pi4

hosts/pi4/boot.nix

@@ -0,0 +1,52 @@
+{ pkgs, lib, ... }:
+let
+  kernelBundle = pkgs.linuxAndFirmware.v6_6_31;
+in
+{
+  boot = {
+    loader.raspberryPi.firmwarePackage = kernelBundle.raspberrypifw;
+    kernelPackages = kernelBundle.linuxPackages_rpi4;
+  };
+  
+  hardware.raspberry-pi.config = {
+    all = { # [all] conditional filter, https://www.raspberrypi.com/documentation/computers/config_txt.html#conditional-filters
+
+      options = {
+        # https://www.raspberrypi.com/documentation/computers/config_txt.html#enable_uart
+        # in conjunction with `console=serial0,115200` in kernel command line (`cmdline.txt`)
+        # creates a serial console, accessible using GPIOs 14 and 15 (pins 
+        #  8 and 10 on the 40-pin header)
+        enable_uart = {
+          enable = true;
+          value = true;
+        };
+        # https://www.raspberrypi.com/documentation/computers/config_txt.html#uart_2ndstage
+        # enable debug logging to the UART, also automatically enables 
+        # UART logging in `start.elf`
+        uart_2ndstage = {
+          enable = true;
+          value = true;
+        };
+      };
+
+      # Base DTB parameters
+      # https://github.com/raspberrypi/linux/blob/a1d3defcca200077e1e382fe049ca613d16efd2b/arch/arm/boot/dts/overlays/README#L132
+      base-dt-params = {
+
+        # https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#enable-pcie
+        pciex1 = {
+          enable = true;
+          value = "on";
+        };
+        # PCIe Gen 3.0
+        # https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#pcie-gen-3-0
+        pciex1_gen = {
+          enable = true;
+          value = "3";
+        };
+
+      };
+
+    };
+  };
+}

hosts/pi4/configuration.nix

@@ -0,0 +1,87 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+let
+  user = "matt";
+  password = config.sops.secrets."jallen-nas/admin_password".path;
+  kernelBundle = pkgs.linuxAndFirmware.v6_6_31;
+in
+{
+  imports = [
+    ./boot.nix
+    ./impermanence.nix
+    ./networking.nix
+    ./sops.nix
+    ../default.nix
+    ../../modules/desktop-environments/cosmic/default.nix
+  ];
+
+  # Enable nix flakes and nix-command tools
+  nix = {
+    settings = {
+      substituters = [
+        "https://nixos-raspberrypi.cachix.org"
+      ];
+      trusted-public-keys = [
+        "nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
+      ];
+    };
+  };
+
+  # Configure nixpkgs
+  nixpkgs = {
+    overlays = lib.mkAfter [
+      (self: super: {
+        # This is used in (modulesPath + "/hardware/all-firmware.nix") when at least 
+        # enableRedistributableFirmware is enabled
+        # I know no easier way to override this package
+        inherit (kernelBundle) raspberrypiWirelessFirmware;
+        # Some derivations want to use it as an input,
+        # e.g. raspberrypi-dtbs, omxplayer, sd-image-* modules
+        inherit (kernelBundle) raspberrypifw;
+      })
+    ];
+  };
+
+  system.nixos.tags = let
+    cfg = config.boot.loader.raspberryPi;
+  in [
+    "raspberry-pi-${cfg.variant}"
+    cfg.bootloader
+    config.boot.kernelPackages.kernel.version
+  ];
+
+  systemd.services.btattach = {
+    before = [ "bluetooth.service" ];
+    after = [ "dev-ttyAMA0.device" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.bluez}/bin/btattach -B /dev/ttyAMA0 -P bcm -S 3000000";
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    libraspberrypi
+    raspberrypi-eeprom
+    raspberrypifw
+    raspberrypiWirelessFirmware
+    raspberrypi-armstubs
+    vim
+  ];
+
+  users = {
+    mutableUsers = false;
+    users."${user}" = {
+      isNormalUser = true;
+      hashedPasswordFile = password;
+      extraGroups = [
+        "wheel"
+        "docker"
+      ];
+      shell = pkgs.zsh;
+    };
+  };
+}

