diff --git a/modules/nixos/desktop.nix b/modules/nixos/desktop.nix
new file mode 100644
index 0000000..d2faff1
--- /dev/null
+++ b/modules/nixos/desktop.nix
@@ -0,0 +1,51 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+{
+ options = {
+ desktop = {
+ enable = lib.mkEnableOption "base desktop environment";
+ };
+ };
+
+ config = lib.mkIf config.desktop.enable {
+ # Audio
+ services.pipewire = {
+ enable = true;
+ pulse.enable = true;
+ };
+
+ # Bluetooth
+ hardware.bluetooth.enable = true;
+ services.blueman.enable = true;
+
+ # Security
+ security.polkit.enable = true;
+
+ # D-Bus
+ services.dbus.enable = true;
+
+ # Player control
+ services.playerctld.enable = true;
+
+ # XDG Portals
+ xdg.portal = {
+ enable = true;
+ xdgOpenUsePortal = true;
+ extraPortals = [
+ pkgs.xdg-desktop-portal-wlr
+ pkgs.xdg-desktop-portal-gtk
+ ];
+ };
+
+ # Fonts
+ fonts.packages = with pkgs; [
+ font-awesome
+ nerd-fonts.jetbrains-mono
+ maple-mono.NF
+ ];
+ };
+}
diff --git a/modules/nixos/gnupg.nix b/modules/nixos/gnupg.nix
new file mode 100644
index 0000000..e3cec8a
--- /dev/null
+++ b/modules/nixos/gnupg.nix
@@ -0,0 +1,20 @@
+{
+ lib,
+ config,
+ ...
+}:
+{
+ options = {
+ gnupg = {
+ enable = lib.mkEnableOption "GnuPG agent with SSH support";
+ };
+ };
+
+ config = lib.mkIf config.gnupg.enable {
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ enableExtraSocket = true;
+ };
+ };
+}
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
new file mode 100644
index 0000000..daeb04a
--- /dev/null
+++ b/modules/nixos/openssh.nix
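Review bot: In modules/nixos/desktop.nix, `hardware.bluetooth.enable = true` and `services.blueman.enable = true` are switched on for every host that sets `desktop.enable`, so a desktop that never pairs a device still runs the Bluetooth stack and its applet. A sub-option keeps today's behaviour while letting a host opt out: declare `bluetooth.enable = lib.mkEnableOption "Bluetooth" // { default = true; };` under `desktop`, then set `hardware.bluetooth.enable = config.desktop.bluetooth.enable;` and `services.blueman.enable = config.desktop.bluetooth.enable;`.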
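Review bot: In modules/nixos/gnupg.nix, `enableExtraSocket = true` is not covered by the option description ("GnuPG agent with SSH support") and carries no comment, yet it creates the agent's additional socket on every host that enables the module. As far as I know that socket exists so the agent can be forwarded to other machines, which is presumably what `StreamLocalBindUnlink` in openssh.nix is paired with; hosts that only need local signing and SSH keys do not need it. I would add a comment such as `# extra socket: restricted gpg-agent socket intended for forwarding to remote hosts` and consider putting the line behind its own option.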
@@ -0,0 +1,30 @@
+{
+ lib,
+ config,
+ ...
+}:
+{
+ options = {
+ openssh = {
+ enable = lib.mkEnableOption "hardened SSH server";
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 22;
+ description = "SSH server port";
+ };
+ };
+ };
+
+ config = lib.mkIf config.openssh.enable {
+ services.openssh = {
+ enable = true;
+ ports = [ config.openssh.port ];
+ settings = {
+ PasswordAuthentication = false;
+ AllowUsers = null;
+ PermitRootLogin = "no";
+ StreamLocalBindUnlink = "yes";
+ };
+ };
+ };
+}
diff --git a/modules/nixos/printing.nix b/modules/nixos/printing.nix
new file mode 100644
index 0000000..0b9c49c
--- /dev/null
+++ b/modules/nixos/printing.nix
@@ -0,0 +1,21 @@
+{
+ lib,
+ config,
+ ...
+}:
+{
+ options = {
+ printing = {
+ enable = lib.mkEnableOption "CUPS printing with Avahi discovery";
+ };
+ };
+
+ config = lib.mkIf config.printing.enable {
+ services.printing.enable = true;
+ services.avahi = {
+ enable = true;
+ nssmdns4 = true;
+ openFirewall = true;
+ };
+ };
+}
diff --git a/modules/nixos/zsh.nix b/modules/nixos/zsh.nix
new file mode 100644
index 0000000..039b339
--- /dev/null
+++ b/modules/nixos/zsh.nix
@@ -0,0 +1,19 @@
+{
+ lib,
+ config,
+ ...
+}:
+{
+ options = {
+ zsh = {
+ enable = lib.mkEnableOption "zsh with ZDOTDIR in ~/.config/zsh";
+ };
+ };
+
+ config = lib.mkIf config.zsh.enable {
+ programs.zsh.enable = true;
+ environment.etc."zshenv".text = ''
+ export ZDOTDIR=$HOME/.config/zsh
+ '';
+ };
+}
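Review bot: Password logins may still be reachable through keyboard-interactive/PAM, because the `settings` block in modules/nixos/openssh.nix sets `PasswordAuthentication = false` but leaves `KbdInteractiveAuthentication` at the module default, which as far as I know is enabled in nixpkgs. For a module described as a "hardened SSH server", add `KbdInteractiveAuthentication = false;` next to it. `AllowUsers = null` appears to restate the default and restricts nobody, so either drop it or expose an `openssh.allowUsers` list option and pass that through. `StreamLocalBindUnlink = "yes"` is a relaxation rather than hardening and deserves a comment saying which forwarded socket needs it.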
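Review bot: In modules/nixos/printing.nix, `openFirewall = true` under `services.avahi` opens mDNS (UDP 5353) on every interface of every host that sets `printing.enable`, including laptops that join untrusted networks. If the nixpkgs default still ties `services.printing.browsed.enable` to Avahi being enabled, this change also turns on cups-browsed, which creates queues for printers the network advertises. Unless automatic queues are wanted, set `services.printing.browsed.enable = false;` explicitly. Consider limiting Avahi with `services.avahi.allowInterfaces`, and add a comment stating that the firewall opening is needed for discovery.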
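Review bot: In modules/nixos/zsh.nix, `environment.etc."zshenv".text` defines a file that `programs.zsh.enable` already generates, so the export only takes effect if the two definitions merge, and where it lands in the generated file is not under this module's control. The zsh module has a hook for this, which as far as I know is emitted into /etc/zshenv: `programs.zsh.shellInit = ''export ZDOTDIR="$HOME/.config/zsh"'';`. That keeps the generated header and guards intact and avoids depending on merge order.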