From cc0d2d7b507ca1d3d53324d25b39eb12d8c04eb6 Mon Sep 17 00:00:00 2001
From: Mika Tammi <mika.tammi@unikie.com>
Date: Mon, 4 Mar 2024 17:16:27 +0200
Subject: [PATCH] Refactor module structure into groups of modules

Refactor module structure into specific groups of modules, which
integrate features from other flakes into the ghaf flake:
* common
* desktop
* disko
* host
* jetpack
* jetpack-microvm
* lanzaboote
* polarfire

Also fix targets to use these new module groups, and export them from
flake.

Signed-off-by: Mika Tammi <mika.tammi@unikie.com>
---
 .reuse/dep5                                   |  4 +-
 docs/src/architecture/hardening.md            | 10 +--
 flake.nix                                     |  1 +
 .../{ => common}/boot/systemd-boot-dtb.nix    |  0
 modules/common/common.nix                     | 48 ++++++++++++++
 modules/common/default.nix                    | 19 ++++++
 .../{ => common}/development/debug-tools.nix  |  0
 modules/common/development/default.nix        | 10 +++
 modules/{ => common}/development/nix.nix      |  0
 modules/{ => common}/development/ssh.nix      |  0
 .../{ => common}/development/usb-serial.nix   |  0
 modules/{ => common}/firewall/default.nix     |  0
 .../{ => common}/firewall/kernel-modules.nix  |  0
 modules/common/hardware/default.nix           |  9 +++
 modules/{ => common}/hardware/definition.nix  |  0
 .../lenovo-x1/kernel/guest/test/default.nix   |  0
 .../kernel/guest/test/test-configuration.nix  |  0
 .../hardware/x86_64-generic/default.nix       | 10 +++
 .../configs/ghaf_host_hardened_baseline-x86   |  0
 .../kernel/guest/configs/display-gpu.config   |  0
 .../kernel/guest/configs/guest.config         |  0
 .../x86_64-generic/kernel/guest/default.nix   |  0
 .../x86_64-generic/kernel/hardening.nix       |  0
 .../kernel/host/configs/debug.config          |  0
 .../kernel/host/configs/networking.config     |  0
 .../kernel/host/configs/usb.config            |  0
 .../host/configs/user-input-devices.config    |  0
 .../kernel/host/configs/virtualization.config |  0
 .../x86_64-generic/kernel/host/default.nix    |  2 +-
 .../kernel/host/pkvm/default.nix              |  0
 .../kernel/host/pkvm/test/default.nix         |  0
 .../host/pkvm/test/test-configuration.nix     |  0
 .../kernel/host/test/default.nix              |  0
 .../kernel/host/test/test-configuration.nix   |  0
 .../{ => common}/hardware/x86_64-linux.nix    |  0
 modules/{ => common}/profiles/debug.nix       |  5 --
 modules/common/profiles/default.nix           |  8 +++
 modules/{ => common}/profiles/release.nix     |  0
 .../tpm2.nix => common/tpm2/default.nix}      |  0
 modules/{ => common}/users/accounts.nix       |  0
 modules/{ => common}/version/default.nix      |  0
 .../{ => common}/virtualization/docker.nix    |  0
 ...kvm-enable-pkvm-on-intel-x86-6.1-lts.patch |  0
 modules/default.nix                           | 17 +++++
 modules/desktop/default.nix                   | 12 ++++
 modules/{ => desktop}/graphics/default.nix    |  0
 modules/{ => desktop}/graphics/demo-apps.nix  |  0
 modules/{ => desktop}/graphics/fonts.nix      |  0
 modules/{ => desktop}/graphics/gnome.nix      |  0
 modules/{ => desktop}/graphics/labwc.nix      |  0
 .../{ => desktop}/graphics/waybar.config.nix  |  2 +-
 modules/{ => desktop}/graphics/weston.ini.nix |  2 +-
 modules/{ => desktop}/graphics/weston.nix     |  0
 .../{ => desktop}/graphics/window-manager.nix |  0
 .../{ => desktop}/profiles/applications.nix   |  0
 modules/desktop/profiles/default.nix          |  8 +++
 modules/{ => desktop}/profiles/graphics.nix   |  0
 .../windows-launcher/default.nix              |  2 +-
 .../disko-basic-postboot.nix                  |  0
 .../lenovo-x1-disko-basic.nix                 |  0
 modules/host/default.nix                      | 62 ++++---------------
 .../agx-netvm-wlan-pci-passthrough.nix        |  0
 modules/jetpack-microvm/default.nix           |  8 +++
 .../nx-netvm-ethernet-pci-passthrough.nix     |  0
 .../pci-passthrough-agx-test.patch            |  0
 .../pci-passthrough-nx-test.patch             |  0
 modules/jetpack/default.nix                   | 11 ++++
 .../ghaf_host_hardened_baseline-jetson-orin   |  0
 .../nvidia-jetson-orin/default.nix            |  5 +-
 .../nvidia-jetson-orin/format-module.nix      |  0
 .../nvidia-jetson-orin/jetson-orin.nix        |  0
 .../nvidia-jetson-orin/mk-esp-contents.py     |  0
 .../nvidia-jetson-orin/optee.nix              |  0
 .../nvidia-jetson-orin/ota-utils-fix.nix      |  0
 .../nvidia-jetson-orin/partition-template.nix |  0
 .../pci-passthrough-common.nix                |  0
 .../nvidia-jetson-orin/sdimage.nix            |  0
 .../common/bpmp-virt-common/default.nix       |  0
 ...2-vfio_platform-reset-required-false.patch |  0
 .../patches/0003-bpmp-support-bpmp-virt.patch |  0
 .../patches/0004-bpmp-virt-drivers.patch      |  0
 .../patches/0005-bpmp-overlay.patch           |  0
 .../virtualization/default.nix                |  0
 .../host/bpmp-virt-host/default.nix           |  0
 .../bpmp-virt-host/overlays/qemu/default.nix  |  0
 .../patches/0001-qemu-v8.1.3_bpmp-virt.patch  |  0
 .../patches/0001-bpmp-host-proxy-dts.patch    |  0
 .../patches/0002-bpmp-host-uarta-dts.patch    |  0
 .../host/uarta-host/default.nix               |  0
 modules/jetpack/profiles/debug.nix            | 18 ++++++
 modules/jetpack/profiles/default.nix          |  7 +++
 .../secureboot.nix => lanzaboote/default.nix} |  2 +
 .../demo-secure-boot-keys/GUID                |  0
 .../demo-secure-boot-keys/GUID.license        |  0
 .../demo-secure-boot-keys/files.db            |  0
 .../demo-secure-boot-keys/keys/KEK/KEK.key    |  0
 .../demo-secure-boot-keys/keys/KEK/KEK.pem    |  0
 .../demo-secure-boot-keys/keys/PK/PK.key      |  0
 .../demo-secure-boot-keys/keys/PK/PK.pem      |  0
 .../demo-secure-boot-keys/keys/db/db.key      |  0
 .../demo-secure-boot-keys/keys/db/db.pem      |  0
 .../demo-secure-boot-keys/keys/dbx/dbx.key    |  0
 .../demo-secure-boot-keys/keys/dbx/dbx.pem    |  0
 modules/microvm/default.nix                   | 14 +++++
 modules/{host => microvm}/networking.nix      |  0
 .../virtualization/microvm/appvm.nix          |  5 +-
 .../microvm/common/vm-networking.nix          |  0
 .../virtualization/microvm/guivm.nix          |  7 ++-
 .../virtualization/microvm/microvm-host.nix   |  0
 .../virtualization/microvm/netvm.nix          |  2 +-
 modules/module-list.nix                       | 24 -------
 modules/polarfire/default.nix                 | 10 +++
 .../polarfire/mpfs-nixos-sdimage.nix          |  0
 nix/checks.nix                                |  6 +-
 nix/devshell/kernel.nix                       |  2 +-
 packages/kernel/default.nix                   |  6 +-
 targets/default.nix                           | 12 ++--
 targets/generic-x86_64.nix                    | 27 ++++----
 targets/imx8qm-mek.nix                        | 15 +++--
 targets/lenovo-x1/debugModules.nix            |  7 ---
 targets/lenovo-x1/default.nix                 |  3 +-
 targets/lenovo-x1/everything.nix              | 21 ++++---
 targets/microchip-icicle-kit.nix              | 13 ++--
 targets/nvidia-jetson-orin/default.nix        | 47 ++++++--------
 targets/vm.nix                                | 51 +++++++--------
 125 files changed, 339 insertions(+), 215 deletions(-)
 rename modules/{ => common}/boot/systemd-boot-dtb.nix (100%)
 create mode 100644 modules/common/common.nix
 create mode 100644 modules/common/default.nix
 rename modules/{ => common}/development/debug-tools.nix (100%)
 create mode 100644 modules/common/development/default.nix
 rename modules/{ => common}/development/nix.nix (100%)
 rename modules/{ => common}/development/ssh.nix (100%)
 rename modules/{ => common}/development/usb-serial.nix (100%)
 rename modules/{ => common}/firewall/default.nix (100%)
 rename modules/{ => common}/firewall/kernel-modules.nix (100%)
 create mode 100644 modules/common/hardware/default.nix
 rename modules/{ => common}/hardware/definition.nix (100%)
 rename modules/{ => common}/hardware/lenovo-x1/kernel/guest/test/default.nix (100%)
 rename modules/{ => common}/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix (100%)
 create mode 100644 modules/common/hardware/x86_64-generic/default.nix
 rename modules/{ => common}/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86 (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/guest/configs/guest.config (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/guest/default.nix (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/hardening.nix (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/configs/debug.config (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/configs/networking.config (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/configs/usb.config (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/configs/virtualization.config (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/default.nix (95%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/pkvm/default.nix (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/test/default.nix (100%)
 rename modules/{ => common}/hardware/x86_64-generic/kernel/host/test/test-configuration.nix (100%)
 rename modules/{ => common}/hardware/x86_64-linux.nix (100%)
 rename modules/{ => common}/profiles/debug.nix (86%)
 create mode 100644 modules/common/profiles/default.nix
 rename modules/{ => common}/profiles/release.nix (100%)
 rename modules/{security/tpm2.nix => common/tpm2/default.nix} (100%)
 rename modules/{ => common}/users/accounts.nix (100%)
 rename modules/{ => common}/version/default.nix (100%)
 rename modules/{ => common}/virtualization/docker.nix (100%)
 rename modules/{ => common}/virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch (100%)
 create mode 100644 modules/default.nix
 create mode 100644 modules/desktop/default.nix
 rename modules/{ => desktop}/graphics/default.nix (100%)
 rename modules/{ => desktop}/graphics/demo-apps.nix (100%)
 rename modules/{ => desktop}/graphics/fonts.nix (100%)
 rename modules/{ => desktop}/graphics/gnome.nix (100%)
 rename modules/{ => desktop}/graphics/labwc.nix (100%)
 rename modules/{ => desktop}/graphics/waybar.config.nix (98%)
 rename modules/{ => desktop}/graphics/weston.ini.nix (96%)
 rename modules/{ => desktop}/graphics/weston.nix (100%)
 rename modules/{ => desktop}/graphics/window-manager.nix (100%)
 rename modules/{ => desktop}/profiles/applications.nix (100%)
 create mode 100644 modules/desktop/profiles/default.nix
 rename modules/{ => desktop}/profiles/graphics.nix (100%)
 rename modules/{ => desktop}/windows-launcher/default.nix (91%)
 rename modules/{partitioning => disko}/disko-basic-postboot.nix (100%)
 rename modules/{partitioning => disko}/lenovo-x1-disko-basic.nix (100%)
 rename modules/{hardware/nvidia-jetson-orin => jetpack-microvm}/agx-netvm-wlan-pci-passthrough.nix (100%)
 create mode 100644 modules/jetpack-microvm/default.nix
 rename modules/{hardware/nvidia-jetson-orin => jetpack-microvm}/nx-netvm-ethernet-pci-passthrough.nix (100%)
 rename modules/{hardware/nvidia-jetson-orin => jetpack-microvm}/pci-passthrough-agx-test.patch (100%)
 rename modules/{hardware/nvidia-jetson-orin => jetpack-microvm}/pci-passthrough-nx-test.patch (100%)
 create mode 100644 modules/jetpack/default.nix
 rename modules/{host => jetpack}/ghaf_host_hardened_baseline-jetson-orin (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/default.nix (72%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/format-module.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/jetson-orin.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/mk-esp-contents.py (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/optee.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/ota-utils-fix.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/partition-template.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/pci-passthrough-common.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/sdimage.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0002-vfio_platform-reset-required-false.patch (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0003-bpmp-support-bpmp-virt.patch (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0004-bpmp-virt-drivers.patch (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0005-bpmp-overlay.patch (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/default.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/default.nix (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/patches/0001-qemu-v8.1.3_bpmp-virt.patch (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/0001-bpmp-host-proxy-dts.patch (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/0002-bpmp-host-uarta-dts.patch (100%)
 rename modules/{hardware => jetpack}/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix (100%)
 create mode 100644 modules/jetpack/profiles/debug.nix
 create mode 100644 modules/jetpack/profiles/default.nix
 rename modules/{host/secureboot.nix => lanzaboote/default.nix} (96%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/GUID (100%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/GUID.license (100%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/files.db (100%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/keys/KEK/KEK.key (100%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/keys/KEK/KEK.pem (100%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/keys/PK/PK.key (100%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/keys/PK/PK.pem (100%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/keys/db/db.key (100%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/keys/db/db.pem (100%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/keys/dbx/dbx.key (100%)
 rename modules/{host => lanzaboote}/demo-secure-boot-keys/keys/dbx/dbx.pem (100%)
 create mode 100644 modules/microvm/default.nix
 rename modules/{host => microvm}/networking.nix (100%)
 rename modules/{ => microvm}/virtualization/microvm/appvm.nix (97%)
 rename modules/{ => microvm}/virtualization/microvm/common/vm-networking.nix (100%)
 rename modules/{ => microvm}/virtualization/microvm/guivm.nix (97%)
 rename modules/{ => microvm}/virtualization/microvm/microvm-host.nix (100%)
 rename modules/{ => microvm}/virtualization/microvm/netvm.nix (98%)
 delete mode 100644 modules/module-list.nix
 create mode 100644 modules/polarfire/default.nix
 rename modules/{hardware => }/polarfire/mpfs-nixos-sdimage.nix (100%)

