add argiletum

.sops.yaml

@@ -9,6 +9,10 @@ keys:
     - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
     - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
     - &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
+    # argiletum: replace placeholder after first boot with:
+    #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+    # then run: sops updatekeys systems/argiletum/secrets.yaml
+    - &argiletum age1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     # cspell:enable
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
@@ -55,3 +59,9 @@ creation_rules:
             - *admin_alice
           age:
             - *palatine-hill
+    - path_regex: systems/argiletum/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *argiletum

systems/argiletum/configuration.nix

@@ -0,0 +1,25 @@
+{ lib, ... }:
+{
+  time.timeZone = "America/New_York";
+
+  networking = {
+    hostId = "5f8a1c2e";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 ];
+    };
+    useNetworkd = true;
+  };
+
+  # Raspberry Pi 4 uses U-Boot / extlinux, not systemd-boot
+  boot.useSystemdBoot = lib.mkForce false;
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
+
+  services.tang.enable = true;
+
+  system.stateVersion = "25.11";
+}

systems/argiletum/default.nix

@@ -0,0 +1,11 @@
+{ inputs, ... }:
+{
+  system = "aarch64-linux";
+  server = true;
+  home = false;
+  sops = true;
+  users = [ "alice" ];
+  modules = [
+    inputs.nixos-hardware.nixosModules.raspberry-pi-4
+  ];
+}

systems/argiletum/hardware.nix

@@ -0,0 +1,21 @@
+# TODO: replace with the output of:
+#   sudo nixos-generate-config --show-hardware-config
+# run on the Pi after initial boot into the NixOS installer.
+{ ... }:
+{
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot/firmware" = {
+    device = "/dev/disk/by-label/NIXOS_BOOT";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  swapDevices = [ ];
+}