys/${hostName}".path;
-      };
-    };
-  };
   users.users.jawz = {
     uid = 1000;
     linger = true;
diff --git a/docs/constitution.md b/docs/constitution.md
index 6ebec3d..9d67a19 100644
--- a/docs/constitution.md
+++ b/docs/constitution.md
@@ -7,7 +7,7 @@
 
 ## Repository Overview
 - Architecture: Flake-based repo using `flake-parts` with inputs for pkgs (stable/unstable), stylix, home-manager, sops-nix, and service overlays. Common modules are composed through `parts/core.nix` and `parts/hosts.nix`.
-- Module auto-import: `modules/modules.nix` auto-imports `.nix` files under `modules/apps`, `modules/dev`, `modules/scripts`, `modules/servers`, `modules/services`, `modules/shell`, `modules/websites`, and `modules/network`, excluding `librewolf.nix`. Factories live in `modules/factories/` (`mkserver`, `mkscript`), and shared options are in `modules/nix` and `modules/users`.
+- Module auto-import: `modules/modules.nix` auto-imports legacy flat modules under `modules/apps`, `modules/dev`, `modules/scripts`, `modules/servers`, `modules/services`, `modules/shell`, `modules/websites`, and `modules/network`, excluding `librewolf.nix`, and also discovers nested `nixos.nix` files under those trees. `config/base.nix` registers `modules/home-manager.nix` as a Home Manager shared module, which discovers nested `home.nix` files under `modules/` for every Home Manager user. Factories live in `modules/factories/` (`mkserver`, `mkscript`), and shared options are in `modules/nix` and `modules/users`.
 - Hosts and toggles: Host definitions live in `hosts/<name>/configuration.nix` with host-specific toggles in `hosts/<name>/toggles.nix`. The `my` namespace carries toggles for apps/dev/scripts/services/shell, feature flags like `enableProxy` and `enableContainers`, and per-host `interfaces` and `ips` maps.
 - Port assignment: Service ports should live with the service module when the port is intrinsic to a server definition under `modules/servers/`. Miscellaneous or host-specific ports that do not belong to a server module should be centralized in `my.ports` in `modules/modules.nix` and referenced via `config.my.ports.*` (use `toString config.my.ports.*` where a string is required).
 - Main server and proxies: `my.mainServer` selects the host that should serve traffic by default (default `vps`). Reverse proxies use helpers in `parts/core.nix` (`proxy`, `proxyReverse`, `proxyReverseFix`, `proxyReversePrivate`) and pick IPs from `my.ips` plus the hostName/ip set by `mkserver` options. Nginx defaults to `proxyReverse` for any server with `enableProxy = true` unless `useDefaultProxy = false` or the server is listed in the Fix/Private proxy lists.
@@ -30,10 +30,10 @@ config.services = {
 ```
 
 ## Terminology and Naming Standards
-- Module: A Nix module under `modules/<category>/<name>.nix` auto-imported into the system.
+- Module: Prefer a feature directory under `modules/<category>/<name>/` with `nixos.nix` for system concerns and `home.nix` for Home Manager concerns. Legacy flat modules at `modules/<category>/<name>.nix` remain valid during migration.
 - Factory: Shared option constructors in `modules/factories/` (use `mkserver` for server modules, `mkscript` for script units).
 - Options: Settings under the `my` namespace (e.g., `my.services.<service>`, `my.scripts.<script>`).
-- Toggles: Enablement maps in `hosts/<name>/toggles.nix` controlling categories (apps/dev/shell/scripts/services/servers/units) and features (`enableProxy`, `enableContainers`).
+- Toggles: Enablement maps in `hosts/<name>/toggles.nix` controlling categories (apps/dev/shell/scripts/services/servers/units) and features (`enableProxy`, `enableContainers`). Future standalone Home Manager or Darwin homes should mirror that shape in home-specific toggle files instead of embedding Home Manager settings in NixOS modules.
 - Servers: Reverse-proxied services under `modules/servers/`, normally created with `mkserver` options (including `useDefaultProxy` to opt out of default proxyReverse).
 - Websites: Static nginx vhosts under `modules/websites/` (portfolio/blog, mb-report), gated by `my.websites.*.enableProxy`.
 - Scripts: Units defined via `mkscript` with `enable`, `install`, `service`, `users`, `timer`, and `package` fields.
@@ -48,6 +48,8 @@ config.services = {
 
 ## Module Categories and Active Hosts
 - Module categories: apps, dev, scripts, servers, services, shell, websites, network, users, nix. Factories sit in `modules/factories/` and are imported explicitly; patch artifacts live at the repo root in `patches/`.
+- Split-module preference: For categories that need both system and Home Manager behavior, co-locate both surfaces in `modules/<category>/<name>/nixos.nix` and `modules/<category>/<name>/home.nix`. Keep helpers local to that directory only when they are feature-specific; otherwise promote them into shared helpers/factories.
+- User config split: Personal configs may also split across `config/<name>.nix` for NixOS-side account/secrets state and `config/<name>-home.nix` for Home Manager-only state imported from the user home module.
 - Active hosts: `workstation`, `server`, `miniserver`, `galaxy`, `emacs`, `vps`. Host roles and secure status are defined in `hosts/<name>/configuration.nix` and toggles in `hosts/<name>/toggles.nix`.
 
 ## Precedence and Conflict Resolution
@@ -55,7 +57,7 @@ config.services = {
 - Conflict handling steps: identify the divergent rule, cite the source files, decide the authoritative rule per this constitution, update both the source file and the relevant doc, and record the decision and timestamp.
 
 ## Maintenance Triggers and Update Process
-- Triggers: New factory/helper, new module category, new host, new toggle set, new proxy rule, new secret category/file, change to `my.mainServer` or `my.ips`, stylix scheme changes, or new auto-import filters.
+- Triggers: New factory/helper, new module category, new host, new toggle set, new proxy rule, new secret category/file, change to `my.mainServer` or `my.ips`, stylix scheme changes, or new auto-import filters/import trees.
 - Update flow: (1) Amend the relevant module or toggle files; (2) Update `docs/constitution.md` for rules/terminology changes; (3) Update playbooks under `docs/playbooks/` affected by the change; (4) Update `docs/reference/index.md` for navigation paths; (5) Note the decision in `specs/001-ai-docs/research.md` and refresh `quickstart.md` if discoverability shifts.
 - Validation: Confirm discoverability within two clicks (constitution → reference map/playbook), secrets map completeness, and alignment with success criteria SC-001–SC-004.
 
@@ -64,6 +66,7 @@ config.services = {
 - Reference map: `docs/reference/index.md` (paths, hosts, secrets, proxies, stylix)
 - MCP server reference: `docs/reference/mcp-server.md` (tools, invocation, sync checks)
 - Playbook: `docs/playbooks/add-module.md` — add a module in the right category and confirm auto-import.
+- Playbook: `docs/playbooks/split-home-manager.md` — migrate a mixed module into paired `nixos.nix` and `home.nix` files.
 - Playbook: `docs/playbooks/add-server.md` — add a reverse-proxied server via `mkserver` and proxy rules.
 - Playbook: `docs/playbooks/add-script.md` — add a script unit via `mkscript` with install/service/timer options.
 - Playbook: `docs/playbooks/add-host-toggle.md` — add or update host toggle maps under `hosts/<name>/toggles.nix`.
diff --git a/docs/playbooks/add-module.md b/docs/playbooks/add-module.md
index ed3ef6c..c9a3276 100644
--- a/docs/playbooks/add-module.md
+++ b/docs/playbooks/add-module.md
@@ -5,14 +5,14 @@
 - Prerequisites: Identify target host(s) and toggle category; confirm `my.secureHost` if secrets are involved.
 - Inputs: Module name, category (apps/dev/scripts/servers/services/shell/network), required options, secret needs, proxy requirements if server-facing.
 - Steps:
-  1. Choose the category path from `docs/reference/index.md` and create `modules/<category>/<name>.nix` (auto-import picks it up; avoid names filtered out such as `librewolf.nix`).
+  1. Choose the category path from `docs/reference/index.md`. Prefer `modules/<category>/<name>/nixos.nix` plus `modules/<category>/<name>/home.nix` when the feature spans both system and Home Manager; use a legacy flat `modules/<category>/<name>.nix` only for NixOS-only modules or temporary migration work.
   2. Define options under `my.<category>` or reuse factories (`mkserver` for servers, `mkscript` for scripts) instead of hand-rolled patterns.
   3. If the module needs secrets, guard references with `lib.mkIf config.my.secureHost` and map them to the correct secrets file (see secrets map).
   4. For networked services, align host selection with `my.mainServer` and `my.ips`; enable reverse proxy via `enableProxy` when applicable.
   5. Wire toggles for target hosts in `hosts/<host>/toggles.nix`, ensuring users/groups and containers/proxy flags are set.
 - Validation:
-  - Module loads without extra imports (auto-import applies).
+  - Module loads without extra imports (`nixos.nix` and `home.nix` are auto-discovered; legacy flat modules remain supported).
