initial commit

hosts/rv2/boot.nix

@@ -0,0 +1,7 @@
+{
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 10;
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+}

hosts/rv2/default.nix

@@ -0,0 +1,58 @@
+{ inputs, outputs, ... }:
+
+{
+  imports = [
+    ./boot.nix
+    ./hardware.nix
+    ./packages.nix
+    ./secrets
+    ./services.nix
+
+    ../../users/sid
+
+    inputs.synix.nixosModules.bluetooth
+    inputs.synix.nixosModules.common
+    inputs.synix.nixosModules.device.desktop
+    inputs.synix.nixosModules.hyprland
+    inputs.synix.nixosModules.virtualisation
+
+    outputs.nixosModules.appimage
+    outputs.nixosModules.common
+    # outputs.nixosModules.docker # conflicts with `virtualisation.podman.dockerCompat`
+    outputs.nixosModules.docs
+    outputs.nixosModules.syncthing
+    outputs.nixosModules.tailscale
+    outputs.nixosModules.wine
+  ];
+
+  networking.hostName = "rv2";
+
+  programs.steam.enable = true;
+
+  programs.adb.enable = true;
+  users.users.sid.extraGroups = [
+    "adbusers"
+    "kvm"
+  ];
+
+  boot.binfmt.emulatedSystems = [
+    "aarch64-linux"
+  ];
+
+  normalUsers = {
+    sid = {
+      extraGroups = [
+        "audio"
+        "dialout"
+        "floppy"
+        "input"
+        "libvirtd"
+        "lp"
+        "networkmanager"
+        "video"
+      ];
+    };
+  };
+
+  system.stateVersion = "25.05";
+}

hosts/rv2/disks.nix

@@ -0,0 +1,90 @@
+{
+  disko.devices = {
+    disk = {
+      root = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        rootFsOptions = {
+          mountpoint = "none";
+          compression = "zstd";
+          acltype = "posixacl";
+          xattr = "sa";
+          atime = "off";
+          "com.sun:auto-snapshot" = "true";
+        };
+        options.ashift = "12";
+        datasets = {
+          "root" = {
+            type = "zfs_fs";
+            options = {
+              encryption = "aes-256-gcm";
+              keyformat = "passphrase";
+              keylocation = "prompt";
+            };
+            mountpoint = "/";
+          };
+          "root/nix" = {
+            type = "zfs_fs";
+            mountpoint = "/nix";
+            options.atime = "off";
+          };
+          "root/home" = {
+            type = "zfs_fs";
+            mountpoint = "/home";
+          };
+          "root/swap" = {
+            type = "zfs_volume";
+            size = "8G";
+            content = {
+              type = "swap";
+              randomEncryption = true;
+            };
+            options = {
+              volblocksize = "4k";
+              compression = "off";
+              logbias = "throughput";
+              sync = "always";
+              primarycache = "metadata";
+              secondarycache = "none";
+              "com.sun:auto-snapshot" = "false";
+            };
+          };
+          "root/reserved" = {
+            type = "zfs_fs";
+            options = {
+              mountpoint = "none";
+              reservation = "5G";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/rv2/disks.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+SSD='/dev/disk/by-id/nvme-TEAM_TM8FPD001T_TPBF2503240010201457'
+MNT='/mnt'
+SWAP_GB=16
+
+# Helper function to wait for devices
+wait_for_device() {
+  local device=$1
+  echo "Waiting for device: $device ..."
+  while [[ ! -e $device ]]; do
+    sleep 1
+  done
+  echo "Device $device is ready."
+}
+
+if ! command -v sgdisk &> /dev/null; then
+  nix-env -iA nixos.gptfdisk
+fi
+
+swapoff --all
+udevadm settle
+
+wait_for_device $SSD
+
+echo "Partitioning $SSD..."
+sgdisk -n5:0:+"$SWAP_GB"G -t5:8200 -c5:SWAP $SSD
+sgdisk -n6:0:0            -t6:8304 -c6:ROOT $SSD
+partprobe -s $SSD
+udevadm settle
+
+wait_for_device ${SSD}-part1 # Windows ESP
+wait_for_device ${SSD}-part5
+wait_for_device ${SSD}-part6
+
+echo "Formatting partitions..."
+mkswap -L SWAP "${SSD}-part5"
+mkfs.ext4 -L ROOT "${SSD}-part6"
+
+echo "Mounting partitions..."
+mount -o X-mount.mkdir "${SSD}-part6" "$MNT"
+mkdir -p "$MNT/boot"
+mount "${SSD}-part1" "$MNT/boot"
+
+echo "Enabling swap..."
+swapon "${SSD}-part5"
+
+echo "Partitioning and setup complete:"
+lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL

hosts/rv2/hardware.nix

@@ -0,0 +1,50 @@
+{
+  inputs,
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    inputs.nixos-hardware.nixosModules.common-gpu-amd-southern-islands
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ "amdgpu" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/ROOT";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/SYSTEM";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-label/SWAP"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/rv2/packages.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+  environment = {
+    systemPackages = with pkgs; [
+    ];
+  };
+}

