diff --git a/modules/README.md b/modules/README.md
index fc13a0b6..7800edbb 100644
--- a/modules/README.md
+++ b/modules/README.md
@@ -2,4 +2,4 @@
 1. `darwin`: macOS-specific configuration.
 2. `nixos`: NixOS-specific configuration.
-3. `base.nix`: Common configuration for both NixOS and Nix-Darwin.
+3. `base`: Common configuration for both NixOS and Nix-Darwin.
diff --git a/modules/base.nix b/modules/base.nix
deleted file mode 100644
index 4ac98643..00000000
--- a/modules/base.nix
+++ /dev/null
@@ -1,126 +0,0 @@
-{
- config,
- pkgs,
- myvars,
- nuenv,
- ...
-} @ args: {
- nixpkgs.overlays =
- [
- nuenv.overlays.default
- ]
- ++ (import ../overlays args);
-
- # Add my private PKI's CA certificate to the system-wide trust store.
- security.pki.certificateFiles = [
- ../certs/ecc-ca.crt
- ];
-
- # auto upgrade nix to the unstable version
- # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/tools/package-management/nix/default.nix#L284
- nix.package = pkgs.nixVersions.latest;
-
- # for security reasons, do not load neovim's user config
- # since EDITOR may be used to edit some critical files
- environment.variables.EDITOR = "nvim --clean";
-
- environment.systemPackages = with pkgs; [
- # core tools
- tealdeer # a very fast version of tldr
- fastfetch
- neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
- just # justfile
- nushell # nushell
- git # used by nix flakes
- git-lfs # used by huggingface models
-
- # archives
- zip
- xz
- zstd
- unzipNLS
- p7zip
-
- # Text Processing
- # Docs: https://github.com/learnbyexample/Command-line-text-processing
- gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
- gnused # GNU sed, very powerful(mainly for replacing text in files)
- gawk # GNU awk, a pattern scanning and processing language
- jq # A lightweight and flexible command-line JSON processor
-
- # networking tools
- mtr # A network diagnostic tool
- iperf3
- dnsutils # `dig` + `nslookup`
- ldns # replacement of `dig`, it provide the command `drill`
- wget
- curl
- aria2 # A lightweight multi-protocol & multi-source command-line download utility
- socat # replacement of openbsd-netcat
- nmap # A utility for network discovery and security auditing
- ipcalc # it is a calculator for the IPv4/v6 addresses
-
- # misc
- file
- findutils
- which
- tree
- gnutar
- rsync
- ];
-
- users.users.${myvars.username} = {
- description = myvars.userfullname;
- # Public Keys that can be used to login to all my PCs, Macbooks, and servers.
- #
- # Since its authority is so large, we must strengthen its security:
- # 1. The corresponding private key must be:
- # 1. Generated locally on every trusted client via:
- # ```bash
- # # KDF: bcrypt with 256 rounds, takes 2s on Apple M2):
- # # Passphrase: digits + letters + symbols, 12+ chars
- # ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx`
- # ```
- # 2. Never leave the device and never sent over the network.
- # 2. Or just use hardware security keys like Yubikey/CanoKey.
- openssh.authorizedKeys.keys = myvars.mainSshAuthorizedKeys;
- };
-
- programs.ssh = myvars.networking.ssh;
-
- nix.settings = {
- # enable flakes globally
- experimental-features = ["nix-command" "flakes"];
-
- # given the users in this list the right to specify additional substituters via:
- # 1. `nixConfig.substituers` in `flake.nix`
- # 2. command line args `--options substituers http://xxx`
- trusted-users = [myvars.username];
-
- # substituers that will be considered before the official ones(https://cache.nixos.org)
- substituters = [
- # cache mirror located in China
- # status: https://mirrors.ustc.edu.cn/status/
- "https://mirrors.ustc.edu.cn/nix-channels/store"
- # status: https://mirror.sjtu.edu.cn/
- # "https://mirror.sjtu.edu.cn/nix-channels/store"
- # others
- # "https://mirrors.sustech.edu.cn/nix-channels/store"
- "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
-
- "https://nix-community.cachix.org"
- # my own cache server, currently not used.
- # "https://ryan4yin.cachix.org"
- ];
-
- trusted-public-keys = [
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "ryan4yin.cachix.org-1:Gbk27ZU5AYpGS9i3ssoLlwdvMIh0NxG0w8it/cv9kbU="
- ];
- builders-use-substitutes = true;
- };
-
- nix.extraOptions = ''
- !include ${config.age.secrets.nix-access-tokens.path}
- '';
-}
diff --git a/modules/base/default.nix b/modules/base/default.nix
new file mode 100644
index 00000000..eeb48a40
--- /dev/null
+++ b/modules/base/default.nix
@@ -0,0 +1,3 @@
+{mylib, ...}: {
+ imports = mylib.scanPaths ./.;
+}
diff --git a/modules/base/fonts.nix b/modules/base/fonts.nix
new file mode 100644
index 00000000..ed0ceb58
--- /dev/null
+++ b/modules/base/fonts.nix
@@ -0,0 +1,56 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.modules.desktop;
+in {
+ options.modules.desktop = {
+ fonts.enable = lib.mkEnableOption "Rich Fonts - Add NerdFonts Icons, emojis & CJK Fonts";
+ };
+
+ config.fonts.packages = with pkgs;
+ lib.mkIf cfg.fonts.enable
+ [
+ # icon fonts
+ material-design-icons
+ font-awesome
+
+ # nerdfonts
+ # https://github.com/NixOS/nixpkgs/blob/nixos-unstable-small/pkgs/data/fonts/nerd-fonts/manifests/fonts.json
+ nerd-fonts.symbols-only # symbols icon only
+ nerd-fonts.fira-code
+ nerd-fonts.jetbrains-mono
+ nerd-fonts.iosevka
+
+ # Noto 是 Google 开发的开源字体家族
+ # 名字的含义是「没有豆腐」(no tofu),因为缺字时显示的方框或者方框被叫作 tofu
+ #
+ # Noto 系列字族只支持西文,命名规则是 Noto + Sans 或 Serif + 文字名称。
+ noto-fonts # 大部分文字的常见样式,不包含汉字
+ noto-fonts-color-emoji # 彩色的表情符号字体
+ # Noto CJK 为「思源」系列汉字字体,由 Adobe + Google 共同开发
+ # Google 以 Noto Sans/Serif CJK SC/TC/HK/JP/KR 的名称发布该系列字体。
+ # 这俩跟 noto-fonts-cjk-sans/serif 实际为同一字体,只是分别由 Adobe/Google 以自己的品牌名发布
+ # noto-fonts-cjk-sans # 思源黑体
+ # noto-fonts-cjk-serif # 思源宋体
+
+ # Adobe 以 Source Han Sans/Serif 的名称发布此系列字体
+ source-sans # 无衬线字体,不含汉字。字族名叫 Source Sans 3,以及带字重的变体(VF)
+ source-serif # 衬线字体,不含汉字。字族名叫 Source Serif 4,以及带字重的变体
+ # Source Hans 系列汉字字体由 Adobe + Google 共同开发
+ source-han-sans # 思源黑体
+ source-han-serif # 思源宋体
+ source-han-mono # 思源等宽
+
+ # 霞鹜文楷 屏幕阅读版
+ # https://github.com/lxgw/LxgwWenKai-Screen
+ lxgw-wenkai-screen
+
+ # Maple Mono NF CN (连字 未微调版,适用于高分辨率屏幕)
+ # Full version, embed with nerdfonts icons, Chinese and Japanese glyphs
+ # https://github.com/subframe7536/maple-font
+ maple-mono.NF-CN-unhinted
+ ];
+}
diff --git a/modules/base/nix.nix b/modules/base/nix.nix
new file mode 100644
index 00000000..cdd58f01
--- /dev/null
+++ b/modules/base/nix.nix
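Review bot: The new fonts.nix declares its switch under `options.modules.desktop` although it lives in `modules/base/`, which the server hosts import as well, and nothing in the file says why a base module carries a desktop-namespaced option or that it is opt-in. A header comment on the first line would settle both points, e.g. `# Shared font set for NixOS and nix-darwin. Opt-in via modules.desktop.fonts.enable (default false) so headless hosts importing base stay font-free.`. Since `lib.mkEnableOption` defaults to false, any desktop host that does not set the flag gets nothing from this module, which is worth stating in that comment so the behaviour is not a surprise.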
@@ -0,0 +1,46 @@
+{
+ pkgs,
+ config,
+ myvars,
+ ...
+}: {
+ # auto upgrade nix to the unstable version
+ # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/tools/package-management/nix/default.nix#L284
+ nix.package = pkgs.nixVersions.latest;
+
+ nix.settings = {
+ # enable flakes globally
+ experimental-features = ["nix-command" "flakes"];
+
+ # given the users in this list the right to specify additional substituters via:
+ # 1. `nixConfig.substituers` in `flake.nix`
+ # 2. command line args `--options substituers http://xxx`
+ trusted-users = [myvars.username];
+
+ # substituers that will be considered before the official ones(https://cache.nixos.org)
+ substituters = [
+ # cache mirror located in China
+ # status: https://mirrors.ustc.edu.cn/status/
+ "https://mirrors.ustc.edu.cn/nix-channels/store"
+ # status: https://mirror.sjtu.edu.cn/
+ # "https://mirror.sjtu.edu.cn/nix-channels/store"
+ # others
+ # "https://mirrors.sustech.edu.cn/nix-channels/store"
+ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
+
+ "https://nix-community.cachix.org"
+ # my own cache server, currently not used.
+ # "https://ryan4yin.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "ryan4yin.cachix.org-1:Gbk27ZU5AYpGS9i3ssoLlwdvMIh0NxG0w8it/cv9kbU="
+ ];
+ builders-use-substitutes = true;
+ };
+
+ nix.extraOptions = ''
+ !include ${config.age.secrets.nix-access-tokens.path}
+ '';
+}
diff --git a/modules/base/overlays.nix b/modules/base/overlays.nix
new file mode 100644
index 00000000..5fa7172d
--- /dev/null
+++ b/modules/base/overlays.nix
@@ -0,0 +1,7 @@
+{nuenv, ...} @ args: {
+ nixpkgs.overlays =
+ [
+ nuenv.overlays.default
+ ]
+ ++ (import ../../overlays args);
+}
diff --git a/modules/base/security.nix b/modules/base/security.nix
new file mode 100644
index 00000000..ca2ff666
--- /dev/null
+++ b/modules/base/security.nix
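Review bot: `trusted-public-keys` in the new nix.nix still trusts the `ryan4yin.cachix.org-1:…` key although the matching substituter is commented out a few lines above; signature trust is not bound to a substituter, so a store path signed with that key would be accepted from any configured cache, including the mirrors. Commenting the key out next to its substituter keeps the trust set minimal: `# "ryan4yin.cachix.org-1:Gbk27ZU5AYpGS9i3ssoLlwdvMIh0NxG0w8it/cv9kbU="`. The comment above `trusted-users` also understates the grant: a trusted user can override most daemon settings from the client side (substituters, trusted keys, sandboxing), which is effectively root on the host, so I would add `# NOTE: trusted users can override daemon settings (substituters, keys, sandbox) from the client — effectively root; keep this list minimal.`.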
@@ -0,0 +1,6 @@
+{
+ # Add my private PKI's CA certificate to the system-wide trust store.
+ security.pki.certificateFiles = [
+ ../../certs/ecc-ca.crt
+ ];
+}
diff --git a/modules/base/system-packages.nix b/modules/base/system-packages.nix
new file mode 100644
index 00000000..6254f943
--- /dev/null
+++ b/modules/base/system-packages.nix
@@ -0,0 +1,50 @@
+{pkgs, ...}: {
+ # for security reasons, do not load neovim's user config
+ # since EDITOR may be used to edit some critical files
+ environment.variables.EDITOR = "nvim --clean";
+
+ environment.systemPackages = with pkgs; [
+ # core tools
+ tealdeer # a very fast version of tldr
+ fastfetch
+ neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ just # justfile
+ nushell # nushell
+ git # used by nix flakes
+ git-lfs # used by huggingface models
+
+ # archives
+ zip
+ xz
+ zstd
+ unzipNLS
+ p7zip
+
+ # Text Processing
+ # Docs: https://github.com/learnbyexample/Command-line-text-processing
+ gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
+ gnused # GNU sed, very powerful(mainly for replacing text in files)
+ gawk # GNU awk, a pattern scanning and processing language
+ jq # A lightweight and flexible command-line JSON processor
+
+ # networking tools
+ mtr # A network diagnostic tool
+ iperf3
+ dnsutils # `dig` + `nslookup`
+ ldns # replacement of `dig`, it provide the command `drill`
+ wget
+ curl
+ aria2 # A lightweight multi-protocol & multi-source command-line download utility
+ socat # replacement of openbsd-netcat
+ nmap # A utility for network discovery and security auditing
+ ipcalc # it is a calculator for the IPv4/v6 addresses
+
+ # misc
+ file
+ findutils
+ which
+ tree
+ gnutar
+ rsync
+ ];
+}
diff --git a/modules/base/users.nix b/modules/base/users.nix
new file mode 100644
index 00000000..17ca7a5b
--- /dev/null
+++ b/modules/base/users.nix
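Review bot: `security.pki.certificateFiles` in the new security.nix installs the private CA without any scope, so every NixOS and nix-darwin host importing `base` will accept any certificate chaining to `ecc-ca.crt` for any hostname, and the comment does not say so. The risk worth recording next to the list is that a compromise of that CA key lets an attacker impersonate every site on these machines, and the usual mitigation is to keep the signing key offline and issue a name-constrained CA for the internal domains: `# Trusted for ALL hostnames on every host importing base; keep the CA key offline and prefer a name-constrained CA (RFC 5280 nameConstraints) for the internal domains.`.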
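Review bot: The `# networking tools` group in the new system-packages.nix now lands on every host that imports `base`, which after this diff includes the server profiles, and the hunk gives no reason for shipping `nmap`, `socat`, `mtr` and `iperf3` there; from an incident-response standpoint these are exactly the utilities an intruder would otherwise have to bring along, and they are available to any local account. If the servers need them for remote diagnostics, saying so keeps the decision reviewable: `# networking tools: deliberately present on servers too (remote diagnostics); usable by any local account.`; otherwise moving the group to the desktop profiles trims the server attack surface.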
@@ -0,0 +1,20 @@
+{myvars, ...}: {
+ programs.ssh = myvars.networking.ssh;
+
+ users.users.${myvars.username} = {
+ description = myvars.userfullname;
+ # Public Keys that can be used to login to all my PCs, Macbooks, and servers.
+ #
+ # Since its authority is so large, we must strengthen its security:
+ # 1. The corresponding private key must be:
+ # 1. Generated locally on every trusted client via:
+ # ```bash
+ # # KDF: bcrypt with 256 rounds, takes 2s on Apple M2):
+ # # Passphrase: digits + letters + symbols, 12+ chars
+ # ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx`
+ # ```
+ # 2. Never leave the device and never sent over the network.
+ # 2. Or just use hardware security keys like Yubikey/CanoKey.
+ openssh.authorizedKeys.keys = myvars.mainSshAuthorizedKeys;
+ };
+}
diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix
index 7bbcce70..38a28fff 100644
--- a/modules/darwin/default.nix
+++ b/modules/darwin/default.nix
@@ -2,6 +2,6 @@
 imports =
 (mylib.scanPaths ./.)
 ++ [
- ../base.nix
+ ../base
 ];
 }
diff --git a/modules/darwin/fonts.nix b/modules/darwin/fonts.nix
deleted file mode 100644
index 0b3f59e6..00000000
--- a/modules/darwin/fonts.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{pkgs, ...}: {
- # Fonts
- fonts = {
- packages = with pkgs; [
- # icon fonts
- material-design-icons
- font-awesome
-
- source-sans # 无衬线字体,不含汉字。
- source-serif # 衬线字体,不含汉字。
- source-han-sans # 思源黑体
- source-han-serif # 思源宋体
-
- # nerdfonts
- # https://github.com/NixOS/nixpkgs/blob/nixos-unstable-small/pkgs/data/fonts/nerd-fonts/manifests/fonts.json
- nerd-fonts.symbols-only # symbols icon only
- nerd-fonts.fira-code
- nerd-fonts.jetbrains-mono
- nerd-fonts.iosevka
- ];
- };
-}
diff --git a/modules/nixos/desktop.nix b/modules/nixos/desktop.nix
index e2f6c91a..ccbb912d 100644
--- a/modules/nixos/desktop.nix
+++ b/modules/nixos/desktop.nix
@@ -10,7 +10,7 @@ with lib; let
 in {
 imports = [
 ./base
- ../base.nix
+ ../base
 ./desktop
 ];
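Review bot: `programs.ssh = myvars.networking.ssh;` at the top of the new users.nix assigns an opaque attrset with no comment, and from this file a reader cannot tell whether it sets client options, `knownHosts`, or both; a short `# shared SSH client config (and any known host keys) for every host, defined in myvars.networking.ssh` — adjusted to what the attrset actually contains — would save the next maintainer a lookup. The authorized-keys comment below it also reuses `1.`/`2.` for the nested requirements under item 1, so the four bullets read as peers; lettering the inner steps `a.`/`b.` makes the structure unambiguous. The hardening advice itself is sound; this is documentation only.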
diff --git a/modules/nixos/desktop/fonts.nix b/modules/nixos/desktop/fonts.nix
index d8f4ebb1..55512d44 100644
--- a/modules/nixos/desktop/fonts.nix
+++ b/modules/nixos/desktop/fonts.nix
@@ -5,47 +5,8 @@
 enableDefaultPackages = false;
 fontDir.enable = true;
- packages = with pkgs; [
- # icon fonts
- material-design-icons
- font-awesome
-
- # nerdfonts
- # https://github.com/NixOS/nixpkgs/blob/nixos-unstable-small/pkgs/data/fonts/nerd-fonts/manifests/fonts.json
- nerd-fonts.symbols-only # symbols icon only
- nerd-fonts.fira-code
- nerd-fonts.jetbrains-mono
- nerd-fonts.iosevka
-
- # Noto 是 Google 开发的开源字体家族
- # 名字的含义是「没有豆腐」(no tofu),因为缺字时显示的方框或者方框被叫作 tofu
- #
- # Noto 系列字族只支持西文,命名规则是 Noto + Sans 或 Serif + 文字名称。
- noto-fonts # 大部分文字的常见样式,不包含汉字
- noto-fonts-color-emoji # 彩色的表情符号字体
- # Noto CJK 为「思源」系列汉字字体,由 Adobe + Google 共同开发
- # Google 以 Noto Sans/Serif CJK SC/TC/HK/JP/KR 的名称发布该系列字体。
- # 这俩跟 noto-fonts-cjk-sans/serif 实际为同一字体,只是分别由 Adobe/Google 以自己的品牌名发布
- # noto-fonts-cjk-sans # 思源黑体
- # noto-fonts-cjk-serif # 思源宋体
-
- # Adobe 以 Source Han Sans/Serif 的名称发布此系列字体
- source-sans # 无衬线字体,不含汉字。字族名叫 Source Sans 3,以及带字重的变体(VF)
- source-serif # 衬线字体,不含汉字。字族名叫 Source Serif 4,以及带字重的变体
- # Source Hans 系列汉字字体由 Adobe + Google 共同开发
- source-han-sans # 思源黑体
- source-han-serif # 思源宋体
- source-han-mono # 思源等宽
-
- # 霞鹜文楷屏幕阅读版
- # https://github.com/lxgw/LxgwWenKai-Screen
- lxgw-wenkai-screen
-
- # Maple Mono NF CN (连字 未微调版,适用于高分辨率屏幕)
- # Full version, embed with nerdfonts icons, Chinese and Japanese glyphs
- # https://github.com/subframe7536/maple-font
- maple-mono.NF-CN-unhinted
- ];
+ # fonts are defined in /modules/base/fonts.nix, used by both NixOS & Darwin.
+ # packages = [ ... ];
 fontconfig = {
 # User defined default fonts
diff --git a/modules/nixos/server/server-aarch64.nix b/modules/nixos/server/server-aarch64.nix
index fb30e36e..e2879a7b 100644
--- a/modules/nixos/server/server-aarch64.nix
+++ b/modules/nixos/server/server-aarch64.nix
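Review bot: The hunk drops the unconditional `packages` list but keeps `enableDefaultPackages = false;` two lines above, so a NixOS desktop host that does not set `modules.desktop.fonts.enable = true` (in this diff only `idols-ai` does) ends up with no fonts at all instead of the previous set. Since this desktop module is the place that knows fonts are required, setting the flag here with a host-overridable default keeps existing hosts working: `modules.desktop.fonts.enable = lib.mkDefault true;` at the module's top level, outside the `fonts = { … }` attrset whose opening line is not visible in the hunk, assuming `lib` is among the module's arguments. The leftover `# packages = [ ... ];` line is commented-out code rather than documentation and can go; the pointer to `/modules/base/fonts.nix` already says what a reader needs.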
@@ -13,7 +13,7 @@
 ../base/ssh.nix
 ../base/user-group.nix
- ../../base.nix
+ ../../base
 ];
 # Fix: jasper is marked as broken, refusing to evaluate.
diff --git a/modules/nixos/server/server-riscv64.nix b/modules/nixos/server/server-riscv64.nix
index c6956d7c..b62e0e73 100644
--- a/modules/nixos/server/server-riscv64.nix
+++ b/modules/nixos/server/server-riscv64.nix
@@ -12,6 +12,6 @@
 ../base/ssh.nix
 ../base/user-group.nix
- ../../base.nix
+ ../../base
 ];
 }
diff --git a/modules/nixos/server/server.nix b/modules/nixos/server/server.nix
index 5c7821cd..1b33e534 100644
--- a/modules/nixos/server/server.nix
+++ b/modules/nixos/server/server.nix
@@ -1,6 +1,6 @@
 {lib, ...}: {
 imports = [
 ../base
- ../../base.nix
+ ../../base
 ];
 }
diff --git a/nixos-installer/flake.nix b/nixos-installer/flake.nix
index 7f8afae5..5612536e 100644
--- a/nixos-installer/flake.nix
+++ b/nixos-installer/flake.nix
@@ -28,7 +28,7 @@
 ./configuration.nix
- ../modules/base.nix
+ ../modules/base
 ../modules/nixos/base/i18n.nix
 ../modules/nixos/base/user-group.nix
 ../modules/nixos/base/networking.nix
@@ -58,7 +58,7 @@
 ./configuration.nix
- ../modules/base.nix
+ ../modules/base
 ../modules/nixos/base/i18n.nix
 ../modules/nixos/base/user-group.nix
 ../modules/nixos/base/networking.nix
diff --git a/outputs/aarch64-darwin/src/fern.nix b/outputs/aarch64-darwin/src/fern.nix
index d9cc8cf2..da77775c 100644
--- a/outputs/aarch64-darwin/src/fern.nix
+++ b/outputs/aarch64-darwin/src/fern.nix
@@ -21,7 +21,12 @@
 # host specific
 "hosts/darwin-${name}"
 ])
- ++ [];
+ ++ [
+ {
+ modules.desktop.fonts.enable = true;
+ }
+ ];
+
 home-modules = map mylib.relativeToRoot [
 "hosts/darwin-${name}/home.nix"
 "home/darwin"
diff --git a/outputs/aarch64-darwin/src/frieren.nix b/outputs/aarch64-darwin/src/frieren.nix
index e3d844a4..6874050b 100644
--- a/outputs/aarch64-darwin/src/frieren.nix
+++ b/outputs/aarch64-darwin/src/frieren.nix
@@ -21,7 +21,11 @@
 # host specific
 "hosts/darwin-${name}"
 ])
- ++ [];
+ ++ [
+ {
+ modules.desktop.fonts.enable = true;
+ }
+ ];
 home-modules = map mylib.relativeToRoot [
 "hosts/darwin-${name}/home.nix"
 "home/darwin"
diff --git a/outputs/x86_64-linux/src/idols-ai.nix b/outputs/x86_64-linux/src/idols-ai.nix
index 000d5607..14c8ef5d 100644
--- a/outputs/x86_64-linux/src/idols-ai.nix
+++ b/outputs/x86_64-linux/src/idols-ai.nix
@@ -36,6 +36,7 @@
 nixos-modules = [
 {
+ modules.desktop.fonts.enable = true;
 modules.desktop.wayland.enable = true;
 modules.secrets.desktop.enable = true;
 modules.secrets.impermanence.enable = true;