sops hosts layout

.sops.yaml

@@ -0,0 +1,21 @@
+keys:
+  - &person_hunner age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
+  - &host_zima age16ptwug2yygtfh2dyy5dahaz85pfv3nvqyks03wltyymhyal25uyskz3q9v
+  - &host_cryochamber age122r8wrurhfjwple2ykd4wxafxezjd78mpkrzzyplcdju8q5ykecs3wycee
+  - &host_liminal age1jv3t4pltlsympq86vjhjjr66hvm25hv9utlk2nwa99qxfapc2amq2vmkel
+creation_rules:
+  - path_regex: hosts/zima/secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *person_hunner
+      - *host_zima
+  - path_regex: hosts/cryochamber/secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *person_hunner
+      - *host_cryochamber
+  - path_regex: hosts/liminal/secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *person_hunner
+      - *host_liminal

README.md

@@ -0,0 +1,3 @@
+# Notes
+
+I generated the sops keys via `ssh <host> 'cat /etc/ssh/ssh_host_ed25519_key.pub'|nix run 'nixpkgs#ssh-to-age'`

flake.nix

@@ -0,0 +1,60 @@
+{
+  description = "NixOS configurations for zima, cryochamber, and liminal";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+    nixos-hardware.url = "github:NixOS/nixos-hardware";
+    impermanence.url = "github:nix-community/impermanence";
+    talon-nix.url = "github:nix-community/talon-nix";
+    plover-flake.url = "github:openstenoproject/plover-flake";
+    beads-flake.url = "github:steveyegge/beads";
+  };
+
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, nixos-hardware, impermanence, talon-nix, plover-flake, beads-flake, ... }:
+    let
+      system = "x86_64-linux";
+      overlay-unstable = final: prev: {
+        unstable = import nixpkgs-unstable {
+          inherit system;
+          config.allowUnfree = true;
+        };
+      };
+    in
+    {
+      nixosConfigurations.zima = nixpkgs.lib.nixosSystem {
+        inherit system;
+        specialArgs = {
+          inherit impermanence;
+        };
+        modules = [
+          ./hosts/zima/configuration.nix
+          sops-nix.nixosModules.sops
+        ];
+      };
+
+      nixosConfigurations.cryochamber = nixpkgs.lib.nixosSystem {
+        inherit system;
+        specialArgs = {
+          inherit impermanence;
+        };
+        modules = [
+          ./hosts/cryochamber/configuration.nix
+          sops-nix.nixosModules.sops
+        ];
+      };
+
+      nixosConfigurations.liminal = nixpkgs.lib.nixosSystem {
+        inherit system;
+        specialArgs = {
+          inherit nixos-hardware impermanence talon-nix plover-flake beads-flake;
+        };
+        modules = [
+          ({ ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+          ./hosts/liminal/configuration.nix
+        ];
+      };
+    };
+}

hosts/cryochamber/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, impermanence, ... }:
 
 #zpool import -f rpool
 #mount -t zfs rpool/local/root /mnt
@@ -9,9 +9,7 @@
 #mount -t zfs rpool/safe/persist /mnt/persist
 #mount -t zfs rpool/local/var/lib /mnt/var/lib
 #mount -t zfs rpool/local/var/log /mnt/var/log
-let
-  impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
-in
+
 {
   imports =
     [
@@ -137,11 +135,16 @@ in
     };
   };
 
+  # sops-nix secrets
+  sops.defaultSopsFile = ./secrets/config.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.secrets.hashedPassword.neededForUsers = true;
+
   # Define a user account
   users.users.hunner = {
     isNormalUser = true;
     extraGroups = [ "wheel" "docker" "networkmanager" ];
-    hashedPassword = "$y$j9T$hLqdzlz7dbJZgUnKs.eo3/$25s/2X18vGtDKj53qD1sn/.Omp/6CBJWbn7d9KAiOK7";
+    hashedPasswordFile = config.sops.secrets.hashedPassword.path;
     shell = pkgs.zsh;
     packages = with pkgs; [
       fzf

