Add a Lenovo T495s reference client + an in-place-upgrade disko layout #10

New issue

Open

opened 2026-06-18 08:37:04 +00:00 by bram.buijs · 1 comment

bram.buijs commented 2026-06-18 08:37:04 +00:00

Collaborator

Copy link

What's missing

There's one reference client today (dawo-hp-eb-850g7) and one disko layout
(single-nvme-luks, a fresh-install full-wipe). Two things I'd like to add:

1. A second hardware reference for an AMD ThinkPad (Lenovo T495s), so the
   hardware-module pattern is exercised on more than one machine.
2. A disko variant (nvme-luks-ext4) that matches a machine's existing
   storage and boot, so a host already running NixOS can switch to this config
   without a wipe, same ext4 cryptroot, same lanzaboote /var/lib/sbctl
   keys (so the signed chain and TPM2 unlock keep working). The full-wipe path
   stays single-nvme-luks.

Plus rollout/update docs: provisioning with nixos-anywhere (using the existing
disko layout, optional nixos-facter hardware generation) and updates over the
already-wired deploy-rs nodes.

Files

modules/hardware/lenovo-t495s.nix,
modules/hosts/profiles/disko/nvme-luks-ext4.nix,
modules/hosts/clients/dawo-t495s.nix, docs/deploy.md.

The host imports profiles-dawo-generic and carries a commented opt-in block
for the hardening modules (nothing auto-on), consistent with the opt-in posture.

Question

Are a second hardware reference and the in-place-upgrade disko variant welcome
upstream, or would you rather keep only the full-wipe path in the generic repo?
(The Forgejo CI workflow from my branch is mirror-specific and will be left out
of the PR.)

## What's missing There's one reference client today (`dawo-hp-eb-850g7`) and one disko layout (`single-nvme-luks`, a fresh-install full-wipe). Two things I'd like to add: 1. A second hardware reference for an AMD ThinkPad (Lenovo T495s), so the hardware-module pattern is exercised on more than one machine. 2. A disko variant (`nvme-luks-ext4`) that matches a machine's *existing* storage and boot, so a host already running NixOS can switch to this config **without a wipe**, same ext4 cryptroot, same lanzaboote `/var/lib/sbctl` keys (so the signed chain and TPM2 unlock keep working). The full-wipe path stays `single-nvme-luks`. Plus rollout/update docs: provisioning with nixos-anywhere (using the existing disko layout, optional `nixos-facter` hardware generation) and updates over the already-wired deploy-rs nodes. ## Files `modules/hardware/lenovo-t495s.nix`, `modules/hosts/profiles/disko/nvme-luks-ext4.nix`, `modules/hosts/clients/dawo-t495s.nix`, `docs/deploy.md`. The host imports `profiles-dawo-generic` and carries a commented opt-in block for the hardening modules (nothing auto-on), consistent with the opt-in posture. ## Question Are a second hardware reference and the in-place-upgrade disko variant welcome upstream, or would you rather keep only the full-wipe path in the generic repo? (The Forgejo CI workflow from my branch is mirror-specific and will be left out of the PR.)

bram.buijs referenced this issue 2026-06-18 08:37:05 +00:00

feat: add Lenovo T495s reference client + in-place-upgrade disko #14

bram.buijs referenced this issue 2026-06-18 08:37:05 +00:00

feat: overheid baseline (hardening opt-in, users, T495s host, 26.05 pin) #7

rutger.putter commented 2026-06-18 10:48:03 +00:00

Collaborator

Copy link

@bram.buijs wrote in #10 (comment):

Question

Are a second hardware reference and the in-place-upgrade disko variant welcome upstream, or would you rather keep only the full-wipe path in the generic repo? (The Forgejo CI workflow from my branch is mirror-specific and will be left out of the PR.)

I'd say specific hardware should not be part of the reference. The ideal location for hardware definitions should be nixos-hardware upstream. And any specific hardware profiles should be part of a organizational DAWO repo.

@bram.buijs wrote in https://code.overheid.nl/MinBZK/DAWO-NixOS/issues/10#issue-296: > ## [](#question)Question > > Are a second hardware reference and the in-place-upgrade disko variant welcome upstream, or would you rather keep only the full-wipe path in the generic repo? (The Forgejo CI workflow from my branch is mirror-specific and will be left out of the PR.) I'd say specific hardware should not be part of the reference. The ideal location for hardware definitions should be [nixos-hardware](https://github.com/NixOS/nixos-hardware) upstream. And any specific hardware profiles should be part of a organizational DAWO repo.

bram.buijs referenced this issue 2026-06-18 12:12:10 +00:00

feat(t495s): upstream T495 hardware, BTRFS disko, English deploy docs #20

rutger.putter referenced this issue from a commit 2026-06-18 12:53:33 +00:00

feat(t495s): use upstream T495 hardware, BTRFS disko, English docs

bram.buijs referenced this issue from a commit 2026-06-18 19:32:40 +00:00

revert daed6f81a189403e41d49df3d76cfb02d1de8ea5

bram.buijs referenced this issue 2026-06-18 19:33:03 +00:00

revert daed6f81a189403e41d49df3d76cfb02d1de8ea5 #32

rutger.putter added the

Kind/Enhancement

Kind/Discussion

labels 2026-06-22 09:19:53 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

release/0.1.0

No results found.

Labels

Clear labels   

Compat/Breaking

Breaking change that won't be backward compatible

  

Kind/Bug

Something is not working

  

Kind/Discussion

Any topic that needs discussion before a technical solution is accepted

  

Kind/Documentation

Documentation changes

  

Kind/Enhancement

Improve existing functionality

  

Kind/Feature

New functionality

  

Kind/Security

This is security issue

  

Kind/Testing

Issue or pull request related to testing

  

Priority

Critical

The priority is critical

  

Priority

High

The priority is high

  

Priority

Low

The priority is low

  

Priority

Medium

The priority is medium

  

Reviewed

Confirmed

Issue has been confirmed

  

Reviewed

Duplicate

This issue or pull request already exists

  

Reviewed

Invalid

Invalid issue

  

Reviewed

Won't Fix

This issue won't be fixed

  

Status

Abandoned

Somebody has started to work on this but abandoned work

  

Status

Blocked

Something is blocking this issue or pull request

  

Status

Help Wanted

If you're looking to help out, start here

  

Status

Need More Info

Feedback is required to reproduce issue or to continue work

  

Prio - Hoog

Hoge prioriteit

  

Prio - Laag

Lage prioriteit

  

Prio - Middel

Medium prioriteit

  

styling

Verbeteringen aan de styling

No labels

Compat/Breaking

Kind/Bug

Kind/Discussion

Kind/Documentation

Kind/Enhancement

Kind/Feature

Kind/Security

Kind/Testing

Priority

Critical

Priority

High

Priority

Low

Priority

Medium

Reviewed

Confirmed

Reviewed

Duplicate

Reviewed

Invalid

Reviewed

Won't Fix

Status

Abandoned

Status

Blocked

Status

Help Wanted

Status

Need More Info

Prio - Hoog

Prio - Laag

Prio - Middel

styling

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

MinBZK/DAWO-NixOS#10

No description provided.