feat(nixos): replace X1 with ThinkPad T400; add Mac Pro 3,1 desktop

- lyrathorpe-t400 replaces lyrathorpe-x1c: ThinkPad T400 (legacy BIOS -> GRUB,
  Intel microcode + redistributable firmware for iwlwifi, pipewire, sshd).
- lyrathorpe-macpro31: new desktop host (portable = false) importing
  desktop.nix. Mac Pro 3,1 has 64-bit EFI -> systemd-boot; wired NetworkManager
  via desktop.nix; desktop status bar (temperature + net, no battery).

Both ship hand-written placeholder hardware-configuration.nix (root/swap/ESP by
label, GRUB device /dev/sda) to be regenerated with nixos-generate-config and
committed at install time. All five host configs evaluate; nixfmt clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

system/machine/MacPro31/configuration.nix

@@ -0,0 +1,57 @@
+# Apple Mac Pro 3,1 (Early 2008, dual Xeon Harpertown, x86_64). Desktop host:
+# shared graphical/wired options live in ../../modules/desktop.nix; only
+# host-specific settings are here.
+{ ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # The Mac Pro 3,1 has 64-bit EFI (confirmed by the owner), so boot via
+  # systemd-boot like the MBP -- no GRUB/BIOS shim needed.
+  boot.loader.systemd-boot.enable = true;
+  # Apple's EFI does not reliably support efibootmgr NVRAM writes; leave the
+  # firmware vars untouched.
+  boot.loader.efi.canTouchEfiVariables = false;
+  # Apple-EFI quirk: if the Mac does not pick up the bootloader at the boot
+  # picker, install it to the fallback path \EFI\BOOT\BOOTX64.EFI and/or
+  # "bless" the ESP from macOS. Uncomment to write the removable fallback path:
+  # boot.loader.efi.efiInstallAsRemovable = true;
+
+  networking.hostName = "MacPro31-NixOS";
+
+  # This host accepts SSH, so open 22 (the firewall itself is enabled in
+  # workstation.nix with a default-deny policy).
+  services.openssh.enable = true;
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
+  services.pipewire = {
+    enable = true;
+    pulse.enable = true;
+  };
+
+  # No fingerprint hardware; empty service still lets swaylock authenticate via
+  # password.
+  security.pam.services.swaylock = { };
+
+  # Dual Harpertown Xeon microcode + redistributable firmware (e.g. GPU/NIC
+  # blobs).
+  hardware.cpu.intel.updateMicrocode = true;
+  hardware.enableRedistributableFirmware = true;
+
+  # GPU note: the stock card varies between units -- ATI Radeon HD 2600 XT or
+  # NVIDIA GeForce 8800 GT. Sway needs a working KMS/modesetting driver; do NOT
+  # install a proprietary blob here. Depending on the installed card, rely on
+  # the open kernel driver:
+  #   - ATI Radeon HD 2600 XT -> "radeon" (older) or "amdgpu" KMS
+  #   - NVIDIA GeForce 8800 GT -> "nouveau" KMS
+  # These come up automatically via the in-tree drivers + KMS, and the graphics
+  # stack itself is enabled by swaywm.nix. If a card needs to be forced, add it
+  # here, e.g. `services.xserver.videoDrivers = [ "radeon" ];` (or "nouveau"),
+  # and/or `boot.initrd.kernelModules = [ "radeon" ];` in
+  # hardware-configuration.nix for early KMS.
+
+  # See `man configuration.nix` / the stateVersion docs before changing.
+  system.stateVersion = "26.05";
+}

system/machine/MacPro31/hardware-configuration.nix

@@ -0,0 +1,52 @@
+# PLACEHOLDER -- hand-written, not machine-generated. Regenerate on the real
+# Mac Pro 3,1 with `nixos-generate-config` and commit the result. The device
+# labels below are guesses; replace them with the generated UUIDs (or label the
+# partitions accordingly at install time).
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "ata_piix"
+    "ehci_pci"
+    "uhci_hcd"
+    "firewire_ohci"
+    "usb_storage"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # EFI System Partition for systemd-boot. Label the ESP `ESP` at install, or
+  # replace with the generated UUID.
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/ESP";
+    fsType = "vfat";
+  };
+
+  # Label your root partition `nixos` at install, or replace with the generated UUID.
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-label/swap"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

system/machine/T400/configuration.nix

@@ -0,0 +1,43 @@
+# ThinkPad T400 (NixOS). Shared laptop options live in ../../modules/laptop.nix;
+# only host-specific settings are here.
+{ ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # The T400 is legacy BIOS only (no UEFI), so boot via GRUB in BIOS mode.
+  # `device` must point at the actual install disk -- adjust if it is not /dev/sda.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+  };
+
+  networking.hostName = "T400-NixOS";
+
+  console.font = "Lat2-Terminus16";
+
+  services.pipewire = {
+    enable = true;
+    pulse.enable = true;
+  };
+
+  # This host accepts SSH, so open 22 (the firewall itself is enabled in
+  # laptop.nix with a default-deny policy).
+  services.openssh.enable = true;
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
+  # The T400's fingerprint reader differs/may be absent; empty service still
+  # lets swaylock authenticate via password.
+  security.pam.services.swaylock = { };
+
+  # Intel Core 2 (Penryn) microcode + redistributable firmware for the Intel
+  # WiFi Link 5100/5300 iwlwifi blobs. The GMA 4500MHD works out of the box via
+  # i915/KMS, so no extra graphics config is needed.
+  hardware.cpu.intel.updateMicrocode = true;
+  hardware.enableRedistributableFirmware = true;
+
+  # See `man configuration.nix` / the stateVersion docs before changing.
+  system.stateVersion = "26.05";
+}

system/machine/T400/hardware-configuration.nix

@@ -0,0 +1,44 @@
+# PLACEHOLDER -- hand-written, not machine-generated. Regenerate on the real
+# T400 with `nixos-generate-config` and commit the result. The device labels
+# below are guesses; replace them with the generated UUIDs (or label the
+# partitions accordingly at install time).
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "ata_piix"
+    "ehci_pci"
+    "uhci_hcd"
+    "usb_storage"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Label your root partition `nixos` at install, or replace with the generated UUID.
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-label/swap"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

system/machine/X1/configuration.nix

@@ -1,33 +0,0 @@
-# ThinkPad X1 (NixOS). Shared laptop options live in ../../modules/laptop.nix;
-# only host-specific settings are here.
-{ ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "X1-NixOS";
-  networking.domain = "client.cbg.emmaisvery.gay";
-
-  console.font = "Lat2-Terminus16";
-
-  services.pipewire = {
-    enable = true;
-    pulse.enable = true;
-  };
-
-  # This host accepts SSH, so open 22 (the firewall itself is enabled in
-  # laptop.nix with a default-deny policy).
-  services.openssh.enable = true;
-  networking.firewall.allowedTCPPorts = [ 22 ];
-
-  # Fingerprint reader: allow swaylock to authenticate via fprintd.
-  services.fprintd.enable = true;
-  security.pam.services.swaylock.fprintAuth = true;
-
-  # See `man configuration.nix` / the stateVersion docs before changing.
-  system.stateVersion = "24.11";
-}

system/machine/X1/hardware-configuration.nix

@@ -1,42 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/a7145534-b122-4899-a75a-3d2e78474d6b";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/1338-3D4F";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/e553c8dc-9d5a-48ec-87bc-9c86ce5932a4"; }
-    ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wwan0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}