mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

retire pi4

Browse Source
This commit is contained in:
mjallen18
2026-02-19 18:35:13 -06:00
parent a5162e9e76
commit d7958927b5
16 changed files with 0 additions and 1095 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
.sops.yaml
View File

@@ -2,12 +2,10 @@
keys:
- &matt-pgp CBCB9B18A6B8930B0B6ABFD1CCB8CBEB30633684
- &matt age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
- &matt_pi4 age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u
- &matt_pi5 age1wpvfpv5n32lruk7c0da4uaeapsmhjxdvg8z4ljehn06l6g2y0e0sum404l
- &desktop age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf
- &admin age1pm3fehmmk0vmnrscz9vm96rakn46aaldr5ydpscmde3v9x0k3faswwdzxs
- &jallen-nas age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt
- &pi4 age1ykkjw57t3z3deup3gtp7dujyaslskn74e0d9hsmqaha2pj3rvazqgndw5a
- &pi5 age1t2d5scrukk0guva5sr97a8tge5j8kd865adezrcru7p269pzwvpsamkgje
- &deck age1c8qw59ffcq9l77gfmtyc3djtvt3md0u6dwhrjcgsm98ntyf72ufqugj7cg
- &steamdeck age1er5qucsc2mugrzrr7n3xhzv7kemkrqrw4m84r544fkk7nkg5g5eswxkqj0
@@ -24,12 +22,10 @@ creation_rules:
- *matt-pgp
age:
- *matt
- *matt_pi4
- *matt_pi5
- *desktop
- *admin
- *jallen-nas
- *pi4
- *pi5
- *deck
- *steamdeck
@@ -70,29 +66,14 @@ creation_rules:
- *jallen-nas
- *matt_allyx
- *allyx
- path_regex: pi4-secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *matt-pgp
age:
- *matt
- *matt_pi4
- *matt_pi5
- *desktop
- *pi4
- *pi5
- *admin
- *jallen-nas
- path_regex: pi5-secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *matt-pgp
age:
- *matt
- *matt_pi4
- *matt_pi5
- *desktop
- *pi4
- *pi5
- *admin
- *jallen-nas

1
docs/architecture.md
View File

@@ -36,7 +36,6 @@ This NixOS configuration repository is built using [Nix Flakes](https://nixos.wi
├── jallen-nas/ # NAS server configuration
├── matt-nixos/ # Desktop configuration
├── nuc-nixos/ # NUC configuration
├── pi4/ # Raspberry Pi 4 configuration
└── ... # Other system configurations
```

1
docs/systems/README.md
View File

@@ -7,7 +7,6 @@ This directory contains documentation for each system configuration in this repo
- [Desktop (matt-nixos)](./matt-nixos.md) - Main desktop computer
- [NAS (jallen-nas)](./jallen-nas.md) - Home server and NAS
- [NUC (nuc-nixos)](./nuc-nixos.md) - Intel NUC
- [Raspberry Pi 4](./pi4.md) - Raspberry Pi 4
- [Raspberry Pi 5](./pi5.md) - Raspberry Pi 5
- [MacBook Pro (nixOS)](./macbook-pro-nixos.md) - MacBook Pro running NixOS

9
flake.nix
View File

@@ -199,15 +199,6 @@
];
};
# ######################################################
# Pi4 #
# ######################################################
pi4 = {
modules = with inputs; [
disko.nixosModules.disko
];
};
# ######################################################
# Pi5 #
# ######################################################

54
homes/aarch64-linux/matt@pi4/default.nix
View File

@@ -1,54 +0,0 @@
{ lib, namespace, ... }:
let
inherit (lib.${namespace}) enabled disabled;
in
{
home.username = "matt";
sops = {
age.keyFile = "/home/matt/.config/sops/age/keys.txt";
defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
validateSopsFiles = false;
secrets = {
"ssh-keys-public/pi4" = {
path = "/home/matt/.ssh/id_ed25519.pub";
mode = "0644";
};
"ssh-keys-private/pi4" = {
path = "/home/matt/.ssh/id_ed25519";
mode = "0600";
};
# "ssh-keys-public/desktop-nixos" = {
# path = "/home/matt/.ssh/authorized_keys";
# mode = "0600";
# };
# "ssh-keys-public/desktop-nixos-root" = {
# path = "/home/matt/.ssh/authorized_keys2";
# mode = "0600";
# };
# "ssh-keys-public/desktop-windows" = {
# path = "/home/matt/.ssh/authorized_keys3";
# mode = "0600";
# };
# "ssh-keys-public/macbook-macos" = {
# path = "/home/matt/.ssh/authorized_keys4";
# mode = "0600";
# };
};
};
programs = {
mangohud = lib.mkForce enabled;
};
services = {
nextcloud-client = lib.mkForce disabled;
kdeconnect = {
enable = false;
indicator = false;
};
};
}

18
homes/aarch64-linux/root@pi4/default.nix
View File

@@ -1,18 +0,0 @@
{
lib,
namespace,
...