hosts/pi4/home.nix

@@ -0,0 +1,105 @@
+{ pkgs, ... }:
+let
+  shellAliases = {
+    ll = "ls -alh";
+    update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.18";
+    update-switch = "sudo nixos-rebuild switch --max-jobs 10 --build-host admin@10.0.1.18";
+    update-flake = "nix flake update desktop-nixpkgs desktop-chaotic desktop-home-manager desktop-impermanence desktop-lanzaboote desktop-nixos-hardware desktop-sops-nix desktop-steam-rom-manager --flake /etc/nixos";
+    update-nas = "nixos-rebuild switch --use-remote-sudo --target-host admin@10.0.1.18 --build-host admin@10.0.1.18 --flake ~/nix-config#jallen-nas";
+    nas-ssh = "kitten ssh admin@10.0.1.18";
+    ducks = "du -cksh * | sort -hr | head -n 15";
+  };
+
+  gitAliases = {
+    co = "checkout";
+    ci = "commit";
+    cia = "commit --amend";
+    s = "status";
+    st = "status";
+    b = "branch";
+    p = "pull --rebase";
+    pu = "push";
+  };
+in
+{
+  home.username = "matt";
+  home.homeDirectory = "/home/matt";
+  home.stateVersion = "23.11";
+
+  sops = {
+    age.keyFile = "/home/matt/.config/sops/age/keys.txt";
+    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
+    validateSopsFiles = false;
+    secrets = {
+      "ssh-keys-public/pi4" = {
+        path = "/home/matt/.ssh/id_ed25519.pub";
+        mode = "0644";
+      };
+      "ssh-keys-private/pi4" = {
+        path = "/home/matt/.ssh/id_ed25519";
+        mode = "0600";
+      };
+      "ssh-keys-public/desktop-nixos" = {
+        path = "/home/matt/.ssh/authorized_keys";
+        mode = "0600";
+      };
+
+      "ssh-keys-public/desktop-nixos-root" = {
+        path = "/home/matt/.ssh/authorized_keys2";
+        mode = "0600";
+      };
+
+      "ssh-keys-public/desktop-windows" = {
+        path = "/home/matt/.ssh/authorized_keys3";
+        mode = "0600";
+      };
+
+      "ssh-keys-public/macbook-macos" = {
+        path = "/home/matt/.ssh/authorized_keys4";
+        mode = "0600";
+      };
+    };
+  };
+
+  programs = {
+    fish.enable = false;
+    mangohud.enable = true;
+    java.enable = true;
+    home-manager.enable = true;
+
+    zsh = {
+      enable = true;
+      enableCompletion = true;
+      autosuggestion.enable = true;
+      syntaxHighlighting.enable = true;
+
+      shellAliases = shellAliases;
+
+      oh-my-zsh = {
+        enable = true;
+        plugins = [ "git" ];
+        theme = "fishy";
+      };
+    };
+    
+    git = {
+      enable = true;
+      userName = "mjallen18";
+      userEmail = "matt.l.jallen@gmail.com";
+      aliases = gitAliases;
+    };
+  };
+
+  home.packages = with pkgs; [
+    age
+    btop
+    fastfetch
+    firefox
+    home-manager
+    lm_sensors
+    mission-center
+    sops
+    tree
+    vscode
+  ];
+}

hosts/pi4/impermanence.nix

@@ -0,0 +1,36 @@
+{ ... }:
+{
+  # Set up impernance configuration for things like bluetooth
+  # In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
+
+  environment.persistence."/nix/persist/system" = {
+    hideMounts = true;
+    directories = [
+      "/var/lib/bluetooth"
+      "/var/lib/nixos"
+      "/var/lib/libvirt"
+      "/var/lib/systemd/coredump"
+      {
+        directory = "/var/lib/private";
+        mode = "u=rwx,g=,o=";
+      }
+      "/etc/NetworkManager/system-connections"
+      {
+        directory = "/etc/nix";
+        user = "root";
+        group = "root";
+        mode = "u=rwx,g=rx,o=rx";
+      }
+    ];
+#    files = [
+#      "/etc/machine-id"
+#      { file = "/etc/nix/id_rsa"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+#    ];
+  };
+
+  security.sudo.extraConfig = ''
+    # rollback results in sudo lectures after each reboot
+    Defaults lecture = never
+  '';
+
+}

hosts/pi4/networking.nix

@@ -0,0 +1,54 @@
+{ lib, config, ... }:
+let
+  hostname = "pi4";
+in
+{
+  # Networking configs
+  networking = {
+    hostName = hostname;
+
+    defaultGateway.address = "10.0.1.1";
+    nameservers = [ "10.0.1.1" ];
+
+    firewall = {
+      enable = true;
+      allowPing = true;
+    };
+
+    # Enable Network Manager
+    networkmanager = {
+      enable = lib.mkDefault true;
+      wifi.powersave = lib.mkDefault false;
+      settings.connectivity.uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
+      ensureProfiles = {
+        environmentFiles = [
+          config.sops.secrets.wifi.path
+        ];
+
+        profiles = {
+          "Joey's Jungle 5G" = {
+            connection = {
+              id = "Joey's Jungle 5G";
+              type = "wifi";
+            };
+            ipv4 = {
+              method = "auto";
+            };
+            ipv6 = {
+              addr-gen-mode = "stable-privacy";
+              method = "auto";
+            };
+            wifi = {
+              mode = "infrastructure";
+              ssid = "Joey's Jungle 5G";
+            };
+            wifi-security = {
+              key-mgmt = "sae";
+              psk = "$PSK";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/pi4/sops.nix

@@ -0,0 +1,36 @@
+{ config, ... }:
+let
+  user = "matt";
+in
+{
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+    secrets = {
+      "wifi" = { };
+      "desktop/matt_password" = {
+        neededForUsers = true;
+        mode = "0600";
+        owner = config.users.users."${user}".name;
+        group = config.users.users."${user}".group;
+      };
+
+      # ------------------------------
+      # SSH keys
+      # ------------------------------
+      "ssh-keys-public/pi4" = {
+        mode = "0644";
+        owner = config.users.users."${user}".name;
+        group = config.users.users."${user}".group;
+        restartUnits = [ "sshd.service" ];
+      };
+      "ssh-keys-private/pi4" = {
+        mode = "0600";
+        owner = config.users.users."${user}".name;
+        group = config.users.users."${user}".group;
+        restartUnits = [ "sshd.service" ];
+      };
+    };
+  };
+}