hosts/helios: add initial disko config

Flake lock file updates:

• Updated input 'firefox-gnome-theme':
    'github:rafaelmardojai/firefox-gnome-theme/6f173d0873dd33c5653dee89a831af3e49db3e36?narHash=sha256-9veVYpPCwKNjIK5gOigl5nEUN6tmrSHXUv4bVZkRuOE%3D' (2025-08-04)
  → 'github:rafaelmardojai/firefox-gnome-theme/6fafa0409ad451b90db466f900b7549a1890bf1a?narHash=sha256-ClHCtrzwU6TIfK0qOzAsfPY4swrpbZ8SwUpBpVwphaY%3D' (2025-08-22)
• Updated input 'home-manager':
    'github:nix-community/home-manager/4fb695d10890e9fc6a19deadf85ff79ffb78da86?narHash=sha256-CPM7zm6csUx7vSfKvzMDIjepEJv1u/usmaT7zydzbuI%3D' (2025-08-21)
  → 'github:nix-community/home-manager/4a44fb9f7555da362af9d499817084f4288a957f?narHash=sha256-OILVkfhRCm8u18IZ2DKR8gz8CVZM2ZcJmQBXmjFLIfk%3D' (2025-08-23)
• Updated input 'hyprland':
    'github:hyprwm/Hyprland/42caff5587b6c43703b3c3d51878f156448994f6?narHash=sha256-afr1iUi3HHTgBdF5wZJ1JZQGUNTM4ZY85NnEN138Q2g%3D' (2025-08-22)
  → 'github:hyprwm/Hyprland/0d45b277d6c750377b336034b8adc53eae238d91?narHash=sha256-/yviTS9piazXoZAmnN0dXnYjDAFvooBnzJfPw2Gi30Y%3D' (2025-08-22)
• Updated input 'pre-commit-hooks':
    'github:cachix/git-hooks.nix/4b04db83821b819bbbe32ed0a025b31e7971f22e?narHash=sha256-I0Ok1OGDwc1jPd8cs2VvAYZsHriUVFGIUqW%2B7uSsOUM%3D' (2025-08-17)
  → 'github:cachix/git-hooks.nix/3ff4596663c8cbbffe06d863ee4c950bce2c3b78?narHash=sha256-2KZl6cU5rzEwXKMW369kLTzinJXXkF3TRExA6qEeVbc%3D' (2025-08-22)
• Updated input 'thunderbird-gnome-theme':
    'github:rafaelmardojai/thunderbird-gnome-theme/a9ee1a2c8a1dfce700250a4ce3ce7f88dff43300?narHash=sha256-zADBsXqIkxy519sK/2mnZ/lcTQSA/3iXwdkXCVNqUVY%3D' (2025-08-06)
  → 'github:rafaelmardojai/thunderbird-gnome-theme/b1fbb41db5718c23667bd9b40268b8e7317634fd?narHash=sha256-oLmw1VRrmbuLwT5errG3lT85K0jLII/aQ32VtdJ%2B1xM%3D' (2025-08-22)
• Updated input 'treefmt-nix':
    'github:numtide/treefmt-nix/7d81f6fb2e19bf84f1c65135d1060d829fae2408?narHash=sha256-2vX8QjO5lRsDbNYvN9hVHXLU6oMl%2BV/PsmIiJREG4rE%3D' (2025-08-10)
  → 'github:numtide/treefmt-nix/74e1a52d5bd9430312f8d1b8b0354c92c17453e5?narHash=sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU%3D' (2025-08-23)