diff --git a/.reuse/dep5 b/.reuse/dep5
index dbf91775b..4e230012c 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -7,5 +7,5 @@ Copyright: 2022-2024 Technology Innovation Institute (TII) <https://github.com/t
 License: Apache-2.0
 Files: 
   *.lock *.png *.svg *.patch *.db *.key *.pem *.cer *.p12
-  modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
-  modules/host/ghaf_host_hardened_baseline-jetson-orin
+  modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
+  modules/jetpack/ghaf_host_hardened_baseline-jetson-orin
diff --git a/docs/src/architecture/hardening.md b/docs/src/architecture/hardening.md
index ea8281ee3..198e81335 100644
--- a/docs/src/architecture/hardening.md
+++ b/docs/src/architecture/hardening.md
@@ -25,7 +25,7 @@ NixOS provides several mechanisms to customize the kernel. The main methods are:
   ```
   ~/ghaf $ nix develop .#devShells.x86_64-linux.kernel-x86
   ...
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
   [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make menuconfig
   ...
   [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make -j$(nproc)
@@ -42,8 +42,8 @@ NixOS provides several mechanisms to customize the kernel. The main methods are:
 * [Validating with kernel hardening checker](https://github.com/a13xp0p0v/kernel-hardening-checker):
 
   ```
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ HS=../modules/hardware/x86_64-generic/kernel/host/configs GS=../modules/hardware/x86_64-generic/kernel/guest/configs
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ HS=../modules/common/hardware/x86_64-generic/kernel/host/configs GS=../modules/common/hardware/x86_64-generic/kernel/guest/configs
   [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ ./scripts/kconfig/merge_config.sh .config $HS/virtualization.config $HS/networking.config $HS/usb.config $HS/user-input-devices.config $HS/debug.config $GS/guest.config $GS/display-gpu.config
   [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ kernel-hardening-checker -c .config
   [+] Kconfig file to check: .config
@@ -74,7 +74,7 @@ The host kernel runs on bare metal. The kernel is provided either with Linux ups
 The host kernel hardening is based on Linux `make tinyconfig`. The
 default `tinyconfig` fails to assertions on NixOS without
 modifications. Assertions are fixed in the `ghaf_host_hardened_baseline` Linux configuration under Ghaf
-`modules/hardware/x86_64-generic/kernel/configs`. Resulting baseline
+`modules/common/hardware/x86_64-generic/kernel/configs`. Resulting baseline
 kernel configuration is generic for x86_64 hardware architecture devices.
 
 In addition, NixOS (Ghaf baseline dependency) requires several kernel modules that are added to the config or ignored with `allowMissing = true`. As of now, the kernel builds and early boots on Lenovo X1.
@@ -115,4 +115,4 @@ It can be enabled with the following flag `guest.hardening.enable` for Lenovo X1
 
 The Guest Graphics support will add the required kernel config dependency to the Ghaf baseline by which NixOS has guest graphics enabled. The added functionality is for guest with graphics support enabled.
 
