update

flake.lock

@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1766150702,
+        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "hardware": {
       "locked": {
         "lastModified": 1767070591,
@@ -35,6 +55,29 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "inputs": {
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1759327258,
+        "narHash": "sha256-aCEKGoPLZccGQBkjAjFFPfdyF9yWlM+4XSBRZZSvShY=",
+        "owner": "misterio77",
+        "repo": "impermanence",
+        "rev": "c69232cd3962b6b1b67ad4e38a3916ad67f20d76",
+        "type": "github"
+      },
+      "original": {
+        "owner": "misterio77",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1766902085,
@@ -53,11 +96,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1766885793,
-        "narHash": "sha256-P6RVkrM9JLCW6xBjSwHfgTOQ1JwBUma5xe5LI8xAPC0=",
+        "lastModified": 1767047869,
+        "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9ef261221d1e72399f2036786498d78c38185c46",
+        "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a",
         "type": "github"
       },
       "original": {
@@ -69,8 +112,10 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "hardware": "hardware",
         "home-manager": "home-manager",
+        "impermanence": "impermanence",
         "nixpkgs": "nixpkgs",
         "nixpkgs-stable": "nixpkgs-stable",
         "sops-nix": "sops-nix",

flake.nix

@@ -12,6 +12,16 @@
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    impermanence = {
+      url = "github:misterio77/impermanence";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     sops-nix = {
       url = "github:mic92/sops-nix";
@@ -40,9 +50,9 @@
     inherit lib;
 
     nixosModules = import ./modules/nixos;
-    #homeManagerModules = import ./modules/home-manager;
+    homeManagerModules = import ./modules/home-manager;
 
-    #overlays = import ./overlays {inherit inputs outputs;};
+    overlays = import ./overlays {inherit inputs outputs;};
     hydraJobs = import ./hydra.nix {inherit inputs outputs;};
 
     packages  = forEachSystem (pkgs: import ./pkgs {inherit pkgs;});
@@ -56,6 +66,12 @@
 	  inherit inputs outputs;
 	};
       };
+      orpheus = lib.nixosSystem {
+        modules = [./hosts/orpheus];
+	specialArgs = {
+	  inherit inputs outputs;
+	};
+      };
     };
 
     homeConfigurations = {

home/dwessels/global/default.nix

@@ -0,0 +1,51 @@
+{
+  inputs,
+  lib,
+  pkgs,
+  config,
+  outputs,
+  ...
+}: {
+  imports =[
+    inputs.impermanence.homeManagerModules.impermanence
+  ] ++ (builtins.attrValues outputs.homeManagerModules);
+
+  nix = {
+    package = lib.mkDefault pkgs.nix;
+    settings = {
+      experimental-features = [
+        "nix-command"
+	"flakes"
+	"ca-derivations"
+      ];
+      warn-dirty = false;
+    };
+  };
+
+  programs = {
+    home-manager.enable = true;
+    git.enable = true;
+  };
+
+  home = {
+    username = lib.mkDefault "dwessels";
+    homeDirectory = lib.mkDefault "/home/${config.home.username}";
+    stateVersion = lib.mkDefault "22.11";
+    sessionPath = ["$HOME/.local/bin"];
+    sessionVariables = {
+      NH_FLAKE= "$HOME/Documents/NixConfig";
+    };
+
+    persistence = {
+      "/persist".directories = [
+        "Documents"
+	"Downloads"
+	"Pictures"
+	"Videos"
+	".local/bin"
+	".local/share/nix"
+      ];
+    };
+  };
+
+}

home/dwessels/orpheus.nix

@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+
+  imports = [
+    ./global
+  ];
+
+}

hosts/common/global/default.nix

@@ -3,5 +3,42 @@
   outputs,
   ...
 }: {
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+    ./fish.nix
+    ./optin-persistence.nix
+    ./sops.nix
+  ] ++ (builtins.attrValues outputs.nixosModules);
 
