-rw-r--r--.editorconfig5
-rw-r--r--configuration.nix88
-rw-r--r--disko.nix49
-rw-r--r--flake.lock65
-rw-r--r--flake.nix17
-rw-r--r--hardware-configuration.nix26
-rw-r--r--impermanence.nix40
-rw-r--r--router.nix50
8 files changed, 340 insertions, 0 deletions
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..a1b35eb
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,5 @@
+root = true
+
+[*]
+indent_size = 2
+indent_style = space
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..7eb5a30
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,88 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, inputs, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./disko.nix
+ ./impermanence.nix
+ ./router.nix
+ ];
+
+ hardware.graphics.extraPackages = with pkgs; [ vpl-gpu-rt intel-media-driver ];
+ hardware.graphics.enable = true;
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "oden";
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Stockholm";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "mod-dh-iso-us";
+ };
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.mathias = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "wireshark" ];
+ shell = pkgs.fish;
+ hashedPassword = "REDACTED";
+ };
+
+ programs.fish.enable = true;
+
+ programs.wireshark.enable = true;
+
+ # List packages installed in system profile.
+ # You can use https://search.nixos.org/ to find more packages (and options).
+ environment.systemPackages = with pkgs; [
+ neovim
+ curl
+ git
+ (ffmpeg.override { withVpl = true; })
+ ];
+
+ services.openssh.enable = true;
+ services.openssh.settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
+
+ nix.registry.nixpkgs.flake = inputs.nixpkgs;
+ nix.extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "25.05"; # Did you read the comment?
+
+}
+
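Review bot: `services.openssh.enable = true;` leaves `services.openssh.openFirewall` at its default, which opens port 22 on every interface, including the NAT external interface `enp8s0` declared in router.nix, so sshd is reachable from the WAN side of this router. If SSH is only needed from the LAN, set `services.openssh.openFirewall = false;` and open it per interface with `networking.firewall.interfaces.<lanInterface>.allowedTCPPorts = [ 22 ];` (the interface name is the `lanInterface` binding in router.nix). Password authentication is disabled and no `openssh.authorizedKeys.keys` is declared for `mathias`, so key material is presumably provisioned out of band in the persistent `/home` subvolume; a comment recording where it comes from would help the next reader. `hashedPassword = "REDACTED"` is presumably a publication placeholder; if it were literal, no password would ever match it and console login for the account would be disabled as well.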
diff --git a/disko.nix b/disko.nix
new file mode 100644
index 0000000..1f89ffa
--- /dev/null
+++ b/disko.nix
@@ -0,0 +1,49 @@
+{
+ disko.devices.disk.main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions.ESP = {
+ priority = 1;
+ name = "ESP";
+ start = "1M";
+ end = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ partitions.root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "subvol=root" "compress=zstd" "noatime" ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [ "subvol=home" "compress=zstd" "noatime" ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "subvol=nix" "compress=zstd" "noatime" ];
+ };
+ "/nix/persist" = {
+ mountpoint = "/nix/persist";
+ mountOptions = [ "subvol=persist" "compress=zstd" "noatime" ];
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/nix/persist".neededForBoot = true;
+}
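Review bot: `device = "/dev/nvme0n1";` identifies the target disk by kernel enumeration order, and disko formats that device destructively when run in a formatting mode; disko's documentation recommends a stable path such as `device = "/dev/disk/by-id/<DISK-ID-PLACEHOLDER>";` so that adding or reordering NVMe devices cannot redirect a format at the wrong disk. The rest of the layout is consistent with impermanence.nix: the ESP is mounted with `umask=0077`, and the `/nix/persist` subvolume is marked `neededForBoot`, which the persistence module requires.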
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..5b0620f
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,65 @@
+{
+ "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1746728054,
+ "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "ff442f5d1425feb86344c028298548024f21256d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "latest",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1737831083,
+ "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1758791193,
+ "narHash": "sha256-F8WmEwFoHsnix7rt290R0rFXNJiMbClMZyIC/e+HYf0=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "25e53aa156d47bad5082ff7618f5feb1f5e02d01",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-25.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "disko": "disko",
+ "impermanence": "impermanence",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..89a530a
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,17 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+ disko.url = "github:nix-community/disko/latest";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+ impermanence.url = "github:nix-community/impermanence";
+ };
+ outputs = inputs@{ self, nixpkgs, disko, impermanence, ... }: {
+ nixosConfigurations.oden = nixpkgs.lib.nixosSystem {
+ modules = [ ./configuration.nix disko.nixosModules.disko impermanence.nixosModules.impermanence ];
+ specialArgs = {
+ inherit inputs;
+ };
+ };
+ };
+}
+
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..df42bc0
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,26 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp9s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/impermanence.nix b/impermanence.nix
new file mode 100644
index 0000000..0592049
--- /dev/null
+++ b/impermanence.nix
@@ -0,0 +1,40 @@
+{ lib, ... }: {
+ boot.initrd.postResumeCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount /dev/disk/by-partlabel/disk-main-root /btrfs_tmp # CONFIRM THIS IS CORRECT FROM findmnt
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+
+ environment.persistence."/nix/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
+}
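Review bot: Only the ed25519 host key pair is persisted in the `files` list, but the NixOS default for `services.openssh.hostKeys` also generates an RSA host key, and because the root subvolume is moved aside and recreated on every boot (`mv /btrfs_tmp/root ...` and `btrfs subvolume create /btrfs_tmp/root` above), that RSA key is regenerated each boot and clients that negotiated it will see a host-key change warning. Either add `"/etc/ssh/ssh_host_rsa_key"` and `"/etc/ssh/ssh_host_rsa_key.pub"` to `files`, or set `services.openssh.hostKeys` to the ed25519 entry only so that no unpersisted host key exists. `/var/lib/kea` is likewise absent from `directories`, so the memfile lease database configured in router.nix is lost on reboot and Kea restarts with no record of addresses it has already handed out. The `mount /dev/disk/by-partlabel/disk-main-root` line still carries a `CONFIRM THIS IS CORRECT` marker; the label appears to match disko's `disk-<disk>-<partition>` naming for the `main`/`root` partition in disko.nix, so once verified on the running system the marker should be resolved or removed.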
diff --git a/router.nix b/router.nix
new file mode 100644
index 0000000..ad58ba8
--- /dev/null
+++ b/router.nix
@@ -0,0 +1,50 @@
+{ ... }:
+let
+ lanInterface = "enp5s0f0u2";
+in
+{
+ boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+ networking.nftables.enable = true;
+ networking.firewall.filterForward = true;
+ networking.nat = {
+ enable = true;
+ externalInterface = "enp8s0";
+ internalInterfaces = [ lanInterface ];
+ forwardPorts = [{
+ sourcePort = 1234;
+ destination = "10.69.0.2:12345";
+ }];
+ };
+ networking.interfaces.${lanInterface}.ipv4.addresses = [{
+ address = "10.69.0.1";
+ prefixLength = 16;
+ }];
+ services.kea.dhcp4 = {
+ enable = true;
+ settings = {
+ interfaces-config = {
+ interfaces = [ lanInterface ];
+ service-sockets-max-retries = 200000;
+ service-sockets-retry-wait-time = 5000;
+ };
+ lease-database = {
+ name = "/var/lib/kea/dhcp4-leases.csv";
+ type = "memfile";
+ };
+ valid-lifetime = 4000;
+ renew-timer = 2000;
+ rebind-timer = 3500;
+ subnet4 = [{
+ id = 1;
+ subnet = "10.69.0.0/16";
+ pools = [{
+ pool = "10.69.0.2 - 10.69.0.254";
+ }];
+ option-data = [
+ { name = "routers"; data = "10.69.0.1"; }
+ { name = "domain-name-servers"; data = "1.1.1.1, 1.0.0.1"; }
+ ];
+ }];
+ };
+ };
+}
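Review bot: The port-forward destination `10.69.0.2:12345` lies inside the Kea pool `10.69.0.2 - 10.69.0.254`, and the subnet declares no `reservations`, so that address is dynamically leasable and any LAN client could be handed `10.69.0.2` and receive the traffic forwarded from WAN port 1234. Pin the intended host with a reservation in the subnet, e.g. `reservations = [{ hw-address = "<MAC-PLACEHOLDER>"; ip-address = "10.69.0.2"; }];`, or start the pool above any statically assigned addresses. `forwardPorts` defaults to TCP and accepts the forward from any WAN source, which is presumably intended, but a comment naming the service behind 12345 would make the exposure reviewable. As far as I recall, `networking.nat.enable` already sets `net.ipv4.conf.all.forwarding`, so the explicit `boot.kernel.sysctl` line at the top duplicates it; keep it only if the redundancy is meant as documentation.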