2026-05-03 13:59:56 -04:00
|
|
|
{ lib, ... }:
|
|
|
|
|
{
|
2026-05-03 14:09:35 -04:00
|
|
|
imports = [ ./disk.nix ];
|
|
|
|
|
|
2026-05-03 13:59:56 -04:00
|
|
|
time.timeZone = "America/New_York";
|
|
|
|
|
|
|
|
|
|
networking = {
|
2026-05-03 14:09:35 -04:00
|
|
|
hostId = "c3798ccc";
|
2026-05-03 13:59:56 -04:00
|
|
|
firewall = {
|
|
|
|
|
enable = true;
|
|
|
|
|
allowedTCPPorts = [ 80 ];
|
|
|
|
|
};
|
|
|
|
|
useNetworkd = true;
|
|
|
|
|
};
|
|
|
|
|
|
2026-05-03 17:33:56 -04:00
|
|
|
# Raspberry Pi 4 uses U-Boot / extlinux — disable both GRUB and systemd-boot
|
|
|
|
|
# TPM 2.0 HAT: systemd initrd required for tpm2-device auto-unlock
|
|
|
|
|
# After first install, enroll with:
|
|
|
|
|
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --recovery-key /dev/mmcblk0p3
|
|
|
|
|
boot = {
|
|
|
|
|
useSystemdBoot = lib.mkForce false;
|
|
|
|
|
loader.grub.enable = lib.mkOverride 0 false;
|
|
|
|
|
initrd = {
|
|
|
|
|
systemd.enable = true;
|
|
|
|
|
luks.devices."cryptroot".crypttabExtraOpts = [ "tpm2-device=auto" ];
|
|
|
|
|
};
|
|
|
|
|
};
|
2026-05-03 13:59:56 -04:00
|
|
|
|
|
|
|
|
sops = {
|
|
|
|
|
defaultSopsFile = ./secrets.yaml;
|
|
|
|
|
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.tang.enable = true;
|
|
|
|
|
|
2026-05-03 14:09:35 -04:00
|
|
|
system.stateVersion = "26.11";
|
2026-05-03 13:59:56 -04:00
|
|
|
}
|
