diff --git a/common/default.nix b/common/default.nix index 2430901..70050d0 100644 --- a/common/default.nix +++ b/common/default.nix @@ -5,6 +5,7 @@ ./environment.nix ./home-manager.nix ./nginx.nix + ./nixpkgs.nix ./openssh.nix ./security.nix ./zsh.nix diff --git a/common/nixpkgs.nix b/common/nixpkgs.nix new file mode 100644 index 0000000..b11cac9 --- /dev/null +++ b/common/nixpkgs.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, inputs, ... }: + +{ + nixpkgs = { + config = { + allowUnfree = true; + packageOverrides = pkgs: { + agenix = inputs.agenix.packages.${config.nixpkgs.hostPlatform.system}.default; + }; + }; + + overlays = [ inputs.nur.overlay ]; + }; +} diff --git a/common/sysadmin/default.nix b/common/sysadmin/default.nix index 5e0cdc0..3709583 100644 --- a/common/sysadmin/default.nix +++ b/common/sysadmin/default.nix @@ -8,6 +8,8 @@ in options.qenya.sysadmin.enable = mkEnableOption "Base configuration for headless servers"; config = mkIf cfg.enable { + time.timeZone = "Etc/UTC"; + # Allow remote deployment with colmena deployment.targetUser = null; security.sudo.wheelNeedsPassword = false; diff --git a/flake.nix b/flake.nix index 68f65da..3ca3ae6 100644 --- a/flake.nix +++ b/flake.nix @@ -27,25 +27,15 @@ nodeNixpkgs = { kalessin = import nixpkgs { system = "aarch64-linux"; }; # TODO: this should be generated from the host config somehow }; + specialArgs = { + inherit inputs; + }; }; - defaults = { name, nodes, config, lib, pkgs, ... }: { + defaults = { name, nodes, ... }: { networking.hostName = name; nix.settings.experimental-features = "nix-command flakes"; - nixpkgs.flake.source = nixpkgs; - nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; - - nixpkgs = { - config = { - allowUnfree = true; - packageOverrides = pkgs: { - agenix = agenix.packages.${config.nixpkgs.hostPlatform.system}.default; - }; - }; - - overlays = [ nur.overlay ]; - }; imports = [ home-manager.nixosModules.home-manager 
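Review bot: `overlays = [ inputs.nur.overlay ];` and `allowUnfree = true;` in the new `common/nixpkgs.nix` still apply to every host that imports `common/`, servers included, assuming the module is imported fleet-wide as the `common/default.nix` hunk suggests. NUR packages are community-maintained and do not go through nixpkgs review, so it would be safer to add the overlay only on hosts that actually consume `pkgs.nur.*`. The unfree allowance can be narrowed with `allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ /* placeholder: explicit package names */ ];`. The module also evaluates only when `inputs` arrives via `specialArgs`, which deserves a one-line comment at the top such as `# requires specialArgs.inputs (set in flake.nix)`.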
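Review bot: `time.timeZone = "Etc/UTC";` in `common/sysadmin/default.nix` is defined at normal priority, so a host that enables `qenya.sysadmin` and also sets its own `time.timeZone` (as `hosts/tohru/configuration.nix` does in this commit) would fail evaluation with conflicting definitions. If UTC is meant as the server default rather than a hard requirement, write `time.timeZone = mkDefault "Etc/UTC";` (assuming `mkDefault` is in scope the same way `mkIf` is). If it is a hard requirement, a short comment stating the reason would help the next maintainer. The `config = mkIf cfg.enable` block continues outside the hunk.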
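Review bot: The removed `nixpkgs.flake.source = nixpkgs;` and `nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];` in the first `flake.nix` hunk are not re-added in `common/nixpkgs.nix` or any other hunk shown, unlike the `nixpkgs.config` and overlay settings that were moved. If that is unintended, `<nixpkgs>` lookups and ad-hoc `nix` commands on the hosts may no longer resolve to the revision locked by the flake, so they could pull a different, unpinned nixpkgs. Consider carrying both into `common/nixpkgs.nix` as `nixpkgs.flake.source = inputs.nixpkgs;` and `nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];`, or say in the commit message why they are dropped. `specialArgs = { inherit inputs; };` also assumes `inputs` is bound in the `outputs` function head, which is outside the hunk.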
@@ -59,7 +49,6 @@ tohru = { name, nodes, ... }: { networking.hostId = "31da19c1"; - time.timeZone = "Europe/London"; deployment = { allowLocalDeployment = true; targetHost = null; # disallow remote deployment @@ -72,7 +61,6 @@ yevaud = { name, nodes, ... }: { networking.hostId = "09673d65"; - time.timeZone = "Etc/UTC"; deployment.targetHost = "yevaud.birdsong.network"; imports = [ @@ -82,7 +70,6 @@ orm = { name, nodes, ... }: { networking.hostId = "00000000"; - time.timeZone = "Etc/UTC"; deployment.targetHost = "orm.birdsong.network"; imports = [ @@ -92,7 +79,6 @@ kalessin = { name, nodes, ... }: { networking.hostId = "534b538e"; - time.timeZone = "Etc/UTC"; deployment = { targetHost = "kalessin.birdsong.network"; buildOnTarget = true; diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix index f248b63..73c578c 100644 --- a/hosts/tohru/configuration.nix +++ b/hosts/tohru/configuration.nix @@ -11,7 +11,6 @@ boot.loader.systemd-boot.editor = false; age.secrets.wireguard-peer-tohru.file = ../../secrets/wireguard-peer-tohru.age; - birdsong.peering = { enable = true; privateKeyFile = config.age.secrets.wireguard-peer-tohru.path; @@ -30,6 +29,8 @@ networking.networkmanager.enable = true; + time.timeZone = "Europe/London"; + i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk";