feat(system): professionalize system configurations

- Consolidate imperative system settings into /etc/nixos/state.json
- Implement nomarchy.system options for DNS, Wifi powersave, Timezone, and hardware features
- Add declarative browser policies for Chromium/Brave based on theme
- Update toggles scripts to mutate system JSON and run sys-update --impure
- Remove obsolete imperative browser theme and redundant system modules

modules/home/default.nix

@@ -58,7 +58,7 @@ in
   ] ++ userPackages;
 
   home.shellAliases = {
-    sys-update = "sudo nixos-rebuild switch --flake /etc/nixos#default";
+    sys-update = "sudo nixos-rebuild switch --flake /etc/nixos#default --impure";
     env-update = "home-manager switch --flake /etc/nixos#default --impure";
   };
 }

modules/system/browser.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+
+let
+  palettes = import ../../themes/nomarchy-palettes.nix;
+  activeThemeName = config.nomarchy.system.theme;
+  currentPalette = (palettes.${activeThemeName} or palettes.nord).palette;
+  
+  # Hex color for browser theme (base00 is background)
+  themeColor = "#${currentPalette.base00}";
+  
+  policy = {
+    BrowserThemeColor = themeColor;
+    BrowserColorScheme = if lib.strings.hasInfix "light" activeThemeName then "light" else "dark";
+  };
+in
+{
+  # Chromium policies
+  programs.chromium.extraOpts = policy;
+  
+  # Brave policies (Brave on NixOS also respects some chromium policies if set via extraOpts)
+  # But better to use the specific brave module if available or just the same policy.
+}

modules/system/default.nix

@@ -2,12 +2,17 @@
 
 {
   imports = [
+    ./options.nix
+    ./state.nix
     ./plymouth.nix
     ./sddm.nix
     ./hardware.nix
     ./audio.nix
     ./bluetooth.nix
     ./network.nix
+    ./browser.nix
     ./impermanence.nix
   ];
+
+  time.timeZone = config.nomarchy.system.timezone;
 }

modules/system/hardware.nix

@@ -46,5 +46,22 @@ in
         options brcmfmac feature_disable=0x82000
       '';
     })
+
+    # System Features
+    (mkIf config.nomarchy.system.features.fingerprint {
+      services.fprintd.enable = true;
+    })
+
+    (mkIf config.nomarchy.system.features.fido2 {
+      security.pam.u2f = {
+        enable = true;
+        control = "sufficient";
+        cue = true;
+      };
+    })
+
+    (mkIf config.nomarchy.system.features.hybridGPU {
+      services.supergfxd.enable = true;
+    })
   ];
 }

modules/system/network.nix

@@ -1,5 +1,26 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
+let
+  cfg = config.nomarchy.system;
+in
 {
   networking.networkmanager.enable = true;
+  
+  networking.networkmanager.wifi.powersave = cfg.wifi.powersave;
+
+  # DNS Configuration
+  networking.nameservers = if cfg.dns == "Cloudflare" then [ "1.1.1.1" "1.0.0.1" ]
+                           else if cfg.dns == "Google" then [ "8.8.8.8" "8.8.4.4" ]
+                           else if cfg.dns == "Custom" then cfg.customDns
+                           else []; # DHCP lets NM handle it
+
+  services.resolved = {
+    enable = cfg.dns != "DHCP";
+    dnssec = "allow-downgrade";
+    domains = [ "~." ];
+    fallbackDns = [ "9.9.9.9" "149.112.112.112" ];
+    extraConfig = ''
+      DNSOverTLS=opportunistic
+    '';
+  };
 }

modules/system/options.nix

@@ -0,0 +1,50 @@
+{ lib, ... }:
+
+{
+  options.nomarchy.system = {
+    dns = lib.mkOption {
+      type = lib.types.enum [ "Cloudflare" "Google" "DHCP" "Custom" ];
+      default = "DHCP";
+      description = "Selected DNS provider.";
+    };
+    customDns = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [];
+      description = "List of custom DNS servers.";
+    };
+    wifi = {
+      powersave = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Whether to enable wifi power saving.";
+      };
+    };
+    timezone = lib.mkOption {
+      type = lib.types.str;
+      default = "UTC";
+      description = "System timezone.";
+    };
+    features = {
+      fingerprint = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether to enable fingerprint support.";
+      };
+      fido2 = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether to enable FIDO2 support.";
+      };
+      hybridGPU = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether to enable hybrid GPU support (supergfxd).";
+      };
+    };
+    theme = lib.mkOption {
+      type = lib.types.str;
+      default = "nord";
+      description = "Selected system theme.";
+    };
+  };
+}

modules/system/state.nix

@@ -0,0 +1,28 @@
+{ lib, ... }:
+
+let
+  stateFile = "/etc/nixos/state.json";
+  
+  # Helper to read state from a file, with a default
+  readState = file: default:
+    if builtins.pathExists file then
+      builtins.fromJSON (builtins.readFile file)
+    else
+      default;
+
+  systemState = readState stateFile {};
+in
+{
+  config.nomarchy.system = {
+    dns = systemState.dns or "DHCP";
+    customDns = systemState.customDns or [];
+    wifi.powersave = systemState.wifi.powersave or true;
+    timezone = systemState.timezone or "UTC";
+    features = {
+      fingerprint = systemState.features.fingerprint or false;
+      fido2 = systemState.features.fido2 or false;
+      hybridGPU = systemState.features.hybridGPU or false;
+    };
+    theme = systemState.theme or "nord";
+  };
+}

modules/system/supergfxd.nix

@@ -1,6 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.supergfxd.enable = true;
-  # NixOS handles the configuration of supergfxd
-}