   - Toggle wiring matches intended hosts; secureHost gating present for secrets.
   - Proxy and port choices align with `my.mainServer`, `my.ips`, and firewall rules.
 - Outputs: New module file and updated host toggles if required.
-- References: `docs/constitution.md` (Module Categories, Secrets Map, Main server and proxies), `docs/reference/index.md` (Module Directories, Proxy rules, Secrets Map)
+- References: `docs/constitution.md` (Module Categories, Secrets Map, Main server and proxies), `docs/reference/index.md` (Module Directories, Auto-Import Rules, Proxy rules, Secrets Map)
diff --git a/docs/playbooks/split-home-manager.md b/docs/playbooks/split-home-manager.md
new file mode 100644
index 0000000..9c034f1
--- /dev/null
+++ b/docs/playbooks/split-home-manager.md
@@ -0,0 +1,19 @@
+# Playbook: Split a Mixed Module into NixOS and Home Manager
+
+- Name: Split a feature module into `nixos.nix` and `home.nix`
+- Purpose: Keep category-first organization while separating system concerns from Home Manager concerns for standalone homes and future Darwin usage.
+- Prerequisites: Identify the feature path, current toggle shape under `my.*`, and whether the module has shared helpers that should stay adjacent or move into a factory.
+- Inputs: Existing mixed module path, target category/name, host toggle impact, Home Manager consumers, secrets/proxy requirements.
+- Steps:
+  1. Create `modules/<category>/<name>/nixos.nix` for NixOS-only concerns such as `users.users`, `environment.systemPackages`, `services.*`, `programs.*`, firewall rules, and SOPS-backed system resources.
+  2. Create `modules/<category>/<name>/home.nix` for Home Manager concerns such as `programs.*`, `xdg.*`, `home.file.*`, `services.*` within Home Manager, and per-user shell aliases/config files.
+  3. Keep the toggle namespace aligned across both files so the same feature name remains recognizable. During migration, duplicate the option schema if needed rather than keeping Home Manager logic embedded in the NixOS module.
+  4. If the feature has truly shared logic, extract it into a local helper file within the feature directory or promote it into `modules/factories/` when reused across features.
+  5. Remove the legacy flat module only after the paired files evaluate cleanly and all references are updated.
+- Validation:
+  - `modules/modules.nix` discovers the feature’s `nixos.nix`.
+  - `config/base.nix` registers `modules/home-manager.nix` in `home-manager.sharedModules`, and that loader discovers the feature’s `home.nix`.
+  - System-only settings no longer reference `home-manager.users.*`.
+  - Home Manager settings no longer depend on `osConfig` unless that coupling is intentional and documented.
+- Outputs: Split module directory, retained toggle shape, and updated docs if the feature introduces new structure patterns.
+- References: `docs/constitution.md` (Repository Overview, Terminology and Naming Standards, Maintenance Triggers), `docs/reference/index.md` (Module Directories, Auto-Import Rules)
diff --git a/docs/reference/index.md b/docs/reference/index.md
index 65443b9..7ba88d1 100644
--- a/docs/reference/index.md
+++ b/docs/reference/index.md
@@ -1,24 +1,33 @@
 # Reference Map
 
 ## Module Directories
-- apps → `modules/apps/` (desktop/workstation apps, auto-imported)
-- dev → `modules/dev/` (language toolchains and dev shells, auto-imported)
-- scripts → `modules/scripts/` (script units built via `mkscript`, auto-imported)
-- servers → `modules/servers/` (reverse-proxied services built via `mkserver`)
-- services → `modules/services/` (supporting services like syncthing, wireguard)
-- shell → `modules/shell/` (shell customizations and CLI tooling)
-- websites → `modules/websites/` (static nginx vhosts for portfolio/blog and reports)
-- network → `modules/network/` (networking rules, firewall helpers)
+- apps → `modules/apps/` (desktop/workstation apps; supports legacy flat modules and preferred split feature directories)
+- dev → `modules/dev/` (language toolchains and dev shells; supports legacy flat modules and preferred split feature directories)
+- scripts → `modules/scripts/` (script units built via `mkscript`; supports legacy flat modules and preferred split feature directories)
+- servers → `modules/servers/` (reverse-proxied services built via `mkserver`; supports legacy flat modules and preferred split feature directories)
+- services → `modules/services/` (supporting services like syncthing, wireguard; supports legacy flat modules and preferred split feature directories)
+- shell → `modules/shell/` (shell customizations and CLI tooling; supports legacy flat modules and preferred split feature directories)
+- websites → `modules/websites/` (static nginx vhosts for portfolio/blog and reports; supports legacy flat modules and preferred split feature directories)
+- network → `modules/network/` (networking rules, firewall helpers; supports legacy flat modules and preferred split feature directories)
 - users → `modules/users/` (user-related options)
 - nix → `modules/nix/` (Nix configuration and helpers)
 - factories → `modules/factories/` (`mkserver.nix`, `mkscript.nix` shared helpers)
+- home-manager loader → `modules/home-manager.nix` (discovers nested `home.nix` files under `modules/`)
 ## Root Directories
 - patches → `patches/` (patch artifacts referenced by modules)
 
+## User Config Split
+- System-side user config: `config/<name>.nix` for NixOS user accounts, host secrets, groups, and other OS-owned state.
+- Home-side user config: `config/<name>-home.nix` for Home Manager-only files, shell/program configuration, and per-user match blocks.
+- Current example: `config/jawz.nix` and `config/jawz-home.nix`.
+
 ## Auto-Import Rules
-- Source: `modules/modules.nix` uses `inputs.self.lib.autoImport` to load `.nix` files from module directories.
-- Filter: Excludes `librewolf.nix`; all other `.nix` files in target dirs are loaded automatically.
-- Implication: Place new modules in the correct category directory with a `.nix` filename; no manual import wiring required unless adding a new factory. Patch artifacts under `patches/` are not auto-imported.
+- Source: `modules/modules.nix` uses `inputs.self.lib.autoImport` for legacy flat `.nix` files and `inputs.self.lib.autoImportLeaf` for nested `nixos.nix` files.
+- Home Manager source: `config/base.nix` registers `modules/home-manager.nix` in `home-manager.sharedModules`, and that module uses `inputs.self.lib.autoImportLeaf` to discover nested `home.nix` files anywhere under `modules/`.
+- Filter: Legacy flat auto-import excludes `librewolf.nix`; nested split modules are discovered by exact leaf name (`nixos.nix` or `home.nix`).
+- Preferred layout: `modules/<category>/<name>/nixos.nix` and `modules/<category>/<name>/home.nix`.
+- Migration rule: Legacy flat `modules/<category>/<name>.nix` modules remain supported while features are moved into split directories.
+- Implication: Place new dual-surface modules in a feature directory so NixOS and Home Manager stay adjacent; no manual import wiring is required unless adding a new factory.
 
 ## Hosts and Roles
 - Configs: `hosts/<name>/configuration.nix` with toggles in `hosts/<name>/toggles.nix`.
@@ -58,6 +67,7 @@
 ## Playbooks and Templates
 - Playbook template: `docs/playbooks/template.md`
 - Playbook: `docs/playbooks/add-module.md` — add a module in the right category and confirm auto-import.
+- Playbook: `docs/playbooks/split-home-manager.md` — migrate a mixed module into paired `nixos.nix` and `home.nix` files.
 - Playbook: `docs/playbooks/add-server.md` — add a reverse-proxied server via `mkserver` and proxy rules.
 - Playbook: `docs/playbooks/add-script.md` — add a script unit via `mkscript` with install/service/timer options.
 - Playbook: `docs/playbooks/add-host-toggle.md` — add or update host toggle maps under `hosts/<name>/toggles.nix`.
@@ -69,7 +79,7 @@
 - MCP server reference: `docs/reference/mcp-server.md` (tool catalog, `nixos-mcp` wrapper, invocation, sync-docs)
 
 ## Quick Audit Checklist
-- Module coverage: All categories (apps, dev, scripts, servers, services, shell, websites, network, users, nix) have corresponding entries and auto-import rules; `patches/` is documented as a root directory.
+- Module coverage: All categories (apps, dev, scripts, servers, services, shell, websites, network, users, nix) have corresponding entries and auto-import rules for both legacy flat modules and split `nixos.nix`/`home.nix` modules; `patches/` is documented as a root directory.
 - Host coverage: Active hosts listed with roles and secureHost status; `mainServer` noted.
 - Proxy rules: `enableProxy` usage, proxy helper selection, and `my.ips` mappings documented.
