initial commit

hosts/16ach6/boot.nix

@@ -0,0 +1,7 @@
+{
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 20;
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+}

hosts/16ach6/default.nix

@@ -0,0 +1,77 @@
+{
+  inputs,
+  outputs,
+  ...
+}:
+
+{
+  imports = [
+    ./boot.nix
+    ./hardware.nix
+    ./packages.nix
+    ./secrets
+    ./virtualisation.nix
+    # ./winapps.nix # trying windows-oci for now
+    # ./wireguard.nix # TODO: use NM for client config
+
+    ../../users/sid
+
+    inputs.synix.nixosModules.common
+    inputs.synix.nixosModules.device.laptop
+    inputs.synix.nixosModules.hyprland
+    inputs.synix.nixosModules.i2pd
+    inputs.synix.nixosModules.openssh
+    inputs.synix.nixosModules.windows-oci
+
+    # outputs.nixosModules.anything-llm-oci
+    outputs.nixosModules.appimage
+    outputs.nixosModules.common
+    # outputs.nixosModules.docker # conflicts with `virtualisation.podman.dockerCompat`
+    outputs.nixosModules.docs
+    outputs.nixosModules.syncthing
+    outputs.nixosModules.tailscale
+    outputs.nixosModules.wine
+  ];
+
+  networking.hostName = "16ach6";
+
+  services = {
+    envfs.enable = true;
+    i2pd.enable = true;
+    openssh.enable = true;
+    windows-oci = {
+      # enable = true; # FIXME
+      sharedVolume = "/home/sid/pub";
+    };
+  };
+
+  boot.binfmt.emulatedSystems = [
+    "aarch64-linux"
+  ];
+
+  virtualisation.waydroid.enable = true;
+  # sudo waydroid init
+  # sudo systemctl enable --now waydroid-container.service
+  # waydroid session start
+  # waydroid app launch com.foo.bar
+
+  normalUsers = {
+    sid = {
+      extraGroups = [
+        "audio"
+        "dialout"
+        "floppy"
+        "input"
+        "lp"
+        "networkmanager"
+        "video"
+      ];
+    };
+  };
+
+  programs.steam.enable = true;
+
+  boot.enableContainers = true;
+
+  system.stateVersion = "24.11";
+}

hosts/16ach6/hardware.nix

@@ -0,0 +1,49 @@
+{
+  inputs,
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    # inputs.nixos-hardware.nixosModules.lenovo-ideapad-16ach6
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ "amdgpu" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/ROOT";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/BOOT";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-label/SWAP"; } ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  hardware.graphics.enable = true;
+}

hosts/16ach6/packages.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+  environment = {
+    systemPackages = with pkgs; [
+      evtest
+      linuxConsoleTools
+    ];
+  };
+}