hosts/cryochamber/flake.nix

@@ -0,0 +1,23 @@
+{
+  inputs = {
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    sops-nix,
+  }:
+    let
+      system = "x86_64-linux";
+    in
+    {
+      nixosConfigurations.cryochamber = nixpkgs.lib.nixosSystem {
+        modules = [
+          ./configuration.nix
+          sops-nix.nixosModules.sops
+        ];
+      };
+    };
+}

hosts/cryochamber/secrets/config.yaml

@@ -0,0 +1,25 @@
+hashedPassword: ENC[AES256_GCM,data:iUN2iaC2RPDa/vq6H7Xp2KqHYcHfQHU6IhZ2FWXEuaNhByFzpyMbJC7N2bmbDUD3ERLudHg686Uqt6XJV2PevQoXa1iYhv9cLw==,iv:ekGMzP2TXSrxLkqZVclHgN1NQIv6OqtsVLHdvsTgXQc=,tag:RRSZCHjmhn8ClrUTYteWWA==,type:str]
+sops:
+    age:
+        - recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TWlKSGppbzRaZ0dUOUNz
+            cXpReDF5UUZIbVg1MGkyZGNneGNiK0t3eEdRCk9jRjIvL25hREI3c1pVOU5JS1l2
+            Q0tkNWU0RndiZEI4Z1dDSlFUQzAyZVUKLS0tIEVyc0JPVnBxNDlJSEVXc3V1WDY0
+            bzlsWjVJZGx6eHk1MFh6ZFVpN0FOelUKaNsnY+6+t4lGv1e35BQjwPmI7AcQqpiu
+            uiDxPhaXmGrlBDdpHaEjNYBvZjp0YA/0LwEX7uUipQD+Xrop5Snm4w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age122r8wrurhfjwple2ykd4wxafxezjd78mpkrzzyplcdju8q5ykecs3wycee
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYjdUWjQxL0UrWnNWSUpi
+            ZWlsUVNTK0xXZVVFd2pNSitldnFaVzdoQnhnCkNma2llSDVmTzZGL1Y0VUhFSk9h
+            NEVUM3MwU2RQMTJpdFdEVWtPa2tCdzQKLS0tIGxrU3hzUzh4MGZQcElyRG1CZ3RS
+            NDJWOEMyU1hwcHRXMUh6RkEzOFhndG8KY/fCz/+MfGQlnLC3Kzo5hYOmd0fRakDQ
+            JjVD+zxHFqN5b3U03iS9WIsdjF3hRFqqnZMOeXTUDezDfTNPdmUuMg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-29T20:30:43Z"
+    mac: ENC[AES256_GCM,data:4tBtaoDxLrLIyIXi51TKB2U5eP9kkEpz1UaW2eBTGXkdmn+k/oiouQ4spigQ8O0dKvdy4SmvOSksCC7TSDeZ0ToKbyorqFrTbnhvUdACjw6O6I8WJ8daaOGuvKHjiYk1CWhn8zdC+QTa/gpjVoQhTfiEFuPXgFMMoI24h7000XE=,iv:6taR8qzv/liCLAeqkYnUV+9D0b9z0zCOPHsOo+JMXnw=,tag:TUg6Z9GQLPLnyvW6lCHFpw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/liminal/configuration.nix

@@ -201,12 +201,17 @@
   services.libinput.enable = true;
   services.touchegg.enable = true;
 
+  # sops-nix secrets
+  sops.defaultSopsFile = ./secrets/config.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.secrets.hashedPassword.neededForUsers = true;
+
   # Define a user account. Don't forget to set a password with 'passwd'.
   users.users.hunner = {
     isNormalUser = true;
     description = "Hunter Haugen";
     extraGroups = [ "docker" "networkmanager" "wheel" "audio" "video" "dialout" ];
-    hashedPassword = "$y$j9T$hLqdzlz7dbJZgUnKs.eo3/$25s/2X18vGtDKj53qD1sn/.Omp/6CBJWbn7d9KAiOK7";
+    hashedPasswordFile = config.sops.secrets.hashedPassword.path;
     shell = pkgs.zsh;
     packages = with pkgs; [
       fzf