 - Secrets map: Every secrets file and secureHost gating captured; new secret types aligned to file purposes.
diff --git a/modules/apps/internet.nix b/modules/apps/internet.nix
deleted file mode 100644
index d3a4a54..0000000
--- a/modules/apps/internet.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{
-  config,
-  inputs,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  krisp-settings = {
-    libraries = builtins.attrValues {
-      inherit (pkgs.python3Packages)
-        capstone
-        pyelftools
-        ;
-    };
-    flakeIgnore = [
-      "E501" # line too long (82 > 79 characters)
-      "F403" # 'from module import *' used; unable to detect undefined names
-      "F405" # name may be undefined, or defined from star imports: module
-    ];
-  };
-  krisp-patch = builtins.readFile (
-    pkgs.fetchurl {
-      url = "https://pastebin.com/raw/8tQDsMVd";
-      sha256 = "sha256-IdXv0MfRG1/1pAAwHLS2+1NESFEz2uXrbSdvU9OvdJ8=";
-    }
-  );
-  krisp-patcher = pkgs.writers.writePython3Bin "krisp-patcher" krisp-settings krisp-patch;
-in
-{
-  options.my.apps.internet = {
-    enable = lib.mkEnableOption "internet browsers and communication apps";
-    users = lib.mkOption {
-      type = inputs.self.lib.usersOptionType lib;
-      default = config.my.toggleUsers.apps;
-      description = "Users to install internet packages for";
-    };
-  };
-  config = lib.mkIf config.my.apps.internet.enable {
-    home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.apps.internet.users (_user: {
-      programs.librewolf = import ./librewolf.nix;
-    });
-    programs.geary.enable = true;
-    users.users =
-      let
-        packages = builtins.attrValues {
-          # inherit (inputs.zen-browser.packages.x86_64-linux) twilight;
-          inherit krisp-patcher;
-          inherit (pkgs)
-            # thunderbird # email client
-            warp # transfer files with based ppl
-            nextcloud-client # self-hosted google-drive alternative
-            fragments # beautiful torrent client
-            tor-browser # dark web, so dark!
-            telegram-desktop # furry chat
-            nicotine-plus # remember Ares?
-            discord # :3
-            vdhcoapp # video download helper assistant
-            nextcloud-talk-desktop # nextcloud talk client
-            fractal # matrix client
-            ;
-        };
-      in
-      inputs.self.lib.mkUserPackages lib config.my.apps.internet.users packages;
-  };
-}
diff --git a/modules/apps/internet/home.nix b/modules/apps/internet/home.nix
new file mode 100644
index 0000000..ae642ce
--- /dev/null
+++ b/modules/apps/internet/home.nix
@@ -0,0 +1,68 @@
+{
+  config,
+  inputs,
+  lib,
+  osConfig ? null,
+  pkgs,
+  ...
+}:
+let
+  hm = inputs.self.lib.hmModule {
+    inherit
+      config
+      inputs
+      osConfig
+      ;
+    optionPath = [
+      "apps"
+      "internet"
+    ];
+  };
+  cfg = config.my.apps.internet;
+  krisp-settings = {
+    libraries = builtins.attrValues {
+      inherit (pkgs.python3Packages)
+        capstone
+        pyelftools
+        ;
+    };
+    flakeIgnore = [
+      "E501"
+      "F403"
+      "F405"
+    ];
+  };
+  krisp-patch = builtins.readFile (
+    pkgs.fetchurl {
+      url = "https://pastebin.com/raw/8tQDsMVd";
+      sha256 = "sha256-IdXv0MfRG1/1pAAwHLS2+1NESFEz2uXrbSdvU9OvdJ8=";
+    }
+  );
+  krisp-patcher = pkgs.writers.writePython3Bin "krisp-patcher" krisp-settings krisp-patch;
+in
+{
+  options.my.apps.internet.enable = lib.mkEnableOption "internet browsers and communication apps";
+  config = lib.mkMerge [
+    {
+      my.apps.internet.enable = lib.mkDefault hm.enabledByDefault;
+    }
+    (lib.mkIf cfg.enable {
+      programs.librewolf = import ../librewolf.nix;
+      home.packages = builtins.attrValues {
+        inherit krisp-patcher;
+        inherit (pkgs)
+          warp
+          nextcloud-client
+          fragments
+          tor-browser
+          telegram-desktop
+          nicotine-plus
+          discord
+          vdhcoapp
+          nextcloud-talk-desktop
+          fractal
+          ;
+      };
+    })
+  ];
+}
diff --git a/modules/apps/internet/nixos.nix b/modules/apps/internet/nixos.nix
new file mode 100644
index 0000000..124badb
--- /dev/null
+++ b/modules/apps/internet/nixos.nix
@@ -0,0 +1,19 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+{
+  options.my.apps.internet = {
+    enable = lib.mkEnableOption "internet browsers and communication apps";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.apps;
+      description = "Users to install internet packages for";
+    };
+  };
+  config = lib.mkIf config.my.apps.internet.enable {
+    programs.geary.enable = true;
+  };
+}
diff --git a/modules/dev/emacs.nix b/modules/dev/emacs.nix
deleted file mode 100644
index 9c0c67c..0000000
--- a/modules/dev/emacs.nix
+++ /dev/null
@@ -1,88 +0,0 @@
-{
-  config,
-  inputs,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  options.my.emacs = {
-    enable = lib.mkEnableOption "Doom Emacs configuration";
-    users = lib.mkOption {
-      type = inputs.self.lib.usersOptionType lib;
-      default = config.my.toggleUsers.dev;
-      description = "Users to install Emacs packages for";
-    };
-  };
-  config = lib.mkIf config.my.emacs.enable {
-    home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.emacs.users (_user: {
-      xdg.dataFile = {
-        "doom/templates/events.org".source = ../../dotfiles/doom/templates/events.org;
-        "doom/templates/default.org".source = ../../dotfiles/doom/templates/default.org;
-        "doom/templates/programming.org".source = ../../dotfiles/doom/templates/programming.org;
-      };
-      services.lorri.enable = true;
-      programs.${config.my.shell.type}.shellAliases =
-        inputs.self.lib.mergeAliases inputs.self.lib.commonAliases
-          {
-            edit = "emacsclient -t";
-            e = "edit";
-          };
-    });
-    users.users =
-      let
-        packages = builtins.attrValues {
-          inherit (pkgs.xorg) xwininfo;
-          inherit (pkgs)
-            #emacs everywhere
-            xdotool
-            xclip
-            wl-clipboard-rs
-            fd # modern find, faster searches
-            fzf # fuzzy finder! super cool and useful
-            ripgrep # modern grep
-            tree-sitter # code parsing based on symbols and shit, I do not get it
-            graphviz # graphs
-            tetex # export pdf
-            languagetool # proofreader for English
-            # lsps
-            yaml-language-server
-            markdownlint-cli
-            ;
-          inherit (pkgs.nodePackages)
-            vscode-json-languageserver
-            prettier # multi-language linter
-            ;
-        };
-      in
-      inputs.self.lib.mkUserPackages lib config.my.emacs.users packages;
-    services.emacs = {
-      enable = true;
-      defaultEditor = true;
-      package = pkgs.emacsWithDoom {
-        doomDir = ../../dotfiles/doom;
-        doomLocalDir = "/home/${inputs.self.lib.getFirstUser config.my.emacs.users}/.local/share/nix-doom";
-        tangleArgs = "--all config.org";
-        extraPackages =
-          epkgs:
-          let
-            inherit
-              (config.home-manager.users.${inputs.self.lib.getFirstUser config.my.emacs.users}.programs.emacs)
-              extraPackages
-              extraConfig
-              ;
-            extra = extraPackages epkgs;
-            themes = lib.optional config.my.stylix.enable [
-              (epkgs.trivialBuild {
-                pname = "stylix-theme";
-                src = pkgs.writeText "stylix-theme.el" extraConfig;
-                version = "0.1.0";
-                packageRequires = extra;
-              })
-            ];
-          in
-          extra ++ themes;
-      };
-    };
-  };
-}
diff --git a/modules/dev/emacs/common.nix b/modules/dev/emacs/common.nix
new file mode 100644
index 0000000..d1f0c65
--- /dev/null
+++ b/modules/dev/emacs/common.nix
@@ -0,0 +1,44 @@
+{
+  lib,
+  pkgs,
+  stylixEnabled,
+  emacsExtraConfig,
+  emacsExtraPackages,
+}:
+{
+  packages = builtins.attrValues {
+    inherit (pkgs.xorg) xwininfo;
+    inherit (pkgs)
+      xdotool
+      xclip
+      wl-clipboard-rs
+      fd
+      fzf
+      ripgrep
+      tree-sitter
+      graphviz
+      tetex
+      languagetool
+      yaml-language-server
+      markdownlint-cli
+      ;
+    inherit (pkgs.nodePackages)
+      vscode-json-languageserver
+      prettier
+      ;
+  };
+  extraPackages =
+    epkgs:
+    let
+      extra = emacsExtraPackages epkgs;
+      themes = lib.optional stylixEnabled [
+        (epkgs.trivialBuild {
+          pname = "stylix-theme";
+          src = pkgs.writeText "stylix-theme.el" emacsExtraConfig;
+          version = "0.1.0";
+          packageRequires = extra;
+        })
+      ];
+    in
+    extra ++ themes;
+}
diff --git a/modules/dev/emacs/home.nix b/modules/dev/emacs/home.nix
new file mode 100644
index 0000000..4c74781
--- /dev/null
+++ b/modules/dev/emacs/home.nix
@@ -0,0 +1,61 @@
+{
+  config,
+  inputs,
+  lib,
+  osConfig ? null,
+  pkgs,
+  ...
