initial test config

nixos/flake-module.nix

@@ -0,0 +1,45 @@
+# copied and adopted from maralorns config
+# This automatically searches for nixos configs in ./machines/${name}/configuration.nix
+# and exposes them as outputs.nixosConfigurations.${name}
+{
+  withSystem,
+  lib,
+  inputs,
+  ...
+}:
+{
+  flake = {
+    nixosConfigurations = withSystem "x86_64-linux" (
+      { pkgs, ... }:
+      let
+        machines = builtins.attrNames (builtins.readDir ./machines);
+        makeSystem =
+          name:
+          let
+            importedConfig = import (./. + "/machines/${name}/configuration.nix");
+            systemConfig =
+              if lib.isFunction importedConfig then
+                x:
+                importedConfig (
+                  x
+                  // {
+                    flake-inputs = inputs;
+                    inherit pkgs;
+                  }
+                )
+              else
+                importedConfig;
+          in
+          pkgs.nixos {
+            imports = [
+              systemConfig
+              inputs.sops-nix.nixosModules.sops
+              inputs.impermanence.nixosModules.impermanence
+              inputs.home-manager.nixosModules.home-manager
+            ];
+          };
+      in
+      lib.genAttrs machines makeSystem
+    );
+  };
+}

nixos/machines/nerflap3/configuration.nix

@@ -0,0 +1,36 @@
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../roles
+  ];
+
+  networking.hostName = "nerflap3";
+  system.stateVersion = "25.05";
+
+  networking.networkmanager.enable = true;
+  users.users.nerf.extraGroups = [ "networkmanager" ];
+
+  services.pipewire = {
+    enable = true;
+    audio.enable = true;
+    pulse.enable = true;
+    jack.enable = true;
+    alsa.enable = true;
+  };
+
+  programs = {
+    git.enable = true;
+    steam = {
+      enable = true;
+      remotePlay.openFirewall = true;
+      dedicatedServer.openFirewall = true;
+      localNetworkGameTransfers.openFirewall = true;
+    };
+    hyprland.enable = true;
+  };
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    users.nerf = ./home.nix;
+  };
+}

nixos/machines/nerflap3/hardware-configuration.nix

@@ -0,0 +1,44 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [ ];
+
+  fileSystems."/" = {
+    device = "root";
+    fsType = "tmpfs";
+    options = [
+      "size=1G"
+      "mode=755"
+    ];
+  };
+  fileSystems."/persist" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "btrfs";
+    options = [ "subvol=persist" ];
+    neededForBoot = true;
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "ext4";
+  };
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "btrfs";
+    options = [ "subvol=nix" ];
+  };
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "btrfs";
+    options = [ "subvol=home" ];
+  };
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/597B-4974";
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nixos/machines/nerflap3/home.nix

@@ -0,0 +1,93 @@
+{ pkgs, ... }:
+{
+  home = {
+    username = "nerf";
+    homeDirectory = "/home/nerf";
+    stateVersion = "25.05";
+    packages = [
+      pkgs.pavucontrol
+    ];
+  };
+  programs = {
+
+    kitty.enable = true;
+    wofi.enable = true;
+    helix.enable = true;
+    waybar.enable = true;
+
+  };
+  wayland.windowManager.hyprland = {
+    enable = true;
+    package = null;
+    portalPackage = null;
+    systemd.variables = [ "--all" ]; # import environment (like PATH) into the systemd unit
+    settings = {
+      input = {
+        kb_layout = "de";
+        kb_variant = "neo";
+      };
+      general = {
+        gaps_in = 0;
+        gaps_out = 0;
+        boarder_size = 1;
+        "col.active_border" = "rgba(22ccffee) rgba(00ff99ee) 45deg";
+        "col.inactive_border" = "rgba(595959aa)";
+        layout = "master";
+        allow_tearing = false;
+      };
+      decoration = {
+        rounding = 0;
+        blur = {
+          enabled = false;
+          size = 3;
+          passes = 1;
+        };
+      };
+      animations = {
+        enabled = true;
+        bezier = "myBezier, 0.05, 0.9, 0.1, 1.05";
+        animation = [
+          "windows, 1, 7, myBezier"
+          "windowsOut, 1, 7, default, popin 80%"
+          "border, 1, 8, default"
+          "fade, 1, 7, default"
+          "workspace, 1, 6, default"
+        ];
+      };
+      master = {
+        new_on_top = true;
+      };
+      "$mainMod" = "SUPER";
+      "$menu" = "wofi --show drun";
+      bind =
+        [
+          "$mainMod, Return, exec, kitty"
+          "$mainMod, C, killactive,"
+          "$mainMod, M, exit,"
+          "$mainMod, V, togglefloating,"
+          "$mainMod, P, exec, $menu"
+          "$mainMod, Space, layoutmsg, swapwithmaster auto"
+          "$mainMod, N, layoutmsg, cyclenext"
+          "$mainMod, R, layoutmsg, cycleprev"
+          "$mainMod, S, togglespecialwokspace, magic"
+          "$mainMod, SHIFT, S, movetoworkspace, special:magic"
+        ]
+        ++ (builtins.concatLists (
+          builtins.genList (
+            i:
+            let
+              ws = i + 1;
+            in
+            [
+              "$mainMod, code:1${toString i}, workspace, ${toString ws}"
+              "$mainMod SHIFT, code:1${toString i}, movetoworkspace, ${toString ws}"
+            ]
+          ) 9
+        ));
+      bindm = [
+        "$mainMod, mouse:272, movewindow"
+        "$mainMod, mouse:273, resizewindow"
+      ];
+    };
+  };
+}