}:
let
inherit (lib.${namespace}) disabled;
in
{
home.username = "root";
services = {
nextcloud-client = lib.mkForce disabled;
kdeconnect = {
enable = false;
indicator = false;
};
};
}

4
modules/nixos/services/attic/default.nix
View File

@@ -107,10 +107,6 @@ let
echo "steamdeck built successfully at $(date)"
fi;
if nh os build --hostname=pi4 --out-link=result-pi4; then
echo "pi4 built successfully at $(date)"
fi;
if nh os build --hostname=pi5 --out-link=result-pi5; then
echo "pi5 built successfully at $(date)"
fi;

263
packages/uboot/default.nix
View File

@@ -1,263 +0,0 @@
{
lib,
bc,
bison,
flex,
gnutls,
installShellFiles,
libuuid,
ncurses,
openssl,
swig,
which,
python3,
perl,
buildPackages,
callPackages,
darwin,
namespace,
}@pkgs:
let
inherit (lib.trivial) importJSON;
inherit (lib.${namespace}) selectVariant mkAllSources;
versionSpec = importJSON ./version.json;
selected = selectVariant versionSpec null null;
sources = mkAllSources selected;
defaultVersion = selected.variables.version;
defaultSrc = sources.uboot;
# Dependencies for the tools need to be included as either native or cross,
# depending on which we're building
toolsDeps = [
ncurses # tools/kwboot
libuuid # tools/mkeficapsule
gnutls # tools/mkeficapsule
openssl # tools/mkimage and tools/env/fw_printenv
];
buildUBoot = lib.makeOverridable (
{
version ? null,
src ? null,
filesToInstall,
pythonScriptsToInstall ? { },
installDir ? "$out",
defconfig,
extraPatches ? [ ],
extraMakeFlags ? [ ],
extraMeta ? { },
crossTools ? false,
stdenv ? pkgs.stdenv,
...
}@args:
stdenv.mkDerivation (
{
pname = "uboot-${defconfig}";
version = if src == null then defaultVersion else version;
src = if src == null then defaultSrc else src;
patches = extraPatches;
postPatch = ''
${lib.concatMapStrings (script: ''
substituteInPlace ${script} \
--replace "#!/usr/bin/env python3" "#!${pythonScriptsToInstall.${script}}/bin/python3"
'') (builtins.attrNames pythonScriptsToInstall)}
patchShebangs tools
patchShebangs scripts
'';
nativeBuildInputs = [
ncurses # tools/kwboot
bc
bison
flex
installShellFiles
(buildPackages.python3.withPackages (p: [
p.libfdt
p.setuptools # for pkg_resources
p.pyelftools
]))
swig
which # for scripts/dtc-version.sh
perl # for oid build (secureboot)
]
++ lib.optionals (!crossTools) toolsDeps
++ lib.optionals stdenv.buildPlatform.isDarwin [ darwin.DarwinTools ]; # sw_vers command is needed on darwin
depsBuildBuild = [ buildPackages.gccStdenv.cc ]; # gccStdenv is needed for Darwin buildPlatform
buildInputs = lib.optionals crossTools toolsDeps;
hardeningDisable = [ "all" ];
enableParallelBuilding = true;
makeFlags = [
"DTC=${lib.getExe buildPackages.dtc}"
"CROSS_COMPILE=${stdenv.cc.targetPrefix}"
"HOSTCFLAGS=-fcommon"
]
++ extraMakeFlags;
passAsFile = [ "extraConfig" ];
configurePhase = ''
runHook preConfigure
make -j$NIX_BUILD_CORES ${defconfig}
cat $extraConfigPath >> .config
runHook postConfigure
'';
installPhase = ''
runHook preInstall
mkdir -p ${installDir}
cp ${
lib.concatStringsSep " " (filesToInstall ++ builtins.attrNames pythonScriptsToInstall)
} ${installDir}
mkdir -p "$out/nix-support"
${lib.concatMapStrings (file: ''
echo "file binary-dist ${installDir}/${baseNameOf file}" >> "$out/nix-support/hydra-build-products"
'') (filesToInstall ++ builtins.attrNames pythonScriptsToInstall)}
runHook postInstall
'';
dontStrip = true;
meta =
with lib;
{
homepage = "https://www.denx.de/wiki/U-Boot/";
description = "Boot loader for embedded systems";
license = licenses.gpl2Plus;
maintainers = with maintainers; [
dezgeg
lopsided98
];
}
// extraMeta;
}
// removeAttrs args [
"extraMeta"
"pythonScriptsToInstall"
]
)
);
in
{
inherit buildUBoot;
ubootTools = buildUBoot {
defconfig = "tools-only_defconfig";
installDir = "$out/bin";
hardeningDisable = [ ];
dontStrip = false;
extraMeta.platforms = lib.platforms.linux;
crossTools = true;
extraMakeFlags = [
"HOST_TOOLS_ALL=y"
"NO_SDL=1"
"cross_tools"
"envtools"
];
outputs = [
"out"
"man"
];
postInstall = ''