+}:
+let
+  shellType = inputs.self.lib.hmShellType config osConfig;
+  hm = inputs.self.lib.hmModule {
+    inherit
+      config
+      inputs
+      osConfig
+      ;
+    optionPath = [ "emacs" ];
+  };
+  cfg = config.my.emacs;
+  emacs = import ./common.nix {
+    inherit lib pkgs;
+    stylixEnabled = if osConfig == null then false else osConfig.my.stylix.enable;
+    emacsExtraConfig = config.programs.emacs.extraConfig;
+    emacsExtraPackages = config.programs.emacs.extraPackages;
+  };
+in
+{
+  imports = [ inputs.doom-emacs.homeModule ];
+  options.my.emacs.enable = lib.mkEnableOption "Doom Emacs configuration";
+  config = lib.mkMerge [
+    {
+      my.emacs.enable = lib.mkDefault hm.enabledByDefault;
+    }
+    (lib.mkIf cfg.enable {
+      home.packages = emacs.packages;
+      xdg.dataFile = {
+        "doom/templates/events.org".source = ../../../dotfiles/doom/templates/events.org;
+        "doom/templates/default.org".source = ../../../dotfiles/doom/templates/default.org;
+        "doom/templates/programming.org".source = ../../../dotfiles/doom/templates/programming.org;
+      };
+      services = {
+        lorri.enable = true;
+        emacs = {
+          enable = true;
+          defaultEditor = true;
+        };
+      };
+      programs.${shellType}.shellAliases = inputs.self.lib.mergeAliases inputs.self.lib.commonAliases {
+        edit = "emacsclient -t";
+        e = "edit";
+      };
+      programs.doom-emacs = {
+        enable = true;
+        doomDir = ../../../dotfiles/doom;
+        doomLocalDir = "${config.xdg.dataHome}/nix-doom";
+        tangleArgs = "--all config.org";
+        inherit (emacs) extraPackages;
+      };
+    })
+  ];
+}
diff --git a/modules/dev/emacs/nixos.nix b/modules/dev/emacs/nixos.nix
new file mode 100644
index 0000000..7b60bac
--- /dev/null
+++ b/modules/dev/emacs/nixos.nix
@@ -0,0 +1,16 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+{
+  options.my.emacs = {
+    enable = lib.mkEnableOption "Doom Emacs configuration";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.dev;
+      description = "Users to install Emacs packages for";
+    };
+  };
+}
diff --git a/modules/dev/javascript.nix b/modules/dev/javascript.nix
deleted file mode 100644
index 2a79749..0000000
--- a/modules/dev/javascript.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{
-  config,
-  inputs,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  packages = builtins.attrValues {
-    inherit (pkgs) nodejs; # Node.js runtime
-    inherit (pkgs.nodePackages) pnpm; # Fast package manager alternative to npm
-  };
-in
-{
-  options = {
-    my.dev.javascript = {
-      enable = lib.mkEnableOption "Install JavaScript tooling globally";
-      users = lib.mkOption {
-        type = inputs.self.lib.usersOptionType lib;
-        default = config.my.toggleUsers.dev;
-        description = "Users to install JavaScript packages for";
-      };
-    };
-    devShells.javascript = lib.mkOption {
-      type = lib.types.package;
-      default = pkgs.mkShell {
-        inherit packages;
-        name = "javascript-dev-shell";
-        shellHook = ''
-          echo "📦 JavaScript dev environment"
-        '';
-      };
-      description = "JavaScript/Node development shell with npm/pnpm support";
-    };
-  };
-  config = lib.mkMerge [
-    (lib.mkIf config.my.dev.javascript.enable {
-      users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.javascript.users { inherit packages; };
-    })
-    {
-      home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.dev.javascript.users (_user: {
-        xdg.configFile = {
-          "npm/npmrc".source = ../../dotfiles/npmrc;
-          "configstore/update-notifier-npm-check.json".text = builtins.toJSON {
-            optOut = false;
-            lastUpdateCheck = 1646662583446;
-          };
-        };
-      });
-      environment.variables = {
-        NPM_CONFIG_USERCONFIG = "\${XDG_CONFIG_HOME}/npm/npmrc";
-        PNPM_HOME = "\${XDG_DATA_HOME}/pnpm";
-        PATH = [
-          "\${XDG_DATA_HOME}/npm/bin"
-          "\${XDG_DATA_HOME}/pnpm"
-        ];
-      };
-    }
-  ];
-}
diff --git a/modules/dev/javascript/common.nix b/modules/dev/javascript/common.nix
new file mode 100644
index 0000000..d78a429
--- /dev/null
+++ b/modules/dev/javascript/common.nix
@@ -0,0 +1,25 @@
+{ pkgs }:
+let
+  packages = builtins.attrValues {
+    inherit (pkgs) nodejs;
+    inherit (pkgs.nodePackages) pnpm;
+  };
+in
+{
+  inherit packages;
+  devShell = pkgs.mkShell {
+    inherit packages;
+    name = "javascript-dev-shell";
+    shellHook = ''
+      echo "📦 JavaScript dev environment"
+    '';
+  };
+  sessionVariables = {
+    NPM_CONFIG_USERCONFIG = "\${XDG_CONFIG_HOME}/npm/npmrc";
+    PNPM_HOME = "\${XDG_DATA_HOME}/pnpm";
+  };
+  sessionPath = [
+    "\${XDG_DATA_HOME}/npm/bin"
+    "\${XDG_DATA_HOME}/pnpm"
+  ];
+}
diff --git a/modules/dev/javascript/home.nix b/modules/dev/javascript/home.nix
new file mode 100644
index 0000000..95145d0
--- /dev/null
+++ b/modules/dev/javascript/home.nix
@@ -0,0 +1,43 @@
+{
+  config,
+  inputs,
+  lib,
+  osConfig ? null,
+  pkgs,
+  ...
+}:
+let
+  hm = inputs.self.lib.hmModule {
+    inherit
+      config
+      inputs
+      osConfig
+      ;
+    optionPath = [
+      "dev"
+      "javascript"
+    ];
+  };
+  cfg = config.my.dev.javascript;
+  javascript = import ./common.nix { inherit pkgs; };
+in
+{
+  options.my.dev.javascript.enable = lib.mkEnableOption "Install JavaScript tooling globally";
+  config = lib.mkMerge [
+    {
+      my.dev.javascript.enable = lib.mkDefault hm.enabledByDefault;
+    }
+    (lib.mkIf cfg.enable {
+      home.packages = javascript.packages;
+      xdg.configFile = {
+        "npm/npmrc".source = ../../../dotfiles/npmrc;
+        "configstore/update-notifier-npm-check.json".text = builtins.toJSON {
+          optOut = false;
+          lastUpdateCheck = 1646662583446;
+        };
+      };
+      home.sessionVariables = javascript.sessionVariables;
+      home.sessionPath = javascript.sessionPath;
+    })
+  ];
+}
diff --git a/modules/dev/javascript/nixos.nix b/modules/dev/javascript/nixos.nix
new file mode 100644
index 0000000..16022b3
--- /dev/null
+++ b/modules/dev/javascript/nixos.nix
@@ -0,0 +1,27 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  javascript = import ./common.nix { inherit pkgs; };
+in
+{
+  options = {
+    my.dev.javascript = {
+      enable = lib.mkEnableOption "Install JavaScript tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install JavaScript packages for";
+      };
+    };
+    devShells.javascript = lib.mkOption {
+      type = lib.types.package;
+      default = javascript.devShell;
+      description = "JavaScript/Node development shell with npm/pnpm support";
+    };
+  };
+}
diff --git a/modules/dev/nix.nix b/modules/dev/nix.nix
deleted file mode 100644
index fe0f84c..0000000
--- a/modules/dev/nix.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{
-  config,
-  inputs,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  shellType = config.my.shell.type;
-  packages = builtins.attrValues {
-    inherit (pkgs)
-      nixfmt-rfc-style # formatting
-      cachix # binary cache management
-      nixd # language server for Nix
-      deadnix # detext unused/uneeded dependencies
-      statix # linter for Nix expressions
-      mcp-nixos # mcp server
-      ;
-  };
-in
-{
-  options = {
-    my.dev.nix = {
-      enable = lib.mkEnableOption "Install Nix tooling globally";
-      users = lib.mkOption {
-        type = inputs.self.lib.usersOptionType lib;
-        default = config.my.toggleUsers.dev;
-        description = "Users to install Nix packages for";
-      };
-    };
-    devShells.nix = lib.mkOption {
-      type = lib.types.package;
-      default = pkgs.mkShell {
-        inherit packages;
-        name = "nix-dev-shell";
-        shellHook = ''
-          echo "❄️  Nix dev environment"
-        '';
-      };
-      description = "Nix/NixOS development shell with formatter, linter, LSP, and Cachix";
-    };
-  };
-  config = lib.mkIf config.my.dev.nix.enable {
-    users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.nix.users { inherit packages; };
-    home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.dev.nix.users (_user: {
-      programs.${shellType}.shellAliases = inputs.self.lib.mergeAliases inputs.self.lib.commonAliases {
-        nixformat = ''
-          deadnix -e && \
-          nix run nixpkgs#nixfmt-tree && \
-          statix fix
-        '';
-        nix-push-cache = ''
-          nix build $NH_FLAKE#nixosConfigurations.${config.networking.hostName}.config.system.build.toplevel \
-          --print-out-paths --fallback --max-jobs 100 --cores 0 |
-          nix run nixpkgs#attic-client -- push lan:nixos --stdin
-        '';
-      };
-    });
-  };
-}
diff --git a/modules/dev/nix/common.nix b/modules/dev/nix/common.nix
new file mode 100644
index 0000000..c0268b8
--- /dev/null
+++ b/modules/dev/nix/common.nix
@@ -0,0 +1,45 @@
+{
+  pkgs,
+  hostName ? null,
+}:
+let
+  packages = builtins.attrValues {
+    inherit (pkgs)
+      nixfmt-rfc-style
+      cachix
+      nixd
+      deadnix
+      statix
+      mcp-nixos
+      ;
+  };
+in
+{
+  inherit packages;
+  devShell = pkgs.mkShell {
+    inherit packages;
+    name = "nix-dev-shell";
+    shellHook = ''
+      echo "❄️  Nix dev environment"
+    '';
+  };
+  shellAliases = {
+    nixformat = ''
+      deadnix -e && \
+      nix run nixpkgs#nixfmt-tree && \
+      statix fix
+    '';
+  }
+  // (
+    if hostName == null then
+      { }
+    else
+      {
+        nix-push-cache = ''
+          nix build $NH_FLAKE#nixosConfigurations.${hostName}.config.system.build.toplevel \
+          --print-out-paths --fallback --max-jobs 100 --cores 0 |
+          nix run nixpkgs#attic-client -- push lan:nixos --stdin
+        '';
+      }
+  );
+}
diff --git a/modules/dev/nix/home.nix b/modules/dev/nix/home.nix
new file mode 100644
index 0000000..ceba689
--- /dev/null
+++ b/modules/dev/nix/home.nix
@@ -0,0 +1,40 @@
+{
+  config,
+  inputs,
+  lib,
+  osConfig ? null,
+  pkgs,
+  ...