hosts/16ach6/secrets/default.nix

@@ -0,0 +1,5 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.sops ];
+}

hosts/16ach6/secrets/secrets.yaml

@@ -0,0 +1,36 @@
+wireguard:
+    wg0:
+        private-key: ENC[AES256_GCM,data:6G+VkNsoFK1zyurW/xuaw5ZawpGXYdT3YbYMwiYvpsqNiGhB9CMT/0v2HuE=,iv:vg7OcXghMzbQL0NYdnuAue2MC8l6l++TCoXJjGtpk/g=,tag:urVD9LfMtO5c95tHouX7YQ==,type:str]
+tailscale:
+    auth-key: ENC[AES256_GCM,data:u1TCO6pEKnOemhWSnb9UPCURFoKcR0uuipGzwu5QYVtzm7MLtvd5llhha8/H7WYQ,iv:0rwuQ3b6UOJth7YqaLJGNp0OqRYCb/z/HFK0vOY9ACw=,tag:H79JGEfBYB8hNrGZKAxHzg==,type:str]
+anything-llm-oci:
+    openrouter-api-key: ENC[AES256_GCM,data:iEi1ZDGnhNaFjuL/cv/XkMH/GtEgW4cmRPc/PrSgCBcJai2uA2NfhpS4ZJfzvzXyhvCEBVK05932N0PFAkYqryFD4PhGPE6N7g==,iv:tWlM8NlzV9/6vpbIEM0lt39ZJQGm/trEwYbnqpTCpro=,tag:OAUbTc4PbJsy7jqLixZOvw==,type:str]
+    jwt-secret: ENC[AES256_GCM,data:TBgjAwOH8pzRYxSvGaqaY5kFk0vVQjbKu+i2o3xPl4pRILQrzll0R4Sll5Qu7kW8WqyBBEEsEBBvY0sz2YR6aQ==,iv:8/yViXyTpxdRWthJt4D0KhZJ2+uTKXUV8UZUEsy8+kk=,tag:eWkaFZg2rtqziUAcjdcs1g==,type:str]
+    sig-key: ENC[AES256_GCM,data:VRFkIK2ywV0b1Dz40XtdcFk3aZ/iIaNxiB4C1zbh8P5EQbkIEE0AcSHlWc3gFwhLEjrAz37D/Js7lmGaR9XLaQ==,iv:pBv/cuciNXbV5IHmNbu8MCwiVK4MSwaBsiJ6SjpXjyU=,tag:VB9RuEC7orBBdR0qECOalQ==,type:str]
+    sig-salt: ENC[AES256_GCM,data:I3ggthhiehT54ad5O4Y7sqR4yo9Cs2RBnAB3jUem755N3MqjaPhw6PVpE92/UacNfqkMeHVINImUUo/nvuwr1w==,iv:qextgxloGUs0dSDrK29XnF68P89WICywktolqXJpY8k=,tag:9ilT8TKdAKu18J422uhN5Q==,type:str]
+syncthing:
+    gui-pw: ENC[AES256_GCM,data:dDccKohXulosuG4JQzLCtdf0+cY=,iv:Yk41rJqt4y4QhWkcP2upMd4h/orNMYTX4wO0TObrYpI=,tag:X3/ig+Kv2t7Wy8muxX3RGw==,type:str]
+sops:
+    age:
+        - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM2pkS3lOaVpuUFdHVy9h
+            UU9ZcVIyTGlUUVpqdHFzU3llVENyOXV2eTFZCnVwVWlzR0N4QXZsNEZvRFFScHpl
+            cnBucWp6ZkN2Q3VKMmJMWlhOVVNtYmcKLS0tIG5ENjVtVjhqeWlBMFFRM3RoS0pC
+            bml1R3djSEgxbDVxZ1Jwc28zQWoycEkKUwt/8zCkhD1b7dVMYd7FHxABjwPhTQxA
+            Lw1sBePiKQxeZTiWVucMrrHk85omGQEPNECTdhBqF4aOS0glRrwCEQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1km907lx69fwvmwgt7rspkuyxtkdrhr7r7t0mw20e5rymsu364exs3rl28q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJNGdEd3hJcTc0QzF5ZitN
+            SnNTV1NSOWRRV1VTczZmcStjRmJ5Q01mSEZFCi80cFN0TVY0WmJseFVBM1JEaTlK
+            WmNiWFBMT1dudVp1REsyYU1OUm1haVUKLS0tIFRZdE11WnpNQW1kbEZzNlpSWE5m
+            T1JDdVlwRVYwLy9ud0EyNldFcXNDaUUKdXq2ulChfK6XBpX/bkP/fz9XCm/YVHkX
+            QRPemdtP2Sp7VBcAtlWNbXFcr3osRR2nLKxDl+NntEHRCNs3ffnGew==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-13T21:05:39Z"
+    mac: ENC[AES256_GCM,data:aSOlu1iuSDuUdSt6cZhbzorY37ECHqIkz73iPi2Sn6WyDNCsEwn2rJpQxXSDG/O0+HLoyCgkyR9PwrI0Gn0sDAtcPHhVjOQC8656muNEV3fZWBPIJ+K4++xZDAH66L1UN7Y210EnYtYT6pY61jrFz2NWVjd1V9hTcCmbfpySrAA=,iv:gmPRLuMagjY/Dgc3VvurvLz4qgfTsMp/YIgqHXuG6ag=,tag:I5hKLnEXDvMRXOY2YuFG9g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/16ach6/virtualisation.nix

