commit 1a7c5c9489cf89c65d1904f15b5f08268b9d9066 Author: lew Date: Sat Apr 4 19:20:52 2026 +0100 init: scaffold nixos flake for lab server
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..726d2d6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+result
+.direnv
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..7bb7dfb
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &lab age1r8h6gy2f4mu8xvx609qeadl82v2hua74xaevsp982zyfh4tm9qlsu80s0f
+creation_rules:
+ - path_regex: secrets/.*\.yaml$
+ key_groups:
+ - age:
+ - *lab
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..9fd2926
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,21 @@
+{
+ description = "NixOS configuration";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = { self, nixpkgs, sops-nix, ... }: {
+ nixosConfigurations.lab = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ modules = [
+ sops-nix.nixosModules.sops
+ ./hosts/lab
+ ];
+ };
+ };
+}
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
new file mode 100644
index 0000000..6a72d6b
--- /dev/null
+++ b/hosts/common/default.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ time.timeZone = "Europe/London";
+ i18n.defaultLocale = "en_GB.UTF-8";
+
+ environment.systemPackages = with pkgs; [
+ neovim
+ git
+ ];
+}
diff --git a/hosts/lab/default.nix b/hosts/lab/default.nix
new file mode 100644
index 0000000..f710f6e
--- /dev/null
+++ b/hosts/lab/default.nix
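Review bot: In flake.nix the `sops-nix` input carries no ref (`url = "github:Mic92/sops-nix";`) and `nixpkgs` follows the moving `nixos-25.11` branch, while no `flake.lock` appears among the files this commit adds. Without a committed lock file, each fresh checkout resolves both inputs to whatever those branches point at when it is evaluated, so the module that decrypts secrets during activation is not tied to a reviewed revision. Generating the lock with `nix flake lock` and committing `flake.lock` alongside flake.nix would pin the revisions and content hashes. If the lock file is intentionally kept out of the repository, a short comment above `inputs` saying so would help the next reader.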
@@ -0,0 +1,31 @@
+{ pkgs, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../common
+ ];
+
+ networking.hostName = "lab";
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "yes";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ users.users.lew = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6KI06F0tHIurNFFRJRlHMeLb7dnUEk8jtSmdsdkfPPoDY0HL1A0QJwqsppFbjHSsJoQ/WZGIj09Evmk9RRGjR5uNEtDMWfxEoeJQoJ6Bwdit+BPa3TfgyyoLM107/D5JriFoZW9k0JVNkgAIFnHp6VAjFyrg4298yKzy2dZchDO4u5HfFi+HBwn2haP7IC0JNgq6GO8K+yw4UK2635/3B/xNLhhLobbT4sThcghBtBhvb8pSXJ0wLupwuGWN9uuONs0UYEOlb8BhedXR4ShJUsQERIPFByAvMaq5vbsVIojF5s4P4dAlpsRQpXhQa7E4wzwGy5bYVP3MNmtYwxZel ssh-key-2025-12-11"
+ ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ system.stateVersion = "23.11";
+}
diff --git a/hosts/lab/hardware-configuration.nix b/hosts/lab/hardware-configuration.nix
new file mode 100644
index 0000000..0971835
--- /dev/null
+++ b/hosts/lab/hardware-configuration.nix
@@ -0,0 +1,16 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader = {
+ efi.efiSysMountPoint = "/boot/efi";
+ grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ };
+ };
+ fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/3807-C85F"; fsType = "vfat"; };
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
diff --git a/secrets/.gitkeep b/secrets/.gitkeep
new file mode 100644
index 0000000..e69de29
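Review bot: In hosts/lab/default.nix, `PermitRootLogin = "yes";` keeps direct root login over SSH enabled even though the same hunk already creates `lew` with an authorized key and `wheel` membership, so nothing visible here needs it; `PermitRootLogin = "no";` would close that path. Combined with `security.sudo.wheelNeedsPassword = false;`, possession of the one RSA key listed for `lew`, or any process running as `lew`, amounts to root on a host that also exposes ports 80 and 443. Consider removing that line so sudo asks for a password. That would require a password for `lew`, which this hunk does not set, and it could be supplied as a hashed password through the sops-nix secrets this repository is scaffolding. If passwordless sudo is a deliberate lab convenience, a comment such as `# lab only: passwordless sudo, do not copy to other hosts` above the line would make the trade-off explicit.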