+}:
+let
+  shellType = inputs.self.lib.hmShellType config osConfig;
+  hm = inputs.self.lib.hmModule {
+    inherit
+      config
+      inputs
+      osConfig
+      ;
+    optionPath = [
+      "dev"
+      "nix"
+    ];
+  };
+  cfg = config.my.dev.nix;
+  nix = import ./common.nix {
+    inherit pkgs;
+    hostName = if osConfig == null then null else osConfig.networking.hostName;
+  };
+in
+{
+  options.my.dev.nix.enable = lib.mkEnableOption "Install Nix tooling globally";
+  config = lib.mkMerge [
+    {
+      my.dev.nix.enable = lib.mkDefault hm.enabledByDefault;
+    }
+    (lib.mkIf cfg.enable {
+      home.packages = nix.packages;
+      programs.${shellType}.shellAliases =
+        inputs.self.lib.mergeAliases inputs.self.lib.commonAliases nix.shellAliases;
+    })
+  ];
+}
diff --git a/modules/dev/nix/nixos.nix b/modules/dev/nix/nixos.nix
new file mode 100644
index 0000000..65c6c30
--- /dev/null
+++ b/modules/dev/nix/nixos.nix
@@ -0,0 +1,30 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  nix = import ./common.nix {
+    inherit pkgs;
+    inherit (config.networking) hostName;
+  };
+in
+{
+  options = {
+    my.dev.nix = {
+      enable = lib.mkEnableOption "Install Nix tooling globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Nix packages for";
+      };
+    };
+    devShells.nix = lib.mkOption {
+      type = lib.types.package;
+      default = nix.devShell;
+      description = "Nix/NixOS development shell with formatter, linter, LSP, and Cachix";
+    };
+  };
+}
diff --git a/modules/dev/python.nix b/modules/dev/python.nix
deleted file mode 100644
index 2ea3741..0000000
--- a/modules/dev/python.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{
-  config,
-  inputs,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  python = pkgs.python3.withPackages (
-    ps:
-    builtins.attrValues {
-      inherit (ps)
-        black # Python code formatter
-        editorconfig # follow rules of contributin
-        flake8 # wraper for pyflakes, pycodestyle and mccabe
-        isort # sort Python imports
-        pyflakes # checks source code for errors
-        pylint # bug and style checker for python
-        pytest # tests
-        speedtest-cli # check internet speed from the comand line
-        ;
-    }
-  );
-  packages = builtins.attrValues {
-    inherit python;
-    inherit (pkgs)
-      pipenv # python development workflow for humans
-      pyright # LSP
-      ;
-  };
-in
-{
-  options = {
-    my.dev.python = {
-      enable = lib.mkEnableOption "Install Python tools globally";
-      users = lib.mkOption {
-        type = inputs.self.lib.usersOptionType lib;
-        default = config.my.toggleUsers.dev;
-        description = "Users to install Python packages for";
-      };
-    };
-    devShells.python = lib.mkOption {
-      type = lib.types.package;
-      default = pkgs.mkShell {
-        inherit packages;
-        name = "python-dev-shell";
-        shellHook = ''
-          echo "🐍 Python dev environment"
-          which python
-        '';
-        description = "Python development shell";
-      };
-    };
-  };
-  config = lib.mkMerge [
-    (lib.mkIf config.my.dev.python.enable {
-      users.users = inputs.self.lib.mkUserAttrs lib config.my.dev.python.users { inherit packages; };
-    })
-    {
-      home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.dev.python.users (_user: {
-        xdg.configFile."python/pythonrc".source = ../../dotfiles/pythonrc;
-      });
-      environment.variables.PYTHONSTARTUP = "\${XDG_CONFIG_HOME}/python/pythonrc";
-    }
-  ];
-}
diff --git a/modules/dev/python/common.nix b/modules/dev/python/common.nix
new file mode 100644
index 0000000..cbf79b7
--- /dev/null
+++ b/modules/dev/python/common.nix
@@ -0,0 +1,31 @@
+{ pkgs }:
+let
+  packages = builtins.attrValues {
+    inherit (pkgs)
+      pipenv
+      pyright
+      ;
+    inherit (pkgs.python3Packages)
+      black
+      editorconfig
+      flake8
+      isort
+      pyflakes
+      pylint
+      pytest
+      speedtest-cli
+      ;
+  };
+in
+{
+  inherit packages;
+  devShell = pkgs.mkShell {
+    inherit packages;
+    name = "python-dev-shell";
+    shellHook = ''
+      echo "🐍 Python dev environment"
+      which python
+    '';
+    description = "Python development shell";
+  };
+}
diff --git a/modules/dev/python/home.nix b/modules/dev/python/home.nix
new file mode 100644
index 0000000..b2f2c99
--- /dev/null
+++ b/modules/dev/python/home.nix
@@ -0,0 +1,36 @@
+{
+  config,
+  inputs,
+  lib,
+  osConfig ? null,
+  pkgs,
+  ...
