From 9222be40529dccaea606c0b261ac2f2f9999999a Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Sun, 3 May 2026 13:59:56 -0400
Subject: [PATCH] add argiletum
---
 .sops.yaml | 10 ++++++++++
 systems/argiletum/configuration.nix | 25 +++++++++++++++++++++++++
 systems/argiletum/default.nix | 11 +++++++++++
 systems/argiletum/hardware.nix | 21 +++++++++++++++++++++
 4 files changed, 67 insertions(+)
 create mode 100644 systems/argiletum/configuration.nix
 create mode 100644 systems/argiletum/default.nix
 create mode 100644 systems/argiletum/hardware.nix
diff --git a/.sops.yaml b/.sops.yaml
index 45d9626..6aa989c 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,6 +9,10 @@ keys:
 - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
 - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
 - &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
+ # argiletum: replace placeholder after first boot with:
+ # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+ # then run: sops updatekeys systems/argiletum/secrets.yaml
+ - &argiletum age1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 # cspell:enable
 # add new users by executing: sops users//secrets.yaml
 # then have someone already in the repo run the below
@@ -55,3 +59,9 @@ creation_rules:
 - *admin_alice
 age:
 - *palatine-hill
+ - path_regex: systems/argiletum/secrets.*\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_alice
+ age:
+ - *argiletum
diff --git a/systems/argiletum/configuration.nix b/systems/argiletum/configuration.nix
new file mode 100644
index 0000000..0b85d97
--- /dev/null
+++ b/systems/argiletum/configuration.nix
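Review bot: The `&argiletum` recipient added under `keys:` is a placeholder rather than a real age public key, and it is the only age recipient the new `creation_rules` entry in the second hunk encrypts to. As far as I can tell a run of identical characters will not pass age's recipient checksum, so `sops` should refuse to encrypt or `updatekeys` anything matching `systems/argiletum/secrets.*\.yaml$` until it is replaced — a safe failure mode, but the comment should say so instead of leaving a reader to wonder why the rule does not work. The comment also tells the operator to run `sops updatekeys`, which only re-encrypts an existing file; this commit does not add `systems/argiletum/secrets.yaml` (it is absent from the diffstat), so the first step is to create it with `sops systems/argiletum/secrets.yaml`, the same way the existing comment describes for user secrets. Suggest rewording the note to `# argiletum: PLACEHOLDER, not a valid recipient - sops fails on systems/argiletum/* until this is the ssh-to-age output of the host key; then create secrets.yaml with sops (updatekeys only works on an existing file)`.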
@@ -0,0 +1,25 @@
+{ lib, ... }:
+{
+ time.timeZone = "America/New_York";
+
+ networking = {
+ hostId = "5f8a1c2e";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 ];
+ };
+ useNetworkd = true;
+ };
+
+ # Raspberry Pi 4 uses U-Boot / extlinux, not systemd-boot
+ boot.useSystemdBoot = lib.mkForce false;
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ };
+
+ services.tang.enable = true;
+
+ system.stateVersion = "25.11";
+}
diff --git a/systems/argiletum/default.nix b/systems/argiletum/default.nix
new file mode 100644
index 0000000..b906976
--- /dev/null
+++ b/systems/argiletum/default.nix
@@ -0,0 +1,11 @@
+{ inputs, ... }:
+{
+ system = "aarch64-linux";
+ server = true;
+ home = false;
+ sops = true;
+ users = [ "alice" ];
+ modules = [
+ inputs.nixos-hardware.nixosModules.raspberry-pi-4
+ ];
+}
diff --git a/systems/argiletum/hardware.nix b/systems/argiletum/hardware.nix
new file mode 100644
index 0000000..5ea917c
--- /dev/null
+++ b/systems/argiletum/hardware.nix
@@ -0,0 +1,21 @@
+# TODO: replace with the output of:
+# sudo nixos-generate-config --show-hardware-config
+# run on the Pi after initial boot into the NixOS installer.
+{ ... }:
+{
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot/firmware" = {
+ device = "/dev/disk/by-label/NIXOS_BOOT";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
+ ];
+ };
+
+ swapDevices = [ ];
+}
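Review bot: The firewall in configuration.nix opens only TCP 80 while `services.tang.enable = true;` leaves tang on its default listener; if I recall the NixOS module correctly that default is `services.tang.listenStream = [ "7654" ]`, so tang would not be reachable through the firewall as written and port 80 is opened for nothing visible in this commit. Either set `services.tang.listenStream = [ "80" ];` or change `allowedTCPPorts = [ 80 ];` to `allowedTCPPorts = [ 7654 ];`, whichever matches the clients' advertised URL. Because tang answers any client that can reach it, it is also worth pinning the listener to the intended network with `services.tang.ipAddressAllow` (if the module version in use has it) rather than exposing it to every peer the Pi can see. Separately, `defaultSopsFile = ./secrets.yaml;` names a file this commit does not create; presumably that is harmless until a `sops.secrets` entry is declared, but a one-line comment such as `# secrets.yaml is created with sops once the host age key is known` would save the next reader a search.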