@@ -0,0 +1,42 @@
+{
+  inputs,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ inputs.synix.nixosModules.virtualisation ];
+
+  virtualisation = {
+    vfio = {
+      enable = true;
+      IOMMUType = "amd";
+      devices = [
+        "10de:1f9d"
+      ];
+      blacklistNvidia = true;
+      ignoreMSRs = true;
+    };
+    libvirtd.deviceACL = [
+      "/dev/kvm"
+      "/dev/net/tun"
+      "/dev/vfio/vfio"
+      "/dev/null"
+      "/dev/ptmx"
+    ];
+    hugepages.enable = true;
+    quickemu.enable = true;
+  };
+
+  users.extraGroups.libvirtd.members = [ "sid" ];
+  users.extraGroups.qemu-libvirtd.members = [ "sid" ];
+  users.extraGroups.kvm.members = [ "sid" ];
+
+  systemd.tmpfiles.rules = [ "f /dev/shm/looking-glass 0660 sid libvirtd -" ];
+
+  environment.systemPackages = [
+    pkgs.looking-glass-client
+  ];
+}

hosts/16ach6/winapps.nix

@@ -0,0 +1,11 @@
+{ inputs, pkgs, ... }:
+
+let
+  inherit (pkgs.stdenv.hostPlatform) system;
+in
+{
+  environment.systemPackages = with inputs.winapps.packages."${system}"; [
+    winapps
+    winapps-launcher
+  ];
+}

hosts/16ach6/wireguard.nix

@@ -0,0 +1,18 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.wg-client ];
+
+  networking.wg-client = {
+    enable = true;
+    interfaces = {
+      wg0 = {
+        clientAddress = "10.0.0.2";
+        peer = {
+          publicIP = "91.99.172.127";
+          publicKey = "hRrnXl1heROHfpXkHOmjITUpG/ht3omVsWurLcChIS4=";
+        };
+      };
+    };
+  };
+}

hosts/nuc8/README.md

@@ -0,0 +1,45 @@
+# Windows 10 installation
+
+> Important: Install Windows 10 *before* NixOS
+
+Before setup, press `SHIFT+F10`. Then, enter the following commands in the terminal window:
+
+```
+diskpart
+```
+
+Get your drive number with:
+
+```
+list disk
+```
+
+> most likely `0`
+
+```
+select disk 0
+clean
+convert gpt
+
+create partition efi size=1024
+format quick fs=fat32 label="System"
+
+create partition msr size=16
+
+create partition primary
+shrink minimum=1024
+format quick fs=ntfs label="Windows"
+
+create partition primary
+format quick fs=ntfs label="Recovery"
+
+exit
+```
+
+Close the terminal and proceed as usual.
+
+After booting into your finished Windows installation, resize the C drive to make some space for your Linux root and swap partitions.
+
+# NixOS config
+
+See [*Autodetection with systemd-boot*](https://nixos.wiki/wiki/Dual_Booting_NixOS_and_Windows).

hosts/nuc8/boot.nix

@@ -0,0 +1,7 @@
+{
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 10;
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+}

hosts/nuc8/default.nix

@@ -0,0 +1,46 @@
+{ inputs, outputs, ... }:
+
+{
+  imports = [
+    ./boot.nix
+    ./hardware.nix
+    ./packages.nix
+
+    ../../users/sid
+
+    inputs.synix.nixosModules.bluetooth
+    inputs.synix.nixosModules.common
+    inputs.synix.nixosModules.device.desktop
+    inputs.synix.nixosModules.hyprland
+    inputs.synix.nixosModules.openssh
+    inputs.synix.nixosModules.virtualisation
+
+    outputs.nixosModules.common
+    outputs.nixosModules.docs
+  ];
+
+  networking.hostName = "nuc8";
+
+  services = {
+    openssh.enable = true;
+    pipewire.enable = true;
+  };
+
+  normalUsers = {
+    sid = {
+      extraGroups = [
+        "audio"
+        "floppy"
+        "input"
+        "libvirtd"
+        "lp"
+        "networkmanager"
+        "video"
+      ];
+    };
+  };
+
+  time.hardwareClockInLocalTime = true; # Windows compatibility
+
+  system.stateVersion = "24.11";
+}