+}:
+let
+  python = import ./common.nix { inherit pkgs; };
+  hm = inputs.self.lib.hmModule {
+    inherit
+      config
+      inputs
+      osConfig
+      ;
+    optionPath = [
+      "dev"
+      "python"
+    ];
+  };
+  cfg = config.my.dev.python;
+in
+{
+  options.my.dev.python.enable = lib.mkEnableOption "Install Python tools globally";
+  config = lib.mkMerge [
+    {
+      my.dev.python.enable = lib.mkDefault hm.enabledByDefault;
+    }
+    (lib.mkIf cfg.enable {
+      home.packages = python.packages;
+      xdg.configFile."python/pythonrc".source = ../../../dotfiles/pythonrc;
+      home.sessionVariables.PYTHONSTARTUP = "\${XDG_CONFIG_HOME}/python/pythonrc";
+    })
+  ];
+}
diff --git a/modules/dev/python/nixos.nix b/modules/dev/python/nixos.nix
new file mode 100644
index 0000000..2716ea6
--- /dev/null
+++ b/modules/dev/python/nixos.nix
@@ -0,0 +1,26 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  python = import ./common.nix { inherit pkgs; };
+in
+{
+  options = {
+    my.dev.python = {
+      enable = lib.mkEnableOption "Install Python tools globally";
+      users = lib.mkOption {
+        type = inputs.self.lib.usersOptionType lib;
+        default = config.my.toggleUsers.dev;
+        description = "Users to install Python packages for";
+      };
+    };
+    devShells.python = lib.mkOption {
+      type = lib.types.package;
+      default = python.devShell;
+    };
+  };
+}
diff --git a/modules/home-manager.nix b/modules/home-manager.nix
new file mode 100644
index 0000000..2b340fc
--- /dev/null
+++ b/modules/home-manager.nix
@@ -0,0 +1,4 @@
+{ inputs, ... }:
+{
+  imports = inputs.self.lib.autoImportLeaf ./. "home.nix";
+}
diff --git a/modules/modules.nix b/modules/modules.nix
index 85f3dc0..83293c6 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -10,13 +10,21 @@ in
 {
   imports =
     inputs.self.lib.autoImport ./apps filterNames
+    ++ inputs.self.lib.autoImportLeaf ./apps "nixos.nix"
     ++ inputs.self.lib.autoImport ./dev filterNames
+    ++ inputs.self.lib.autoImportLeaf ./dev "nixos.nix"
     ++ inputs.self.lib.autoImport ./scripts filterNames
+    ++ inputs.self.lib.autoImportLeaf ./scripts "nixos.nix"
     ++ inputs.self.lib.autoImport ./servers filterNames
+    ++ inputs.self.lib.autoImportLeaf ./servers "nixos.nix"
     ++ inputs.self.lib.autoImport ./services filterNames
+    ++ inputs.self.lib.autoImportLeaf ./services "nixos.nix"
     ++ inputs.self.lib.autoImport ./shell filterNames
+    ++ inputs.self.lib.autoImportLeaf ./shell "nixos.nix"
     ++ inputs.self.lib.autoImport ./websites filterNames
+    ++ inputs.self.lib.autoImportLeaf ./websites "nixos.nix"
     ++ inputs.self.lib.autoImport ./network filterNames
+    ++ inputs.self.lib.autoImportLeaf ./network "nixos.nix"
     ++ [
       ./factories/mkscript.nix
       ./nix/build.nix
diff --git a/modules/scripts/download.nix b/modules/scripts/download.nix
deleted file mode 100644
index 876c41f..0000000
--- a/modules/scripts/download.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-{
-  inputs,
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-{
-  options.my.units = {
-    download.enable = lib.mkEnableOption "media download automation scripts";
-    downloadManga.enable = lib.mkEnableOption "manga download automation";
-  };
-  config =
-    let
-      inherit (inputs.jawz-scripts.packages.x86_64-linux) download;
-      gallerySecretsPath = lib.attrByPath [ "sops" "secrets" "gallery-dl/secrets" "path" ] null config;
-      wrappedDownload =
-        if gallerySecretsPath != null then
-          pkgs.symlinkJoin {
-            name = "download-with-secrets";
-            paths = [ download ];
-            buildInputs = [ pkgs.makeWrapper ];
-            postBuild = ''
-              wrapProgram $out/bin/download --run 'if [ -r "${gallerySecretsPath}" ]; then set -a; source "${gallerySecretsPath}"; set +a; fi'
-            '';
-          }
-        else
-          download;
-    in
-    {
-      home-manager.users.jawz.programs.${config.my.shell.type}.shellAliases =
-        inputs.self.lib.mergeAliases inputs.self.lib.commonAliases
-          {
-            dl = "${wrappedDownload}/bin/download -u jawz -i";
-          };
-      systemd.user = {
-        services =
-          let
-            mkDownloadService = desc: execStartCmd: {
-              restartIfChanged = true;
-              description = "Downloads ${desc}";
-              wantedBy = [ "default.target" ];
-              path = [ pkgs.bash ];
-              serviceConfig = {
-                TimeoutStartSec = 2000;
-                TimeoutStopSec = 2000;
-                Restart = "on-failure";
-                RestartSec = 30;
-                ExecStart = "${wrappedDownload}/bin/download ${execStartCmd}";
-              }
-              // lib.optionalAttrs (gallerySecretsPath != null) {
-                EnvironmentFile = gallerySecretsPath;
-              };
-            };
-          in
-          {
-            tuhmayto = lib.mkIf config.my.units.download.enable (
-              mkDownloadService "tuhmayto stuff" ''
-                -u jawz -i https://x.com/tuhmayto/media \
-                https://www.furaffinity.net/user/tuhmayto/ \
-                https://bsky.app/profile/tumayto.bsky.social''
-            );
-            "download@" = lib.mkIf (config.my.units.download.enable || config.my.units.downloadManga.enable) (
-              mkDownloadService "post from multiple sources" "%I"
-            );
-            "instagram@" = lib.mkIf config.my.units.download.enable (
-              mkDownloadService "post types from instagram" "instagram -u jawz -t %I"
-            );
-          };
-        timers =
-          let
-            downloadTimer = time: delay: {
-              enable = true;
-              description = "Downloads post types from different sites";
-              wantedBy = [ "timers.target" ];
-              timerConfig = {
-                OnCalendar = time;
-                RandomizedDelaySec = delay;
-                Persistent = true;
-              };
-            };
-          in
-          {
-            # "instagram@stories" = lib.mkIf config.my.units.download.enable (
-            #   downloadTimer "*-*-* 12:34:00" 120 // { }
-            # );
-            "download@main" = lib.mkIf config.my.units.download.enable (
-              downloadTimer "*-*-* 06,18:02:00" 30 // { }
-            );
-            "download@push" = lib.mkIf config.my.units.download.enable (downloadTimer "*:0/5" 30 // { });
-            "download@manga" = lib.mkIf config.my.units.downloadManga.enable (
-              downloadTimer "*-*-* 03:08:00" 30 // { }
-            );
-            tuhmayto = lib.mkIf config.my.units.download.enable {
-              enable = true;
-              description = "Downloads tuhmayto stuff";
-              wantedBy = [ "timers.target" ];
-              timerConfig = {
-                OnCalendar = "*:0/10";
-              };
-            };
-          };
-      };
-      my.scripts.download = {
-        enable = lib.mkDefault false;
-        install = true;
-        service = false;
-        name = "download";
-        package = wrappedDownload;
-      };
-    };
-}
diff --git a/modules/scripts/download/common.nix b/modules/scripts/download/common.nix
new file mode 100644
index 0000000..f5075b4
--- /dev/null
+++ b/modules/scripts/download/common.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+}:
+let
+  inherit (inputs.jawz-scripts.packages.x86_64-linux) download;
+  gallerySecretsPath = lib.attrByPath [ "sops" "secrets" "gallery-dl/secrets" "path" ] null config;
+in
+{
+  inherit gallerySecretsPath;
+  wrappedDownload =
+    if gallerySecretsPath != null then
+      pkgs.symlinkJoin {
+        name = "download-with-secrets";
+        paths = [ download ];
+        buildInputs = [ pkgs.makeWrapper ];
+        postBuild = ''
+          wrapProgram $out/bin/download --run 'if [ -r "${gallerySecretsPath}" ]; then set -a; source "${gallerySecretsPath}"; set +a; fi'
+        '';
+      }
+    else
+      download;
+}
diff --git a/modules/scripts/download/home.nix b/modules/scripts/download/home.nix
new file mode 100644
index 0000000..c03374b
--- /dev/null
+++ b/modules/scripts/download/home.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  inputs,
+  lib,
+  osConfig ? null,
+  pkgs,
+  ...
+}:
+let
+  shellType = inputs.self.lib.hmShellType config osConfig;
+  enabled =
+    inputs.self.lib.hmOnlyUser config osConfig "jawz"
+    && (osConfig.my.units.download.enable || osConfig.my.units.downloadManga.enable);
+  download = import ./common.nix {
+    config = if osConfig == null then { } else osConfig;
+    inherit inputs lib pkgs;
+  };
+in
+{
+  config = lib.mkIf enabled {
+    programs.${shellType}.shellAliases = inputs.self.lib.mergeAliases inputs.self.lib.commonAliases {
+      dl = "${download.wrappedDownload}/bin/download -u jawz -i";
+    };
+  };
+}
diff --git a/modules/scripts/download/nixos.nix b/modules/scripts/download/nixos.nix
new file mode 100644
index 0000000..6df8500
--- /dev/null
+++ b/modules/scripts/download/nixos.nix
@@ -0,0 +1,95 @@
+{
+  inputs,
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  download = import ./common.nix {
+    inherit
+      config
+      inputs
+      lib
+      pkgs
+      ;
+  };
+in
+{
+  options.my.units = {
+    download.enable = lib.mkEnableOption "media download automation scripts";
+    downloadManga.enable = lib.mkEnableOption "manga download automation";
+  };
+  config = {
+    systemd.user = {
+      services =
+        let
+          mkDownloadService = desc: execStartCmd: {
+            restartIfChanged = true;
+            description = "Downloads ${desc}";
+            wantedBy = [ "default.target" ];
+            path = [ pkgs.bash ];
+            serviceConfig = {
+              TimeoutStartSec = 2000;
+              TimeoutStopSec = 2000;
+              Restart = "on-failure";
+              RestartSec = 30;
+              ExecStart = "${download.wrappedDownload}/bin/download ${execStartCmd}";
+            }
+            // lib.optionalAttrs (download.gallerySecretsPath != null) {
+              EnvironmentFile = download.gallerySecretsPath;
+            };
+          };
+        in
+        {
+          tuhmayto = lib.mkIf config.my.units.download.enable (
+            mkDownloadService "tuhmayto stuff" ''
+              -u jawz -i https://x.com/tuhmayto/media \
+              https://www.furaffinity.net/user/tuhmayto/ \
+              https://bsky.app/profile/tumayto.bsky.social''
+          );
+          "download@" = lib.mkIf (config.my.units.download.enable || config.my.units.downloadManga.enable) (
+            mkDownloadService "post from multiple sources" "%I"
+          );
+          "instagram@" = lib.mkIf config.my.units.download.enable (
+            mkDownloadService "post types from instagram" "instagram -u jawz -t %I"
+          );
+        };
+      timers =
+        let
+          downloadTimer = time: delay: {
+            enable = true;
+            description = "Downloads post types from different sites";
+            wantedBy = [ "timers.target" ];
+            timerConfig = {
+              OnCalendar = time;
+              RandomizedDelaySec = delay;
+              Persistent = true;
+            };
+          };
+        in
+        {
+          "download@main" = lib.mkIf config.my.units.download.enable (
+            downloadTimer "*-*-* 06,18:02:00" 30 // { }
+          );
+          "download@push" = lib.mkIf config.my.units.download.enable (downloadTimer "*:0/5" 30 // { });
+          "download@manga" = lib.mkIf config.my.units.downloadManga.enable (
+            downloadTimer "*-*-* 03:08:00" 30 // { }
+          );
+          tuhmayto = lib.mkIf config.my.units.download.enable {
+            enable = true;
+            description = "Downloads tuhmayto stuff";
+            wantedBy = [ "timers.target" ];
+            timerConfig.OnCalendar = "*:0/10";
+          };
+        };
+    };
+    my.scripts.download = {
+      enable = lib.mkDefault false;
+      install = true;
+      service = false;
+      name = "download";
+      package = download.wrappedDownload;
+    };
+  };
+}
diff --git a/modules/scripts/update-org-agenda-cache.nix b/modules/scripts/update-org-agenda-cache.nix
index ef6b814..72c3e30 100644
--- a/modules/scripts/update-org-agenda-cache.nix
+++ b/modules/scripts/update-org-agenda-cache.nix
@@ -1,21 +1,27 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
 }:
 {
-  config.my.scripts.update-org-agenda-cache = {
-    enable = lib.mkDefault false;
-    install = config.my.emacs.enable;
-    service = config.my.emacs.enable;
-    name = "update-org-agenda-cache";
-    timer = "*:0/30";
-    description = "runs a function which builds a cache file.";
-    package = pkgs.writeScriptBin "update-org-agenda-cache" ''
-      #!/usr/bin/env nix-shell
-      #! nix-shell -i bash -p bash
-      ${config.services.emacs.package}/bin/emacsclient --eval '(my/update-org-agenda-cache)'
-    '';
-  };
+  config.my.scripts.update-org-agenda-cache =
+    let
+      user = inputs.self.lib.getFirstUser config.my.emacs.users;
+      emacsPackage = config.home-manager.users.${user}.programs.doom-emacs.finalEmacsPackage;
+    in
+    {
+      enable = lib.mkDefault false;
+      install = config.my.emacs.enable;
+      service = config.my.emacs.enable;
+      name = "update-org-agenda-cache";
+      timer = "*:0/30";
+      description = "runs a function which builds a cache file.";
+      package = pkgs.writeScriptBin "update-org-agenda-cache" ''
+        #!/usr/bin/env nix-shell
+        #! nix-shell -i bash -p bash
+        ${emacsPackage}/bin/emacsclient --eval '(my/update-org-agenda-cache)'
+      '';
+    };
 }
diff --git a/modules/shell/multimedia.nix b/modules/shell/multimedia.nix
deleted file mode 100644
index 4c3a391..0000000
--- a/modules/shell/multimedia.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{
-  config,
-  inputs,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  options.my.shell.multimedia = {
-    enable = lib.mkEnableOption "multimedia CLI tools and codecs";
-    users = lib.mkOption {
-      type = inputs.self.lib.usersOptionType lib;
-      default = config.my.toggleUsers.shell;
-      description = "Users to install multimedia shell tools for";
-    };
-  };
-  config = lib.mkIf (config.my.shell.multimedia.enable && config.my.secureHost) {
-    sops.secrets."gallery-dl/secrets" =
-      let
-        user = inputs.self.lib.getFirstUser config.my.shell.multimedia.users;
-      in
-      {
-        sopsFile = ../../secrets/gallery.yaml;
-        owner = user;
-        mode = "0400";
-      };
-    home-manager.users =
-      inputs.self.lib.mkHomeManagerUsers lib config.my.shell.multimedia.users
-        (user: {
-          programs = {
-            yt-dlp = {
-              enable = true;
-              settings = {
-                embed-thumbnail = true;
-                embed-subs = true;
-                sub-langs = "all";
-                cookies-from-browser = "firefox+gnomekeyring:/home/${user}/.librewolf/${user}";
-              };
-            };
-            gallery-dl = {
-              enable = true;
-              settings = inputs.self.lib.importDotfile ../../dotfiles/gallery-dl.nix;
-            };
-            ${config.my.shell.type} = {
-              initExtra = lib.mkAfter ''
-                if [ -r "${config.sops.secrets."gallery-dl/secrets".path}" ]; then
-                  set -a  # automatically export all variables
-                  source "${config.sops.secrets."gallery-dl/secrets".path}"
-                  set +a  # stop automatically exporting
-                fi
-              '';
-            };
-          };
-        });
-    users.users =
-      let
-        packages = builtins.attrValues {
-          inherit (pkgs)
-            ffmpeg # not ffmpreg, the coolest video conversion tool!
-            imagemagick # photoshop what??
-            ffpb # make ffmpeg encoding... a bit fun
-            ;
-        };
-      in
-      inputs.self.lib.mkUserPackages lib config.my.shell.multimedia.users packages;
-  };
-}
diff --git a/modules/shell/multimedia/common.nix b/modules/shell/multimedia/common.nix
new file mode 100644
index 0000000..90b15d3
--- /dev/null
+++ b/modules/shell/multimedia/common.nix
@@ -0,0 +1,10 @@
+{ pkgs }:
+{
+  packages = builtins.attrValues {
+    inherit (pkgs)
+      ffmpeg
+      imagemagick
+      ffpb
+      ;
+  };
+}
diff --git a/modules/shell/multimedia/home.nix b/modules/shell/multimedia/home.nix
new file mode 100644
index 0000000..fb9af1b
--- /dev/null
+++ b/modules/shell/multimedia/home.nix
@@ -0,0 +1,62 @@
+{
+  config,
+  inputs,
+  lib,
+  osConfig ? null,
+  pkgs,
+  ...
+}:
+let
+  shellType = inputs.self.lib.hmShellType config osConfig;
+  hm = inputs.self.lib.hmModule {
+    inherit
+      config
+      inputs
+      osConfig
+      ;
+    optionPath = [
+      "shell"
+      "multimedia"
+    ];
+  };
+  cfg = config.my.shell.multimedia;
+  multimedia = import ./common.nix { inherit pkgs; };
+in
+{
+  options.my.shell.multimedia.enable = lib.mkEnableOption "multimedia CLI tools and codecs";
+  config = lib.mkMerge [
+    {
+      my.shell.multimedia.enable = lib.mkDefault hm.enabledByDefault;
+    }
+    (lib.mkIf cfg.enable {
+      home.packages = multimedia.packages;
+      programs = {
+        yt-dlp = {
+          enable = true;
+          settings = {
+            embed-thumbnail = true;
+            embed-subs = true;
+            sub-langs = "all";
+            cookies-from-browser = "firefox+gnomekeyring:${config.home.homeDirectory}/.librewolf/${config.home.username}";
+          };
+        };
+        gallery-dl = {
+          enable = true;
+          settings = inputs.self.lib.importDotfile ../../../dotfiles/gallery-dl.nix;
+        };
+        ${shellType}.initExtra = lib.mkAfter (
+          if osConfig == null then
+            ""
+          else
+            ''
+              if [ -r "${osConfig.sops.secrets."gallery-dl/secrets".path}" ]; then
+                set -a
+                source "${osConfig.sops.secrets."gallery-dl/secrets".path}"
+                set +a
+              fi
+            ''
+        );
+      };
+    })
+  ];
+}
diff --git a/modules/shell/multimedia/nixos.nix b/modules/shell/multimedia/nixos.nix
new file mode 100644
index 0000000..c60f5ec
--- /dev/null
+++ b/modules/shell/multimedia/nixos.nix
@@ -0,0 +1,27 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+{
+  options.my.shell.multimedia = {
+    enable = lib.mkEnableOption "multimedia CLI tools and codecs";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.shell;
+      description = "Users to install multimedia shell tools for";
+    };
+  };
+  config = lib.mkIf (config.my.shell.multimedia.enable && config.my.secureHost) {
+    sops.secrets."gallery-dl/secrets" =
+      let
+        user = inputs.self.lib.getFirstUser config.my.shell.multimedia.users;
+      in
+      {
+        sopsFile = ../../../secrets/gallery.yaml;
+        owner = user;
+        mode = "0400";
+      };
+  };
+}
diff --git a/modules/shell/tools.nix b/modules/shell/tools/home.nix
similarity index 53%
rename from modules/shell/tools.nix
rename to modules/shell/tools/home.nix
index eba4f84..0a65da0 100644
--- a/modules/shell/tools.nix
+++ b/modules/shell/tools/home.nix
@@ -3,22 +3,46 @@
   lib,
   pkgs,
   inputs,
+  osConfig ? null,
   ...
