# NixOS host configuration for a Raspberry Pi 4 with a TPM 2.0 HAT.
# Disk layout lives in ./disk.nix; secrets come from ./secrets.yaml via sops.
{ lib, ... }:

{
  imports = [ ./disk.nix ];

  time.timeZone = "America/New_York";

  # ZFS-style 8-hex-digit host identifier.
  networking.hostId = "c3798ccc";
  networking.useNetworkd = true;

  # Only HTTP is opened to the outside.
  # NOTE(review): the tang listener enabled below is not in allowedTCPPorts,
  # so it is only reachable where this firewall does not apply (or not at all) —
  # confirm that matches how clients are expected to reach it.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 ];

  # Raspberry Pi 4 boots through U-Boot / extlinux, so neither GRUB nor
  # systemd-boot may be enabled.
  boot.useSystemdBoot = lib.mkForce false;
  # Priority 0 outranks even mkForce (50); presumably some other module
  # forces GRUB on and has to be overridden here — confirm before relaxing.
  boot.loader.grub.enable = lib.mkOverride 0 false;

  # The systemd initrd is required for tpm2-device auto-unlock of the root
  # volume. After the first install, enroll the TPM with:
  #   systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --recovery-key /dev/mmcblk0p3
  # The --recovery-key printed at enrollment is the fallback if the TPM unseal
  # fails; store it off-device.
  # NOTE(review): PCR 7 normally reflects the UEFI Secure Boot policy. Whether
  # U-Boot on the Pi 4 extends PCRs 0 and 7 at all is not visible here — verify
  # that the bound values actually change with the boot chain, otherwise the
  # policy does not tie the key to boot integrity.
  boot.initrd.systemd.enable = true;
  boot.initrd.luks.devices."cryptroot".crypttabExtraOpts = [ "tpm2-device=auto" ];

  # sops-nix: decrypt secrets with the host's ed25519 SSH key used as an age identity.
  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Tang server (network-bound disk encryption key provider) for other hosts.
  services.tang.enable = true;

  system.stateVersion = "26.11";
}