-It can be enabled with the following flag `guest.graphics_hardening.enable` for Lenovo X1.
\ No newline at end of file
+It can be enabled with the following flag `guest.graphics_hardening.enable` for Lenovo X1.
diff --git a/flake.nix b/flake.nix
index 57a9be329..976b0130a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -168,6 +168,7 @@
 
       imports = [
         ./overlays
+        ./modules
         ./nix
         ./packages
         ./targets
diff --git a/modules/boot/systemd-boot-dtb.nix b/modules/common/boot/systemd-boot-dtb.nix
similarity index 100%
rename from modules/boot/systemd-boot-dtb.nix
rename to modules/common/boot/systemd-boot-dtb.nix
diff --git a/modules/common/common.nix b/modules/common/common.nix
new file mode 100644
index 000000000..39333e5ab
--- /dev/null
+++ b/modules/common/common.nix
@@ -0,0 +1,48 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# TODO: Refactor even more.
+#       This is the old "host/default.nix" file.
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # TODO remove this when the minimal config is defined
+    # Replace with the baseModules definition
+    # UPDATE 26.07.2023:
+    # This line breaks build of GUIVM. No investigations of a
+    # root cause are done so far.
+    #(modulesPath + "/profiles/minimal.nix")
+  ];
+
+  config = {
+    system.stateVersion = lib.trivial.release;
+
+    ####
+    # temp means to reduce the image size
+    # TODO remove this when the minimal config is defined
+    appstream.enable = false;
+
+    systemd.package = pkgs.systemd.override ({
+        withCryptsetup = false;
+        withDocumentation = false;
+        withFido2 = false;
+        withHomed = false;
+        withHwdb = false;
+        withLibBPF = true;
+        withLocaled = false;
+        withPCRE2 = false;
+        withPortabled = false;
+        withTpm2Tss = false;
+        withUserDb = false;
+      }
+      // lib.optionalAttrs (lib.hasAttr "withRepart" (lib.functionArgs pkgs.systemd.override)) {
+        withRepart = false;
+      });
+
+    boot.enableContainers = false;
+    ##### Remove to here
+  };
+}
diff --git a/modules/common/default.nix b/modules/common/default.nix
new file mode 100644
index 000000000..ebd340ccc
--- /dev/null
+++ b/modules/common/default.nix
@@ -0,0 +1,19 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Common ghaf modules
+#
+{
+  imports = [
+    ./boot/systemd-boot-dtb.nix
+    ./common.nix
+    ./development
+    ./firewall
+    ./hardware
+    ./profiles
+    ./tpm2
+    ./users/accounts.nix
+    ./version
+    ./virtualization/docker.nix
+  ];
+}
diff --git a/modules/development/debug-tools.nix b/modules/common/development/debug-tools.nix
similarity index 100%
rename from modules/development/debug-tools.nix
rename to modules/common/development/debug-tools.nix
diff --git a/modules/common/development/default.nix b/modules/common/development/default.nix
new file mode 100644
index 000000000..55620bf2a
--- /dev/null
+++ b/modules/common/development/default.nix
@@ -0,0 +1,10 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./debug-tools.nix
+    ./usb-serial.nix
+    ./nix.nix
+    ./ssh.nix
+  ];
+}
diff --git a/modules/development/nix.nix b/modules/common/development/nix.nix
similarity index 100%
rename from modules/development/nix.nix
rename to modules/common/development/nix.nix
diff --git a/modules/development/ssh.nix b/modules/common/development/ssh.nix
similarity index 100%
rename from modules/development/ssh.nix
rename to modules/common/development/ssh.nix
diff --git a/modules/development/usb-serial.nix b/modules/common/development/usb-serial.nix
similarity index 100%
rename from modules/development/usb-serial.nix
rename to modules/common/development/usb-serial.nix
diff --git a/modules/firewall/default.nix b/modules/common/firewall/default.nix
similarity index 100%
rename from modules/firewall/default.nix
rename to modules/common/firewall/default.nix
diff --git a/modules/firewall/kernel-modules.nix b/modules/common/firewall/kernel-modules.nix
similarity index 100%
rename from modules/firewall/kernel-modules.nix
rename to modules/common/firewall/kernel-modules.nix
diff --git a/modules/common/hardware/default.nix b/modules/common/hardware/default.nix
new file mode 100644
index 000000000..051f1cec0
--- /dev/null
+++ b/modules/common/hardware/default.nix
@@ -0,0 +1,9 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./x86_64-linux.nix
+    ./x86_64-generic
+    ./definition.nix
+  ];
+}
diff --git a/modules/hardware/definition.nix b/modules/common/hardware/definition.nix
similarity index 100%
rename from modules/hardware/definition.nix
rename to modules/common/hardware/definition.nix
diff --git a/modules/hardware/lenovo-x1/kernel/guest/test/default.nix b/modules/common/hardware/lenovo-x1/kernel/guest/test/default.nix
similarity index 100%
rename from modules/hardware/lenovo-x1/kernel/guest/test/default.nix
rename to modules/common/hardware/lenovo-x1/kernel/guest/test/default.nix
diff --git a/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix b/modules/common/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix
similarity index 100%
rename from modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix
rename to modules/common/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix
diff --git a/modules/common/hardware/x86_64-generic/default.nix b/modules/common/hardware/x86_64-generic/default.nix
new file mode 100644
index 000000000..6ce0c0f5a
--- /dev/null
+++ b/modules/common/hardware/x86_64-generic/default.nix
@@ -0,0 +1,10 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./kernel/guest
+    ./kernel/hardening.nix
+    ./kernel/host
+    ./kernel/host/pkvm
+  ];
+}
diff --git a/modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86 b/modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
rename to modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
diff --git a/modules/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config b/modules/common/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config
rename to modules/common/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config
diff --git a/modules/hardware/x86_64-generic/kernel/guest/configs/guest.config b/modules/common/hardware/x86_64-generic/kernel/guest/configs/guest.config
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/guest/configs/guest.config
rename to modules/common/hardware/x86_64-generic/kernel/guest/configs/guest.config
diff --git a/modules/hardware/x86_64-generic/kernel/guest/default.nix b/modules/common/hardware/x86_64-generic/kernel/guest/default.nix
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/guest/default.nix
rename to modules/common/hardware/x86_64-generic/kernel/guest/default.nix
diff --git a/modules/hardware/x86_64-generic/kernel/hardening.nix b/modules/common/hardware/x86_64-generic/kernel/hardening.nix
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/hardening.nix
rename to modules/common/hardware/x86_64-generic/kernel/hardening.nix
diff --git a/modules/hardware/x86_64-generic/kernel/host/configs/debug.config b/modules/common/hardware/x86_64-generic/kernel/host/configs/debug.config
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/host/configs/debug.config
rename to modules/common/hardware/x86_64-generic/kernel/host/configs/debug.config
diff --git a/modules/hardware/x86_64-generic/kernel/host/configs/networking.config b/modules/common/hardware/x86_64-generic/kernel/host/configs/networking.config
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/host/configs/networking.config
rename to modules/common/hardware/x86_64-generic/kernel/host/configs/networking.config
diff --git a/modules/hardware/x86_64-generic/kernel/host/configs/usb.config b/modules/common/hardware/x86_64-generic/kernel/host/configs/usb.config
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/host/configs/usb.config
rename to modules/common/hardware/x86_64-generic/kernel/host/configs/usb.config
diff --git a/modules/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config b/modules/common/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config
rename to modules/common/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config
diff --git a/modules/hardware/x86_64-generic/kernel/host/configs/virtualization.config b/modules/common/hardware/x86_64-generic/kernel/host/configs/virtualization.config
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/host/configs/virtualization.config
rename to modules/common/hardware/x86_64-generic/kernel/host/configs/virtualization.config
diff --git a/modules/hardware/x86_64-generic/kernel/host/default.nix b/modules/common/hardware/x86_64-generic/kernel/host/default.nix
similarity index 95%
rename from modules/hardware/x86_64-generic/kernel/host/default.nix
rename to modules/common/hardware/x86_64-generic/kernel/host/default.nix
index 636923430..1a2cc2cb9 100644
--- a/modules/hardware/x86_64-generic/kernel/host/default.nix
+++ b/modules/common/hardware/x86_64-generic/kernel/host/default.nix
@@ -7,7 +7,7 @@
   ...
 }: let
   # Importing kernel builder function from packages and checking hardening options
-  buildKernel = import ../../../../../packages/kernel {inherit config pkgs lib;};
+  buildKernel = import ../../../../../../packages/kernel {inherit config pkgs lib;};
   config_baseline = ../configs/ghaf_host_hardened_baseline-x86;
   host_hardened_kernel = buildKernel {
     inherit config_baseline;
diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix b/modules/common/hardware/x86_64-generic/kernel/host/pkvm/default.nix
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix
rename to modules/common/hardware/x86_64-generic/kernel/host/pkvm/default.nix
diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix b/modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix
rename to modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix
diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix b/modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix
rename to modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix
diff --git a/modules/hardware/x86_64-generic/kernel/host/test/default.nix b/modules/common/hardware/x86_64-generic/kernel/host/test/default.nix
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/host/test/default.nix
rename to modules/common/hardware/x86_64-generic/kernel/host/test/default.nix
diff --git a/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix b/modules/common/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
similarity index 100%
rename from modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
rename to modules/common/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
diff --git a/modules/hardware/x86_64-linux.nix b/modules/common/hardware/x86_64-linux.nix
similarity index 100%
rename from modules/hardware/x86_64-linux.nix
rename to modules/common/hardware/x86_64-linux.nix
diff --git a/modules/profiles/debug.nix b/modules/common/profiles/debug.nix
similarity index 86%
rename from modules/profiles/debug.nix
rename to modules/common/profiles/debug.nix
index ec82daaae..f17fd9830 100644
--- a/modules/profiles/debug.nix
+++ b/modules/common/profiles/debug.nix
@@ -25,11 +25,6 @@ in
           # Let us in.
           ssh.daemon.enable = true;
         };
-
-        hardware.nvidia.orin.optee = {
-          xtest = true;
-          pkcs11-tool = true;
-        };
       };
     };
   }
diff --git a/modules/common/profiles/default.nix b/modules/common/profiles/default.nix
new file mode 100644
index 000000000..dd8f95441
--- /dev/null
+++ b/modules/common/profiles/default.nix
@@ -0,0 +1,8 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./debug.nix
+    ./release.nix
+  ];
+}
diff --git a/modules/profiles/release.nix b/modules/common/profiles/release.nix
similarity index 100%
rename from modules/profiles/release.nix
rename to modules/common/profiles/release.nix
diff --git a/modules/security/tpm2.nix b/modules/common/tpm2/default.nix
similarity index 100%
rename from modules/security/tpm2.nix
rename to modules/common/tpm2/default.nix
diff --git a/modules/users/accounts.nix b/modules/common/users/accounts.nix
similarity index 100%
rename from modules/users/accounts.nix
rename to modules/common/users/accounts.nix
diff --git a/modules/version/default.nix b/modules/common/version/default.nix
similarity index 100%
rename from modules/version/default.nix
rename to modules/common/version/default.nix
diff --git a/modules/virtualization/docker.nix b/modules/common/virtualization/docker.nix
similarity index 100%
rename from modules/virtualization/docker.nix
rename to modules/common/virtualization/docker.nix
diff --git a/modules/virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch b/modules/common/virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch
similarity index 100%
rename from modules/virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch
rename to modules/common/virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 000000000..e23f7adbe
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,17 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Modules to be exported from Flake
+#
+_: {
+  flake.nixosModules = {
+    common = import ./common;
+    desktop = import ./desktop;
+    host = import ./host;
+    jetpack = import ./jetpack;
+    jetpack-microvm = import ./jetpack-microvm;
+    lanzaboote = import ./lanzaboote;
+    microvm = import ./microvm;
+    polarfire = import ./polarfire;
+  };
+}
diff --git a/modules/desktop/default.nix b/modules/desktop/default.nix
new file mode 100644
index 000000000..a0b4e68e1
--- /dev/null
+++ b/modules/desktop/default.nix
@@ -0,0 +1,12 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Ghaf Desktop Experience
+#
+{
+  imports = [
+    ./graphics
+    ./profiles
+    ./windows-launcher
+  ];
+}
diff --git a/modules/graphics/default.nix b/modules/desktop/graphics/default.nix
similarity index 100%
rename from modules/graphics/default.nix
rename to modules/desktop/graphics/default.nix
diff --git a/modules/graphics/demo-apps.nix b/modules/desktop/graphics/demo-apps.nix
similarity index 100%
rename from modules/graphics/demo-apps.nix
rename to modules/desktop/graphics/demo-apps.nix
diff --git a/modules/graphics/fonts.nix b/modules/desktop/graphics/fonts.nix
similarity index 100%
rename from modules/graphics/fonts.nix
rename to modules/desktop/graphics/fonts.nix
diff --git a/modules/graphics/gnome.nix b/modules/desktop/graphics/gnome.nix
similarity index 100%
rename from modules/graphics/gnome.nix
rename to modules/desktop/graphics/gnome.nix
diff --git a/modules/graphics/labwc.nix b/modules/desktop/graphics/labwc.nix
similarity index 100%
rename from modules/graphics/labwc.nix
rename to modules/desktop/graphics/labwc.nix
diff --git a/modules/graphics/waybar.config.nix b/modules/desktop/graphics/waybar.config.nix
similarity index 98%
rename from modules/graphics/waybar.config.nix
rename to modules/desktop/graphics/waybar.config.nix
index 7ed5b66f5..4cea4c745 100644
--- a/modules/graphics/waybar.config.nix
+++ b/modules/desktop/graphics/waybar.config.nix
@@ -59,7 +59,7 @@
     }
   ];
 