installManPage doc/*.1
# from u-boot's tools/env/README:
# "You should then create a symlink from fw_setenv to fw_printenv. They
# use the same program and its function depends on its basename."
ln -s $out/bin/fw_printenv $out/bin/fw_setenv
'';
filesToInstall = [
"tools/dumpimage"
"tools/fdt_add_pubkey"
"tools/fdtgrep"
"tools/kwboot"
"tools/mkeficapsule"
"tools/mkenvimage"
"tools/mkimage"
"tools/env/fw_printenv"
"tools/mkeficapsule"
];
pythonScriptsToInstall = {
"tools/efivar.py" = (python3.withPackages (ps: [ ps.pyopenssl ]));
};
};
ubootPythonTools = lib.recurseIntoAttrs (callPackages ./python.nix { });
ubootQemuAarch64 = buildUBoot {
defconfig = "qemu_arm64_defconfig";
extraMeta.platforms = [ "aarch64-linux" ];
filesToInstall = [ "u-boot.bin" ];
};
ubootQemuArm = buildUBoot {
defconfig = "qemu_arm_defconfig";
extraMeta.platforms = [ "armv7l-linux" ];
filesToInstall = [ "u-boot.bin" ];
};
ubootQemuRiscv64Smode = buildUBoot {
defconfig = "qemu-riscv64_smode_defconfig";
extraMeta.platforms = [ "riscv64-linux" ];
filesToInstall = [ "u-boot.bin" ];
};
ubootQemuX86 = buildUBoot {
defconfig = "qemu-x86_defconfig";
extraConfig = ''
CONFIG_USB_UHCI_HCD=y
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_GENERIC=y
CONFIG_USB_XHCI_HCD=y
'';
extraMeta.platforms = [
"i686-linux"
"x86_64-linux"
];
filesToInstall = [ "u-boot.rom" ];
};
ubootQemuX86_64 = buildUBoot {
defconfig = "qemu-x86_64_defconfig";
extraConfig = ''
CONFIG_USB_UHCI_HCD=y
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_GENERIC=y
CONFIG_USB_XHCI_HCD=y
'';
extraMeta.platforms = [ "x86_64-linux" ];
filesToInstall = [ "u-boot.rom" ];
};
ubootRaspberryPi4 = buildUBoot {
defconfig = "rpi_4_defconfig";
extraMeta.platforms = [ "aarch64-linux" ];
filesToInstall = [ "u-boot.bin" ];
};
ubootRaspberryPi5 = buildUBoot {
defconfig = "rpi_arm64_defconfig";
extraMeta.platforms = [ "aarch64-linux" ];
filesToInstall = [ "u-boot.bin" ];
};
}

160
packages/uboot/python.nix
View File

@@ -1,160 +0,0 @@
{
lib,
python3Packages,
fetchPypi,
makeWrapper,
armTrustedFirmwareTools,
bzip2,
cbfstool,
gzip,
lz4,
lzop,
openssl,
ubootTools,
vboot-utils,
xilinx-bootgen,
xz,
zstd,
}:
let
# We are fetching from PyPI because the code in the repository seems to be
# lagging behind the PyPI releases somehow...
version = "0.0.7";
in
rec {
u_boot_pylib = python3Packages.buildPythonPackage rec {
pname = "u_boot_pylib";
inherit version;
pyproject = true;
src = fetchPypi {
inherit pname version;
hash = "sha256-A5r20Y8mgxhOhaKMpd5MJN5ubzPbkodAO0Tr0RN1SRA=";
};
build-system = with python3Packages; [
setuptools
];
checkPhase = ''
${python3Packages.python.interpreter} "src/$pname/__main__.py"
# There are some tests in other files, but they are broken
'';
pythonImportsCheck = [ "u_boot_pylib" ];
};
dtoc = python3Packages.buildPythonPackage rec {
pname = "dtoc";
inherit version;
pyproject = true;
src = fetchPypi {
inherit pname version;
hash = "sha256-NA96CznIxjqpw2Ik8AJpJkJ/ei+kQTCUExwFgssV+CM=";
};
build-system = with python3Packages; [
setuptools
];
dependencies =
(with python3Packages; [
libfdt
])
++ [
u_boot_pylib
];
pythonImportsCheck = [ "dtoc" ];
};
binman =
let
btools = [
armTrustedFirmwareTools
bzip2
cbfstool
# TODO: cst
gzip
lz4
# TODO: lzma_alone
lzop
openssl
ubootTools
vboot-utils
xilinx-bootgen
xz
zstd
];
in
