diff --git a/configuration.nix b/configuration.nix
index 80f501c..8e2d9a5 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -13,10 +13,10 @@
 
 {
   imports = [
-    # Generated by `nixos-generate-config`. Drop your real
-    # hardware-configuration.nix in alongside this file before the
-    # first build.
-    # ./hardware-configuration.nix
+    # Ships as a placeholder (unbootable values) so `nix flake check`
+    # evaluates cleanly. Overwrite with `nixos-generate-config` output
+    # before the first real `nixos-rebuild switch`.
+    ./hardware-configuration.nix
 
     # Shared helpers (config.lnbits-sensei.lib).
     ./modules/lib.nix
@@ -42,6 +42,15 @@
   networking.hostName = settings.hostName;
   time.timeZone = settings.timeZone;
 
+  # Primary user. Group declared explicitly per NixOS warning about
+  # implicit `nogroup` defaults. Consumer extends extraGroups as needed.
+  users.users.${settings.user} = {
+    isNormalUser = true;
+    group = settings.user;
+    extraGroups = [ "wheel" ];
+  };
+  users.groups.${settings.user} = { };
+
   nix.settings.experimental-features = [
     "nix-command"
     "flakes"
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..b1dafb6
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,65 @@
+{
+  "nodes": {
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1779678629,
+        "narHash": "sha256-gHcIFg0mm+KFsg7iZQt67kni3+qR5U3PhEC9P7vKlZ4=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "612bbe3b405ad5f71d7bf9edecc04b678a061652",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "lnbits-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1779693880,
+        "narHash": "sha256-Gp+Dwj+zxMS7HaNksazfygMIFrAwW1nyWlNvKnaUta8=",
+        "owner": "lnbits",
+        "repo": "lnbits",
+        "rev": "88672501d8dbb3a77e2ebb5dfc7878dc43adadbd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnbits",
+        "repo": "lnbits",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1779508470,
+        "narHash": "sha256-Ap9KJX+5xHIn3bPIpfNgT6MEXdAECECwo4/rmlQD74M=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "29916453413845e54a65b8a1cf996842300cd299",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "lnbits-src": "lnbits-src",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..c6c897d
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# PLACEHOLDER — do not boot from this.
+#
+# This file ships with the scaffold purely so `nix flake check` and
+# `nixos-rebuild build` evaluate without screaming about missing
+# `fileSystems."/"` and `boot.loader.*`. The values are syntactically
+# valid but intentionally unusable — `/dev/null` is not a real root.
+#
+# Before the first real `nixos-rebuild switch`, overwrite this file:
+#
+#   sudo nixos-generate-config --root / --dir /etc/nixos
+#
+# or, if your repo lives elsewhere, copy the generated file in by hand.
+# The autogenerated version pins your actual disks, kernel modules,
+# and bootloader to the running machine.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  fileSystems."/" = {
+    device = "/dev/null";
+    fsType = "ext4";
+  };
+
+  boot.loader.grub = {
+    enable = true;
+    devices = [ "nodev" ];
+  };
+
+  # Required for evaluation. The consumer's real configuration will
+  # almost always overwrite this with `nixos-generate-config` output.
+  boot.initrd.availableKernelModules = [ ];
+  boot.kernelModules = [ ];
+}
diff --git a/home.nix b/home.nix
index 10d8df4..3f02f44 100644
--- a/home.nix
+++ b/home.nix
@@ -14,7 +14,9 @@
 
 {
   home.username = settings.user;
-  home.homeDirectory = "/home/${settings.user}";
+  # `lib.mkForce` because home-manager's nixos module sets a default
+  # homeDirectory of /var/empty that we always want to override.
+  home.homeDirectory = lib.mkForce "/home/${settings.user}";
 
   # State version pins the schema of files this generation produces.
   # Match the NixOS stateVersion in configuration.nix.
@@ -24,8 +26,10 @@
   # for the whole host.
   programs.git = {
     enable = true;
-    userName = settings.gitName;
-    userEmail = settings.gitEmail;
+    settings.user = {
+      name = settings.gitName;
+      email = settings.gitEmail;
+    };
   };
 
   # Future passes: shell prompt, editor, lnbits dev shell aliases,