 }:
 let
-  shellType = config.my.shell.type;
+  shellType = inputs.self.lib.hmShellType config osConfig;
+  hm = inputs.self.lib.hmModule {
+    inherit
+      config
+      inputs
+      osConfig
+      ;
+    optionPath = [
+      "shell"
+      "tools"
+    ];
+  };
+  cfg = config.my.shell.tools;
 in
 {
-  options.my.shell.tools = {
-    enable = lib.mkEnableOption "shell tools and utilities";
-    users = lib.mkOption {
-      type = inputs.self.lib.usersOptionType lib;
-      default = config.my.toggleUsers.shell;
-      description = "Users to install shell tools for";
-    };
-  };
-  config = lib.mkIf config.my.shell.tools.enable {
-    home-manager.users = inputs.self.lib.mkHomeManagerUsers lib config.my.shell.tools.users (user: {
+  options.my.shell.tools.enable = lib.mkEnableOption "shell tools and utilities";
+  config = lib.mkMerge [
+    {
+      my.shell.tools.enable = lib.mkDefault hm.enabledByDefault;
+    }
+    (lib.mkIf cfg.enable {
+      home.packages = builtins.attrValues {
+        inherit (pkgs)
+          ripgrep
+          dust
+          fd
+          fzf
+          gdu
+          tealdeer
+          trash-cli
+          jq
+          yq
+          smartmontools
+          rmlint
+          ;
+      };
       programs = {
         hstr.enable = true;
         htop = {
@@ -40,12 +64,12 @@ in
           config.pager = "less -FR";
           extraPackages = builtins.attrValues {
             inherit (pkgs.bat-extras)
-              batman # man pages
-              batpipe # piping
-              batgrep # ripgrep
-              batdiff # this is getting crazy!
-              batwatch # probably my next best friend
-              prettybat # trans your sourcecode!
+              batman
+              batpipe
+              batgrep
+              batdiff
+              batwatch
+              prettybat
               ;
           };
         };
@@ -60,7 +84,7 @@ in
             PASSWORD_STORE_NOPAGER = "false";
             PASSWORD_STORE_NOTIFICATIONS = "false";
             PASSWORD_STORE_PARSING = "true";
-            PASSWORD_STORE_PATH = "/home/${user}/.local/share/pass";
+            PASSWORD_STORE_PATH = "${config.home.homeDirectory}/.local/share/pass";
             PASSWORD_STORE_SAFECONTENT = "true";
           };
         };
@@ -93,39 +117,11 @@ in
               fi
             '';
       };
-    });
-    programs = {
-      starship.enable = true;
-      tmux.enable = true;
-      fzf.fuzzyCompletion = true;
-      neovim = {
-        enable = true;
-        vimAlias = true;
+      home.sessionVariables = {
+        HISTFILE = "\${XDG_STATE_HOME}/bash/history";
+        LESSHISTFILE = "-";
+        RIPGREP_CONFIG_PATH = "\${XDG_CONFIG_HOME}/ripgrep/ripgreprc";
       };
-    };
-    users.users =
-      let
-        packages = builtins.attrValues {
-          inherit (pkgs)
-            ripgrep # modern grep
-            dust # rusty du similar to gdu
-            fd # modern find, faster searches
-            fzf # fuzzy finder! super cool and useful
-            gdu # disk-space utility checker, somewhat useful
-            tealdeer # man for retards
-            trash-cli # oop! did not meant to delete that
-            jq # json parser
-            yq # yaml parser
-            smartmontools # check hard drie health
-            rmlint # amazing dupe finder that integrates well with BTRFS
-            ;
-        };
-      in
-      inputs.self.lib.mkUserPackages lib config.my.shell.tools.users packages;
-    environment.variables = {
-      HISTFILE = "\${XDG_STATE_HOME}/bash/history";
-      LESSHISTFILE = "-";
-      RIPGREP_CONFIG_PATH = "\${XDG_CONFIG_HOME}/ripgrep/ripgreprc";
-    };
-  };
+    })
+  ];
 }
diff --git a/modules/shell/tools/nixos.nix b/modules/shell/tools/nixos.nix
new file mode 100644
index 0000000..390bf0d
--- /dev/null
+++ b/modules/shell/tools/nixos.nix
@@ -0,0 +1,27 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+{
+  options.my.shell.tools = {
+    enable = lib.mkEnableOption "shell tools and utilities";
+    users = lib.mkOption {
+      type = inputs.self.lib.usersOptionType lib;
+      default = config.my.toggleUsers.shell;
+      description = "Users to install shell tools for";
+    };
+  };
+  config = lib.mkIf config.my.shell.tools.enable {
+    programs = {
+      starship.enable = true;
+      tmux.enable = true;
+      fzf.fuzzyCompletion = true;
+      neovim = {
+        enable = true;
+        vimAlias = true;
+      };
+    };
+  };
+}
diff --git a/parts/core.nix b/parts/core.nix
index 8dcc530..16e3269 100644
--- a/parts/core.nix
+++ b/parts/core.nix
@@ -55,6 +55,32 @@ in
         |> builtins.attrNames
         |> builtins.filter (file: builtins.match ".*\\.nix" file != null && filterFn file)
         |> map (file: dir + "/${file}");
+      autoImportLeaf =
+        dir: leafName:
+        let
+          visit =
+            current:
+            let
+              entries = builtins.readDir current;
+            in
+            entries
+            |> builtins.attrNames
+            |> map (
+              name:
+              let
+                entryType = entries.${name};
+                path = current + "/${name}";
+              in
+              if entryType == "directory" then
+                visit path
+              else if entryType == "regular" && name == leafName then
+                [ path ]
+              else
+                [ ]
+            )
+            |> builtins.concatLists;
+        in
+        visit dir;
       proxy = locations: {
         inherit locations;
         forceSSL = true;
@@ -252,6 +278,37 @@ in
           }) (inputs.self.lib.normalizeUsers users)
         );
       getFirstUser = users: if builtins.isString users then users else (builtins.head users);
+      hmModule =
+        {
+          config,
+          inputs,
+          osConfig ? null,
+          optionPath,
+        }:
+        let
+          getPath =
+            path: attrs:
+            builtins.foldl' (acc: key: if acc == null then null else acc.${key} or null) attrs path;
+          osCfg = if osConfig == null then null else getPath optionPath osConfig.my;
+          enabledByDefault =
+            if osCfg == null then
+              false
+            else
+              (osCfg.enable or false)
+              && builtins.elem config.home.username (inputs.self.lib.normalizeUsers (osCfg.users or [ ]));
+        in
+        {
+          inherit osCfg enabledByDefault;
+        };
+      hmShellType =
+        config: osConfig:
+        if osConfig == null then
+          if config.programs.bash.enable then "bash" else "zsh"
+        else
+          osConfig.my.shell.type;
+      hmOnlyUser =
+        config: osConfig: user:
+        osConfig != null && config.home.username == user;
       usersOptionType =
         lib:
         lib.mkOptionType {
diff --git a/specs/001-ai-docs/research.md b/specs/001-ai-docs/research.md
index a618a2c..e598ade 100644
--- a/specs/001-ai-docs/research.md
+++ b/specs/001-ai-docs/research.md
@@ -34,3 +34,8 @@
 - **Decision**: Treat `patches/` as a root-level directory (not a module category) and update active hosts to include `vps`.
 - **Rationale**: Repo structure places patches at the root and hosts include `vps`; documentation must reflect actual paths and host inventory.
 - **Alternatives considered**: (a) Move `patches/` under `modules/` (rejected: would change repo layout); (b) Keep `vps` undocumented (rejected: causes host list drift).
+
+## Decision 8 (2026-03-16): Preferred split layout for Home Manager and NixOS modules
+- **Decision**: Support a gradual migration from mixed flat modules to feature directories with paired `nixos.nix` and `home.nix` files, discovered automatically by NixOS and Home Manager import loaders.
+- **Rationale**: Keeps the current category-first browsing model while removing the need to embed Home Manager config inside NixOS modules, which is a cleaner fit for future standalone Home Manager and Darwin hosts.
+- **Alternatives considered**: (a) Keep mixed modules and branch on platform forever (rejected: keeps NixOS/Home Manager tightly coupled); (b) Split into separate top-level `modules/nixos` and `modules/home` trees (rejected: loses adjacency between the two surfaces of a single feature).