python3Packages.buildPythonApplication rec {
pname = "binary_manager";
inherit version;
pyproject = true;
src = fetchPypi {
inherit pname version;
hash = "sha256-llEBBhUoW5jTEQeoaTCjZN8y6Kj+PGNUSB3cKpgD06w=";
};
patches = [
./binman-resources.patch
];
patchFlags = [
"-p2"
"-d"
"src"
];
build-system = with python3Packages; [
setuptools
];
nativeBuildInputs = [ makeWrapper ];
dependencies =
(with python3Packages; [
jsonschema
pycryptodomex
pyelftools
yamllint
])
++ [
dtoc
u_boot_pylib
];
preFixup = ''
wrapProgram "$out/bin/binman" --prefix PATH : "${lib.makeBinPath btools}"
'';
};
patman = python3Packages.buildPythonApplication rec {
pname = "patch_manager";
inherit version;
pyproject = true;
src = fetchPypi {
inherit pname version;
hash = "sha256-zD9e87fpWKynpUcfxobbdk6wbM6Ja3f8hEVHS7DGIKQ=";
};
build-system = with python3Packages; [
setuptools
];
dependencies =
(with python3Packages; [
aiohttp
pygit2
])
++ [
u_boot_pylib
];
};
}

13
packages/uboot/version.json
View File

@@ -1,13 +0,0 @@
{
"schemaVersion": 1,
"variables": {
"version": "2025.07"
},
"sources": {
"uboot": {
"fetcher": "url",
"urlTemplate": "https://ftp.denx.de/pub/u-boot/u-boot-${version}.tar.bz2",
"hash": "sha256-D5M/bFpCaJW/MG6T5qxTxghw5LVM2lbZUhG+yZ5jvsc="
}
}
}

181
secrets/pi4-secrets.yaml
View File

@@ -1,181 +0,0 @@
pi4:
matt-password: ENC[AES256_GCM,data:2gQOr6LlHNAL0CBk12R8lu1pgMLWc017k7M4xDNSpOM1iqEnoODSeFa2JhjJqf2st3kaJuDVucmiPgBcW51Hm1k+z15Rokz78Q==,iv:pcBy2UWjSEiPIcLayi4wWw2jRB7rdxYUqnVxt3DHKKc=,tag:wSOEVbjDEpUYjrZFe484hQ==,type:str]
sys-public-key: ENC[AES256_GCM,data:4m0G3buO6ao+hzpEQ5pFAjqrd9DjLE+ld+N3KT4mYdRfUD/SfcIrpP0ML8c4Omx34J9xPIxBJPAeJp1CNdvMfG4OZ56AB0p+bHVTS3W5GUx+eIeiDsoGQbM=,iv:kU0O88hShlik8xNnk0j2Qbkv+5KNCk03w66stkSlOJs=,tag:pg6SiaH1Mb3my+U8aqE4Lw==,type:str]
sys-priv-key: ENC[AES256_GCM,data:f/gszWqZ62i7SPCs3Jo1KcGrLyW5tk649XyiNEQcWwO6egE725s2PYM4bCkfKcKbyaXduN/L1F4Yos7etfJzmwo0LcW5DnmO0bOizWbSrxF5VYfeVGYeGzvGFOmrQwHPIQRdWrw62YKt1LG0W2boSJ44MDJD8P/po9zwbtiLYat9cLrEFUpWydvZ+i+Ua24fr8NQTD5jRfV7xDhy83gj4X0PDfa9I+PzHpiY9GZFEPJlcxdwRbm2fjc0+7pemJG1hwb/mwLYl5nTfsNPfO4oDJNPDAsUUGL1jYYSSwYZT0HDOVP2ToWXc06B4vIxxacjyZN6my7Sfn5uQkdavhNYUgsyOMV0Dhhow5MD8Mt1w6xv7jODlzK4mb84tU3qWHRRfcmrXDz9ZiQ2YBnhH7vUgcx1J70HwtttR3i0FWFVT92RvO5i83SNZtAgMwvsaIANHCnnhG+ZMnaIURzMAsZAqo2HpRQ18C3X+UKLyvs+scIAjaW1XYDCOR5OdT1CXAv2jWm7Dl9L0QkTysdZ+G5/,iv:hzbJ8cfdpiyXAjSRWxyNHqsq8D2LNNUP8nNvRswJzNw=,tag:ubJiNhOKz7g2hhAsj9JJYw==,type:str]
nebula:
ca-cert: ENC[AES256_GCM,data:FDlXjLyMcKdwXVSP+boKAjNprWDYkKsdmdA7RHK9/+Pa8gUpmhqJKRuJp0ta2T6KTCGdh+cRFBPy0PgME7wkjY5ygjiGJV5ixGIN8x+JkfP+1Moi5GZlYK27JTGoX5I+9bRmSWN9mjoGqby4ms+x/gh2S8OBTpOMWCUhDOjtShr7YEJ57Q4z2stxv+IXxIKkfFAtnpb0a0QdFJZP2/2D5KligoXEL410FGhigHJ1dOLIoXYtqXDtUVMxoouzLf4lrnWCljVYr2OeI39wRPLHOkE+MnhYIHTzre8M9urchCHVTN//tQBWaeeia/lI7rGbduk6vqHZo7fXku1D1A==,iv:3lwMkR9AB7wWxXqW5HTaDFTI+vB4ebSdR1Yg3an89qE=,tag:vLn+lrHa2yLg5KSzW8HUKw==,type:str]
ca-key: ENC[AES256_GCM,data:vKbPalJqrqS2uNiykKMvAZOSUYPZqEovo7xCO80RPqNhoUKQ9snpfsggWTMhk5U5tWWu9aUSBJn7XGXB7aRLuGXCpqtR+N7Rtz+2Ec2BNb9ETnI2AI8/BsTkZe5P2U2cn2va1hXPTPN1xWW7n11DLAqnQTBGizOVNH4mTXktW2JS37k+X1C57CazQoc90iNbOJqPlHI0QjHdhcH8yO7DOnY8f9LdHvBPh6ANfUt4,iv:qtyDl3TfNgwDvTY+H+hJuNEj5g1+01MXixZG9dGJyys=,tag:pyeNhIiiKOilhNEIaJ/abg==,type:str]