hosts/nuc8/disks.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+SSD='/dev/disk/by-id/nvme-Micron_MTFDHBA512TDV_21212F5AAB85'
+MNT='/mnt'
+SWAP_GB=16
+
+# Helper function to wait for devices
+wait_for_device() {
+  local device=$1
+  echo "Waiting for device: $device ..."
+  while [[ ! -e $device ]]; do
+    sleep 1
+  done
+  echo "Device $device is ready."
+}
+
+if ! command -v sgdisk &> /dev/null; then
+  nix-env -iA nixos.gptfdisk
+fi
+
+swapoff --all
+udevadm settle
+
+wait_for_device $SSD
+
+echo "Partitioning $SSD..."
+sgdisk -n5:0:+"$SWAP_GB"G -t5:8200 -c5:SWAP $SSD
+sgdisk -n6:0:0            -t6:8304 -c6:ROOT $SSD
+partprobe -s $SSD
+udevadm settle
+
+wait_for_device ${SSD}-part1 # Windows ESP
+wait_for_device ${SSD}-part5
+wait_for_device ${SSD}-part6
+
+echo "Formatting partitions..."
+mkswap -L SWAP "${SSD}-part5"
+mkfs.ext4 -L ROOT "${SSD}-part6"
+
+echo "Mounting partitions..."
+mount -o X-mount.mkdir "${SSD}-part6" "$MNT"
+mkdir -p "$MNT/boot"
+mount "${SSD}-part1" "$MNT/boot"
+
+echo "Enabling swap..."
+swapon "${SSD}-part5"
+
+echo "Partitioning and setup complete:"
+lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL

hosts/nuc8/hardware.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_pci_sdmmc"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/ROOT";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/SYSTEM";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-label/SWAP"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/nuc8/packages.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+  environment = {
+    systemPackages = with pkgs; [
+    ];
+  };
+}

hosts/pc/boot.nix

@@ -0,0 +1,7 @@
+{
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 20;
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+}

hosts/pc/default.nix

@@ -0,0 +1,49 @@
+{
+  inputs,
+  outputs,
+  ...
+}:
+
+{
+  imports = [
+    ./boot.nix
+    ./hardware.nix
+    ./networking.nix
+    ./packages.nix
+    ./secrets
+    ./services.nix
+
+    ../../users/sid
+
+    inputs.synix.nixosModules.bluetooth
+    inputs.synix.nixosModules.common
+    inputs.synix.nixosModules.device.desktop
+    inputs.synix.nixosModules.hyprland
+
+    outputs.nixosModules.common
+    outputs.nixosModules.docs
+    # outputs.nixosModules.syncthing
+    outputs.nixosModules.tailscale
+    outputs.nixosModules.wine
+  ];
+
+  normalUsers = {
+    sid = {
+      extraGroups = [
+        "audio"
+        "dialout"
+        "floppy"
+        "input"
+        "lp"
+        "networkmanager"
+        "video"
+      ];
+    };
+  };
+
+  programs.steam.enable = true;
+
+  boot.enableContainers = true;
+
+  system.stateVersion = "25.11";
+}