+  home-manager.useGlobalPkgs = true;
+  home-manager.extraSpecialArgs = {
+    inherit inputs outputs;
+  };
+
+  nixpkgs = {
+    overlays = builtins.attrValues outputs.overlays;
+    config = {
+      allowUnfree = true;
+    };
+  };
+
+  hardware.enableRedistributableFirmware = true;
+  networking.domain = "wessels.local";
+
+  security.pam.loginLimits = [
+    {
+      domain = "@wheel";
+      item = "nofile";
+      type = "soft";
+      value = "524288";
+    }
+    {
+      domain = "@wheel";
+      item = "nofile";
+      type = "hard";
+      value = "1048576";
+    }
+  ];
+
+  services.speechd.enable = false;
 }

hosts/common/global/fish.nix

@@ -0,0 +1,10 @@
+{
+  programs.fish = {
+    enable = true;
+    vendor = {
+      completions.enable = true;
+      config.enable = true;
+      functions.enable = true;
+    };
+  };
+}

hosts/common/global/optin-persistence.nix

@@ -0,0 +1,35 @@
+{
+  lib,
+  inputs,
+  config,
+  ...
+}: {
+  imports = [inputs.impermanence.nixosModules.impermanence];
+
+  environment.persistence = {
+    "/persist" = {
+      files = [
+        "/etc/machine-id"
+      ];
+      directories = [
+        "/var/lib/fprint"
+	"/var/lib/systemd"
+	"/var/lib/nixos"
+	"/var/log"
+	"/srv"
+      ];
+    };
+  };
+
+  programs.fuse.userAllowOther = true;
+  system.activationScripts.persistent-dirs.text = let
+    mkHomePersist = user:
+      lib.optionalString user.createHome ''
+        mkdir -p /persist/${user.home}
+        chown ${user.name}:${user.group} /persist/${user.home}
+        chmod ${user.homeMode} /persist/${user.home}
+      '';
+    users = lib.attrValues config.users.users;
+  in
+    lib.concatLines (map mkHomePersist users);
+}

hosts/common/global/sops.nix

@@ -0,0 +1,15 @@
+{
+  inputs,
+  config,
+  ...
+}: let
+  isEd25519 = k: k.type == "ed25519";
+  getKeyPath = k: k.path;
+  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+in {
+  imports = [inputs.sops-nix.nixosModules.sops];
+
+  sops = {
+    age.sshKeyPaths = map getKeyPath keys;
+  };
+}

hosts/common/optional/ephemeral-btrfs.nix

@@ -0,0 +1,49 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  root = config.fileSystems."/";
+
+  wipeScript = ''
+    mkdir /tmp -p
+    MNTPOINT=$(mktemp -d)
+    (
+      mount -t btrfs -o subvol=/ ${root.device} "$MNTPOINT"
+      trap 'umount "$MNTPOINT"' EXIT
+
+      echo "Creating needed directories"
+      mkdir -p "$MNTPOINT"/persist/var/{log,lib/{nixos,systemd}}
+      if [ -e "$MNTPOINT/dont-wipe" ]; then
+        echo "Skipping wipe"
+      else
+        echo "Cleaning root subvolume"
+        btrfs subvolume delete -R "$MNTPOINT/root"
+        echo "Restoring blank subvolume"
+        btrfs subvolume snapshot "$MNTPOINT/root-blank" "$MNTPOINT/root"
+      fi
+    )
+  '';
+
+  # Convert a device path to a systemd .device
+  toSystemdDevice = device: lib.concatStringsSep "-" (lib.tail (map (lib.replaceString "-" "\\x2d" ) (lib.splitString "/" device))) + ".device";
+
+  phase1Systemd = config.boot.initrd.systemd.enable;
+in {
+  boot.initrd = {
+    supportedFilesystems = ["btrfs"];
+    postDeviceCommands = lib.mkIf (!phase1Systemd) (lib.mkBefore wipeScript);
+    systemd.services.restore-root = lib.mkIf phase1Systemd {
+      description = "Rollback btrfs rootfs";
+      wantedBy = ["initrd.target"];
+      requires = [(toSystemdDevice root.device)];
+      after = [(toSystemdDevice root.device)];
+      before = ["sysroot.mount"];
+      unitConfig.DefaultDependencies = "no";
+      serviceConfig.Type = "oneshot";
+      script = wipeScript;
+    };
+  };
+
+  fileSystems."/persist".neededForBoot = lib.mkDefault true;
+}