lighthouse-cert: ENC[AES256_GCM,data:EJq8S1vI/SZ8A5MzSdMcuvvSZADuzB7CwPa5dsSUvqSeBkapHbCkJiki885D0TpXfc8SxDDZCMUvv4cAHbH2ZlKhuOB8klT4tm1fP3p/P10WrV8SPje87XZ870mtH8bdoVLrdPHjvmotBkXCskTeSDcDlgS4+fMUrxO8gB5O/HIx1tFn5eDoUtdOAlqYAGDiZALGbI2c3Acwtl5pzI39iHtag7YmAEEUQSY1732e/G79wWd4iaOpKZDo7Uig+PIIpymYZgweNtYNGRl7+xKZsJcB21gVnpofUIm6QDwhg1XJ79WIOacBL3d1IKrdipj7uBMd9HbIhlfioOl1noyqICdg8IjlMgSX2FVDu75gMQu+WpuFhaJn1lcnO1na3UoLfz16bX+7T8fuFWhONAxwKmI7V6nQfmplBsE=,iv:hHsCuoBL9bDnDSlooEJDVFYo8pn38eT+p2bQ6EbJwhI=,tag:/7jZvWvcgcPcQp/HrFY8HA==,type:str]
lighthouse-key: ENC[AES256_GCM,data:BsGgTwdse1aBdZGYUWdNTbn1+tw/gnj+hvxGbaK6hZLoL3Pp0ytGbwt9QcyXUrqJd8SDByhEQM1ZdZQt9PYnA7Urs6RFFyw+nFJCClC8RJ4ncpkOcElu8yRcUZdlQtpRQK3+db6E7/15hzJTEufLf+CUO1Bg8UfDuJQRb5ur4Q==,iv:2/o63fIvyvqb0UdubUI7wyTm7a/hYWl9kQzOoO3IDFg=,tag:E9Fl4HGkTQFrqmOuQLWHzg==,type:str]
sops:
shamir_threshold: 1
age:
- recipient: age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1NlFoc2hlSEtzQXlxRkdz
YXU0SFZoT0QzbDJ0cGhZVTBGZVJMYkF0ZkhJCkxkVFJueEx6S1VlQUJseWxnQlZH
aTVrbVRyUjNPMkp6dXJGS3lLWnBVV3MKLS0tIHhUYjE1NjdHRHBTMGd1UVZUQy9S
a1Z6U3VPQ3daOVBIZ1M0UHo3VGV4QXMKoyOfYaPQOgdFDPthdnsSu/d3fv+KdY/D
KxZmSd8V4ECgcwhI39d/SRbs1ipcr9915lKT31c3MFqGNXrN1kpxnQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSExvRGwwT1dobmt0R250
R0JPc3lxRFVON2xIK1ViTjg3WW5JdStBbkdRCmdTc1NOTDY4c3hVMWtNVE1ERThr
K2hWeE1uRHFsdXI3Uzh4S3JwY1Buc0kKLS0tICtUSWovZWZLdHk0cjVJSktCbW1s
djBhblNsQUtINmxRc0VRbDlIYUJwWkEKZavXvFPT9pzaMEuH+Dl5NNlerG8PQoFa
zlbwXbRj2nqlQ/fxmPhsaak9QXOHa13mzpnQp6gZIBf75g7ip14XNQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wpvfpv5n32lruk7c0da4uaeapsmhjxdvg8z4ljehn06l6g2y0e0sum404l
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTOTlocHFoZHoyN0s4Q0tV
Z2ZQdzlzMGpWZnBpaTRVNGljNjNVamxFc0Y4ClM2ZWVTOTFHNnM1ajdJcGpSN2dv
TDVTTWNZUjZqbStMTzFROS8rN1B6NDgKLS0tIHZVZmlMTHpQOWFqbEoxMkd5UGJC
OXlOMVMrcmh5SEViUkhMSUROOGI3a1UKXsXMhwbxySqr5yawE47OyzJtMeICZXgT
S8l7/3dFybBZ5AkDRY+81ubJO893/wGDfgYjJn+L1uAw+FM+FqU7Ng==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFWVpXakFuL2QwbjdvY3hG
NDlXcjlFOGtRMWVXQ2NwSXBXNU5LWU8wZFJZCmlrWlM0UzdRQk5IaXRKNkQ5N2NY
YytnVkpFRi9icnRWRHo1N093R0YvZXMKLS0tIGovMEsrYzlNN1c2UEhEZUZWTSt6
YjI2UXJ5UzhiSVp6Q01aVHRUOFBTZm8KGVSZPOEpUsw3U3nL51F1lH5uXpknRDqN
OhaRmuoW+XosHMOuJ3ZBMp3tLoxYEg6kZ+nQJp9oiGfl01UaFqdQHA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pm3fehmmk0vmnrscz9vm96rakn46aaldr5ydpscmde3v9x0k3faswwdzxs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwR3ZzU2lQZldqZ2Nkd0dm
dTd1eGZrZEFSOTJLTXpzSG9xWjgrWHJza1JJCmd4QWlyUjVGV04wd1dveUkvWU1t
ZjRzQUk0eGJxd0FSaDFpLzVHYTBMWDQKLS0tIEppbW1nUm9nWkdlQXg1M2FYb1hD
eTl0cG8vUlJHYUJFQjNvb2tuZEt1NGMK2ZKzwoUwTHKixc8XfUg6pv23m5ZqjPgZ
Y/1Z4RyL2OwNQRxeqiOY7p9LrGmPgszMuAlFQb/r/BlAgaEkNLl0fw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bGs0ZnJwMUVCa0R5TWFU
OW5odnNvcWc5V2FrTGVkR2o5Vy9UTnQ0SFgwCk14TXJmL0djcTBzQlVaUDJJTzFY
RFhMNzhPakJyNmtTeUhiMkNaUkFSQ1EKLS0tIFVLNTJiNy9wMDd5RmdrRnZQM0l3
UmJ5eXdmVFJrTVd0cmE0aitITC81Z3cKtWRvDiKJUserIJWVhD4+nnpckVexdkaq
GkJJPRiKmxP7LtO0vJV8m7xKV33frSNk5772H5mnJu/STdultvwd8Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ykkjw57t3z3deup3gtp7dujyaslskn74e0d9hsmqaha2pj3rvazqgndw5a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWUmgyMyt4TG04bjlzV1BJ
MENrV3Nmb1dhY2t0a3dBRnFJZzRudDNlalVZCmdzOUo0UEJ4QmFBNXA4aUlkY1do
QWhMR29sUnhuZlprb3NCbEhhMnd2RDAKLS0tIGFCUk5DS0M2dk9LNWlpenpXQk8r