hosts/pc/disks.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+SSD='/dev/disk/by-id/nvme-SPCC_M.2_PCIe_SSD_7E1D079A184C00191521'
+MNT='/mnt'
+SWAP_GB=8
+
+# Helper function to wait for devices
+wait_for_device() {
+  local device=$1
+  echo "Waiting for device: $device ..."
+  while [[ ! -e $device ]]; do
+    sleep 1
+  done
+  echo "Device $device is ready."
+}
+
+# Function to install a package if it's not already installed
+install_if_missing() {
+  local cmd="$1"
+  local package="$2"
+  if ! command -v "$cmd" &> /dev/null; then
+    echo "$cmd not found, installing $package..."
+    nix-env -iA "nixos.$package"
+  fi
+}
+
+install_if_missing "sgdisk" "gptfdisk"
+install_if_missing "partprobe" "parted"
+
+wait_for_device $SSD
+
+echo "Wiping filesystem on $SSD..."
+wipefs -a $SSD
+
+echo "Clearing partition table on $SSD..."
+sgdisk --zap-all $SSD
+
+echo "Partitioning $SSD..."
+sgdisk -n1:1M:+1G         -t1:EF00 -c1:BOOT $SSD
+sgdisk -n2:0:+"$SWAP_GB"G -t2:8200 -c2:SWAP $SSD
+sgdisk -n3:0:0            -t3:8304 -c3:ROOT $SSD
+partprobe -s $SSD
+udevadm settle
+
+wait_for_device ${SSD}-part1
+wait_for_device ${SSD}-part2
+wait_for_device ${SSD}-part3
+
+echo "Formatting partitions..."
+mkfs.vfat -F 32 -n BOOT "${SSD}-part1"
+mkswap -L SWAP "${SSD}-part2"
+mkfs.ext4 -L ROOT "${SSD}-part3"
+
+echo "Mounting partitions..."
+mount -o X-mount.mkdir "${SSD}-part3" "$MNT"
+mkdir -p "$MNT/boot"
+mount -t vfat -o fmask=0077,dmask=0077,iocharset=iso8859-1 "${SSD}-part1" "$MNT/boot"
+
+echo "Enabling swap..."
+swapon "${SSD}-part2"
+
+echo "Partitioning and setup complete:"
+lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL

hosts/pc/hardware.nix

@@ -0,0 +1,50 @@
+{
+  inputs,
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "ahci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/ROOT";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/BOOT";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-label/SWAP"; } ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  hardware.graphics.enable = true;
+  hardware.nvidia.open = false;
+  services.xserver.videoDrivers = lib.mkDefault [ "nvidia" ];
+}

hosts/pc/networking.nix

@@ -0,0 +1,7 @@
+{
+  networking.hostName = "pc";
+  networking.interfaces.enp6s0.wakeOnLan = {
+    enable = true;
+    policy = [ "magic" ];
+  };
+}

hosts/pc/packages.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+  environment = {
+    systemPackages = with pkgs; [
+      evtest
+      linuxConsoleTools
+    ];
+  };
+}

hosts/pc/secrets/default.nix

@@ -0,0 +1,5 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.sops ];
+}

hosts/pc/secrets/secrets.yaml

@@ -0,0 +1,28 @@
+tailscale:
+    auth-key: ENC[AES256_GCM,data:ieDjXpk1YJ2+rb5X5dV3NPtr8+FGwcQtdinSbB+SIuyNbLoSogKrutsBqa+v0I5g,iv:0bV4VwRGCf0yIKpR850/CuTvGFUPXOnFaHpWkdyokjk=,tag:vlRo7cZqgYnvSJiCPSutmw==,type:str]
+forgejo-runner:
+    token: ENC[AES256_GCM,data:rDwc/w9RpL/++VXg+YEYTP0CPz+trQp2OP5rHgWrPU0qODh1VjHjJA==,iv:SEFGOTB4YVnZqaJ2Lg87MSPV++8kAgtYMabvqouLuaw=,tag:NvRQHU8yvc6BdyTsnmIqyg==,type:str]
+sops:
+    age:
+        - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucExCZjNtNGFnUTlnMjl0
+            RVpCU1NxazNXSjBma2tTTlIvWDlPcy9EcGxZCmp2WC9xa2ptVkQvaWFYcnRqcHgz
+            Mk1scjBWY3g1TzNWalNVYVVqN3JLS0UKLS0tIGJQTG42aXFENFdVd0hkWGxLWVVu
+            STI4aWJxR3A4VUNyek5JMEtHeG1RZUUKKRDWdOXfarN7UZZzIBoSpmGlcWFsyJtX
+            bZgccbigI6TJpnssTkFT89FysD6i++mmC0mmTeZ/oNOXUk5OuwrCgA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zdd344x69n8umt2qjjvz8pjnt43lacvvqfdquc5jqz4x9x7pnu3sg0as0k
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeThiZGhmNTB6Uk1YdGg3
+            WFlvNGtENnNlOU1wUXJyOWFPb3M2bm5UQVd3CkE0ck81ZjRwa2hIY1hQLzF2VmY3
+            NWN4Z0x5MVlJY2Z5OGszbnBxd3ZIM1EKLS0tIGlMUUlXN1ZLRUlwRmhCek5ZR29l
+            OHNTYTFFYTJQeXkzWDN3bE91RFgyMzAKV49+02ik78/chrQ1arlkQZH4G6oeRHCa
+            Gp/WhuuOUJ7gwERNxhduhl4+IOSGcepgN5EJeTDXppUtiKXvNzmxpA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-18T17:43:14Z"
+    mac: ENC[AES256_GCM,data:1QcpQcLQ/TQwfzzHSGsoveB4HoN5ByCURoJn+TZjXd/szx0dBtUIxzc4ktkQZ388HFgYJ4rqpNudlc4AvYvDJULSpfP7KRADKG1reSuqpInGjU79t5U4Wwp+KJ+o29lulTV4fIqfCuqB9QhD4lqLjMSjnKUx5wkmtPuvIEjvWDw=,iv:T3ygIFwbXA/GLAbRAbQn9AP+V6evdmUCOlUfVbZc4fs=,tag:V7tLIukIAo5jyN/HkrciAw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/pc/services.nix

