MinBZK/DAWO-NixOS
33
3
Fork 0
Code Issues 14 Pull requests 4 Projects Releases Wiki Activity Actions

feat: add Lenovo T495s reference client + in-place-upgrade disko #14

Closed
bram.buijs wants to merge 1 commit from bram.buijs/DAWO-NixOS:pr-t495s into main
pull from: bram.buijs/DAWO-NixOS:pr-t495s
merge into: MinBZK:main
Conversation 4 Commits 1 Files changed 4 +188
bram.buijs commented 2026-06-18 08:37:05 +00:00
Collaborator
Copy link

Adds, as discussed in #10:

  • modules/hardware/lenovo-t495s.nix, AMD ThinkPad T495s hardware module
    (initrd modules from an on-device nixos-generate-config; replace with
    nixos-facter once it boots)
  • modules/hosts/profiles/disko/nvme-luks-ext4.nix, ext4-cryptroot layout that
    matches an existing install, for in-place migration without a wipe
    (single-nvme-luks stays the full-wipe path)
  • modules/hosts/clients/dawo-t495s.nix, the host, wired through
    profiles-dawo-generic, with a commented opt-in block for the hardening
    modules; lanzaboote secure boot reusing the existing /var/lib/sbctl keys so
    the signed chain and TPM2 unlock keep working
  • docs/deploy.md, provisioning with nixos-anywhere and updates via deploy-rs

Note: this drops the .forgejo CI workflow that was in my branch, it's
mirror-specific, not for upstream.

Evaluates green.

Build/deploy proof to follow: verifying on a Lenovo T495s before merge.

Adds, as discussed in #10: - `modules/hardware/lenovo-t495s.nix`, AMD ThinkPad T495s hardware module (initrd modules from an on-device `nixos-generate-config`; replace with `nixos-facter` once it boots) - `modules/hosts/profiles/disko/nvme-luks-ext4.nix`, ext4-cryptroot layout that matches an existing install, for in-place migration without a wipe (`single-nvme-luks` stays the full-wipe path) - `modules/hosts/clients/dawo-t495s.nix`, the host, wired through `profiles-dawo-generic`, with a commented opt-in block for the hardening modules; lanzaboote secure boot reusing the existing `/var/lib/sbctl` keys so the signed chain and TPM2 unlock keep working - `docs/deploy.md`, provisioning with nixos-anywhere and updates via deploy-rs Note: this drops the `.forgejo` CI workflow that was in my branch, it's mirror-specific, not for upstream. Evaluates green. Build/deploy proof to follow: verifying on a Lenovo T495s before merge.
Add an AMD ThinkPad T495s reference client next to the existing hp-elitebook, plus an ext4-cryptroot disko variant (nvme-luks-ext4) that matches an existing install so a host can switch to this config without a wipe (single-nvme-luks stays the full-wipe path), reusing the lanzaboote keys. docs/deploy.md covers provisioning with nixos-anywhere and updates via deploy-rs.
rutger.putter commented 2026-06-18 09:41:21 +00:00
Collaborator
Copy link

Deploy.md looks good, but let's keep it English as per the CONTRIBUTING.md.

Deploy.md looks good, but let's keep it English as per the [CONTRIBUTING.md](https://code.overheid.nl/MinBZK/DAWO-NixOS/src/branch/main/CONTRIBUTING.md).
rutger.putter commented 2026-06-18 09:42:37 +00:00
Collaborator
Copy link

The T495 from Lenovo already has a upstream config here. Could you include it?

The T495 from Lenovo already has a upstream config [here](https://github.com/NixOS/nixos-hardware/tree/master/lenovo/thinkpad/t495). Could you include it?
rutger.putter commented 2026-06-18 09:44:10 +00:00
Collaborator
Copy link

Is there a specific reason you're implementing ext4 while we already have a disko profile with BTRFS and will prevent any inode issues in the future?

Is there a specific reason you're implementing ext4 while we already have a disko profile with BTRFS and will prevent any inode issues in the future?
bram.buijs commented 2026-06-18 12:23:09 +00:00
Author
Collaborator
Copy link

Superseded by #20, which reworks this onto upstream nixos-hardware for the T495 and a BTRFS single-nvme-luks disko layout, with English deploy docs. Closing this one in favour of #20.

Superseded by #20, which reworks this onto upstream nixos-hardware for the T495 and a BTRFS single-nvme-luks disko layout, with English deploy docs. Closing this one in favour of #20.
bram.buijs closed this pull request 2026-06-18 12:23:09 +00:00

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
Compat/Breaking
Breaking change that won't be backward compatible

  
Kind/Bug
Something is not working

  
Kind/Discussion
Any topic that needs discussion before a technical solution is accepted

  
Kind/Documentation
Documentation changes

  
Kind/Enhancement
Improve existing functionality

  
Kind/Feature
New functionality

  
Kind/Security
This is security issue

  
Kind/Testing
Issue or pull request related to testing

  
Priority
Critical
 The priority is critical

  
Priority
High
 The priority is high

  
Priority
Low
 The priority is low

  
Priority
Medium
 The priority is medium

  
Reviewed
Confirmed
 Issue has been confirmed

  
Reviewed
Duplicate
 This issue or pull request already exists

  
Reviewed
Invalid
 Invalid issue

  
Reviewed
Won't Fix
 This issue won't be fixed

  
Status
Abandoned
 Somebody has started to work on this but abandoned work

  
Status
Blocked
 Something is blocking this issue or pull request

  
Status
Help Wanted
 If you're looking to help out, start here

  
Status
Need More Info
 Feedback is required to reproduce issue or to continue work

  
Prio - Hoog
Hoge prioriteit

  
Prio - Laag
Lage prioriteit

  
Prio - Middel
Medium prioriteit

  
styling
Verbeteringen aan de styling

No labels
Compat/Breaking
Kind/Bug
Kind/Discussion
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Security
Kind/Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Help Wanted
Status
Need More Info
Prio - Hoog
Prio - Laag
Prio - Middel
styling
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
MinBZK/DAWO-NixOS!14
No description provided.