From 28e9fba68692045a42390ad2c8cbc0575c371a9b Mon Sep 17 00:00:00 2001
From: gwg313 <gwg313@pm.me>
Date: Mon, 20 Apr 2026 15:02:46 -0400
Subject: [PATCH] add machine: grymforge

---
 modules/hosts/grymforge.nix          | 22 +++++++++
 modules/nixos/hardware/grymforge.nix | 68 ++++++++++++++++++++++++++++
 modules/users/gwg313.nix             |  7 +++
 secrets/hosts/grymforge.yaml         | 17 +++++++
 4 files changed, 114 insertions(+)
 create mode 100644 modules/hosts/grymforge.nix
 create mode 100644 modules/nixos/hardware/grymforge.nix
 create mode 100644 secrets/hosts/grymforge.yaml

diff --git a/modules/hosts/grymforge.nix b/modules/hosts/grymforge.nix
new file mode 100644
index 0000000..21cff5e
--- /dev/null
+++ b/modules/hosts/grymforge.nix
@@ -0,0 +1,22 @@
+{
+  config.dendritic.hosts.grymforge = {
+    system = "x86_64-linux";
+    type = "desktop";
+    roles = [
+      "workstation"
+    ];
+    primaryUser = "gwg313";
+    primaryUserExtraGroups = [
+      "wheel"
+      "networkmanager"
+      "audio"
+    ];
+
+    nixosModules = [
+      ../nixos/hardware/grymforge.nix
+      ../nixos/hosts/candlekeep/ssh.nix
+      ../nixos/hosts/candlekeep/nfs.nix
+      ../nixos/hosts/candlekeep/networking.nix
+    ];
+  };
+}
diff --git a/modules/nixos/hardware/grymforge.nix b/modules/nixos/hardware/grymforge.nix
new file mode 100644
index 0000000..518aa93
--- /dev/null
+++ b/modules/nixos/hardware/grymforge.nix
@@ -0,0 +1,68 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    initrd.luks.devices."luks-ab8d2b18-14de-44ff-a7b5-91d5f5d0e937".device =
+      "/dev/disk/by-uuid/ab8d2b18-14de-44ff-a7b5-91d5f5d0e937";
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/95565731-9a95-4fcc-857d-1f066f4e4acf";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."luks-c140b0df-2cce-4710-a2fa-94dd3016a7e6".device =
+    "/dev/disk/by-uuid/c140b0df-2cce-4710-a2fa-94dd3016a7e6";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/34C4-ECCE";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/2fea88dc-b9a8-40d6-a87d-f7383548e60d"; }
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/modules/users/gwg313.nix b/modules/users/gwg313.nix
index 1f626f6..45705a7 100644
--- a/modules/users/gwg313.nix
+++ b/modules/users/gwg313.nix
@@ -17,5 +17,12 @@
       roles = [ "workstation" ];
       extraModules = [ ];
     };
+
+    homes.grymforge = {
+      system = "x86_64-linux";
+      stateVersion = "25.11";
+      roles = [ "workstation" ];
+      extraModules = [ ];
+    };
   };
 }
diff --git a/secrets/hosts/grymforge.yaml b/secrets/hosts/grymforge.yaml
new file mode 100644
index 0000000..d01e47a
--- /dev/null
+++ b/secrets/hosts/grymforge.yaml
@@ -0,0 +1,17 @@
+system:
+    example: ENC[AES256_GCM,data:HGduc8uq6YhzDBM=,iv:IDdNjIjWAhTEzHiGrsuSpHSjidpeFnGdzkiBCjBv5H4=,tag:pm2IGSy3siDAhn2E7lMUhA==,type:str]
+sops:
+    age:
+        - recipient: age1k3hs0gyzrmsdyqh9lpret46q3xaayxxntruzc4euy6h3slqn4u6q36h7rg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0R1VYMmEvdWk5UzBQLzds
+            Q2JzSC9zZFJVWldHbTlkdTIrSXNFLzZqdjBFClJqZmxTSCtjeGwxNjA3VFVscEtP
+            NEhOcU9la2MzNWNEK1NwU0dNTHlPNFUKLS0tIHVWVlRkRHlwb21IemRFS3FTT1kz
+            U21XTEVjNWgzVHVYQ2dDQmIrV21EdGMKw14LaWlK9WbBXxnNvKfNgg44K9/Y7p5H
+            +3QeahQRu8OYn/tFyaMiRxIzLWOhBhtdqAH8k2GN2X5TxzGA1vxGXg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-14T00:22:17Z"
+    mac: ENC[AES256_GCM,data:bPSDTqcfnnUcj80y+9qUfWkX9NcBWdQETMC3qyZYB3FWrJryepWn4bMUEb5IBfwcZXiKWmvyOTXjFYEkx4F4YGZA0qz3usuq6EjeZDSFrpf9Itr9wdc400mc7cf5YFtNOkf+BuE3nsYQDj1KViBKReEgMjZe9bHjvmi1f+utvjM=,iv:DcvjgVAUTily7Xm1+3NCA7/P3+qE05WlQkkqKggm27g=,tag:47TIh6ybU4Cu8QybMxuz/g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2