hosts/rv2/secrets/default.nix

@@ -0,0 +1,5 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.sops ];
+}

hosts/rv2/secrets/secrets.yaml

@@ -0,0 +1,30 @@
+wireguard:
+    private-key: ENC[AES256_GCM,data:xUOZdGM2Wbi3ih6yankUMPqot4gDyj6AA4nMQKkHhM0dlsswyxnDQlEsNrQ=,iv:EtScTgdBYAuQUfa2TOMqCcCyVR5D60B8aA67W7uxnK4=,tag:RMd+ZplQDKaEl7qIIGIkoA==,type:str]
+tailscale:
+    auth-key: ENC[AES256_GCM,data:oR4rdZlsq+gA5SMWXZW/2aOLU589EQGyfXl+u/CnXWPNbYRMDdmiHtZO/13PVOjJ,iv:B9RgTEom8naZxDZR9RPoQo3DNQeY4meyFcqqBqSBblA=,tag:BkCxbt67ErdidrLzjkEYnw==,type:str]
+syncthing:
+    gui-pw: ENC[AES256_GCM,data:yu8e1JCzZxu/VIQ4mmyqPNBkxd0=,iv:X8U91uI5VlOluQmpkcdP2b3uf1rTI3j+RcBmK1gBqKI=,tag:SmMqsW+gfSZS/dA8GObnig==,type:str]
+sops:
+    age:
+        - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3U2Z0UkxBL0xDOEgvNGlJ
+            SDQxNk9ndFRIZmdvdUZzUUpvZkR0dzZ1Um1FCm1sdFd2VU5CWmdsZk9lTzVqdXpP
+            ZXYvU3lkVXdxZlZaaGs0K1BBT0t3Z28KLS0tIHUvZ0R1ZTh1a25xQVRLTEFqVGVG
+            bU5CRm1iZGpZeTRvSjArQlBmQlhQelEKIhbrAQycS6WaCahA0PDPINEq12CKi0Ac
+            Z3o6puDD1v1QIqAHvZBvn1o2V/xN4gj/jHo73El1BJavgXvMBEneyg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1j6s2ec3ltm9004fhvmd7xqq0zna2fr4m8kw4f235r9k0hfryjctq050vs2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrd2xwbmYwQytkUi9aY2JH
+            SUNiZXAwb0lYbFluYWw2eDlJV2RyNGg1bWpjCkpOUlUxSGpXbXl0NjBLZDAwaFF2
+            UFBuaXhlZzloa0VCZFg1eTFldVQxV1UKLS0tIHVtKyt6czg2NGJNbldsZ1JiVzZa
+            MUVCWWVHbmVCRnlnRjI0TUt6cFVnazQKZeDi8y5khMHG2uEIXdxSDAU+Eew0AMv3
+            jiEUyyClSas7BVaJvAGl56cIg1jfjrNEBb5rQD2mISsuM2rIuRNc/Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-02T12:15:13Z"
+    mac: ENC[AES256_GCM,data:HpbL6uC0wZTSsjGU4DrQE8NTd+DaImXqvRObReF4uDtBgUlKYmn0/UZIThL1QCMiwUYN/SeOwNtGiT5lH/xZeoBdS683AIGfULqXxPx1EZ3NRBkSmQfayt8ltGJwozitJ59Tipv2buDEEcefCw1aG8l3qrQRc0eM09iOIeoZv5o=,iv:wdn0I7YQ4f3IgdjEZP5MdpOO2WL3dKKVF3RryJZ2ODQ=,tag:0Ri3AoYwN9SuzXo92zf6FA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/rv2/services.nix

@@ -0,0 +1,52 @@
+{
+  inputs,
+  outputs,
+  config,
+  ...
+}:
+
+{
+  imports = [
+    inputs.synix.nixosModules.openssh
+    inputs.synix.nixosModules.windows-oci
+
+    outputs.nixosModules.forgejo-runner
+  ];
+
+  services.openssh.enable = true;
+
+  # FIXME:
+  # connect in weechat:
+  # /server add local localhost/6667
+  # /set irc.server.local.password "abc"
+  # /set irc.server.local.tls off
+  # Access denied: Bad password?
+  services.ngircd = {
+    enable = true;
+    config = ''
+      [Global]
+      Name = irc.local
+      Info = Minimal ngIRCd Server
+      Password = yourmom69
+    '';
+  };
+
+  services.windows-oci = {
+    # enable = true;
+    sharedVolume = "/home/sid/pub";
+  };
+  time.hardwareClockInLocalTime = true; # Windows compatibility
+
+  services.forgejo-runner = {
+    # enable = true;
+    url = "https://git.sid.ovh";
+    # tokenFile = config.sops.templates."forgejo-runner/token".path;
+    label = "runner";
+  };
+  # sops = {
+  #   secrets."forgejo-runner/token" = { };
+  #   templates."forgejo-runner/token".content = ''
+  #     TOKEN=${config.sops.placeholder."forgejo-runner/token"}
+  #   '';
+  # };
+}