-  wifi-signal-strength = pkgs.callPackage ../../packages/wifi-signal-strength {wifiDevice = (lib.lists.findFirst (d: d.name != null) null networkDevice).name;};
+  wifi-signal-strength = pkgs.callPackage ../../../packages/wifi-signal-strength {wifiDevice = (lib.lists.findFirst (d: d.name != null) null networkDevice).name;};
 in {
   config = lib.mkIf cfg.enable {
     ghaf.graphics.launchers = defaultLauncher;
diff --git a/modules/graphics/weston.ini.nix b/modules/desktop/graphics/weston.ini.nix
similarity index 96%
rename from modules/graphics/weston.ini.nix
rename to modules/desktop/graphics/weston.ini.nix
index f474fc5a5..144752c92 100644
--- a/modules/graphics/weston.ini.nix
+++ b/modules/desktop/graphics/weston.ini.nix
@@ -49,7 +49,7 @@ in {
 
           [shell]
           locking=false
-          background-image=${../../assets/wallpaper.png}
+          background-image=${../../../assets/wallpaper.png}
           background-type=scale-crop
           num-workspaces=2
 
diff --git a/modules/graphics/weston.nix b/modules/desktop/graphics/weston.nix
similarity index 100%
rename from modules/graphics/weston.nix
rename to modules/desktop/graphics/weston.nix
diff --git a/modules/graphics/window-manager.nix b/modules/desktop/graphics/window-manager.nix
similarity index 100%
rename from modules/graphics/window-manager.nix
rename to modules/desktop/graphics/window-manager.nix
diff --git a/modules/profiles/applications.nix b/modules/desktop/profiles/applications.nix
similarity index 100%
rename from modules/profiles/applications.nix
rename to modules/desktop/profiles/applications.nix
diff --git a/modules/desktop/profiles/default.nix b/modules/desktop/profiles/default.nix
new file mode 100644
index 000000000..7d5f62129
--- /dev/null
+++ b/modules/desktop/profiles/default.nix
@@ -0,0 +1,8 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./applications.nix
+    ./graphics.nix
+  ];
+}
diff --git a/modules/profiles/graphics.nix b/modules/desktop/profiles/graphics.nix
similarity index 100%
rename from modules/profiles/graphics.nix
rename to modules/desktop/profiles/graphics.nix
diff --git a/modules/windows-launcher/default.nix b/modules/desktop/windows-launcher/default.nix
similarity index 91%
rename from modules/windows-launcher/default.nix
rename to modules/desktop/windows-launcher/default.nix
index 4c9df80e6..4f113aa5d 100644
--- a/modules/windows-launcher/default.nix
+++ b/modules/desktop/windows-launcher/default.nix
@@ -7,7 +7,7 @@
   ...
 }: let
   cfg = config.ghaf.windows-launcher;
-  windows-launcher = pkgs.callPackage ../../packages/windows-launcher {enableSpice = cfg.spice;};
+  windows-launcher = pkgs.callPackage ../../../packages/windows-launcher {enableSpice = cfg.spice;};
 in {
   options.ghaf.windows-launcher = {
     enable = lib.mkEnableOption "Windows launcher";
diff --git a/modules/partitioning/disko-basic-postboot.nix b/modules/disko/disko-basic-postboot.nix
similarity index 100%
rename from modules/partitioning/disko-basic-postboot.nix
rename to modules/disko/disko-basic-postboot.nix
diff --git a/modules/partitioning/lenovo-x1-disko-basic.nix b/modules/disko/lenovo-x1-disko-basic.nix
similarity index 100%
rename from modules/partitioning/lenovo-x1-disko-basic.nix
rename to modules/disko/lenovo-x1-disko-basic.nix
diff --git a/modules/host/default.nix b/modules/host/default.nix
index 054d9a7f3..802a37a08 100644
--- a/modules/host/default.nix
+++ b/modules/host/default.nix
@@ -1,53 +1,15 @@
-# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
-  lib,
-  pkgs,
-  ...
-}: {
-  imports = [
-    # TODO remove this when the minimal config is defined
-    # Replace with the baseModules definition
-    # UPDATE 26.07.2023:
-    # This line breaks build of GUIVM. No investigations of a
-    # root cause are done so far.
-    #(modulesPath + "/profiles/minimal.nix")
-
-    # TODO: Refactor this under virtualization/microvm/host/networking.nix
-    ./networking.nix
+#
+# Modules that should be only imported to host
+#
+{lib, ...}: {
+  networking.hostName = lib.mkDefault "ghaf-host";
+
+  # Overlays should be only defined for host, because microvm.nix uses the
+  # pkgs that already has overlays in place. Otherwise the overlay will be
+  # applied twice.
+  nixpkgs.overlays = [
+    (import ../../overlays/custom-packages)
   ];
-
-  config = {
-    networking.hostName = "ghaf-host";
-    system.stateVersion = lib.trivial.release;
-
-    nixpkgs.overlays = [
-      (import ../../overlays/custom-packages)
-    ];
-
-    ####
-    # temp means to reduce the image size
-    # TODO remove this when the minimal config is defined
-    appstream.enable = false;
-
-    systemd.package = pkgs.systemd.override ({
-        withCryptsetup = false;
-        withDocumentation = false;
-        withFido2 = false;
-        withHomed = false;
-        withHwdb = false;
-        withLibBPF = true;
-        withLocaled = false;
-        withPCRE2 = false;
-        withPortabled = false;
-        withTpm2Tss = false;
-        withUserDb = false;
-      }
-      // lib.optionalAttrs (lib.hasAttr "withRepart" (lib.functionArgs pkgs.systemd.override)) {
-        withRepart = false;
-      });
-
-    boot.enableContainers = false;
-    ##### Remove to here
-  };
 }
diff --git a/modules/hardware/nvidia-jetson-orin/agx-netvm-wlan-pci-passthrough.nix b/modules/jetpack-microvm/agx-netvm-wlan-pci-passthrough.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/agx-netvm-wlan-pci-passthrough.nix
rename to modules/jetpack-microvm/agx-netvm-wlan-pci-passthrough.nix
diff --git a/modules/jetpack-microvm/default.nix b/modules/jetpack-microvm/default.nix
new file mode 100644
index 000000000..7f8146272
--- /dev/null
+++ b/modules/jetpack-microvm/default.nix
@@ -0,0 +1,8 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./nx-netvm-ethernet-pci-passthrough.nix
+    ./agx-netvm-wlan-pci-passthrough.nix
+  ];
+}
diff --git a/modules/hardware/nvidia-jetson-orin/nx-netvm-ethernet-pci-passthrough.nix b/modules/jetpack-microvm/nx-netvm-ethernet-pci-passthrough.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/nx-netvm-ethernet-pci-passthrough.nix
rename to modules/jetpack-microvm/nx-netvm-ethernet-pci-passthrough.nix
diff --git a/modules/hardware/nvidia-jetson-orin/pci-passthrough-agx-test.patch b/modules/jetpack-microvm/pci-passthrough-agx-test.patch
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/pci-passthrough-agx-test.patch
rename to modules/jetpack-microvm/pci-passthrough-agx-test.patch
diff --git a/modules/hardware/nvidia-jetson-orin/pci-passthrough-nx-test.patch b/modules/jetpack-microvm/pci-passthrough-nx-test.patch
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/pci-passthrough-nx-test.patch
rename to modules/jetpack-microvm/pci-passthrough-nx-test.patch
diff --git a/modules/jetpack/default.nix b/modules/jetpack/default.nix
new file mode 100644
index 000000000..6cd0bf2ef
--- /dev/null
+++ b/modules/jetpack/default.nix
@@ -0,0 +1,11 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# ghaf's integration to jetpack-nixos
+#
+{
+  imports = [
+    ./profiles
+    ./nvidia-jetson-orin
+  ];
+}
diff --git a/modules/host/ghaf_host_hardened_baseline-jetson-orin b/modules/jetpack/ghaf_host_hardened_baseline-jetson-orin
similarity index 100%
rename from modules/host/ghaf_host_hardened_baseline-jetson-orin
rename to modules/jetpack/ghaf_host_hardened_baseline-jetson-orin
diff --git a/modules/hardware/nvidia-jetson-orin/default.nix b/modules/jetpack/nvidia-jetson-orin/default.nix
similarity index 72%
rename from modules/hardware/nvidia-jetson-orin/default.nix
rename to modules/jetpack/nvidia-jetson-orin/default.nix
index 28d4032da..b97ede26b 100644
--- a/modules/hardware/nvidia-jetson-orin/default.nix
+++ b/modules/jetpack/nvidia-jetson-orin/default.nix
@@ -5,14 +5,13 @@
 {
   imports = [
     ./partition-template.nix
-    ../../boot/systemd-boot-dtb.nix
     ./jetson-orin.nix
 
