diff --git a/flake.nix b/flake.nix
index 98226d9..714a3e7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -230,50 +230,6 @@
 ];
 };
 # TODO: move this to a file or separate flake
- mkReport = extra-modules: domain: system: inputs: stateVersion: modules: hostname: let
- nixos = mkConfig extra-modules domain system inputs stateVersion modules hostname;
- cfg = nixos.config;
- inherit (nixos.pkgs) lib;
- # TODO: make it work, is it faster?
- #inherit (inputs.nixpkgs.legacyPackages.${system}) lib;
- #nixos = lib.evalModules { modules = [ (mkModule (extra-modules ++ { _module.check = false; }) domain system inputs stateVersion modules hostname) ]; };
- #cfg = nixos.config;
- in {
- inherit system; # TODO: cross system
- inherit (cfg.boot.binfmt) emulatedSystems;
- #inherit (cfg.system.build.toplevel) outPath;
- inherit (cfg.networking) fqdn;
- inherit (cfg.networking.firewall) allowedTCPPorts allowedUDPPorts;
- buildMachines = lib.forEach cfg.nix.buildMachines (buildMachine: "${buildMachine.sshUser}@${buildMachine.hostName}");
- users = lib.pipe cfg.users.users [
- (lib.filterAttrs (uname: user: user.isNormalUser))
- (builtins.mapAttrs (uname: user: {
- inherit (user) home;
- authorizedKeys = lib.forEach user.openssh.authorizedKeys.keys (key: builtins.concatStringsSep " " (
- lib.take
- (lib.length (lib.splitString " " key))
- [
- (builtins.elemAt (lib.splitString " " key) 0)
- "..."
- (builtins.elemAt (lib.splitString " " key) 2) - ] - )); - })) - ]; - nix-system-features = cfg.nix.settings.system-features; - bootloader = if cfg.boot.loader.grub.enable then "grub" - else if cfg.boot.loader.systemd-boot.enable then "systemd-boot" - else null; - mounts = lib.pipe cfg.fileSystems [ - (lib.filterAttrs (mount: fs: fs.fsType != "nfs")) - (lib.mapAttrs (mount: fs: "${fs.fsType}://${fs.device}")) - ]; - } // lib.optionalAttrs cfg.services.nginx.enable { - nginx-vhosts = lib.pipe cfg.services.nginx.virtualHosts [ - #(lib.filterAttrs (domain: vhost: ) - (lib.mapAttrs (domain: vhost: vhost.serverAliases or [])) - ]; - }; mkHosts = mk: let ls = imports: { inherit imports; }; hw = nixos-hardware.nixosModules; @@ -318,15 +274,11 @@ in { inputs = inputs'; - lib = { - # pass - } // forAllSystems ({ system, ... }: { - # pass - }); + lib = import ./lib.nix { inputs = inputs'; }; nixosModules = mkHosts (mkModule []); nixosConfigurations = mkHosts (mkConfig []); - nixosReports = mkHosts (mkReport []); + nixosReports = builtins.mapAttrs (key: self.lib.mkNixosConfigSummary) self.nixosConfigurations; overlays = { pbsdspkgs = final: prev: let pkgs = final; inherit (pkgs) lib; in { diff --git a/lib.nix b/lib.nix new file mode 100644 index 0000000..56961b5 --- /dev/null +++ b/lib.nix 
@@ -0,0 +1,83 @@
+{ inputs }:
+let
+ nlib = inputs.nixpkgs-edge.lib;
+
+ ellipsis =
+ maxlen: take: str:
+ if builtins.stringLength str > maxlen then builtins.substring 0 take str + "..." else str;
+
+ denix =
+ str:
+ builtins.concatStringsSep "/nix/store/..." (
+ builtins.filter builtins.isString (builtins.split "(/nix/store/[^ /-]+.?)" str)
+ );
+
+ # make a pretty summary of a lib.nixosSystem
+ mkNixosConfigSummary =
+ nixosSystem:
+ let
+ cfg = nixosSystem.config;
+ inherit (nixosSystem.pkgs) lib;
+ in
+ {
+ # inherit cfg.nixpkgs.system; # TODO: cross systems
+ system =
+ if cfg.nixpkgs.hostPlatform.system == cfg.nixpkgs.buildPlatform.system then
+ cfg.nixpkgs.system
+ else
+ {
+ hostPlatform = cfg.nixpkgs.hostPlatform.system;
+ buildPlatform = cfg.nixpkgs.buildPlatform.system;
+ };
+ inherit (cfg.boot.binfmt) emulatedSystems;
+ inherit (cfg.networking) fqdn;
+ inherit (cfg.networking.firewall) allowedTCPPorts allowedUDPPorts;
+ buildMachines = lib.pipe cfg.nix.buildMachines [
+ (map (buildMachine: "${buildMachine.protocol}:${buildMachine.sshUser}@${buildMachine.hostName}"))
+ (lib.sort (a: b: a < b))
+ ];
+ users = lib.pipe cfg.users.users [
+ (lib.filterAttrs (uname: user: user.isNormalUser || user.openssh.authorizedKeys.keys != [ ]))
+ (lib.mapAttrs (
+ uname: user: {
+ inherit (user) home;
+ authorizedKeys = lib.sort (a: b: a < b) (
+ lib.forEach user.openssh.authorizedKeys.keys (
+ key:
+ lib.pipe key [
+ (lib.splitString " ")
+ (map denix)
+ (map (ellipsis 60 12))
+ (lib.concatStringsSep " ")
+ ]
+ )
+ );
+ }
+ ))
+ ];
+ nix-system-features = cfg.nix.settings.system-features;
+ bootloader =
+ if cfg.boot.loader.grub.enable then
+ "grub"
+ else if cfg.boot.loader.systemd-boot.enable then
+ "systemd-boot"
+ else if cfg.boot.isContainer then
+ "container"
+ else
+ null;
+ mounts = lib.pipe cfg.fileSystems [
+ (lib.filterAttrs (mount: fs: fs.fsType != "nfs")) # spammy
+ (lib.mapAttrs (mount: fs: "${fs.fsType}://${fs.device}"))
+ ];
+ }
+ // lib.optionalAttrs cfg.services.nginx.enable {
+ nginx-vhosts = lib.pipe cfg.services.nginx.virtualHosts [
+ (lib.filterAttrs (domain: vhost: vhost == "_"))
+ (lib.mapAttrs (domain: vhost: vhost.serverAliases or [ ]))
+ ];
+ };
+
+in
+{
+ inherit mkNixosConfigSummary;
+}
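Review bot: The `nginx-vhosts` filter in `mkNixosConfigSummary` tests the wrong argument: `lib.filterAttrs (domain: vhost: vhost == "_")` compares the vhost attribute set with the string `"_"`, which is never equal, so `nginx-vhosts` always evaluates to `{ }`. This summary is where a host's open firewall ports, authorized keys and virtual hosts are inventoried, so an always-empty vhost list silently hides what nginx serves. If the intent was to drop the catch-all entry, the line should read `(lib.filterAttrs (domain: vhost: domain != "_"))`. Separately, `nlib` is bound at the top of `lib.nix` but not used anywhere in the visible hunk.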