flake.lock

@@ -213,11 +213,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754971456,
-        "narHash": "sha256-p04ZnIBGzerSyiY2dNGmookCldhldWAu03y0s3P8CB0=",
+        "lastModified": 1755519972,
+        "narHash": "sha256-bU4nqi3IpsUZJeyS8Jk85ytlX61i4b0KCxXX9YcOgVc=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "8246829f2e675a46919718f9a64b71afe3bfb22d",
+        "rev": "4073ff2f481f9ef3501678ff479ed81402caae6d",
         "type": "github"
       },
       "original": {
@@ -229,11 +229,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1754312136,
-        "narHash": "sha256-9veVYpPCwKNjIK5gOigl5nEUN6tmrSHXUv4bVZkRuOE=",
+        "lastModified": 1755874650,
+        "narHash": "sha256-ClHCtrzwU6TIfK0qOzAsfPY4swrpbZ8SwUpBpVwphaY=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "6f173d0873dd33c5653dee89a831af3e49db3e36",
+        "rev": "6fafa0409ad451b90db466f900b7549a1890bf1a",
         "type": "github"
       },
       "original": {
@@ -517,11 +517,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753592768,
-        "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
+        "lastModified": 1755928099,
+        "narHash": "sha256-OILVkfhRCm8u18IZ2DKR8gz8CVZM2ZcJmQBXmjFLIfk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "fc3add429f21450359369af74c2375cb34a2d204",
+        "rev": "4a44fb9f7555da362af9d499817084f4288a957f",
         "type": "github"
       },
       "original": {
@@ -605,11 +605,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1755416233,
-        "narHash": "sha256-40yHpmTu/dJV5xh8V6PcMvSVqxtQdsVZUium5WMpxFg=",
+        "lastModified": 1755883465,
+        "narHash": "sha256-/yviTS9piazXoZAmnN0dXnYjDAFvooBnzJfPw2Gi30Y=",
         "owner": "hyprwm",
         "repo": "Hyprland",
-        "rev": "251288ec5942b3544ad31de1299569284d80f0d7",
+        "rev": "0d45b277d6c750377b336034b8adc53eae238d91",
         "type": "github"
       },
       "original": {
@@ -993,11 +993,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1755186698,
-        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
+        "lastModified": 1755615617,
+        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
+        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
         "type": "github"
       },
       "original": {
@@ -1008,11 +1008,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1755274400,
-        "narHash": "sha256-rTInmnp/xYrfcMZyFMH3kc8oko5zYfxsowaLv1LVobY=",
+        "lastModified": 1755704039,
+        "narHash": "sha256-gKlP0LbyJ3qX0KObfIWcp5nbuHSb5EHwIvU6UcNBg2A=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ad7196ae55c295f53a7d1ec39e4a06d922f3b899",
+        "rev": "9cb344e96d5b6918e94e1bca2d9f3ea1e9615545",
         "type": "github"
       },
       "original": {
@@ -1031,11 +1031,11 @@
         "systems": "systems_6"
       },
       "locked": {
-        "lastModified": 1754262585,
-        "narHash": "sha256-Yz5dJ0VzGRzSRHdHldsWQbuFYmtP3NWNreCvPfCi9CI=",
+        "lastModified": 1755727480,
+        "narHash": "sha256-eb9N7XFj1zirk+D2KV+rn/CjmVHDISlxhtZCWZEVpkM=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "ab1b5962e1ca90b42de47e1172e0d24ca80e6256",
+        "rev": "6df0b97b39baa1c0b3002b051f307aed68e17d1b",
         "type": "github"
       },
       "original": {
@@ -1100,11 +1100,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754416808,
-        "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=",
+        "lastModified": 1755879220,
+        "narHash": "sha256-2KZl6cU5rzEwXKMW369kLTzinJXXkF3TRExA6qEeVbc=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864",
+        "rev": "3ff4596663c8cbbffe06d863ee4c950bce2c3b78",
         "type": "github"
       },
       "original": {
@@ -1143,11 +1143,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1753994653,
-        "narHash": "sha256-kVd17w6oo9dbZfgZXMMPEssspp8vAr32G5U8VnfuIFc=",
+        "lastModified": 1755887038,
+        "narHash": "sha256-HoEMwFfR3rwNxwJjFCbj3rfW8k6EabHuMJAZOwsT95c=",
         "ref": "refs/heads/master",
-        "rev": "e0cb8c5b8de3f61fbef13c80219715f2e3e5ffb5",
-        "revCount": 39,
+        "rev": "9e47b557087ebde3a30c9f97189d110c29d144fd",
+        "revCount": 40,
         "type": "git",
         "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
       },
@@ -1249,11 +1249,11 @@
     "thunderbird-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1754507270,
-        "narHash": "sha256-zADBsXqIkxy519sK/2mnZ/lcTQSA/3iXwdkXCVNqUVY=",
+        "lastModified": 1755861050,
+        "narHash": "sha256-oLmw1VRrmbuLwT5errG3lT85K0jLII/aQ32VtdJ+1xM=",
         "owner": "rafaelmardojai",
         "repo": "thunderbird-gnome-theme",
-        "rev": "a9ee1a2c8a1dfce700250a4ce3ce7f88dff43300",
+        "rev": "b1fbb41db5718c23667bd9b40268b8e7317634fd",
         "type": "github"
       },
       "original": {
@@ -1290,11 +1290,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754847726,
-        "narHash": "sha256-2vX8QjO5lRsDbNYvN9hVHXLU6oMl+V/PsmIiJREG4rE=",
+        "lastModified": 1755934250,
+        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "7d81f6fb2e19bf84f1c65135d1060d829fae2408",
+        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
         "type": "github"
       },
       "original": {