     ./pci-passthrough-common.nix
-    ./agx-netvm-wlan-pci-passthrough.nix
-    ./nx-netvm-ethernet-pci-passthrough.nix
 
     ./ota-utils-fix.nix
     ./virtualization
+
+    ./optee.nix
   ];
 }
diff --git a/modules/hardware/nvidia-jetson-orin/format-module.nix b/modules/jetpack/nvidia-jetson-orin/format-module.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/format-module.nix
rename to modules/jetpack/nvidia-jetson-orin/format-module.nix
diff --git a/modules/hardware/nvidia-jetson-orin/jetson-orin.nix b/modules/jetpack/nvidia-jetson-orin/jetson-orin.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/jetson-orin.nix
rename to modules/jetpack/nvidia-jetson-orin/jetson-orin.nix
diff --git a/modules/hardware/nvidia-jetson-orin/mk-esp-contents.py b/modules/jetpack/nvidia-jetson-orin/mk-esp-contents.py
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/mk-esp-contents.py
rename to modules/jetpack/nvidia-jetson-orin/mk-esp-contents.py
diff --git a/modules/hardware/nvidia-jetson-orin/optee.nix b/modules/jetpack/nvidia-jetson-orin/optee.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/optee.nix
rename to modules/jetpack/nvidia-jetson-orin/optee.nix
diff --git a/modules/hardware/nvidia-jetson-orin/ota-utils-fix.nix b/modules/jetpack/nvidia-jetson-orin/ota-utils-fix.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/ota-utils-fix.nix
rename to modules/jetpack/nvidia-jetson-orin/ota-utils-fix.nix
diff --git a/modules/hardware/nvidia-jetson-orin/partition-template.nix b/modules/jetpack/nvidia-jetson-orin/partition-template.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/partition-template.nix
rename to modules/jetpack/nvidia-jetson-orin/partition-template.nix
diff --git a/modules/hardware/nvidia-jetson-orin/pci-passthrough-common.nix b/modules/jetpack/nvidia-jetson-orin/pci-passthrough-common.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/pci-passthrough-common.nix
rename to modules/jetpack/nvidia-jetson-orin/pci-passthrough-common.nix
diff --git a/modules/hardware/nvidia-jetson-orin/sdimage.nix b/modules/jetpack/nvidia-jetson-orin/sdimage.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/sdimage.nix
rename to modules/jetpack/nvidia-jetson-orin/sdimage.nix
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix
rename to modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0002-vfio_platform-reset-required-false.patch b/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0002-vfio_platform-reset-required-false.patch
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0002-vfio_platform-reset-required-false.patch
rename to modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0002-vfio_platform-reset-required-false.patch
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0003-bpmp-support-bpmp-virt.patch b/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0003-bpmp-support-bpmp-virt.patch
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0003-bpmp-support-bpmp-virt.patch
rename to modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0003-bpmp-support-bpmp-virt.patch
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0004-bpmp-virt-drivers.patch b/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0004-bpmp-virt-drivers.patch
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0004-bpmp-virt-drivers.patch
rename to modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0004-bpmp-virt-drivers.patch
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0005-bpmp-overlay.patch b/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0005-bpmp-overlay.patch
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0005-bpmp-overlay.patch
rename to modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/0005-bpmp-overlay.patch
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/default.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/default.nix
rename to modules/jetpack/nvidia-jetson-orin/virtualization/default.nix
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix
rename to modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/default.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/default.nix
rename to modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/default.nix
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/patches/0001-qemu-v8.1.3_bpmp-virt.patch b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/patches/0001-qemu-v8.1.3_bpmp-virt.patch
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/patches/0001-qemu-v8.1.3_bpmp-virt.patch
rename to modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/patches/0001-qemu-v8.1.3_bpmp-virt.patch
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/0001-bpmp-host-proxy-dts.patch b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/0001-bpmp-host-proxy-dts.patch
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/0001-bpmp-host-proxy-dts.patch
rename to modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/0001-bpmp-host-proxy-dts.patch
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/0002-bpmp-host-uarta-dts.patch b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/0002-bpmp-host-uarta-dts.patch
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/0002-bpmp-host-uarta-dts.patch
rename to modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/0002-bpmp-host-uarta-dts.patch
diff --git a/modules/hardware/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix
similarity index 100%
rename from modules/hardware/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix
rename to modules/jetpack/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix
diff --git a/modules/jetpack/profiles/debug.nix b/modules/jetpack/profiles/debug.nix
new file mode 100644
index 000000000..63009e03e
--- /dev/null
+++ b/modules/jetpack/profiles/debug.nix
@@ -0,0 +1,18 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.ghaf.profiles.debug;
+in {
+  config = lib.mkIf cfg.enable {
+    # Enable default accounts and passwords
+    ghaf.hardware.nvidia.orin.optee = {
+      xtest = true;
+      pkcs11-tool = true;
+    };
+  };
+}
diff --git a/modules/jetpack/profiles/default.nix b/modules/jetpack/profiles/default.nix
new file mode 100644
index 000000000..23deb7be2
--- /dev/null
+++ b/modules/jetpack/profiles/default.nix
@@ -0,0 +1,7 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  imports = [
+    ./debug.nix
+  ];
+}
diff --git a/modules/host/secureboot.nix b/modules/lanzaboote/default.nix
similarity index 96%
rename from modules/host/secureboot.nix
rename to modules/lanzaboote/default.nix
index b69e176e7..00952d051 100644
--- a/modules/host/secureboot.nix
+++ b/modules/lanzaboote/default.nix
@@ -1,5 +1,7 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
+#
+# ghaf's integration to lanzaboote
 {
   lib,
   pkgs,
diff --git a/modules/host/demo-secure-boot-keys/GUID b/modules/lanzaboote/demo-secure-boot-keys/GUID
similarity index 100%
rename from modules/host/demo-secure-boot-keys/GUID
rename to modules/lanzaboote/demo-secure-boot-keys/GUID
diff --git a/modules/host/demo-secure-boot-keys/GUID.license b/modules/lanzaboote/demo-secure-boot-keys/GUID.license
similarity index 100%
rename from modules/host/demo-secure-boot-keys/GUID.license
rename to modules/lanzaboote/demo-secure-boot-keys/GUID.license
diff --git a/modules/host/demo-secure-boot-keys/files.db b/modules/lanzaboote/demo-secure-boot-keys/files.db
similarity index 100%
rename from modules/host/demo-secure-boot-keys/files.db
rename to modules/lanzaboote/demo-secure-boot-keys/files.db
diff --git a/modules/host/demo-secure-boot-keys/keys/KEK/KEK.key b/modules/lanzaboote/demo-secure-boot-keys/keys/KEK/KEK.key
similarity index 100%
rename from modules/host/demo-secure-boot-keys/keys/KEK/KEK.key
rename to modules/lanzaboote/demo-secure-boot-keys/keys/KEK/KEK.key
diff --git a/modules/host/demo-secure-boot-keys/keys/KEK/KEK.pem b/modules/lanzaboote/demo-secure-boot-keys/keys/KEK/KEK.pem
similarity index 100%
rename from modules/host/demo-secure-boot-keys/keys/KEK/KEK.pem
rename to modules/lanzaboote/demo-secure-boot-keys/keys/KEK/KEK.pem
diff --git a/modules/host/demo-secure-boot-keys/keys/PK/PK.key b/modules/lanzaboote/demo-secure-boot-keys/keys/PK/PK.key
similarity index 100%
rename from modules/host/demo-secure-boot-keys/keys/PK/PK.key
rename to modules/lanzaboote/demo-secure-boot-keys/keys/PK/PK.key
diff --git a/modules/host/demo-secure-boot-keys/keys/PK/PK.pem b/modules/lanzaboote/demo-secure-boot-keys/keys/PK/PK.pem
similarity index 100%
rename from modules/host/demo-secure-boot-keys/keys/PK/PK.pem
rename to modules/lanzaboote/demo-secure-boot-keys/keys/PK/PK.pem
diff --git a/modules/host/demo-secure-boot-keys/keys/db/db.key b/modules/lanzaboote/demo-secure-boot-keys/keys/db/db.key
similarity index 100%
rename from modules/host/demo-secure-boot-keys/keys/db/db.key
rename to modules/lanzaboote/demo-secure-boot-keys/keys/db/db.key
diff --git a/modules/host/demo-secure-boot-keys/keys/db/db.pem b/modules/lanzaboote/demo-secure-boot-keys/keys/db/db.pem
similarity index 100%
rename from modules/host/demo-secure-boot-keys/keys/db/db.pem
rename to modules/lanzaboote/demo-secure-boot-keys/keys/db/db.pem
diff --git a/modules/host/demo-secure-boot-keys/keys/dbx/dbx.key b/modules/lanzaboote/demo-secure-boot-keys/keys/dbx/dbx.key
similarity index 100%
rename from modules/host/demo-secure-boot-keys/keys/dbx/dbx.key
rename to modules/lanzaboote/demo-secure-boot-keys/keys/dbx/dbx.key
diff --git a/modules/host/demo-secure-boot-keys/keys/dbx/dbx.pem b/modules/lanzaboote/demo-secure-boot-keys/keys/dbx/dbx.pem
similarity index 100%
rename from modules/host/demo-secure-boot-keys/keys/dbx/dbx.pem
rename to modules/lanzaboote/demo-secure-boot-keys/keys/dbx/dbx.pem
diff --git a/modules/microvm/default.nix b/modules/microvm/default.nix
new file mode 100644
index 000000000..d9c58bcfb
--- /dev/null
+++ b/modules/microvm/default.nix
@@ -0,0 +1,14 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Implementation of ghaf's virtual machines based on microvm.nix
+#
+{
+  imports = [
+    ./virtualization/microvm/microvm-host.nix
+    ./virtualization/microvm/netvm.nix
+    ./virtualization/microvm/appvm.nix
+    ./virtualization/microvm/guivm.nix
+    ./networking.nix
+  ];
+}
diff --git a/modules/host/networking.nix b/modules/microvm/networking.nix
similarity index 100%
rename from modules/host/networking.nix
rename to modules/microvm/networking.nix
diff --git a/modules/virtualization/microvm/appvm.nix b/modules/microvm/virtualization/microvm/appvm.nix
similarity index 97%
rename from modules/virtualization/microvm/appvm.nix
rename to modules/microvm/virtualization/microvm/appvm.nix
index e8562ffb8..3caca10f8 100644
--- a/modules/virtualization/microvm/appvm.nix
+++ b/modules/microvm/virtualization/microvm/appvm.nix
@@ -41,9 +41,6 @@
           ghaf = {
             users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable;
 
