Split shared host config into dedicated modules

- Add shared modules for boot, hardware, networking, input, and host defaults
- Move host-specific TOML flags to new option namespaces
- Update SSH and service defaults for the new layout

modules/nixos/shared/boot/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./secure-boot.nix
+    ./tpm-disk-unlock.nix
+  ];
+}

modules/nixos/shared/boot/secure-boot.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkDefault mkEnableOption;
+  cfg = config.unexplrd.boot.secureBoot;
+in {
+  options.unexplrd.boot.secureBoot.enable =
+    mkEnableOption "secure boot support";
+
+  config = {
+    boot.loader.systemd-boot.enable = mkDefault (!cfg.enable);
+  };
+}

modules/nixos/shared/boot/tpm-disk-unlock.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkDefault mkEnableOption;
+  cfg = config.unexplrd.boot.tpmDiskUnlock;
+in {
+  options.unexplrd.boot.tpmDiskUnlock.enable =
+    mkEnableOption "TPM2 disk unlock support";
+
+  config = {
+    boot.initrd.systemd.tpm2.enable = mkDefault cfg.enable;
+  };
+}