hosts/artemis/README.md

@@ -2,7 +2,7 @@
 
 ## Overview
 
-Couch gaming PC and media centre
+Home theatre and gaming PC
 
 ## Specs
 
@@ -25,16 +25,24 @@ WD Black SN850X | `/dev/nvme0n1p1` (EFI, 500 MiB, NixOS Boot) <br> `/dev/nvme0n1
 rpool/
 ├── local
 │   ├── nix
-│   └── tmp
-├── system
 │   ├── root
-│   └── var
-└── user
-    └── home
+│   └── state
+└── safe
+    └── persist
 ```
 
 See [Graham Christensen's article](https://grahamc.com/blog/nixos-on-zfs/#datasets) for the motivation behind these datasets.
 
+#### Impermanence
+
+This machine uses [impermanence](https://github.com/nix-community/impermanence) and is rolled back to a clean state on each reboot.
+
+Mountpoint | Persists across reboots? | Backed up?
+--- | --- | ---
+`/` | No | Yes
+`/state` | Yes | No
+`/persist` | Yes | Yes
+
 ### Networks
 
 - DHCP on `10.0.1.0/24` subnet.

hosts/artemis/default.nix

@@ -18,6 +18,7 @@ in
     ./hardware-configuration.nix
     ./disko-config.nix
     ../desktop.nix
+    ../../users/guest
   ];
 
   nixpkgs = {
@@ -72,6 +73,8 @@ in
     capSysAdmin = true;
   };
 
+  programs.steam.enable = true;
+
   environment = {
     systemPackages = [ pkgs.wine ];
     sessionVariables.WINE_BIN = getExe pkgs.wine;

hosts/atlas/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ./hardware-configuration.nix
     ../desktop.nix
+    ../../users/jordan
   ];
 
   nixpkgs.hostPlatform = "x86_64-linux";

hosts/desktop.nix

@@ -1,4 +1,6 @@
 {
+  inputs,
+  config,
   pkgs,
   ...
 }:
@@ -6,7 +8,6 @@
 {
   imports = [
     ./common.nix
-    ../users/jordan
   ];
 
   services.printing.enable = true;
@@ -44,6 +45,9 @@
     randomizedDelaySec = "10min";
   };
 
+  age.secrets."passwords/users/root".file = "${inputs.secrets}/passwords/users/jordan.age";
+  users.users.root.hashedPasswordFile = config.age.secrets."passwords/users/root".path;
+
   systemd.services.NetworkManager-wait-online.enable = false;
 
   modules = {

hosts/eos/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ./hardware-configuration.nix
     ../desktop.nix
+    ../../users/jordan
   ];
 
   nixpkgs.hostPlatform = "x86_64-linux";

hosts/helios/default.nix

@@ -1,4 +1,5 @@
 {
+  inputs,
   pkgs,
   lib,
   ...
@@ -9,8 +10,11 @@ let
 in
 {
   imports = [
+    inputs.disko.nixosModules.disko
     ./hardware-configuration.nix
+    ./disko-config.nix
     ../desktop.nix
+    ../../users/jordan
   ];
 
   nixpkgs.hostPlatform = "x86_64-linux";

hosts/helios/disko-config.nix

@@ -0,0 +1,101 @@
+{ ... }:
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-SanDisk_Ultra_II_480GB_162224802391";
+        content = {
+          type = "gpt";
+          partitions = {
+            MBR = {
+              size = "1M";
+              type = "EF02"; # For GRUB MBR
+            };
+            boot = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "rpool";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      rpool = {
+        type = "zpool";
+        options = {
+          ashift = "12";
+        };
+        rootFsOptions = {
+          compression = "zstd";
+          acltype = "posix";
+          atime = "off";
+          xattr = "sa";
+          dnodesize = "auto";
+          mountpoint = "none";
+          canmount = "off";
+          devices = "off";
+          exec = "off";
+          setuid = "off";
+        };
+        datasets = {
+          "local" = {
+            type = "zfs_fs";
+          };
+          "local/root" = {
+            type = "zfs_fs";
+            mountpoint = "/";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/";
+              exec = "on";
+              setuid = "on";
+            };
+            postCreateHook = "zfs snapshot rpool/local/root@blank";