-            # Don't enable Wayland compositor inside every AppVM
-            profiles.graphics.enable = false;
-
             development = {
               ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable;
               debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable;
@@ -106,7 +103,7 @@
           };
           fileSystems."/run/waypipe-ssh-public-key".options = ["ro"];
 
-          imports = import ../../module-list.nix;
+          imports = [../../../common];
         })
       ];
     };
diff --git a/modules/virtualization/microvm/common/vm-networking.nix b/modules/microvm/virtualization/microvm/common/vm-networking.nix
similarity index 100%
rename from modules/virtualization/microvm/common/vm-networking.nix
rename to modules/microvm/virtualization/microvm/common/vm-networking.nix
diff --git a/modules/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix
similarity index 97%
rename from modules/virtualization/microvm/guivm.nix
rename to modules/microvm/virtualization/microvm/guivm.nix
index 6fe45c9ff..81f129c4c 100644
--- a/modules/virtualization/microvm/guivm.nix
+++ b/modules/microvm/virtualization/microvm/guivm.nix
@@ -90,7 +90,10 @@
           ];
         };
 
-        imports = import ../../module-list.nix;
+        imports = [
+          ../../../common
+          ../../../desktop
+        ];
 
         # Waypipe service runs in the GUIVM and listens for incoming connections from AppVMs
         systemd.user.services.waypipe = {
@@ -117,7 +120,7 @@
     ];
   };
   cfg = config.ghaf.virtualization.microvm.guivm;
-  vsockproxy = pkgs.callPackage ../../../packages/vsockproxy {};
+  vsockproxy = pkgs.callPackage ../../../../packages/vsockproxy {};
 
   # Importing kernel builder function and building guest_graphics_hardened_kernel
   buildKernel = import ../../../packages/kernel {inherit config pkgs lib;};
diff --git a/modules/virtualization/microvm/microvm-host.nix b/modules/microvm/virtualization/microvm/microvm-host.nix
similarity index 100%
rename from modules/virtualization/microvm/microvm-host.nix
rename to modules/microvm/virtualization/microvm/microvm-host.nix
diff --git a/modules/virtualization/microvm/netvm.nix b/modules/microvm/virtualization/microvm/netvm.nix
similarity index 98%
rename from modules/virtualization/microvm/netvm.nix
rename to modules/microvm/virtualization/microvm/netvm.nix
index 1f6229a2e..373791499 100644
--- a/modules/virtualization/microvm/netvm.nix
+++ b/modules/microvm/virtualization/microvm/netvm.nix
@@ -91,7 +91,7 @@
           writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store";
         };
 
-        imports = import ../../module-list.nix;
+        imports = [../../../common];
       })
     ];
   };
diff --git a/modules/module-list.nix b/modules/module-list.nix
deleted file mode 100644
index a585301ba..000000000
--- a/modules/module-list.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-#
-[
-  ./development/debug-tools.nix
-  ./development/nix.nix
-  ./development/ssh.nix
-  ./firewall
-  ./graphics
-  ./hardware/definition.nix
-  ./hardware/nvidia-jetson-orin/optee.nix
-  ./hardware/x86_64-linux.nix
-  ./hardware/x86_64-generic/kernel/hardening.nix
-  ./profiles/applications.nix
-  ./profiles/debug.nix
-  ./profiles/graphics.nix
-  ./profiles/release.nix
-  ./security/tpm2.nix
-  ./users/accounts.nix
-  ./version
-  ./virtualization/docker.nix
-  ./windows-launcher
-]
diff --git a/modules/polarfire/default.nix b/modules/polarfire/default.nix
new file mode 100644
index 000000000..3f64e4f29
--- /dev/null
+++ b/modules/polarfire/default.nix
@@ -0,0 +1,10 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Support for Microchip Polarfire Icicle-Kit
+#
+{
+  imports = [
+    ./mpfs-nixos-sdimage.nix
+  ];
+}
diff --git a/modules/hardware/polarfire/mpfs-nixos-sdimage.nix b/modules/polarfire/mpfs-nixos-sdimage.nix
similarity index 100%
rename from modules/hardware/polarfire/mpfs-nixos-sdimage.nix
rename to modules/polarfire/mpfs-nixos-sdimage.nix
diff --git a/nix/checks.nix b/nix/checks.nix
index 767058c14..47b2c062a 100644
--- a/nix/checks.nix
+++ b/nix/checks.nix
@@ -17,11 +17,11 @@
             touch $out
           '';
         module-test-hardened-generic-host-kernel =
-          pkgs.callPackage ../modules/hardware/x86_64-generic/kernel/host/test {inherit pkgs;};
+          pkgs.callPackage ../modules/common/hardware/x86_64-generic/kernel/host/test {inherit pkgs;};
         module-test-hardened-lenovo-x1-guest-guivm-kernel =
-          pkgs.callPackage ../modules/hardware/lenovo-x1/kernel/guest/test {inherit pkgs;};
+          pkgs.callPackage ../modules/common/hardware/lenovo-x1/kernel/guest/test {inherit pkgs;};
         module-test-hardened-pkvm-kernel =
-          pkgs.callPackage ../modules/hardware/x86_64-generic/kernel/host/pkvm/test {inherit pkgs;};
+          pkgs.callPackage ../modules/common/hardware/x86_64-generic/kernel/host/pkvm/test {inherit pkgs;};
       }
       // (lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages);
   };
diff --git a/nix/devshell/kernel.nix b/nix/devshell/kernel.nix
index 8702c0d3d..5cdc41249 100644
--- a/nix/devshell/kernel.nix
+++ b/nix/devshell/kernel.nix
@@ -45,7 +45,7 @@
           export PS1="[ghaf-kernel-${platform}-devshell:\w]$ "
         '';
         # use "eval $checkPhase" - see https://discourse.nixos.org/t/nix-develop-and-checkphase/25707
-        checkPhase = "cp ../modules/hardware/${platform}/kernel/configs/ghaf_host_hardened_baseline-${arch} ./.config && make -j$(nproc)";
+        checkPhase = "cp ../modules/common/hardware/${platform}/kernel/configs/ghaf_host_hardened_baseline-${arch} ./.config && make -j$(nproc)";
       };
   in {
     devShells.kernel-x86 = mkKernelShell {
diff --git a/packages/kernel/default.nix b/packages/kernel/default.nix
index eef8a3500..81ce5cd1f 100644
--- a/packages/kernel/default.nix
+++ b/packages/kernel/default.nix
@@ -1,5 +1,7 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: CC-BY-SA-4.0
+#
+# TODO: This is not a package but a module
 {
   config,
   pkgs,
@@ -53,8 +55,8 @@
       configfile = config_baseline;
     };
 