@@ -0,0 +1,32 @@
+{
+  inputs,
+  outputs,
+  config,
+  ...
+}:
+
+{
+  imports = [
+    inputs.synix.nixosModules.openssh
+
+    outputs.nixosModules.forgejo-runner
+  ];
+
+  services = {
+    openssh.enable = true;
+  };
+
+  services.forgejo-runner = {
+    enable = true;
+    url = "https://git.sid.ovh";
+    tokenFile = config.sops.templates."forgejo-runner/token".path;
+    label = "runner";
+  };
+
+  sops = {
+    secrets."forgejo-runner/token" = { };
+    templates."forgejo-runner/token".content = ''
+      TOKEN=${config.sops.placeholder."forgejo-runner/token"}
+    '';
+  };
+}

hosts/rv2/boot.nix

@@ -0,0 +1,7 @@
+{
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 10;
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+}

hosts/rv2/default.nix

@@ -0,0 +1,58 @@
+{ inputs, outputs, ... }:
+
+{
+  imports = [
+    ./boot.nix
+    ./hardware.nix
+    ./packages.nix
+    ./secrets
+    ./services.nix
+
+    ../../users/sid
+
+    inputs.synix.nixosModules.bluetooth
+    inputs.synix.nixosModules.common
+    inputs.synix.nixosModules.device.desktop
+    inputs.synix.nixosModules.hyprland
+    inputs.synix.nixosModules.virtualisation
+
+    outputs.nixosModules.appimage
+    outputs.nixosModules.common
+    # outputs.nixosModules.docker # conflicts with `virtualisation.podman.dockerCompat`
+    outputs.nixosModules.docs
+    outputs.nixosModules.syncthing
+    outputs.nixosModules.tailscale
+    outputs.nixosModules.wine
+  ];
+
+  networking.hostName = "rv2";
+
+  programs.steam.enable = true;
+
+  programs.adb.enable = true;
+  users.users.sid.extraGroups = [
+    "adbusers"
+    "kvm"
+  ];
+
+  boot.binfmt.emulatedSystems = [
+    "aarch64-linux"
+  ];
+
+  normalUsers = {
+    sid = {
+      extraGroups = [
+        "audio"
+        "dialout"
+        "floppy"
+        "input"
+        "libvirtd"
+        "lp"
+        "networkmanager"
+        "video"
+      ];
+    };
+  };
+
+  system.stateVersion = "25.05";
+}