SFZUYXpsbENkS014Tks3ZWJPNCtDb2sK8CtjOC4EnBgd8xSc6GwGtXnoGX/Wf1s2
r1L97kqmMRD7Npwhs2gT+5kilEJBpIT+djfsc0KlezONOTVKJiiT0A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t2d5scrukk0guva5sr97a8tge5j8kd865adezrcru7p269pzwvpsamkgje
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeXY0ZmRQL3E3enVQMHFh
Wk1scFpoeFhwMG9iQmFMTklWMzhWM1Z5MFIwCnJJTG44NVMrZXVuVEtXRThxMy8v
VTM3U1dCRnFZOW15aHZoemh6YitRODgKLS0tIEVQaHlPankzNHJORHhyUnplSnRw
QmZESkVxSlZ1aUMrTUhZRFV6bjZXVXMK6n1TE1RTHxlqV198Hf+GjSMeSCXsEDpm
1LVqSF1t7hQzXAf6M1hncKWmmvf8QZDzFPQsc1Rmoo0JRAeL1CUlYw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1c8qw59ffcq9l77gfmtyc3djtvt3md0u6dwhrjcgsm98ntyf72ufqugj7cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBia1lDOEFIYXRxbk1yaHVG
NHNrN016UnVyUEx5YXdwWXRuUVJ2VkdzT1FFCm52dFlNYkp4M0YvRUQxZU1UTzBx
SnBZdVZGZlIvaUZIQzBxY0NuY3dtYWsKLS0tIDFvTVJBNlpmZ2ZkOTM1bVFHcGRi
VFB3aTlNUFlOUC9TZmVJSGdlTU9UVFkKdL3zout9Xl/tYCdkGmO3rUxPXF3XhchR
cTvSkyqOLcfno4AwB4nC18pGfhxYh0O1AsJrfUYfZUDm4AydqC6RIg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1er5qucsc2mugrzrr7n3xhzv7kemkrqrw4m84r544fkk7nkg5g5eswxkqj0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbnZvK3VyYjdiQ2VFekZF
aXpSbCsrZEFqSmdkV1c2OFZJdkpseEFSOWpFCkpTS2dVYjFiNENDQnFjTEtUK010
Wk1kVndqZldhWlVVV2gyRkdUY0dxMEkKLS0tIDcvVkI3OUJXZnBvUC9xTmxzdHFP
cHEwL1oyRUl3blYrKzZaaE5zME8xU1UKhPCOFlYU6SuDe5riehIIuMhUB/KSSyD7
YZ+CqCBVFECF1vhfgvPj432Aqdd0yS6M/9r1Bqt+fcj+fRz2bGXapw==
-----END AGE ENCRYPTED FILE-----
- recipient: age12gu9hqhd56yl5x3t5yenkn9yg57du08h77vzjqsmnu5hdppne38qcur5a0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRm1IMjJXcmh0cnVwOFlY
MUV0d3dNYjVqSkNqZjNqdHprc04zbGViRDI0CklVVklkV0owUUFJVXNqc09tbFpn
azA1M3R2eUlJVVBaUGFhZDJoLy9rTEUKLS0tIDI4S1pZSUZ3Q0ZPOVV3T0FJQ3NZ
UFhFR3R4emR0UHpFalJ0b1dwZmhRYUEKn849C7Xp1uDeAZRNXqF/WxSx+y204U9q
uuEUgbstlOvqRGFs6buGRFTLFi845qfv4J0QnXvj/COLZfNjwl3Jbg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t7378n8kmd3f32fkye2gw3jj6qswv3exjdx0dq8kl0xra3tmcdnsvddq3u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyN1U3WkFuSlZ1ekhkVVJU
VU51WjlCc1hySnlLVWFONWdnZ2VPTHFid3pVCkcwNmRXendXZjRRazhkSzRWU2FF
Z0xHQjlsVllYdkN1OGtmTEVXcnUwSVEKLS0tIG5YTmxGTzUyQ2IxR2VBMmQwUThX
Uk1kQ0w1VGh6YUZaZ1NvSHIwelZFSHcKtjHNHVWu9bpDEsUmibm3vXwf/ff2Zmtk
YiZmlU2imQ6WWPcTfGDPsNZ0YhA8mPxoWdzpHt10elUCwCpyi3L7iA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yn82e39pxt0d0pgny34ux4lkge4ff7wxvsye8ragvwngehemt4ps27phyw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNDA4SDJIVnJySUVMMTZw
UnZxb05OK1h6aldBT0kreE9jRHYyYyttZlNvCjZBQTlzajFweUoxSnRCMUpCQWQr
V0Q2eGVYOENpSlFWWlFUQThOREVpVG8KLS0tIDAwUWk2aW1NMFZsWWFabGhSKzMv
NUMyN01MVTlsbWpNV24yOVVhZitGd1kKa8dbwXGW5Bthym+BuGr+E8bYMbHb07ew
YbTskFI7vkMRWg1VGWMbrzvoqdVP7xJpUBtUo3okL4j/au+hG+br5w==
-----END AGE ENCRYPTED FILE-----
- recipient: age102el4snus37dj807rwvsmlvwu2sg2d8rw3vfmtntgczfkz04l9nshetcq0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MFFxUmkvVFRrNWN2V2Z1
ekV4ejJlMFZ3WkhycXBjRGFZa05XWHdHQjE0CnpuaG9TVjJ2ZkkweDNFUXgxWnBt
YmhLRzFzRzlSRGpKTm1LMmcwZVdlU3cKLS0tIE10a1pVOW5jQ0kwWHdWcmlNY0hm
ZU4rL3BiT29jcHNGU0xzajIvb0hqU0EKtkiSn5PVzJYZmCEnsa7a3AZW5PhlwWXt
8TLrM5WYljSR7rzeqmVH5PaXT6olUXo/NCmbqiM1R5nizNBDbKGLbQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1n5frpwgvps7c2348ynu9g7g47kqar4srdplw5kkcyn4x80eqzetqw3ej2m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBib0ZWUXpJVXkyLzdEdnN2
