initial commit

hosts/16ach6/boot.nix

@@ -0,0 +1,7 @@
+{
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 20;
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+}

hosts/16ach6/default.nix

@@ -0,0 +1,77 @@
+{
+  inputs,
+  outputs,
+  ...
+}:
+
+{
+  imports = [
+    ./boot.nix
+    ./hardware.nix
+    ./packages.nix
+    ./secrets
+    ./virtualisation.nix
+    # ./winapps.nix # trying windows-oci for now
+    # ./wireguard.nix # TODO: use NM for client config
+
+    ../../users/sid
+
+    inputs.synix.nixosModules.common
+    inputs.synix.nixosModules.device.laptop
+    inputs.synix.nixosModules.hyprland
+    inputs.synix.nixosModules.i2pd
+    inputs.synix.nixosModules.openssh
+    inputs.synix.nixosModules.windows-oci
+
+    # outputs.nixosModules.anything-llm-oci
+    outputs.nixosModules.appimage
+    outputs.nixosModules.common
+    # outputs.nixosModules.docker # conflicts with `virtualisation.podman.dockerCompat`
+    outputs.nixosModules.docs
+    outputs.nixosModules.syncthing
+    outputs.nixosModules.tailscale
+    outputs.nixosModules.wine
+  ];
+
+  networking.hostName = "16ach6";
+
+  services = {
+    envfs.enable = true;
+    i2pd.enable = true;
+    openssh.enable = true;
+    windows-oci = {
+      # enable = true; # FIXME
+      sharedVolume = "/home/sid/pub";
+    };
+  };
+
+  boot.binfmt.emulatedSystems = [
+    "aarch64-linux"
+  ];
+
+  virtualisation.waydroid.enable = true;
+  # sudo waydroid init
+  # sudo systemctl enable --now waydroid-container.service
+  # waydroid session start
+  # waydroid app launch com.foo.bar
+
+  normalUsers = {
+    sid = {
+      extraGroups = [
+        "audio"
+        "dialout"
+        "floppy"
+        "input"
+        "lp"
+        "networkmanager"
+        "video"
+      ];
+    };
+  };
+
+  programs.steam.enable = true;
+
+  boot.enableContainers = true;
+
+  system.stateVersion = "24.11";
+}

hosts/16ach6/hardware.nix

@@ -0,0 +1,49 @@
+{
+  inputs,
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    # inputs.nixos-hardware.nixosModules.lenovo-ideapad-16ach6
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ "amdgpu" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/ROOT";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/BOOT";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-label/SWAP"; } ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  hardware.graphics.enable = true;
+}

hosts/16ach6/packages.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+  environment = {
+    systemPackages = with pkgs; [
+      evtest
+      linuxConsoleTools
+    ];
+  };
+}

