diff --git a/AGENTS.md b/AGENTS.md index d3533b4..a4b4942 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -21,7 +21,7 @@ flake.nix # 3 hosts, 2 channels deploy.sh # wrapper: current-host rebuild or `muffin` deploy-rs hosts// # host entrypoints (default.nix, home.nix, disk.nix, …) modules/ # flat namespace; see module naming below - common-*.nix # imported by ALL hosts (nix settings, doas, fish shim) + common.nix # imported by ALL hosts (nix settings, doas, fish shim) desktop-*.nix # imported by mreow/yarn only server-*.nix # imported by muffin only .nix # scoped by filename (age-secrets, zfs, no-rgb, …) diff --git a/hosts/muffin/default.nix b/hosts/muffin/default.nix index 652ef45..6334d8e 100644 --- a/hosts/muffin/default.nix +++ b/hosts/muffin/default.nix @@ -11,10 +11,7 @@ }: { imports = [ - # common across all hosts - ../../modules/common-doas.nix - ../../modules/common-shell-fish.nix - ../../modules/common-nix.nix + ../../modules/common.nix # muffin-only system modules ./hardware.nix @@ -95,8 +92,6 @@ services.deployGuard.enable = true; - services.kmscon.enable = true; - # Disable serial getty on ttyS0 to prevent dmesg warnings systemd.services."serial-getty@ttyS0".enable = false; @@ -154,10 +149,6 @@ }; }; - environment.etc = { - "issue".text = ""; - }; - # Set your time zone. time.timeZone = "America/New_York"; @@ -170,19 +161,12 @@ ]; }; - #fwupd for updating firmware - services.fwupd = { - enable = true; - extraRemotes = [ "lvfs-testing" ]; - }; - environment.systemPackages = with pkgs; [ helix lm_sensors bottom htop - doas-sudo-shim neofetch borgbackup @@ -275,9 +259,6 @@ hashedPasswordFile = config.age.secrets.hashedPass.path; }; - # programs.fish + bash→fish redirect and security.doas block are in - # modules/common-shell-fish.nix and modules/common-doas.nix. - services.murmur = { enable = true; openFirewall = true; diff --git a/modules/common-doas.nix b/modules/common-doas.nix deleted file mode 100644 index 2e0875a..0000000 
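Review bot: Importing `../../modules/common.nix` in the first hunk of `hosts/muffin/default.nix` gives muffin two settings that none of the lines removed from this file carried: `hardware.enableRedistributableFirmware = true` and `hardware.cpu.amd.updateMicrocode = true`. Both previously lived only in `modules/desktop-common.nix`. Unless `./hardware.nix` already sets them (it is not visible here), this is a configuration change on the server delivered inside a refactor, and it should be stated in the commit message. Since the module is now shared by every host, consider `hardware.cpu.amd.updateMicrocode = lib.mkDefault true;` so a host can override it without `lib.mkForce`.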
--- a/modules/common-doas.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ username, ... }:
-{
- # doas replaces sudo on every host
- security = {
- doas.enable = true;
- sudo.enable = false;
- doas.extraRules = [
- {
- users = [ username ];
- keepEnv = true;
- persist = true;
- }
- ];
- };
-}
diff --git a/modules/common-nix.nix b/modules/common-nix.nix
deleted file mode 100644
index 458a947..0000000
--- a/modules/common-nix.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ lib, ... }:
-{
- # Common Nix daemon settings. Host-specific overrides (binary cache substituters,
- # gc retention) live in the host's default.nix.
- nix = {
- optimise.automatic = true;
-
- gc = {
- automatic = true;
- dates = "weekly";
- # Default retention: override per-host via lib.mkForce if different.
- options = lib.mkDefault "--delete-older-than 30d";
- };
-
- settings = {
- experimental-features = [
- "nix-command"
- "flakes"
- ];
- };
- };
-}
diff --git a/modules/common-shell-fish.nix b/modules/common-shell-fish.nix
deleted file mode 100644
index 13d0505..0000000
--- a/modules/common-shell-fish.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ pkgs, lib, ... }:
-{
- # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
- # Login shells stay bash but immediately `exec fish` so fish is the effective shell
- # without breaking scripts that hardcode #!/bin/bash.
- programs.fish.enable = true;
- programs.bash = {
- interactiveShellInit = ''
- if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
- then
- shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
- exec ${lib.getExe pkgs.fish} $LOGIN_OPTION
- fi
- '';
- };
-}
diff --git a/modules/common.nix b/modules/common.nix
new file mode 100644
index 0000000..db4dd38
--- /dev/null
+++ b/modules/common.nix
@@ -0,0 +1,75 @@ +{ + config, + lib, + pkgs, + username, + ... +}: +{ + # Common Nix daemon settings. Host-specific overrides (binary cache substituters, + # gc retention) live in the host's default.nix. + nix = { + optimise.automatic = true; + + gc = { + automatic = true; + dates = "weekly"; + # Default retention: override per-host via lib.mkForce if different. + options = lib.mkDefault "--delete-older-than 30d"; + }; + + settings = { + experimental-features = [ + "nix-command" + "flakes" + ]; + }; + }; + + # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell + # Login shells stay bash but immediately `exec fish` so fish is the effective shell + # without breaking scripts that hardcode #!/bin/bash. + programs.fish.enable = true; + programs.bash = { + interactiveShellInit = '' + if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]] + then + shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION="" + exec ${lib.getExe pkgs.fish} $LOGIN_OPTION + fi + ''; + }; + + # doas replaces sudo on every host + security = { + doas.enable = true; + sudo.enable = false; + doas.extraRules = [ + { + users = [ username ]; + keepEnv = true; + persist = true; + } + ]; + }; + + services.kmscon.enable = true; + + environment.systemPackages = with pkgs; [ + doas-sudo-shim + ]; + + hardware.enableRedistributableFirmware = true; + hardware.cpu.amd.updateMicrocode = true; + + environment.etc = { + # override default nixos /etc/issue + "issue".text = ""; + }; + + # for updating firmware + services.fwupd = { + enable = true; + extraRemotes = [ "lvfs-testing" ]; + }; +} diff --git a/modules/desktop-common.nix b/modules/desktop-common.nix index 0ce026c..26cddd0 100644 --- a/modules/desktop-common.nix +++ b/modules/desktop-common.nix @@ -10,10 +10,7 @@ }: { imports = [ - # shared across all hosts - ./common-doas.nix - ./common-shell-fish.nix - ./common-nix.nix + ./common.nix # desktop-only modules ./desktop-vm.nix 
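Review bot: The `security.doas.extraRules` entry in the new `modules/common.nix` combines `keepEnv = true` and `persist = true` on a rule with no `cmd` restriction, and this file is now the single definition for every host, including the server. With `keepEnv`, variables from the user's session (other than the few doas always resets) are carried into processes started as root, so anything able to influence that session's environment can influence what runs with root privileges. `persist` also skips re-authentication for a period after the first prompt. If the full environment is not actually needed, replace `keepEnv = true;` with an explicit allow-list such as `setEnv = [ "LANG" "TERM" ];` (example values). Otherwise extend the `# doas replaces sudo on every host` comment to record why both flags are required.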
@@ -31,11 +28,6 @@ # allow overclocking (I actually underclock but lol) hardware.amdgpu.overdrive.ppfeaturemask = "0xFFFFFFFF"; - hardware.enableRedistributableFirmware = true; - hardware.cpu.amd.updateMicrocode = true; - - services.kmscon.enable = true; - # Add niri to display manager session packages services.displayManager.sessionPackages = [ niri-package ]; @@ -350,23 +342,10 @@ # 1gb huge pages "hugepagesz=1G" "hugepages=3" - ]; - - }; - - environment.etc = { - # override default nixos /etc/issue - "issue".text = ""; }; services = { - # fwupd for updating firmware - fwupd = { - enable = true; - extraRemotes = [ "lvfs-testing" ]; - }; - # auto detect network printers avahi = { enable = true; @@ -466,8 +445,6 @@ dmidecode - doas-sudo-shim - glib usbutils libmtp
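Review bot: As rendered here, the hunk at `@@ -350,23 +342,10 @@` in `modules/desktop-common.nix` deletes the `];` that follows `"hugepages=3"` along with one `};` and adds nothing back, so the list holding those kernel parameters appears to be left unclosed. The header counts (23 old lines, 10 new) match thirteen removals and no additions, so this does not look like a display artefact. The list's opening line is outside the hunk and indentation is lost in this view, so please confirm against the file. If it is real, keep the `];` and the enclosing `};`, and remove only the `environment.etc = { … };` block with its blank line. Evaluating the configuration before merging (for example `nix flake check`) would catch this.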