hosts/common/secrets.yaml

@@ -0,0 +1,17 @@
+dwessels-password: ENC[AES256_GCM,data:yVd9EjTjcPP0YYYHO5/CTpT6rzONNCr3X7BJ97BRjvgktLsvfLrlufEIEHsv+uawiPxf/p+NPbC1Ki7BDydemMIdl/7xx9JYcw==,iv:P1yAMOTBoP9JNIzTlgNC5HKeExo4IxNRzTVgvGiAb2s=,tag:1H+mefyBGP3qrWVjLiX/XQ==,type:str]
+sops:
+    age:
+        - recipient: age1yubikey1qvztykl49tq9njv2qhaqs9lm43mpfjkrgjlddhyp9tu6mgngxzg8v7v9rql
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDgwUnBpQSBBL1N5RFFj
+            U3ZIMWw0aVJKSXhydmJMM3dSZXlsaFV0Y1orUFJjMUNYaUp3bApXOU1VNzQweTVU
+            RlhOMFFmNU9RcnNoZWMrZG51NXh2VGFsa2JlQjVwem5vCi0tLSA2d3dVWXZiZmhM
+            VU0zSnJwRnVKT2N3OW1TTmdRWVV5L0FWS3I5aTk5bnRrCi8o71O5xJ/sAcjxdA6V
+            oYK/TnW3gf7KZGsoi/g0h5xT+b9QBspl560spU3ZOipbw36qh9d6Nwwm1zUW9FPW
+            zg4=
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-31T16:45:50Z"
+    mac: ENC[AES256_GCM,data:QghA6Wd6EKA4iCxWXOohBs3j6RLFwPrcsZMjzdtcoU9eH3JEC+ph9kOiF6s5LHIHzQfFrWxepnU3AdNsrNoYa7bHG0nUcGqZyiBKlFTXDnU3Q0Ifjs5Jn3nBE6QF3hnrFuiKjP64g8Gr5iTnvfAR/Gq1Nej5bjsVz268VA5xv4Y=,iv:syOKd1NKbrRB06W1Qf7Vx0vVUcl1PKqc+9tviQyNjcI=,tag:1fXxeZSV2RMm5fmAapTcEg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/common/users/dwessels/default.nix

@@ -25,6 +25,7 @@ in {
       "wireshark"
    ];
    hashedPasswordFile = config.sops.secrets.dwessels-password.path;
+   packages = [pkgs.home-manager];
   };
 
   sops.secrets.dwessels-password = {
@@ -34,6 +35,8 @@ in {
 
   home-manager.users.dwessels = import ../../../../home/dwessels/${config.networking.hostName}.nix;
 
+  services.getty.autologinUser = "dwessels";
+
   security.pam.services = {
     swaylock = {};
     hyprlock = {};

hosts/common/users/secrets.yaml

@@ -1,17 +0,0 @@
-dwessels-password: ENC[AES256_GCM,data:5FIfaQxiCOWT/uaf,iv:KyYcbVYyzC6lj4B4SOKtAgLLDIuB1HPbszBf654USSc=,tag:ndZ6BWqMAWeGv/y+htLizw==,type:str]
-sops:
-    age:
-        - recipient: age1yubikey1qvztykl49tq9njv2qhaqs9lm43mpfjkrgjlddhyp9tu6mgngxzg8v7v9rql
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDgwUnBpQSBBN0JXQW5Q
-            bzhUUjNtdmp6MUFjcG1UMlBaa2RNUDlYalJpOEdxNUhjQ3FHNQpEWE1idHp6ZFc1
-            VmdGUFRHNmZ5VHhyRzRHOCt0dmZMeEUyb1A4OE9yWm5nCi0tLSBhaU80aEJMZWxE
-            dkd5cnNYb3VNUFM0aGE3cUdsZDFORTNha2Z3UTZ6dWlFChMForXFy2Z0vq/ba0Fb
-            vlWRL14GHg2LinIyS1+2z8KwYfEp2mkIhg1y8/j+uraqFH2HQEM/3TOzTg9D/7Dw
-            JoQ=
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-30T23:40:22Z"
-    mac: ENC[AES256_GCM,data:4czv8j8VZ7WsU1cpULCgZDazoeI5f9vtrK8fuP2Y4y/H1HG1iRPq8TsEvB7Y5xIdXc8ZF9ff6r30KaNgt0IYBrPNoEZhsymiF7nsck43uPE51Utlhk/T1epJ7uvPYnLppSIGq6Gtzm2rlgiTGpM+H3KAC/0x+1bfz5WGcdSnr1w=,iv:liApOUtDkGBc3ct5A6k9EDafzODQxBzW7x1dREtGJJU=,tag:jPgQ+15821z5ENLS7ruljw==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.11.0

