From 7a6ace2ef0895b5928df1337a72be5335ea98132 Mon Sep 17 00:00:00 2001
From: derped
Date: Sat, 19 Jul 2025 11:57:58 +0200
Subject: [PATCH] machines: init Tehom
---
.sops.yaml | 7 ++
machines/Tehom/configuration.nix | 5 +
machines/Tehom/hardware-configuration.nix | 125 ++++++++++++++++++++++
machines/Tehom/options.nix | 68 ++++++++++++
machines/Tehom/secrets.yaml | 31 ++++++
machines/Tehom/sops.nix | 11 ++
6 files changed, 247 insertions(+)
create mode 100644 machines/Tehom/configuration.nix
create mode 100644 machines/Tehom/hardware-configuration.nix
create mode 100644 machines/Tehom/options.nix
create mode 100644 machines/Tehom/secrets.yaml
create mode 100644 machines/Tehom/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index db51d2d..8ee9e62 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 - &marid age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7
 - &ophanim age1q49xu8zdt77s6h2gcsf4842k4tzzuhc5svr6f7saqy90muf6c9eqfa9s3e
 - &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y
+ - &tehom age1a0960zfd8njr9uc4letsar72kg52vgh0tgmxt5z2gacd2h38fqkqllm4g9
 creation_rules:
 - path_regex: machines/Lilim/[^/]+.yaml$
 key_groups:
@@ -29,3 +30,9 @@ creation_rules:
 - *admins
 age:
 - *sheol
+ - path_regex: machines/Tehom/[^/]+.yaml$
+ key_groups:
+ - pgp:
+ - *admins
+ age:
+ - *tehom
diff --git a/machines/Tehom/configuration.nix b/machines/Tehom/configuration.nix
new file mode 100644
index 0000000..fb987d0
--- /dev/null
+++ b/machines/Tehom/configuration.nix
@@ -0,0 +1,5 @@
+_:
+
+{
+ system.stateVersion = "25.05";
+}
diff --git a/machines/Tehom/hardware-configuration.nix b/machines/Tehom/hardware-configuration.nix
new file mode 100644
index 0000000..eb37cd4
--- /dev/null
+++ b/machines/Tehom/hardware-configuration.nix
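Review bot: The new rule's `path_regex: machines/Tehom/[^/]+.yaml$` is not anchored at the front and the `.` before `yaml` is unescaped, so it also matches any path that merely ends in `machines/Tehom/<name>Xyaml` under some other prefix; this mirrors the existing Lilim rule, so it is a convention question rather than a defect, but `^machines/Tehom/[^/]+\.yaml$` would state the intent exactly. The single key group holding both `*admins` and `*tehom` means either the admin PGP keys or the host's age key alone can decrypt, which is the usual sops-nix layout; a one-line comment next to the rule, e.g. `# one group: admins (pgp) or the host key (age) each suffice`, would help a reader who expects key groups to be conjunctive.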
@@ -0,0 +1,125 @@
+{
+ nixpkgs,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [
+ "${nixpkgs}/nixos/modules/installer/scan/not-detected.nix"
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ "usbhid"
+ "sdhci_pci"
+ ];
+ luks.devices."btrfs-crypt".device = "/dev/disk/by-uuid/f97bba41-e44d-4527-9e20-d09232a92323";
+ };
+ supportedFilesystems = [ "btrfs" ];
+ loader = {
+ efi.canTouchEfiVariables = true;
+ timeout = 0;
+ systemd-boot = {
+ enable = true;
+ consoleMode = "0";
+ editor = false;
+ };
+ };
+ kernelPackages = pkgs.linuxPackages_latest;
+ initrd.kernelModules = [ ];
+ kernelModules = [
+ "kvm-amd"
+ "amdgpu"
+ ];
+ extraModulePackages = with pkgs.linuxPackages_latest; [ acpi_call ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [
+ "defaults"
+ "size=512M"
+ "mode=755"
+ ];
+ };
+ "/tmp" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=tmp"
+ "noatime"
+ "compress=zstd"
+ ];
+ neededForBoot = true;
+ };
+ "/persist" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=persist"
+ "noatime"
+ "compress=zstd"
+ ];
+ neededForBoot = true;
+ };
+ "/nix" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=nix"
+ "noatime"
+ "compress=zstd"
+ ];
+ neededForBoot = true;
+ };
+ "/snapshots" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=snapshots"
+ "noatime"
+ "compress=zstd"
+ "noexec"
+ ];
+ neededForBoot = false;
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/12CE-A600";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+ };
+
+ services = {
+ upower.enable = true;
+ logind.extraConfig = ''
+ # don’t shutdown when power button is short-pressed
+ HandlePowerKey=suspend
+ '';
+ xserver.videoDrivers = [ "amdgpu" ];
+ };
+
+ hardware = {
+ cpu.amd.updateMicrocode = true;
+ graphics = {
+ enable = true;
+ enable32Bit = true;
+ };
+ bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ };
+
+ time.timeZone = "Europe/Berlin";
+}
diff --git a/machines/Tehom/options.nix b/machines/Tehom/options.nix
new file mode 100644
index 0000000..f55eb25
--- /dev/null
+++ b/machines/Tehom/options.nix
@@ -0,0 +1,68 @@
+_:
+
+{
+ machine = {
+ allowUnfree = true;
+ hostName = "Tehom";
+ networkD = {
+ enable = true;
+ waitOnline = false;
+ };
+ users = [
+ {
+ name = "derped";
+ id = 1337;
+ isAdmin = true;
+ services = [
+ "kdeconnect"
+ ];
+ }
+ ];
+ conffiles = [
+ "etcvars"
+ "fonts"
+ "networkmanager"
+ "zsh"
+ ];
+ pkgs = [
+ "base"
+ "python3"
+ "xpkgs"
+ ];
+ services = [
+ "appimage"
+ "btrfs"
+ "gamescope"
+ "handheld-daemon"
+ "home"
+ "impermanence"
+ "nvim"
+ "nvim::blink"
+ "nvim::fugitive"
+ "nvim::harpoon"
+ "nvim::kanagawa-nvim"
+ "nvim::lsp"
+ "nvim::lsp::bash"
+ "nvim::lsp::harper"
+ "nvim::lsp::lua"
+ "nvim::lsp::nix-nil"
+ "nvim::nvim-highlight"
+ "nvim::oil-nvim"
+ "nvim::telescope"
+ "nvim::tmux-navigate"
+ "nvim::treesitter"
+ "nvim::trim"
+ "nvim::undotree"
+ "nvim::which-key"
+ "openssh"
+ "pipewire"
+ "plasmamobile"
+ "stylix"
+ "tmux"
+ ];
+ firewall = {
+ enable = true;
+ allowPing = true;
+ };
+ };
+}
diff --git a/machines/Tehom/secrets.yaml b/machines/Tehom/secrets.yaml
new file mode 100644
index 0000000..6d8b760
--- /dev/null
+++ b/machines/Tehom/secrets.yaml
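Review bot: The `/boot` mount uses `"fmask=0022"`/`"dmask=0022"`, which leaves the ESP world-readable: any local user can read the kernel, the initrd and systemd-boot's `loader/random-seed`, and `bootctl` reports a world-accessible seed as a security hole; `"fmask=0077"` `"dmask=0077"` restricts it to root without affecting boot. The `/tmp` subvolume is mounted with only `noatime`/`compress=zstd` while `/snapshots` gets `noexec`, so consider adding `"nosuid"` and `"nodev"` to `/tmp` as well (and `"noexec"` only if nothing on this machine builds in `/tmp`). `initrd.kernelModules = [ ]` is set outside the `initrd = { … }` block a few lines above; Nix merges the two, but folding it into that block would read more consistently. `extraModulePackages` names `pkgs.linuxPackages_latest` directly rather than reusing the set chosen for `kernelPackages`; with `config` not among the module arguments that is the available choice, but the two lines have to be kept in step if the kernel is ever pinned.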
@@ -0,0 +1,31 @@
+users:
+ derped:
+ password: ENC[AES256_GCM,data:vOZBPzBYIi0SvGmquBwdGNaqRu9vq97odnUubIuMZuRjdltBsU7WfhuDpzybkYnQqqW6CPBtnEcA/FIEzHqO7IAusRsYGtSK+g==,iv:fZvwWOwplMm6cbTkvURcWp0LUQEeEZ79udDhQ/RU7Hc=,tag:rd/ASyUjHP3gmDKedJUKHw==,type:str]
+ publicKey: ENC[AES256_GCM,data:Zv2FPrafaiIfDSpmD0D2XzEbN7e4G3eUiD+sQDpnsSna19THPT3OtrZ8zT5qxcVVfwey3b9Gep14wLOMmbI43iCtnAgmctN6YTiZ2FaZrpcOexBivNNhTD1oqjoBxIwLy7uKNbZbQPs/pm+Tpieu7LVRmevoeaqckg==,iv:NRRbX7rKCVlv4avxrYnQ9OZ1dtmeF/frAiefKx2aQ3U=,tag:6VPjDEMfPj72TGQIy0/abg==,type:str]
+sops:
+ age:
+ - recipient: age1a0960zfd8njr9uc4letsar72kg52vgh0tgmxt5z2gacd2h38fqkqllm4g9
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwM1VEKy9nbVd5bFRmSmtn
+ UmxYRDRHUTdWWU0yT0VjcjBySkxrT1RpMDFBCmMvYm5LS2J4c0Q4OG8xWUViOTJk
+ bVZ5emlodWRLVEhEUnlURjFoWEhZd1kKLS0tIGloejhXajhiUVI4cDl1dU51SHho
+ VWhsNXlMWjlEdmVPdk85U3pQUm1aeEUKZPTAOfRmu5Y9sw/ha2dy1T7gxe8uHUN+
+ xqMRRubsTheFa3aTzNuk9qpUFyjSFcviAO3Ja4b85HONn0YuIUlv9Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-19T09:18:34Z"
+ mac: ENC[AES256_GCM,data:tZ+1ghRFMHTo6UaQkQ4LBMKy/FIzMlOTgqPg2RqZwGHvn8GZ0UHsfuDGghUOpZGG9rvYBWA8/NhoFjUjKR40Z3FTioAS3lPk6Q3z1wmgpNBXvn9RiWwDsar3vbofFVtv9VMM1pro+jIL/WUrtjXVSrqhe/2Zx9HIn3y1tpiSVIY=,iv:WnAgGo+8btNKc07a0MiMZ/zoX6biQkNf994WQUenHxQ=,tag:hp200rV2MmOkGEEkIC7KNg==,type:str]
+ pgp:
+ - created_at: "2025-07-19T09:21:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DVbZwA9DOvl8SAQdApO9AdHQqmjHmCn2hHUj2PSK8dn1o2Zd31o8qHceNzUcw
+ cvYgWlvyCy57TKKkxvVrpBeBw8DSEXClyIk2Cd6Xd8CW9SOh9zoL/dqZoDI4frfv
+ 0l4BrX9UVBhYLQVF9BH5ErWaWNPH4zuW/9P1HEdlp9IlxiDc+EuP1/398PbjCEHO
+ dX2PfiPEyx3sogcVIdKSyjZ3+zTkotYM2KIY6mA/Hq/8IbZpu4Xe5mrV3v5eDE+m
+ =43Sp
+ -----END PGP MESSAGE-----
+ fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/machines/Tehom/sops.nix b/machines/Tehom/sops.nix
new file mode 100644
index 0000000..c0beee2
--- /dev/null
+++ b/machines/Tehom/sops.nix
@@ -0,0 +1,11 @@
+_:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age = {
+ keyFile = "/persist/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ };
+}
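Review bot: `generateKey = true` combined with the fixed `keyFile` means that if `/persist/var/lib/sops-nix/key.txt` is absent at activation — a fresh install, or `/persist` not yet populated — sops-nix quietly creates a new age identity whose recipient is not the `age1a0960…` key that `.sops.yaml` and `secrets.yaml` were encrypted to, and the mistake only surfaces later as a decryption error rather than at provisioning time. A comment on the `keyFile` line would make the manual step explicit, e.g. `# Must be the identity for the &tehom recipient in .sops.yaml; seed it before first boot — generateKey cannot recreate it.` The key sits on the LUKS-backed `/persist` subvolume, which `hardware-configuration.nix` marks `neededForBoot`, so it is encrypted at rest and present early enough for secrets that must exist before user creation. No `sops.secrets` entries are declared in this hunk, so the consumers of `users/derped/password` and `users/derped/publicKey` presumably live in another module; if `publicKey` is an SSH public key as its name suggests, it does not need to be encrypted and could be kept in plain text to keep the encrypted surface minimal.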