update

flake.lock

@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1766150702,
+        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "hardware": {
       "locked": {
         "lastModified": 1767070591,
@@ -35,6 +55,29 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "inputs": {
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1759327258,
+        "narHash": "sha256-aCEKGoPLZccGQBkjAjFFPfdyF9yWlM+4XSBRZZSvShY=",
+        "owner": "misterio77",
+        "repo": "impermanence",
+        "rev": "c69232cd3962b6b1b67ad4e38a3916ad67f20d76",
+        "type": "github"
+      },
+      "original": {
+        "owner": "misterio77",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1766902085,
@@ -53,11 +96,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1766885793,
+        "lastModified": 1767047869,
-        "narHash": "sha256-P6RVkrM9JLCW6xBjSwHfgTOQ1JwBUma5xe5LI8xAPC0=",
+        "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9ef261221d1e72399f2036786498d78c38185c46",
+        "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a",
         "type": "github"
       },
       "original": {
@@ -69,8 +112,10 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "hardware": "hardware",
         "home-manager": "home-manager",
+        "impermanence": "impermanence",
         "nixpkgs": "nixpkgs",
         "nixpkgs-stable": "nixpkgs-stable",
         "sops-nix": "sops-nix",

flake.nix

@@ -12,6 +12,16 @@
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    impermanence = {
+      url = "github:misterio77/impermanence";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     sops-nix = {
       url = "github:mic92/sops-nix";
@@ -40,9 +50,9 @@
     inherit lib;
 
     nixosModules = import ./modules/nixos;
-    #homeManagerModules = import ./modules/home-manager;
+    homeManagerModules = import ./modules/home-manager;
 
-    #overlays = import ./overlays {inherit inputs outputs;};
+    overlays = import ./overlays {inherit inputs outputs;};
     hydraJobs = import ./hydra.nix {inherit inputs outputs;};
 
     packages  = forEachSystem (pkgs: import ./pkgs {inherit pkgs;});
@@ -56,6 +66,12 @@
 	  inherit inputs outputs;
 	};
       };
+      orpheus = lib.nixosSystem {
+        modules = [./hosts/orpheus];
+	specialArgs = {
+	  inherit inputs outputs;
+	};
+      };
     };
 
     homeConfigurations = {

home/dwessels/global/default.nix

@@ -0,0 +1,51 @@
+{
+  inputs,
+  lib,
+  pkgs,
+  config,
+  outputs,
+  ...
+}: {
+  imports =[
+    inputs.impermanence.homeManagerModules.impermanence
+  ] ++ (builtins.attrValues outputs.homeManagerModules);
+
+  nix = {
+    package = lib.mkDefault pkgs.nix;
+    settings = {
+      experiment-features = [
+        "nix-command"
+	"flakes"
+	"ca-derivations"
+      ];
+      warn-dirty = false;
+    };
+  };
+
+  programs = {
+    home-manager.enable = true;
+    git.enable = true;
+  };
+
+  home = {
+    username = lib.mkDefault "dwessels";
+    homeDirectory = lib.mkDefault "/home/${config.home.username}";
+    stateVersion = lib.mkDefault "22.11";
+    sessionPath = ["$HOME/.local/bin"];
+    sessionVariables = {
+      NH_FLAKE= "$HOME/Documents/NixConfig";
+    };
+
+    persistence = {
+      "/persist".directories = [
+        "Documents"
+	"Downloads"
+	"Pictures"
+	"Videos"
+	".local/bin"
+	".local/share/nix"
+      ];
+    };
+  };
+
+}

home/dwessels/orpheus.nix

@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+
+  imports = [
+    ./global
+  ];
+
+}

hosts/common/global/default.nix

@@ -3,5 +3,42 @@
   outputs,
   ...
 }: {
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+    ./fish.nix
+    ./optin-persistence.nix
+    ./sops.nix
+  ] ++ (builtins.attrValues outputs.nixosModules);
 