hosts/rv2/disks.nix

@@ -0,0 +1,90 @@
+{
+  disko.devices = {
+    disk = {
+      root = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        rootFsOptions = {
+          mountpoint = "none";
+          compression = "zstd";
+          acltype = "posixacl";
+          xattr = "sa";
+          atime = "off";
+          "com.sun:auto-snapshot" = "true";
+        };
+        options.ashift = "12";
+        datasets = {
+          "root" = {
+            type = "zfs_fs";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              keylocation = "prompt";
+            };
+            mountpoint = "/";
+          };
+          "root/nix" = {
+            type = "zfs_fs";
+            mountpoint = "/nix";
+            options.atime = "off";
+          };
+          "root/home" = {
+            type = "zfs_fs";
+            mountpoint = "/home";
+          };
+          "root/swap" = {
+            type = "zfs_volume";
+            size = "8G";
+            content = {
+              type = "swap";
+              randomEncryption = true;
+            };
+            options = {
+              volblocksize = "4k";
+              compression = "off";
+              logbias = "throughput";
+              sync = "always";
+              primarycache = "metadata";
+              secondarycache = "none";
+              "com.sun:auto-snapshot" = "false";
+            };
+          };
+          "root/reserved" = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "none";
+              reservation = "5G";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/rv2/disks.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+SSD='/dev/disk/by-id/nvme-TEAM_TM8FPD001T_TPBF2503240010201457'
+MNT='/mnt'
+SWAP_GB=16
+
+# Helper function to wait for devices
+wait_for_device() {
+  local device=$1
+  echo "Waiting for device: $device ..."
+  while [[ ! -e $device ]]; do
+    sleep 1
+  done
+  echo "Device $device is ready."
+}
+
+if ! command -v sgdisk &> /dev/null; then
+  nix-env -iA nixos.gptfdisk
+fi
+
+swapoff --all
+udevadm settle
+
+wait_for_device $SSD
+
+echo "Partitioning $SSD..."
+sgdisk -n5:0:+"$SWAP_GB"G -t5:8200 -c5:SWAP $SSD
+sgdisk -n6:0:0            -t6:8304 -c6:ROOT $SSD
+partprobe -s $SSD
+udevadm settle
+
+wait_for_device ${SSD}-part1 # Windows ESP
+wait_for_device ${SSD}-part5
+wait_for_device ${SSD}-part6
+
+echo "Formatting partitions..."
+mkswap -L SWAP "${SSD}-part5"
+mkfs.ext4 -L ROOT "${SSD}-part6"
+
+echo "Mounting partitions..."
+mount -o X-mount.mkdir "${SSD}-part6" "$MNT"
+mkdir -p "$MNT/boot"
+mount "${SSD}-part1" "$MNT/boot"
+
+echo "Enabling swap..."
+swapon "${SSD}-part5"
+
+echo "Partitioning and setup complete:"
+lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL

hosts/rv2/hardware.nix

@@ -0,0 +1,50 @@
+{
+  inputs,
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    inputs.nixos-hardware.nixosModules.common-gpu-amd-southern-islands
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ "amdgpu" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/ROOT";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/SYSTEM";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-label/SWAP"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/rv2/packages.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+  environment = {
+    systemPackages = with pkgs; [
+    ];
+  };
+}