hosts/liminal/secrets/config.yaml

@@ -0,0 +1,25 @@
+hashedPassword: ENC[AES256_GCM,data:FvSo0j1H/FpP8ljQTYNSRvAPDvvXi1TcIJnIY+WgTRiHZ0vb426+Pp8FNCqA06Rr/a+5T23ni2s1gOgX143LA4rI9xo9CgLxyw==,iv:QlenOW5mUdbS9+mnpoHfmVG/qnKLETuyVn8zOatTY98=,tag:6jslZ2Lth512XioIgHL92Q==,type:str]
+sops:
+    age:
+        - recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLdzBYdlZiQXZpNVVkMSs0
+            QzdtTU82bzFsSHlPY2tSYVB4THFZbmxyVUdzCkZqODVEZlRSSm9SMnFmZnhKTk5U
+            WEh3V1Zua1QyNTlvVGRHNktyQi9ualUKLS0tIGZFaEIxT0NVZTkvOXZQNFI5VTlP
+            TDM5czFEc1lCU281R0NKQkQ1bjNLL0kKHtVBtagNiz2fyyudwBJpxhfQBUMt++Be
+            tE1SGo+TirLPCgFK/ynw2zXUj7IZ8+qANOpGmStroUBgJGfoEHHlwg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jv3t4pltlsympq86vjhjjr66hvm25hv9utlk2nwa99qxfapc2amq2vmkel
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWL2dOcWpFWnZXYWdOZzhx
+            Z1hLUnRzTXo4N21ESXd6N1VhTVZUVVNHSFNNCnE2QkJ5clQvaExyY2dWMUZic3RI
+            NVJyVUNFZXdOTktjQ2ZYT0xER2x6Z1EKLS0tIHQxTFFTYlVnYjdiRUZnQXRDWHVB
+            WHVZYkQvN1MxaEV4NElLcHFPZmNjZVkKbUHXfK4Wt7MRS2XYBy9v/SQ3a6T4V5FK
+            bjd0nVVTJeMnE6V9avjNuOCVUkug4PylIzSMSohfpR6AmSy68jYElw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-29T21:00:07Z"
+    mac: ENC[AES256_GCM,data:IEWEy84qU3Lzq4tuNITS1JjxfNSNMksQMVTJbDHNyaN+gpVhjgS/SIX3ESU36S+CcgR/iczRvUvURA+s0csiMXCKfx2IwVuTIKqtTArDubjlqivr7fhY94VTkFz2e3ohfcHiJt6uzhzxHNDAAE5Ju9TzIAVyf+FRFZFUMRQwddc=,iv:oqnvxQg7mN7yWYoIahdJnKUestSeIMKvawt7+fDC38o=,tag:fcpPcvy+HTFSPTUM2GZ+0w==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/zima/configuration.nix