hosts/orpheus/default.nix

@@ -0,0 +1,33 @@
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports = [
+    #inputs.hardware.nixosModules.common-cpu-amd
+    #inputs.hardware.nixosModules.common-gpu-amd
+    #inputs.hardware.nixosModules.common-pc-ssd
+
+    ./hardware-configuration.nix
+    ../common/global
+    ../common/users/dwessels
+
+  ];
+
+  networking = {
+    hostName = "orpheus";
+    useDHCP = true;
+  };
+
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_xanmod_latest;
+
+  powerManagement.powertop.enable = true;
+  programs = {
+    adb.enable = true;
+    dconf.enable = true;
+  };
+
+  hardware.graphics.enable = true;
+
+  system.stateVersion = "25.11";
+}

hosts/orpheus/hardware-configuration.nix

@@ -0,0 +1,94 @@
+
+{inputs, lib, ... }: {
+  imports = [
+      inputs.disko.nixosModules.disko
+      ../common/optional/ephemeral-btrfs.nix
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+	"xhci_pci"
+        "ahci"
+	"usb_storage"
+	"usbhid"
+	"sd_mod"
+      ];
+      kernelModules = ["kvm-amd"];
+    };
+    loader = {
+      systemd-boot = {
+        enable = true;
+	consoleMode = "max";
+      };
+      efi.canTouchEfiVariables = true;
+    };
+  };
+
+  disko.devices.disk.main = {
+    device = "/dev/nvme0n1";
+    type = "disk";
+    content = {
+      type = "gpt";
+      partitions = {
+        boot = {
+	  size = "1M";
+	  type = "EF02";
+	};
+	esp = {
+	  name = "ESP";
+	  size = "512M";
+	  type = "EF00";
+	  content = {
+	    type = "filesystem";
+	    format = "vfat";
+	    mountpoint = "/boot";
+	  };
+	};
+	luks = {
+	  size = "100%";
+	  content = {
+	    name = "root";
+	    type = "luks";
+	    settings.allowDiscards = true;
+	    content = {
+	      type = "btrfs";
+	      postCreateHook = ''
+	        MNTPOINT=$(mktemp -d)
+		mount -t btrfs "$device" "$MNTPOINT"
+		trap 'umount $MNTPOINT; rm -d $MNTPOINT' EXIT
+		btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+	      '';
+	      subvolumes = {
+	        "/root" = {
+		  mountOptions = ["compress=zstd"];
+		  mountpoint = "/";
+		};
+		"/nix" = {
+		  mountOptions = ["compress=zstd" "noatime"];
+		  mountpoint = "/nix";
+		};
+		"/persist" = {
+		  mountOptions = ["compress=zstd"];
+		  mountpoint = "/persist";
+		};
+		"/swap" = {
+		  mountOptions = ["compress=zstd" "noatime"];
+		  mountpoint = "/swap";
+		  swap.swapfile = {
+		    size = "60G";
+		    path = "swapfile";
+		  };
+		};
+	      };
+	    };
+	  };
+	};
+      };
+    };
+  };
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
+
+

modules/home-manager/default.nix

@@ -0,0 +1,3 @@
+{
+
+}

overlays/default.nix

@@ -0,0 +1,6 @@
+{
+  outputs,
+  inputs,
+}: {
+
+}