-  generic_host_configs = ../../modules/hardware/x86_64-generic/kernel/host/configs;
-  generic_guest_configs = ../../modules/hardware/x86_64-generic/kernel/guest/configs;
+  generic_host_configs = ../../modules/common/hardware/x86_64-generic/kernel/host/configs;
+  generic_guest_configs = ../../modules/common/hardware/x86_64-generic/kernel/guest/configs;
   # TODO: refactor - do we yet have any X1 specific host kernel configuration options?
   # - we could add a configuration fragment for host debug via usb-ethernet-adapter(s)
 
diff --git a/targets/default.nix b/targets/default.nix
index 0027c2b68..9b4c46d95 100644
--- a/targets/default.nix
+++ b/targets/default.nix
@@ -10,11 +10,11 @@
   inherit (inputs) jetpack-nixos lanzaboote microvm nixos-generators nixos-hardware nixpkgs disko self;
 in
   lib.foldr lib.recursiveUpdate {} [
-    (import ./nvidia-jetson-orin {inherit lib nixpkgs nixos-generators microvm jetpack-nixos;})
-    (import ./vm.nix {inherit lib nixos-generators microvm;})
-    (import ./generic-x86_64.nix {inherit lib nixos-generators microvm;})
-    (import ./lenovo-x1 {inherit lib microvm lanzaboote disko;})
+    (import ./nvidia-jetson-orin {inherit self lib nixpkgs nixos-generators microvm jetpack-nixos;})
+    (import ./vm.nix {inherit self lib nixos-generators microvm;})
+    (import ./generic-x86_64.nix {inherit self lib nixos-generators microvm;})
+    (import ./lenovo-x1 {inherit self lib microvm lanzaboote disko;})
     (import ./lenovo-x1-carbon-installer.nix {inherit self lib;})
-    (import ./imx8qm-mek.nix {inherit lib nixos-generators nixos-hardware microvm;})
-    (import ./microchip-icicle-kit.nix {inherit lib nixpkgs nixos-hardware;})
+    (import ./imx8qm-mek.nix {inherit self lib nixos-generators nixos-hardware microvm;})
+    (import ./microchip-icicle-kit.nix {inherit self lib nixpkgs nixos-hardware;})
   ]
diff --git a/targets/generic-x86_64.nix b/targets/generic-x86_64.nix
index a5508e5b4..dd99ddfcd 100644
--- a/targets/generic-x86_64.nix
+++ b/targets/generic-x86_64.nix
@@ -3,13 +3,13 @@
 #
 # Generic x86_64 computer -target
 {
+  self,
   lib,
   nixos-generators,
   microvm,
 }: let
   name = "generic-x86_64";
   system = "x86_64-linux";
-  formatModule = nixos-generators.nixosModules.raw-efi;
   generic-x86 = variant: extraModules: let
     netvmExtraModules = [
       {
@@ -36,9 +36,12 @@
       modules =
         [
           microvm.nixosModules.host
-          ../modules/host
-          ../modules/virtualization/microvm/microvm-host.nix
-          ../modules/virtualization/microvm/netvm.nix
+          nixos-generators.nixosModules.raw-efi
+          self.nixosModules.common
+          self.nixosModules.desktop
+          self.nixosModules.host
+          self.nixosModules.microvm
+
           {
             ghaf = {
               hardware.x86_64.common.enable = true;
@@ -53,22 +56,17 @@
               # Enable all the default UI applications
               profiles = {
                 applications.enable = true;
-                #TODO clean this up when the microvm is updated to latest
                 release.enable = variant == "release";
                 debug.enable = variant == "debug";
               };
               windows-launcher.enable = true;
             };
-          }
 
-          formatModule
+            #TODO: how to handle the majority of laptops that need a little
+            # something extra?
+            # SEE: https://github.com/NixOS/nixos-hardware/blob/master/flake.nix
+            # nixos-hardware.nixosModules.lenovo-thinkpad-x1-10th-gen
 
-          #TODO: how to handle the majority of laptops that need a little
-          # something extra?
-          # SEE: https://github.com/NixOS/nixos-hardware/blob/master/flake.nix
-          # nixos-hardware.nixosModules.lenovo-thinkpad-x1-10th-gen
-
-          {
             boot.kernelParams = [
               "intel_iommu=on,igx_off,sm_on"
               "iommu=pt"
@@ -79,7 +77,6 @@
             ];
           }
         ]
-        ++ (import ../modules/module-list.nix)
         ++ extraModules;
     };
   in {
@@ -87,7 +84,7 @@
     name = "${name}-${variant}";
     package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr};
   };
-  debugModules = [../modules/development/usb-serial.nix {ghaf.development.usb-serial.enable = true;}];
+  debugModules = [{ghaf.development.usb-serial.enable = true;}];
   targets = [
     (generic-x86 "debug" debugModules)
     (generic-x86 "release" [])
diff --git a/targets/imx8qm-mek.nix b/targets/imx8qm-mek.nix
index bd45ae419..98690c1c1 100644
--- a/targets/imx8qm-mek.nix
+++ b/targets/imx8qm-mek.nix
@@ -3,6 +3,7 @@
 #
 # i.MX8QuadMax Multisensory Enablement Kit
 {
+  self,
   lib,
   nixos-generators,
   nixos-hardware,
@@ -10,19 +11,20 @@
 }: let
   name = "imx8qm-mek";
   system = "aarch64-linux";
-  formatModule = nixos-generators.nixosModules.raw-efi;
   imx8qm-mek = variant: extraModules: let
     hostConfiguration = lib.nixosSystem {
       inherit system;
       specialArgs = {inherit lib;};
       modules =
         [
+          microvm.nixosModules.host
+          nixos-generators.nixosModules.raw-efi
           nixos-hardware.nixosModules.nxp-imx8qm-mek
+          self.nixosModules.common
+          self.nixosModules.desktop
+          self.nixosModules.host
+          self.nixosModules.microvm
 