@@ -0,0 +1,304 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, impermanence, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      "${impermanence}/nixos.nix"
+    ];
+
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_7;
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.extraPools = [ "bitrot" ];
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  fileSystems = {
+    "/persist" = {
+      device = "rpool/safe/persist";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
+  };
+  # TODO postResumeCommands after update
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    zfs rollback -r rpool/local/root@blank
+  '';
+
+  networking.hostName = "zima"; # Define your hostname.
+  networking.hostId = "78599900";
+  # Pick only one of the below networking options.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+
+  # Set your time zone.
+  time.timeZone = "America/Los_Angeles";
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Select internationalisation properties.
+  # i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  #   useXkbConfig = true; # use xkb.options in tty.
+  # };
+
+  # Enable the X11 windowing system.
+  # services.xserver.enable = true;
+  virtualisation.docker.enable = true;
+
+
+  services.cron = {
+    enable = true;
+    systemCronJobs = [
+      "*/5 * * * *      hunner    widget drive zima $(zfs list -o available -H /bitrot) free"
+    ];
+  };
+  
+
+  # Configure keymap in X11
+  # services.xserver.xkb.layout = "us";
+  # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable sound.
+  # sound.enable = true;
+  # hardware.pulseaudio.enable = true;
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.xserver.libinput.enable = true;
+
+  # sops-nix secrets
+  sops.defaultSopsFile = ./secrets/config.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.secrets.hashedPassword.neededForUsers = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.hunner = {
+    uid = 1000;
+    isNormalUser = true;
+    extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user.
+    hashedPasswordFile = config.sops.secrets.hashedPassword.path;
+    packages = with pkgs; [
+      tree
+    ];
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    git
+    wget
+    tmux
+    awscli2
+    nix-search-cli
+    smartmontools
+    python3
+    ffmpeg
+    jq
+    sanoid
+    unrar
+    unzip
+    docker-compose
+    lzop # for syncoid
+    pv # for syncoid
+    mbuffer # for syncoid
+    restic
+    openssl
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      workstation = true;
+    };
+  };
+
+  services.zfs.autoScrub = {
+    enable = true;
+    interval = "weekly";
+    pools = [ "bitrot" ];
+  };
+
+  services.sanoid = {
+    enable = true;
+
+    templates.production = {
+      frequently = 0;
+      hourly = 12;
+      daily = 10; 
+      monthly = 2;
+      yearly = 1;
+      autosnap = true;
+      autoprune = true;
+      recursive = true;
+    };
+
+    datasets."bitrot" = {
+      useTemplate = [ "production" ];
+    };
+
+    datasets."rpool/safe" = {
+      useTemplate = [ "production" ];
+    };
+  };
+
+  users.users.backup = {
+    uid = 1001;
+    isNormalUser = true;
+    description = "Backup replication user";
+    shell = pkgs.bash;
+    packages = with pkgs; [
+      sanoid
+    ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL backup@cryochamber"
+    ];
+  };
+  services.syncoid = {
+    enable = true;
+    user = "backup";
+    sshKey = "/var/lib/syncoid/.ssh/id_ed25519";
+    commonArgs = [
+      #"--sshoption=StrictHostKeyChecking=off"
+      "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
+      "--sshoption=IdentitiesOnly=yes"
+      "--no-sync-snap"
+    ];
+    commands."backup-zima-bitrot" = {
+      source = "bitrot";
+      target = "root@cryochamber:tank/backups/zima/bitrot";
+      recursive = true;
+    };
+    commands."backup-zima-rpool-safe" = {
+      source = "rpool/safe";
+      target = "root@cryochamber:tank/backups/zima/rpool-safe";
+      recursive = true;
+    };
+  };
+  # This was needed when trying to get the backup user to work instead of using
+  # root; probably not needed now
+  systemd.services.syncoid-backup-zima-bitrot.serviceConfig = {
+    Environment = [
+      "HOME=/var/lib/syncoid"
+      "SSH_AUTH_SOCK="
+    ];
+    ExecStartPre = [
+      "+${pkgs.coreutils}/bin/mkdir -p /var/lib/syncoid/.ssh"
+      "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/id_ed25519 /var/lib/syncoid/.ssh/"
+      "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/known_hosts /var/lib/syncoid/.ssh/"
+      "+${pkgs.coreutils}/bin/chown -R backup:syncoid /var/lib/syncoid/.ssh"
+      "+${pkgs.coreutils}/bin/chmod 700 /var/lib/syncoid/.ssh"
+      "+${pkgs.coreutils}/bin/chmod 600 /var/lib/syncoid/.ssh/id_ed25519"
+    ];
+  };
+
+  services.tailscale.enable = true;
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  services.openssh.settings.Macs = [
+    "hmac-sha2-256"
+    "hmac-sha2-512-etm@openssh.com"
+    "hmac-sha2-256-etm@openssh.com"
+    "umac-128-etm@openssh.com"
+  ];
+  services.openssh.settings.AcceptEnv = "LANG LC_*";
+
+  # Old style
+  #environment.etc = {
+  #  nixos.source = "/persist/etc/nixos";
+  #  adjtime.source = "/persist/etc/adjtime";
+  #  NIXOS.source = "/persist/etc/NIXOS";
+  #  machine-id.source = "/persist/etc/machine-id";
+  #  "ssh/ssh_host_rsa_key".source = "/persist/etc/ssh/ssh_host_rsa_key";
+  #  "ssh/ssh_host_rsa_key.pub".source = "/persist/etc/ssh/ssh_host_rsa_key.pub";
+  #  "ssh/ssh_host_ed25519_key".source = "/persist/etc/ssh/ssh_host_ed25519_key";
+  #  "ssh/ssh_host_ed25519_key.pub".source = "/persist/etc/ssh/ssh_host_ed25519_key.pub";
+  #};
+
+  # https://www.reddit.com/r/NixOS/comments/13j64qh/how_to_add_impermanence_afterwards/?rdt=38929 also suggests
+  # - /var/log
+  # - /var/tmp
+  # - /var/lib/nixos
+  # but to do that I'd need something other than environment.etc
+
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [
+      "/root"
+      "/etc/nixos"
+      "/etc/ssh"
+      #"/var/log"
+      #"/var/lib/nixos"
+      #"/var/lib/systemd/coredump"
+      #"/etc/NetworkManager/system-connections"
+    ];
+    files = [
+      "/etc/machine-id"
+    ];
+  };
+  security.sudo.extraConfig = ''
+    # rollback results in sudo lectures after each reboot
+    Defaults lecture = never
+  '';
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 32400 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+}
+