TDIzd0F6WkdDbGgrMW9BS00rTmtvSGV3Y0RjClI2YTkxb0pUazlYY3dsOFBmcXpC
cFg5bVJOL3ZKQ3N4L2lSZ0xaTjVPMFUKLS0tIFo1YklYdXZNam5FbnhEZDUxKzYr
TXh5SmQxK0pmRG80bjVzUUNYWmRKcG8K5xbwbYccoMcpmS3oSSBFpHaYkZizfxhK
03lO4cEDsufZAt95OzD6pQZCaBp8dVsyZTJQaDTMsnsPTQ5Kxq6sng==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lvks0rdf743cn9rvvx90mzu3mjldydlzslpmv9608wn4j0m8u3xsmu7yew
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZnQ0U1FieWlWRVpYWUQ0
ZGNRV3l3MTRvM2VBVjVnSitwTXp1Y0l5bzFvCm4xRXJXTzA1YmhERkszSkhVaVFF
Qnc4T0pVRi92MVh2UHlUd3E0OU9lM28KLS0tIDZ3TUZ3cHBUc0NnTHl4K0JLZ3J0
RWRidzlRQ2Qrb3hZQmI4UkNiOXlNTXMK7e3ZpGsleiDmH3YscwbpkHUo1vF4g34u
dx7EBE89sCYLFHPXk0bkZIOe/CTXUDBDiFHew4zL3I60mwMJKKnisw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-13T19:10:40Z"
mac: ENC[AES256_GCM,data:HaMU0o8ORSUCrcmppdJwpXj4YgKESOUy9YJPktBvY7s1QhQVqvzNigxcvJcpGFexvy9/I6mBxzc7JYDPuMmSyaaFQyTZ6e47cxshqy5Sxxs6U7lyxPWynnC7nU1F+CWhkqULQ0+v45NB6wilHc+ASOb1JGSF546ffZDmbJ+eDU4=,iv:+5+S63+PtrCvVFdfSAUHUoS342g6LzoICFUpR2OL9ns=,tag:WnksdwIcQCDCmMiIwbSUpQ==,type:str]
pgp:
- created_at: "2026-02-06T15:34:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0B7mmjbybiOAQ/+N+WG14Kn6aqETcs3SDEvdeREb//2S/suf27VIT7NqdEY
VZWa19oWO20+pSD1WZAQDatXFo4Ty13az1pSIUhKRj6jwkzvtAwAXQcH3i6oRQPv
Fsh2mMfeq6+bgLqCbD74DckM4j7e+sj1mENMKUwTALdY6ecdoADA97vcxEuvPWoJ
g9KDwX4xKzjRujsmPTa7Q2daq/9/607WU+FlkkdQK6wCUgn6eNXSXLSdITB/TAe2
YVtEGj0+bgMawItah9uro6eiL4hpOJhVDk8R2Vq7/qkV+eSI5DW6hlXAMlZXZ4SU
WtaqQ1vb7sYQ9PHHpMkZ0qo9TxQDo6RpKonj0qP2Ihm0hh39n/hEcHI+Q8L78OcZ
ZcdnxU9RsLqXEgi/QvDITGCxFB58Ng1Kx0IEYNxav+4s2Vb28KqukpCPPwBOf2nI
MqzDn/mDtsu6RR/d0OO8qN6Rp+fg2k4RBoB7rYLM5mSFmx1S/MYbM1JTdVmSGvCL
mCnuZE18WGBgd7qfH7A6J11H/jIWCAB4UyIZXtJcGm/hCqIkDATqe0f7QMC6S+qR
Zl/3zdzv3MaKTotLTfJC9Y+teOrMlk/OYrDjEg5btHI/XJOn0V2lxE9O3Z/i3l50
16U/oUK54jaZi1+ZvHgHwjEFcDJ74IoyWvBh25vg1qhQVH9a1to74a/yq2zKYIzS
XgHVF+/WTjQvEl44RiuLuUDxlDrxOUwer+bTM8Rx9BDFhqDfH+GKvZKwQdwu72Ri
hvUppPOtx6x1Q++S9/luXy25dlC/EDkmUyzQgT6m4GzlxiOWkW0dxfob547PYlI=
=abGW
-----END PGP MESSAGE-----
fp: CBCB9B18A6B8930B0B6ABFD1CCB8CBEB30633684
unencrypted_suffix: _unencrypted
version: 3.11.0

58
systems/aarch64-linux/pi4/adguard.nix
View File

@@ -1,58 +0,0 @@
{ lib, ... }:
{
services.resolved.enable = lib.mkForce false;
services.adguardhome = {
enable = true;
openFirewall = true;
allowDHCP = true;
mutableSettings = true;
settings = {
http.address = "0.0.0.0:0";
users = [
{
name = "mjallen";
password = "$2a$10$G07P7V1EnBQxWtMNGyfgTOTpAgr4d.uqYoG.cGSFCv9jQdiYWCsfq";
}
];
dns = {
upstream_dns = [
"https://dns10.quad9.net/dns-query"
"1.1.1.1"
"8.8.8.8"
];
bootstrap_dns = [
"9.9.9.10"
"149.112.112.10"
"2620:fe::10"
"2620:fe::fe:10"
];
upstream_mode = "load_balance";
trusted_proxies = [
"127.0.0.0/8"
"::1/128"
"10.0.1.3"
];
cache_optimistic = true;
};
dhcp = {
enabled = false;
interface_name = "end0";
local_domain_name = "lan";
dhcpv4 = {
gateway_ip = "10.0.1.1";
subnet_mask = "255.255.255.0";
range_start = "10.0.1.100";
range_end = "10.0.1.254";
lease_duration = 86400;
icmp_timeout_msec = 1000;
};
dhcpv6 = {
range_start = "2001::1";
lease_duration = 86400;
ra_slaac_only = false;
ra_allow_slaac = false;
};
};
};
};
}

82
systems/aarch64-linux/pi4/boot.nix
View File

@@ -1,82 +0,0 @@
{
pkgs,
lib,
namespace,
...