hosts/rv2/secrets/default.nix

@@ -0,0 +1,5 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.sops ];
+}

hosts/rv2/secrets/secrets.yaml

@@ -0,0 +1,30 @@
+wireguard:
+    private-key: ENC[AES256_GCM,data:xUOZdGM2Wbi3ih6yankUMPqot4gDyj6AA4nMQKkHhM0dlsswyxnDQlEsNrQ=,iv:EtScTgdBYAuQUfa2TOMqCcCyVR5D60B8aA67W7uxnK4=,tag:RMd+ZplQDKaEl7qIIGIkoA==,type:str]
+tailscale:
+    auth-key: ENC[AES256_GCM,data:oR4rdZlsq+gA5SMWXZW/2aOLU589EQGyfXl+u/CnXWPNbYRMDdmiHtZO/13PVOjJ,iv:B9RgTEom8naZxDZR9RPoQo3DNQeY4meyFcqqBqSBblA=,tag:BkCxbt67ErdidrLzjkEYnw==,type:str]
+syncthing:
+    gui-pw: ENC[AES256_GCM,data:yu8e1JCzZxu/VIQ4mmyqPNBkxd0=,iv:X8U91uI5VlOluQmpkcdP2b3uf1rTI3j+RcBmK1gBqKI=,tag:SmMqsW+gfSZS/dA8GObnig==,type:str]
+sops:
+    age:
+        - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3U2Z0UkxBL0xDOEgvNGlJ
+            SDQxNk9ndFRIZmdvdUZzUUpvZkR0dzZ1Um1FCm1sdFd2VU5CWmdsZk9lTzVqdXpP
+            ZXYvU3lkVXdxZlZaaGs0K1BBT0t3Z28KLS0tIHUvZ0R1ZTh1a25xQVRLTEFqVGVG
+            bU5CRm1iZGpZeTRvSjArQlBmQlhQelEKIhbrAQycS6WaCahA0PDPINEq12CKi0Ac
+            Z3o6puDD1v1QIqAHvZBvn1o2V/xN4gj/jHo73El1BJavgXvMBEneyg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1j6s2ec3ltm9004fhvmd7xqq0zna2fr4m8kw4f235r9k0hfryjctq050vs2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrd2xwbmYwQytkUi9aY2JH
+            SUNiZXAwb0lYbFluYWw2eDlJV2RyNGg1bWpjCkpOUlUxSGpXbXl0NjBLZDAwaFF2
+            UFBuaXhlZzloa0VCZFg1eTFldVQxV1UKLS0tIHVtKyt6czg2NGJNbldsZ1JiVzZa
+            MUVCWWVHbmVCRnlnRjI0TUt6cFVnazQKZeDi8y5khMHG2uEIXdxSDAU+Eew0AMv3
+            jiEUyyClSas7BVaJvAGl56cIg1jfjrNEBb5rQD2mISsuM2rIuRNc/Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-02T12:15:13Z"
+    mac: ENC[AES256_GCM,data:HpbL6uC0wZTSsjGU4DrQE8NTd+DaImXqvRObReF4uDtBgUlKYmn0/UZIThL1QCMiwUYN/SeOwNtGiT5lH/xZeoBdS683AIGfULqXxPx1EZ3NRBkSmQfayt8ltGJwozitJ59Tipv2buDEEcefCw1aG8l3qrQRc0eM09iOIeoZv5o=,iv:wdn0I7YQ4f3IgdjEZP5MdpOO2WL3dKKVF3RryJZ2ODQ=,tag:0Ri3AoYwN9SuzXo92zf6FA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/rv2/services.nix

@@ -0,0 +1,52 @@
+{
+  inputs,
+  outputs,
+  config,
+  ...
+}:
+
+{
+  imports = [
+    inputs.synix.nixosModules.openssh
+    inputs.synix.nixosModules.windows-oci
+
+    outputs.nixosModules.forgejo-runner
+  ];
+
+  services.openssh.enable = true;
+
+  # FIXME:
+  # connect in weechat:
+  # /server add local localhost/6667
+  # /set irc.server.local.password "abc"
+  # /set irc.server.local.tls off
+  # Access denied: Bad password?
+  services.ngircd = {
+    enable = true;
+    config = ''
+      [Global]
+      Name = irc.local
+      Info = Minimal ngIRCd Server
+      Password = yourmom69
+    '';
+  };
+
+  services.windows-oci = {
+    # enable = true;
+    sharedVolume = "/home/sid/pub";
+  };
+  time.hardwareClockInLocalTime = true; # Windows compatibility
+
+  services.forgejo-runner = {
+    # enable = true;
+    url = "https://git.sid.ovh";
+    # tokenFile = config.sops.templates."forgejo-runner/token".path;
+    label = "runner";
+  };
+  # sops = {
+  #   secrets."forgejo-runner/token" = { };
+  #   templates."forgejo-runner/token".content = ''
+  #     TOKEN=${config.sops.placeholder."forgejo-runner/token"}
+  #   '';
+  # };
+}