nixos/modules/impermanence.nix

@@ -0,0 +1,48 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    types
+    ;
+  cfg = config.impermanence;
+in
+{
+  imports = [ ];
+
+  options.impermanence = {
+    enable = mkEnableOption "impermanence";
+    storagePath = mkOption {
+      type = types.path;
+      default = "/persist";
+      description = "The path where persistent data is stored";
+    };
+    name = mkOption {
+      type = types.str;
+      default = "persist";
+      description = "the name of the persistent data store";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.persistence.${cfg.name} = {
+      persistentStoragePath = cfg.storagePath;
+      directories = [
+        "/var/log"
+        "/var/lib/nixos"
+      ];
+      files = [
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_rsa_key.pub"
+      ];
+    };
+    environment.etc.machine-id.source = "${cfg.storagePath}/machine-id";
+  };
+}

nixos/roles/admins.nix

@@ -0,0 +1,42 @@
+{ lib, ... }:
+with lib;
+let
+  admins = {
+    nerf = {
+      hashedPassword = "$y$j9T$b3ZDy/YaHDNiqcFFZyEcS.$HlWj1JiqbEMTsD0bMKSwKcJGO7cfpC4P8W8VAlvUTK/";
+      sshKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
+        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEdfOWD1DLuB1Ho69uRC3VgQu+X3gExFzVHhu2CAl8JSAAAABHNzaDo= laptop_child-sk"
+      ];
+      nixKeys = [
+        "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
+      ];
+    };
+  };
+
+  mkAdmin =
+    name:
+    {
+      hashedPassword,
+      sshKeys,
+      ...
+    }:
+    {
+      "${name}" = {
+        isNormalUser = true;
+        createHome = true;
+        extraGroups = [ "wheel" ];
+        group = "users";
+        home = "/home/${name}";
+        openssh.authorizedKeys = {
+          keys = sshKeys;
+        };
+        inherit hashedPassword;
+      };
+    };
+  mkNixKeys = _: { nixKeys, ... }: nixKeys;
+in
+{
+  users.users = mkMerge (mapAttrsToList mkAdmin admins);
+  nix.settings.trusted-public-keys = lists.concatLists (mapAttrsToList mkNixKeys admins);
+}

nixos/roles/default.nix

@@ -0,0 +1,63 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    ./admins.nix
+    ./nix.nix
+    ./keyboard.nix
+    ../modules/impermanence.nix
+  ];
+
+  networking = {
+    firewall = {
+      # these shoud be default, but better make sure!
+      enable = true;
+      allowPing = true;
+    };
+    nftables.enable = true;
+  };
+
+  users = {
+    mutableUsers = false;
+    users.root.hashedPassword = "!";
+  };
+
+  impermanence.enable = true;
+
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  environment = {
+    systemPackages = builtins.attrValues {
+      inherit (pkgs)
+        htop
+        lsof
+        tmux
+        btop
+        helix
+        ;
+    };
+  };
+
+  services = {
+    journald.extraConfig = "SystemMaxUse=1G";
+
+    nginx = {
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedTlsSettings = true;
+    };
+
+    openssh = {
+      enable = true;
+      settings = {
+        PermitRootLogin = "no";
+        PasswordAuthentication = false;
+      };
+    };
+    #Prevent clock drift due to interaction problem with xen hardware clock
+    timesyncd.enable = lib.mkForce true;
+  };
+}

nixos/roles/keyboard.nix

@@ -0,0 +1,7 @@
+{
+  services.xserver = {
+    xkb.layout = "de";
+    xkb.variant = "neo";
+  };
+  console.useXkbConfig = true;
+}

nixos/roles/nix.nix

@@ -0,0 +1,22 @@
+{
+  nix = {
+    settings = {
+      # trusted-public-keys belonging to specific persons are set in rolse/admins.nix
+      trusted-public-keys = [ ];
+      experimental-features = [
+        "flakes"
+        "nix-command"
+      ];
+      auto-optimise-store = true;
+      fallback = true;
+      builders-use-substitutes = true;
+    };
+    gc = {
+      automatic = true;
+      persistent = false;
+      dates = "weekly";
+      options = "-d";
+      randomizedDelaySec = "5h";
+    };
+  };
+}