+  home-manager.useGlobalPkgs = true;
+  home-manager.extraSpecialArgs = {
+    inherit inputs outputs;
+  };
+
+  nixpkgs = {
+    overlays = builtins.attrValues outputs.overlays;
+    config = {
+      allowUnfree = true;
+    };
+  };
+
+  hardware.enableRedistributableFirmware = true;
+  networking.domain = "wessels.local";
+
+  security.pam.loginLimits = [
+    {
+      domain = "@wheel";
+      item = "nofile";
+      type = "soft";
+      value = "524288";
+    }
+    {
+      domain = "@wheel";
+      item = "nofile";
+      type = "hard";
+      value = "1048576";
+    }
+  ];
+
+  services.speechd.enable = false;
 }

hosts/common/global/fish.nix

@@ -0,0 +1,10 @@
+{
+  programs.fish = {
+    enable = true;
+    vendor = {
+      completions.enable = true;
+      config.enable = true;
+      functions.enable = true;
+    };
+  };
+}

hosts/common/global/optin-persistence.nix

@@ -0,0 +1,35 @@
+{
+  lib,
+  inputs,
+  config,
+  ...
+}: {
+  imports = [inputs.impermanence.nixosModules.impermanence];
+
+  environment.persistence = {
+    "/persist" = {
+      files = [
+        "/etc/machine-id"
+      ];
+      directories = [
+        "/var/lib/fprint"
+	"/var/lib/systemd"
+	"/var/lib/nixos"
+	"/var/log"
+	"/srv"
+      ];
+    };
+  };
+
+  programs.fuse.userAllowOther = true;
+  system.activationScripts.persistent-dirs.text = let
+    mkHomePersist = user:
+      lib.optionalString user.createHome ''
+        mkdir -p /persist/${user.home}
+        chown ${user.name}:${user.group} /persist/${user.home}
+        chmod ${user.homeMode} /persist/${user.home}
+      '';
+    users = lib.attrValues config.users.users;
+  in
+    lib.concatLines (map mkHomePersist users);
+}

hosts/common/global/sops.nix

@@ -0,0 +1,15 @@
+{
+  inputs,
+  config,
+  ...
+}: let
+  isEd25519 = k: k.type == "ed25519";
+  getKeyPath = k: k.path;
+  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+in {
+  imports = [inputs.sops-nix.nixosModules.sops];
+
+  sops = {
+    age.sshKeyPaths = map getKeyPath keys;
+  };
+}

hosts/common/optional/ephemeral-btrfs.nix

@@ -0,0 +1,49 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  root = config.fileSystems."/";
+
+  wipeScript = ''
+    mkdir /tmp -p
+    MNTPOINT=$(mktemp -d)
+    (
+      mount -t btrfs -o subvol=/ ${root.device} "$MNTPOINT"
+      trap 'umount "$MNTPOINT"' EXIT
+
+      echo "Creating needed directories"
+      mkdir -p "$MNTPOINT"/persist/var/{log,lib/{nixos,systemd}}
+      if [ -e "$MNTPOINT/dont-wipe" ]; then
+        echo "Skipping wipe"
+      else
+        echo "Cleaning root subvolume"
+        btrfs subvolume delete -R "$MNTPOINT/root"
+        echo "Restoring blank subvolume"
+        btrfs subvolume snapshot "$MNTPOINT/root-blank" "$MNTPOINT/root"
+      fi
+    )
+  '';
+
+  # Convert a device path to a systemd .device
+  toSystemdDevice = device: lib.concatStringsSep "-" (lib.tail (map (lib.replaceString "-" "\\x2d" ) (lib.splitString "/" device))) + ".device";
+
+  phase1Systemd = config.boot.initrd.systemd.enable;
+in {
+  boot.initrd = {
+    supportedFilesystems = ["btrfs"];
+    postDeviceCommands = lib.mkIf (!phase1Systemd) (lib.mkBefore wipeScript);
+    systemd.services.restore-root = lib.mkIf phase1Systemd {
+      description = "Rollback btrfs rootfs";
+      wantedBy = ["initrd.target"];
+      requires = [(toSystemdDevice root.device)];
+      after = [(toSystemdDevice root.device)];
+      before = ["sysroot.mount"];
+      unitConfig.DefaultDependencies = "no";
+      serviceConfig.Type = "oneshot";
+      script = wipeScript;
+    };
+  };
+
+  fileSystems."/persist".neededForBoot = lib.mkDefault true;
+}