hosts/zima/flake.nix

@@ -0,0 +1,23 @@
+{
+  inputs = {
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    sops-nix,
+  }:
+    let
+      system = "x86_64-linux";
+    in
+    {
+      nixosConfigurations.zima = nixpkgs.lib.nixosSystem {
+        modules = [
+          ./configuration.nix
+          sops-nix.nixosModules.sops
+        ];
+      };
+    };
+}

hosts/zima/hardware-configuration.nix

@@ -0,0 +1,62 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/local/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "rpool/local/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/safe/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/persist" =
+    { device = "rpool/safe/persist";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/08E2-681A";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var/lib" =
+    { device = "rpool/local/var/lib";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/log" =
+    { device = "rpool/local/var/log";
+      fsType = "zfs";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/zima/secrets/config.yaml

@@ -0,0 +1,25 @@
+hashedPassword: ENC[AES256_GCM,data:8kCOlv0GfypM0kTNLALKDdWtb4bK6wK1o1DgnzHbuUqJUfIWt6wx1ILVXfuti0rHO38lkuL05LXt9sLh1niPEmFlS4OLNCMHWg==,iv:bNbQex3+6LkDvnypQP7obFSJZ3kuLgFegu+xDQsJZh8=,tag:sN/4YVcEXXPG5C0kvh56Bg==,type:str]
+sops:
+    age:
+        - recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPV3kwUFpNblhubTh0b293
+            eUF0WDVIbGxWVlA1NnpjNFo1RXhJalY5OWpzCmZxYkMxa2tCQi9iRG96YkVhMVVK
+            RDQ3T3Y0SnVYdnZYemp6Q2lnblpXZEEKLS0tIFNHWUVremJWN2tjYUN1UmpUdnhQ
+            RWIzVjBiMjRoa0VLNDNuWDFqa1lDcVEKFitdIkUqqMuWOTn+liboLyXPBkxd2u3O
+            K62aQV5UxXjDmwXeH6woDCiSMFfgdWlJT6PfvS+y1FO6VKRQ39ob4w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16ptwug2yygtfh2dyy5dahaz85pfv3nvqyks03wltyymhyal25uyskz3q9v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Q3MzS3Y1WWhkUmlFMUcw
+            amx1RU1hZ2lJWXRVajE4Q1UvbVFlOVZ5b0E4CjU3bENCYmM2Tmg3NkwwWWRRdldP
+            Zm4yOHlCMU5QQTRXV2xFRTV1UGtGZGcKLS0tIDh2WitGbDQ0aEx6c2t5eTF0djFT
+            L0hXK1ZSY292dTRDU0Z2NGlJNHhpb2cK76bGG3yJD8ORZFPvW/WAlHLi9mt2A8+Q
+            /uOs6FBcubW6MGiC50OlSAI19yvg7BYqqWRFI+XEkXjxbLlwhWy1RA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-21T01:32:03Z"
+    mac: ENC[AES256_GCM,data:PezvH3WCehALUH3QEvIu21hJX5xyjnuGIvZAtVbEhDeD1JdO+lXSFVyH2gWjNWSgrDiDEKXMKtdl0Q+5eXJPpqHjNHIh0lDLePG0JSMZWdOz/F7uuiXqqeA7b4Plrf28PniqA4+c2PURhp5UggW6Tb2mBmVgwtsSuVH7kPnted8=,iv:59HIfn640uI6YvRwJ5WCY9QiJLvMnrdVnjpsCTG000k=,tag:3rZ4sm9cwc/n9cK/SOnMLw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0