hosts/16ach6/secrets/default.nix

@@ -0,0 +1,5 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.sops ];
+}

hosts/16ach6/secrets/secrets.yaml

@@ -0,0 +1,36 @@
+wireguard:
+    wg0:
+        private-key: ENC[AES256_GCM,data:6G+VkNsoFK1zyurW/xuaw5ZawpGXYdT3YbYMwiYvpsqNiGhB9CMT/0v2HuE=,iv:vg7OcXghMzbQL0NYdnuAue2MC8l6l++TCoXJjGtpk/g=,tag:urVD9LfMtO5c95tHouX7YQ==,type:str]
+tailscale:
+    auth-key: ENC[AES256_GCM,data:u1TCO6pEKnOemhWSnb9UPCURFoKcR0uuipGzwu5QYVtzm7MLtvd5llhha8/H7WYQ,iv:0rwuQ3b6UOJth7YqaLJGNp0OqRYCb/z/HFK0vOY9ACw=,tag:H79JGEfBYB8hNrGZKAxHzg==,type:str]
+anything-llm-oci:
+    openrouter-api-key: ENC[AES256_GCM,data:iEi1ZDGnhNaFjuL/cv/XkMH/GtEgW4cmRPc/PrSgCBcJai2uA2NfhpS4ZJfzvzXyhvCEBVK05932N0PFAkYqryFD4PhGPE6N7g==,iv:tWlM8NlzV9/6vpbIEM0lt39ZJQGm/trEwYbnqpTCpro=,tag:OAUbTc4PbJsy7jqLixZOvw==,type:str]
+    jwt-secret: ENC[AES256_GCM,data:TBgjAwOH8pzRYxSvGaqaY5kFk0vVQjbKu+i2o3xPl4pRILQrzll0R4Sll5Qu7kW8WqyBBEEsEBBvY0sz2YR6aQ==,iv:8/yViXyTpxdRWthJt4D0KhZJ2+uTKXUV8UZUEsy8+kk=,tag:eWkaFZg2rtqziUAcjdcs1g==,type:str]
+    sig-key: ENC[AES256_GCM,data:VRFkIK2ywV0b1Dz40XtdcFk3aZ/iIaNxiB4C1zbh8P5EQbkIEE0AcSHlWc3gFwhLEjrAz37D/Js7lmGaR9XLaQ==,iv:pBv/cuciNXbV5IHmNbu8MCwiVK4MSwaBsiJ6SjpXjyU=,tag:VB9RuEC7orBBdR0qECOalQ==,type:str]
+    sig-salt: ENC[AES256_GCM,data:I3ggthhiehT54ad5O4Y7sqR4yo9Cs2RBnAB3jUem755N3MqjaPhw6PVpE92/UacNfqkMeHVINImUUo/nvuwr1w==,iv:qextgxloGUs0dSDrK29XnF68P89WICywktolqXJpY8k=,tag:9ilT8TKdAKu18J422uhN5Q==,type:str]
+syncthing:
+    gui-pw: ENC[AES256_GCM,data:dDccKohXulosuG4JQzLCtdf0+cY=,iv:Yk41rJqt4y4QhWkcP2upMd4h/orNMYTX4wO0TObrYpI=,tag:X3/ig+Kv2t7Wy8muxX3RGw==,type:str]
+sops:
+    age:
+        - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM2pkS3lOaVpuUFdHVy9h
+            UU9ZcVIyTGlUUVpqdHFzU3llVENyOXV2eTFZCnVwVWlzR0N4QXZsNEZvRFFScHpl
+            cnBucWp6ZkN2Q3VKMmJMWlhOVVNtYmcKLS0tIG5ENjVtVjhqeWlBMFFRM3RoS0pC
+            bml1R3djSEgxbDVxZ1Jwc28zQWoycEkKUwt/8zCkhD1b7dVMYd7FHxABjwPhTQxA
+            Lw1sBePiKQxeZTiWVucMrrHk85omGQEPNECTdhBqF4aOS0glRrwCEQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1km907lx69fwvmwgt7rspkuyxtkdrhr7r7t0mw20e5rymsu364exs3rl28q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJNGdEd3hJcTc0QzF5ZitN
+            SnNTV1NSOWRRV1VTczZmcStjRmJ5Q01mSEZFCi80cFN0TVY0WmJseFVBM1JEaTlK
+            WmNiWFBMT1dudVp1REsyYU1OUm1haVUKLS0tIFRZdE11WnpNQW1kbEZzNlpSWE5m
+            T1JDdVlwRVYwLy9ud0EyNldFcXNDaUUKdXq2ulChfK6XBpX/bkP/fz9XCm/YVHkX
+            QRPemdtP2Sp7VBcAtlWNbXFcr3osRR2nLKxDl+NntEHRCNs3ffnGew==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-13T21:05:39Z"
+    mac: ENC[AES256_GCM,data:aSOlu1iuSDuUdSt6cZhbzorY37ECHqIkz73iPi2Sn6WyDNCsEwn2rJpQxXSDG/O0+HLoyCgkyR9PwrI0Gn0sDAtcPHhVjOQC8656muNEV3fZWBPIJ+K4++xZDAH66L1UN7Y210EnYtYT6pY61jrFz2NWVjd1V9hTcCmbfpySrAA=,iv:gmPRLuMagjY/Dgc3VvurvLz4qgfTsMp/YIgqHXuG6ag=,tag:I5hKLnEXDvMRXOY2YuFG9g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/16ach6/virtualisation.nix

@@ -0,0 +1,42 @@
+{
+  inputs,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ inputs.synix.nixosModules.virtualisation ];
+
+  virtualisation = {
+    vfio = {
+      enable = true;
+      IOMMUType = "amd";
+      devices = [
+        "10de:1f9d"
+      ];
+      blacklistNvidia = true;
+      ignoreMSRs = true;
+    };
+    libvirtd.deviceACL = [
+      "/dev/kvm"
+      "/dev/net/tun"
+      "/dev/vfio/vfio"
+      "/dev/null"
+      "/dev/ptmx"
+    ];
+    hugepages.enable = true;
+    quickemu.enable = true;
+  };
+
+  users.extraGroups.libvirtd.members = [ "sid" ];
+  users.extraGroups.qemu-libvirtd.members = [ "sid" ];
+  users.extraGroups.kvm.members = [ "sid" ];
+
+  systemd.tmpfiles.rules = [ "f /dev/shm/looking-glass 0660 sid libvirtd -" ];
+
+  environment.systemPackages = [
+    pkgs.looking-glass-client
+  ];
+}

hosts/16ach6/winapps.nix

@@ -0,0 +1,11 @@
+{ inputs, pkgs, ... }:
+
+let
+  inherit (pkgs.stdenv.hostPlatform) system;
+in
+{
+  environment.systemPackages = with inputs.winapps.packages."${system}"; [
+    winapps
+    winapps-launcher
+  ];
+}

hosts/16ach6/wireguard.nix

@@ -0,0 +1,18 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.wg-client ];
+
+  networking.wg-client = {
+    enable = true;
+    interfaces = {
+      wg0 = {
+        clientAddress = "10.0.0.2";
+        peer = {
+          publicIP = "91.99.172.127";
+          publicKey = "hRrnXl1heROHfpXkHOmjITUpG/ht3omVsWurLcChIS4=";
+        };
+      };
+    };
+  };
+}