-          microvm.nixosModules.host
-          ../modules/host
-          ../modules/virtualization/microvm/microvm-host.nix
-          ../modules/virtualization/microvm/netvm.nix
           {
             ghaf = {
               virtualization.microvm-host.enable = true;
@@ -40,10 +42,7 @@
               };
             };
           }
-
-          formatModule
         ]
-        ++ (import ../modules/module-list.nix)
         ++ extraModules;
     };
   in {
diff --git a/targets/lenovo-x1/debugModules.nix b/targets/lenovo-x1/debugModules.nix
index 29bbef3ac..189f91cdf 100644
--- a/targets/lenovo-x1/debugModules.nix
+++ b/targets/lenovo-x1/debugModules.nix
@@ -2,17 +2,10 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 [
-  ../../modules/development/usb-serial.nix
   {
     ghaf.development.usb-serial.enable = true;
     ghaf.profiles.debug.enable = true;
-  }
-  ../../modules/host/secureboot.nix
-  {
     ghaf.host.secureboot.enable = false;
-  }
-  ../../modules/hardware/x86_64-generic/kernel/host
-  {
     ghaf.host.kernel.hardening.usb.enable = false;
     ghaf.host.kernel.hardening.debug.enable = false;
   }
diff --git a/targets/lenovo-x1/default.nix b/targets/lenovo-x1/default.nix
index e28dc37b3..b81663897 100644
--- a/targets/lenovo-x1/default.nix
+++ b/targets/lenovo-x1/default.nix
@@ -3,6 +3,7 @@
 #
 # Configuration for Lenovo X1 Carbon Gen 11
 {
+  self,
   lib,
   microvm,
   lanzaboote,
@@ -11,7 +12,7 @@
 }: let
   name = "lenovo-x1-carbon-gen11";
   system = "x86_64-linux";
-  targets = import ./everything.nix {inherit lib microvm lanzaboote disko name system;};
+  targets = import ./everything.nix {inherit self lib microvm lanzaboote disko name system;};
 in {
   flake.nixosConfigurations =
     builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets);
diff --git a/targets/lenovo-x1/everything.nix b/targets/lenovo-x1/everything.nix
index 5db226791..93d5733d2 100644
--- a/targets/lenovo-x1/everything.nix
+++ b/targets/lenovo-x1/everything.nix
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 {
+  self,
   lib,
   microvm,
   lanzaboote,
@@ -47,16 +48,19 @@
       specialArgs = {inherit lib;};
       modules =
         [
+          disko.nixosModules.disko
           lanzaboote.nixosModules.lanzaboote
           microvm.nixosModules.host
-          disko.nixosModules.disko
-          (import ../../modules/partitioning/lenovo-x1-disko-basic.nix {device = "/dev/nvme0n1";}) #TODO define device in hw def file
-          ../../modules/partitioning/disko-basic-postboot.nix
-          ../../modules/host
-          ../../modules/virtualization/microvm/microvm-host.nix
-          ../../modules/virtualization/microvm/netvm.nix
-          ../../modules/virtualization/microvm/guivm.nix
-          ../../modules/virtualization/microvm/appvm.nix
+          self.nixosModules.common
+          self.nixosModules.desktop
+          self.nixosModules.host
+          self.nixosModules.lanzaboote
+          self.nixosModules.microvm
+
+          # TODO: Refactor the disko module a bit
+          (import ../../modules/disko/lenovo-x1-disko-basic.nix {device = "/dev/nvme0n1";}) #TODO define device in hw def file
+          ../../modules/disko/disko-basic-postboot.nix
+
           ./sshkeys.nix
           ({
             pkgs,
@@ -292,7 +296,6 @@
             boot.initrd.availableKernelModules = ["nvme"];
           })
         ]
-        ++ (import ../../modules/module-list.nix)
         ++ extraModules;
     };
   in {
diff --git a/targets/microchip-icicle-kit.nix b/targets/microchip-icicle-kit.nix
index c0eda2461..ca1788895 100644
--- a/targets/microchip-icicle-kit.nix
+++ b/targets/microchip-icicle-kit.nix
@@ -3,6 +3,7 @@
 #
 # Polarfire Enablement Kit
 {
+  self,
   lib,
   nixpkgs,
   nixos-hardware,
@@ -16,13 +17,12 @@
       modules =
         [
           nixos-hardware.nixosModules.microchip-icicle-kit
-          ../modules/hardware/polarfire/mpfs-nixos-sdimage.nix
-          ../modules/host
+          self.nixosModules.common
+          self.nixosModules.host
+          self.nixosModules.polarfire
 
           {
-            appstream.enable = false;
             boot = {
-              enableContainers = false;
               loader = {
                 grub.enable = false;
                 generic-extlinux-compatible.enable = true;
@@ -32,9 +32,6 @@
             # Disable all the default UI applications
             ghaf = {
               profiles = {
-                applications.enable = false;
-                graphics.enable = false;
-                #TODO clean this up when the microvm is updated to latest
                 release.enable = variant == "release";
                 debug.enable = variant == "debug";
               };
@@ -43,7 +40,6 @@
                 ssh.daemon.enable = true;
               };
               firewall.kernel-modules.enable = true;
-              windows-launcher.enable = false;
             };
             nixpkgs = {
               buildPlatform.system = "x86_64-linux";
@@ -56,7 +52,6 @@
             disabledModules = ["profiles/all-hardware.nix"];
           }
         ]
-        ++ (import ../modules/module-list.nix)
         ++ extraModules;
     };
   in {
diff --git a/targets/nvidia-jetson-orin/default.nix b/targets/nvidia-jetson-orin/default.nix
index 963e6af06..be72a07af 100644
--- a/targets/nvidia-jetson-orin/default.nix
+++ b/targets/nvidia-jetson-orin/default.nix
@@ -4,6 +4,7 @@
 # Configuration for NVIDIA Jetson Orin AGX/NX
 #
 {
+  self,
   lib,
   nixpkgs,
   nixos-generators,
@@ -12,31 +13,24 @@
 }: let
   name = "nvidia-jetson-orin";
   system = "aarch64-linux";
-
-  # Import custom format module
-  formatModule = {
-    imports = [
-      # Needed for formatAttr
-      (nixos-generators + "/format-module.nix")
-
-      ../../modules/hardware/nvidia-jetson-orin/format-module.nix
-    ];
-  };
   nvidia-jetson-orin = som: variant: extraModules: let
     netvmExtraModules = [
       {
         # The Nvidia Orin hardware dependent configuration is in
-        # modules/hardware/nvidia-jetson-orin/jetson-orin.nx
-        # Please refer to that section for hardware dependent netvm configuration.
+        # modules/jetpack and modules/jetpack-microvm. Please refer to that
+        # section for hardware dependent netvm configuration.
+
+        # Wireless Configuration. Orin AGX has WiFi enabled where Orin NX does
+        # not.
+
         # To enable or disable wireless
         networking.wireless.enable = som == "agx";
-        # Wireless Configuration
-        # Orin AGX has WiFi enabled where Orin Nx does not
 
         # For WLAN firmwares
-        hardware.enableRedistributableFirmware = som == "agx";
-        # Note: When 21.11 arrives replace the below statement with
-        # wirelessRegulatoryDatabase = true;
+        hardware = {
+          enableRedistributableFirmware = som == "agx";
+          wirelessRegulatoryDatabase = true;
+        };
       }
     ];
     hostConfiguration = lib.nixosSystem {
@@ -45,12 +39,17 @@
 
       modules =
         [
+          (nixos-generators + "/format-module.nix")
+          ../../modules/jetpack/nvidia-jetson-orin/format-module.nix
           jetpack-nixos.nixosModules.default
-          ../../modules/hardware/nvidia-jetson-orin
           microvm.nixosModules.host
-          ../../modules/host
-          ../../modules/virtualization/microvm/microvm-host.nix
-          ../../modules/virtualization/microvm/netvm.nix
+          self.nixosModules.common
+          self.nixosModules.desktop
+          self.nixosModules.host
+          self.nixosModules.jetpack
+          self.nixosModules.jetpack-microvm
+          self.nixosModules.microvm
+
           {
             ghaf = {
               hardware.nvidia.orin = {
@@ -75,21 +74,15 @@
               # Enable all the default UI applications
               profiles = {
                 applications.enable = true;
-
-                #TODO clean this up when the microvm is updated to latest
                 release.enable = variant == "release";
                 debug.enable = variant == "debug";
               };
-              # TODO when supported on x86 move under virtualization
               windows-launcher.enable = true;
             };
           }
 
           (import ./optee.nix {inherit jetpack-nixos;})
-
-          formatModule
         ]
-        ++ (import ../../modules/module-list.nix)
         ++ extraModules;
     };
   in {
diff --git a/targets/vm.nix b/targets/vm.nix
index f49c5837a..8f71be7ae 100644
--- a/targets/vm.nix
+++ b/targets/vm.nix
@@ -1,47 +1,44 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
 {
+  self,
   lib,
   nixos-generators,
   microvm,
 }: let
   name = "vm";
   system = "x86_64-linux";
-  formatModule = nixos-generators.nixosModules.vm;
   vm = variant: let
     hostConfiguration = lib.nixosSystem {
       inherit system;
       specialArgs = {inherit lib;};
-      modules =
-        [
-          microvm.nixosModules.host
-          ../modules/host
-          ../modules/virtualization/microvm/microvm-host.nix
-          ../modules/virtualization/microvm/netvm.nix
+      modules = [
+        microvm.nixosModules.host
+        nixos-generators.nixosModules.vm
+        self.nixosModules.common
+        self.nixosModules.desktop
+        self.nixosModules.host
+        self.nixosModules.microvm
 
-          {
-            ghaf = {
-              hardware.x86_64.common.enable = true;
+        {
+          ghaf = {
+            hardware.x86_64.common.enable = true;
 
-              virtualization.microvm-host.enable = true;
-              host.networking.enable = true;
-              # TODO: NetVM enabled, but it does not include anything specific
-              #       for this Virtual Machine target
-              virtualization.microvm.netvm.enable = true;
+            virtualization.microvm-host.enable = true;
+            host.networking.enable = true;
+            # TODO: NetVM enabled, but it does not include anything specific
+            #       for this Virtual Machine target
+            virtualization.microvm.netvm.enable = true;
 
-              # Enable all the default UI applications
-              profiles = {
-                applications.enable = true;
-                #TODO clean this up when the microvm is updated to latest
-                release.enable = variant == "release";
-                debug.enable = variant == "debug";
-              };
+            # Enable all the default UI applications
+            profiles = {
+              applications.enable = true;
+              release.enable = variant == "release";
+              debug.enable = variant == "debug";
             };
-          }
-
-          formatModule
-        ]
-        ++ (import ../modules/module-list.nix);
+          };
+        }
+      ];
     };
   in {
     inherit hostConfiguration;