hosts/common/users/dwessels/default.nix

@@ -25,6 +25,7 @@ in {
       "wireshark"
    ];
    hashedPasswordFile = config.sops.secrets.dwessels-password.path;
+   packages = [pkgs.home-manager];
   };
 
   sops.secrets.dwessels-password = {

hosts/orpheus/default.nix

@@ -0,0 +1,33 @@
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports = [
+    #inputs.hardware.nixosModules.common-cpu-amd
+    #inputs.hardware.nixosModules.common-gpu-amd
+    #inputs.hardware.nixosModules.common-pc-ssd
+
+    ./hardware-configuration.nix
+    ../common/global
+    ../common/users/dwessels
+
+  ];
+
+  networking = {
+    hostName = "orpheus";
+    useDHCP = true;
+  };
+
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_xanmod_latest;
+
+  powerManagement.powertop.enable = true;
+  programs = {
+    adb.enable = true;
+    dconf.enable = true;
+  };
+
+  hardware.graphics.enable = true;
+
+  system.stateVersion = "25.11";
+}

hosts/orpheus/hardware-configuration.nix

@@ -0,0 +1,94 @@
+
+{inputs, lib, ... }: {
+  imports = [
+      inputs.disko.nixosModules.disko
+      ../common/optional/ephemeral-btrfs.nix
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+	"xhci_pci"
+        "ahci"
+	"usb_storage"
+	"usbhid"
+	"sd_mod"
+      ];
+      kernelModules = ["kvm-amd"];
+    };
+    loader = {
+      systemd-boot = {
+        enable = true;
+	consoleMode = "max";
+      };
+      efi.canTouchEfiVariables = true;
+    };
+  };
+
+  disko.devices.disk.main = {
+    device = "/dev/nvme0n1";
+    type = "disk";
+    content = {
+      type = "gpt";
+      partitions = {
+        boot = {
+	  size = "1M";
+	  type = "EF02";
+	};
+	esp = {
+	  name = "ESP";
+	  size = "512M";
+	  type = "EF00";
+	  content = {
+	    type = "filesystem";
+	    format = "vfat";
+	    mountpoint = "/boot";
+	  };
+	};
+	luks = {
+	  size = "100%";
+	  content = {
+	    name = "root";
+	    type = "luks";
+	    settings.allowDiscards = true;
+	    content = {
+	      type = "btrfs";
+	      postCreateHook = ''
+	        MNTPOINT=$(mktemp -d)
+		mount -t btrfs "$device" "$MNTPOINT"
+		trap 'umount $MNTPOINT; rm -d $MNTPOINT' EXIT
+		btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+	      '';
+	      subvolumes = {
+	        "/root" = {
+		  mountOptions = ["compress=zstd"];
+		  mountpoint = "/";
+		};
+		"/nix" = {
+		  mountOptions = ["compress=zstd" "noatime"];
+		  mountpoint = "/nix";
+		};
+		"/persist" = {
+		  mountOptions = ["compress=zstd"];
+		  mountpoint = "/persist";
+		};
+		"/swap" = {
+		  mountOptions = ["compress=zstd" "noatime"];
+		  mountpoint = "/swap";
+		  swap.swapfile = {
+		    size = "60G";
+		    path = "swapfile";
+		  };
+		};
+	      };
+	    };
+	  };
+	};
+      };
+    };
+  };
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
+
+

modules/home-manager/default.nix

@@ -0,0 +1,3 @@
+{
+
+}

overlays/default.nix

@@ -0,0 +1,6 @@
+{
+  outputs,
+  inputs,
+}: {
+
+}