}:
{
boot = {
# loader.raspberry-pi = {
# firmwarePackage = kernelBundle.raspberrypifw;
# variant = "4";
# };
# kernelPackages = kernelBundle.linuxPackages_rpi4;
# kernelPackages = pkgs.${namespace}.linuxPackages_cachyos-lto;
kernelPackages = pkgs.${namespace}.linuxPackages_rpi4-lts;
initrd = {
availableKernelModules = {
bcachefs = lib.mkForce false;
};
kernelModules = {
bcachefs = lib.mkForce false;
};
};
supportedFilesystems = {
bcachefs = lib.mkForce false;
};
};
specialisation = {
"linux-latest".configuration = {
boot = {
kernelPackages = lib.mkOverride 90 pkgs.unstable.linuxPackages_latest;
};
};
};
${namespace}.hardware.raspberry-pi.config = {
all = {
# [all] conditional filter, https://www.raspberrypi.com/documentation/computers/config_txt.html#conditional-filters
base-dt-params = {
i2c_arm = {
enable = true;
value = "on";
};
i2c = {
enable = true;
value = "on";
};
spi = {
enable = true;
value = "on";
};
};
options = {
# https://www.raspberrypi.com/documentation/computers/config_txt.html#enable_uart
# in conjunction with `console=serial0,115200` in kernel command line (`cmdline.txt`)
# creates a serial console, accessible using GPIOs 14 and 15 (pins
# 8 and 10 on the 40-pin header)
enable_uart = {
enable = true;
value = true;
};
# https://www.raspberrypi.com/documentation/computers/config_txt.html#uart_2ndstage
# enable debug logging to the UART, also automatically enables
# UART logging in `start.elf`
uart_2ndstage = {
enable = true;
value = true;
};
};
# Base DTB parameters
# https://github.com/raspberrypi/linux/blob/a1d3defcca200077e1e382fe049ca613d16efd2b/arch/arm/boot/dts/overlays/README#L132
base-dt-params = {
};
};
};
}

105
systems/aarch64-linux/pi4/default.nix
View File

@@ -1,105 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
namespace,
...
}:
{
imports = [
./adguard.nix
./boot.nix
./sops.nix
];
nixpkgs.overlays = [
(_self: super: {
# This is used in (modulesPath + "/hardware/all-firmware.nix") when at least
# enableRedistributableFirmware is enabled
inherit (super) raspberrypiWirelessFirmware;
# Some derivations want to use it as an input,
# e.g. raspberrypi-dtbs, omxplayer, sd-image-* modules
inherit (super) raspberrypifw;
})
];
${namespace} = {
impermanence.enable = true;
hardware = {
disko = {
enable = true;
firmware = {
enableFirmware = true;
firmwareDisk = "/dev/mmcblk1";
};
};
raspberry-pi = {
enable = true;
variant = "4";
};
};
headless.enable = true;
user = {
name = "matt";
mutableUsers = false;
hashedPassword = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
extraGroups = [
"docker"
"video"
];
};
network = {
hostName = "pi4";
ipv4 = {
interface = "end0";
method = "manual";
address = "10.0.1.2/24";
gateway = "10.0.1.1";
dns = "1.1.1.1";
};
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
networkmanager = {
profiles = {
"static-end0" = {
type = "ethernet";
};
};
};
};
services = {
nebula-lighthouse = {
enable = true;
port = 4242;
};
};
};
services.kmscon = {
enable = true;
hwRender = true;
};
programs = {
seahorse.enable = false;
};
virtualisation = {
docker.enable = false;
podman.enable = false;
waydroid.enable = false;
libvirtd.enable = false;
};
# Root user configuration - explicit to avoid conflicts with home-manager
users.users.root = {
isSystemUser = true;
isNormalUser = false;
};
fileSystems."/etc".neededForBoot = true;
}

72
systems/aarch64-linux/pi4/networking.nix
View File

@@ -1,72 +0,0 @@
{ lib, config, ... }:
{
# Networking configs
networking = {
# hostName = lib.mkForce hostname;
defaultGateway.address = "10.0.1.1";
nameservers = [ "10.0.1.1" ];
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
# Enable Network Manager
networkmanager = {
enable = lib.mkDefault true;
wifi.powersave = lib.mkDefault false;
settings.connectivity.uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
ensureProfiles = {
environmentFiles = [
config.sops.secrets.wifi.path
];
profiles = {
# "Joey's Jungle 5G" = {
# connection = {
# id = "Joey's Jungle 5G";
# type = "wifi";
# };
# ipv4 = {
# method = "auto";
# };
# ipv6 = {
# addr-gen-mode = "stable-privacy";
# method = "auto";
# };
# wifi = {
# mode = "infrastructure";
# ssid = "Joey's Jungle 5G";
# };
# wifi-security = {
# key-mgmt = "sae";
# psk = "$PSK";
# };
# };
"static-enabcm6e4ei0" = {
connection = {
id = "static-enabcm6e4ei0";
type = "ethernet";
interface-name = "enabcm6e4ei0";
};
ipv4 = {
method = "manual";
address = "10.0.1.2/24";
gateway = "10.0.1.1";
dns = "1.1.1.1";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
};
};
};
};
};
}

55
systems/aarch64-linux/pi4/sops.nix
View File

@@ -1,55 +0,0 @@
{ config, lib, ... }:
let
user = "matt";
defaultSops = (lib.snowfall.fs.get-file "secrets/pi4-secrets.yaml");
in
{
sops = {
age.keyFile = "/home/matt/.config/sops/age/keys.txt";
validateSopsFiles = false;
# ------------------------------
# Secrets
# ------------------------------
secrets = {
# ------------------------------
# SSH keys
# ------------------------------
"ssh-keys-public/pi4" = {
mode = "0644";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "sshd.service" ];
};
"ssh-keys-private/pi4" = {
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "sshd.service" ];
};
"ssh-keys-public/pi5" = {
neededForUsers = true;
mode = "0600";
owner = config.users.users.root.name;
group = config.users.users.root.group;
restartUnits = [ "sshd.service" ];
};
"pi4/sys-public-key" = {
sopsFile = defaultSops;
neededForUsers = true;
mode = "0600";
owner = config.users.users.root.name;
group = config.users.users.root.group;
restartUnits = [ "sshd.service" ];
};
"pi4/sys-priv-key" = {
sopsFile = defaultSops;
neededForUsers = true;
mode = "0600";
owner = config.users.users.root.name;
group = config.users.users.root.group;
restartUnits = [ "sshd.service" ];
};
};
};
}