+          };
+          "local/nix" = {
+            type = "zfs_fs";
+            mountpoint = "/nix";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/nix";
+              exec = "on";
+              setuid = "on";
+            };
+          };
+          "local/state" = {
+            type = "zfs_fs";
+            mountpoint = "/state";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/state";
+            };
+          };
+          "safe" = {
+            type = "zfs_fs";
+          };
+          "safe/persist" = {
+            type = "zfs_fs";
+            mountpoint = "/persist";
+            options = {
+              canmount = "noauto";
+              mountpoint = "/persist";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/hypnos/default.nix

@@ -11,6 +11,7 @@
     ./hardware-configuration.nix
     ./disko-config.nix
     ../desktop.nix
+    ../../users/jordan
   ];
 
   nixpkgs = {

hosts/odyssey/default.nix

@@ -10,6 +10,7 @@
     ./gitea-runner.nix
     ./nix-serve.nix
     ../desktop.nix
+    ../../users/jordan
   ];
 
   nixpkgs = {

modules/nixos/impermanence.nix

@@ -35,7 +35,10 @@ in
         };
       };
 
-  age.identityPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+    "/etc/ssh/ssh_host_ed25519_key"
+  ];
 
   fileSystems."/state" = mkIf config.environment.persistence."/state".enable {
     neededForBoot = true;

users/guest/common/optional/graphical/steam.nix

@@ -0,0 +1,30 @@
+{
+  pkgs,
+  ...
+}:
+{
+  home.packages = with pkgs; [
+    gamescope
+    steam
+  ];
+
+  systemd.user.services.steam-big-picture = {
+    Unit = {
+      Description = "Steam Big Picture in Gamescope";
+      After = [
+        "graphical.target"
+        "default.target"
+      ];
+    };
+    Service = {
+      ExecStart = ''
+        ${pkgs.gamescope}/bin/gamescope --rt --backend drm --steam -- \
+          ${pkgs.steam}/bin/steam -pipewire-dmabuf -tenfoot
+      '';
+      Restart = "always";
+    };
+    Install = {
+      WantedBy = [ "default.target" ];
+    };
+  };
+}

users/guest/default.nix

@@ -0,0 +1,66 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib)
+    optional
+    ;
+  name = "guest";
+  hostFile = ./. + "/${config.networking.hostName}.nix";
+in
+{
+  users.users.${name} = {
+    description = "Guest";
+    extraGroups = [
+      "audio"
+      "input"
+      "render"
+      "video"
+    ];
+    group = "users";
+    isNormalUser = true;
+    shell = pkgs.zsh;
+  };
+
+  home-manager.users.${name} = {
+    imports = [
+      ./common/optional/graphical/steam.nix
+      {
+        home.persistence."/state" = {
+          directories = [
+            ".local/state/wireplumber"
+          ];
+        };
+        home.persistence."/persist" = {
+          directories = [
+            ".config/gamescope"
+            ".local/share/icons"
+            ".local/share/Steam"
+            ".local/share/vulkan"
+            ".steam"
+          ];
+        };
+      }
+    ]
+    ++ optional (builtins.pathExists hostFile) hostFile;
+
+    home = {
+      username = name;
+    };
+
+    xdg.enable = true;
+  };
+
+  services.getty = {
+    autologinOnce = true;
+    autologinUser = "guest";
+  };
+
+  # Workaround: https://github.com/nix-community/home-manager/issues/7166
+  systemd.services."home-manager-${name}".serviceConfig = {
+    RemainAfterExit = "yes";
+  };
+}

users/jordan/default.nix

@@ -15,7 +15,6 @@ in
 {
   age.secrets."passwords/users/jordan".file = "${inputs.secrets}/passwords/users/jordan.age";
 
-  users.users.root.hashedPasswordFile = config.age.secrets."passwords/users/jordan".path;
   users.users.${name} = {
     description = "Jordan Holt";
     extraGroups = [