nix-home-manager/hosts/vps04_08/home.nix

{ config, pkgs, ... }:

{
  imports = [ ../../home/_home.nix ];

  home.username = "wieerwill";
  home.homeDirectory = "/home/wieerwill";
  programs.home-manager.enable = true;
  home.stateVersion = "25.05";

  # Basic packages
  home.packages = with pkgs; [
    neovim
    git
    curl
    gnupg
    bash-completion
    sops
  ];

  # Harden SSH known_hosts, prevent password auth
  programs.ssh = {
    enable = true;
    extraConfig = ''
      PasswordAuthentication no
      PermitRootLogin no
    '';
  };

  # Optional: Docker CLI tools (remote management only!)
  home.file.".docker/config.json".text = builtins.toJSON {
    detachKeys = "ctrl-e,e";
  };

  # Automatic updates
  systemd.user.services."autoupdate-nix" = {
    Unit = {
      Description = "Regular nix flake update";
    };
    Service = {
      ExecStart = "${pkgs.nix}/bin/nix flake update --commit-lock-file";
    };
    Install.WantedBy = [ "default.target" ];
  };

  # Hardened Bash profile
  programs.bash = {
    enable = true;
    enableCompletion = true;
    initExtra = ''
      set -o errexit
      set -o nounset
      set -o pipefail
    '';
  };


  homeModules = {
    #androidstudio.enable = true;
    #backup.enable = true;
    #chromium.enable = true;
    #design.enable = true;
    #embedded.enable = true;
    fonts.enable = true;
    #git.enable = true;
    #javascript.enable = true;
    #keepass.enable = true;
    #llm.enable  = true;
    #logseq.enable = true;
    #mail.enable = true;
    #obsidian.enable = true;
    #redshift.enable = true;
    secrets.enable = true;
    #security.enable = true;
    #social.enable = true;
    #sway.enable = true;
    #syncthing.enable = true;
    terminal.enable = true;
    #tor.enable = true;
    #vim.enable = true;
    #vpnpia.enable = true;
    #vscode.enable = false;
    #zenbrowser.enable = true;
  };
}