diff --git a/hosts/pi4/boot.nix b/hosts/pi4/boot.nix index ed179a6..a17b7aa 100755 --- a/hosts/pi4/boot.nix +++ b/hosts/pi4/boot.nix @@ -1,4 +1,7 @@ { pkgs, lib, ... }: +let + uefi_pi4 = pkgs.callPackage ./pi4-uefi.nix { }; +in { boot = { loader = { @@ -9,4 +12,10 @@ plymouth.enable = true; kernelPackages = pkgs.linuxPackages_latest; }; + environment.systemPackages = [ uefi_pi4 ]; + + # Copy UEFI firmware files to the boot partition + system.activationScripts.installUEFIFirmware.text = '' + cp -r ${uefi_pi4}/share/uefi_rpi4/* /boot/firmware/ + ''; } diff --git a/hosts/pi4/configuration.nix b/hosts/pi4/configuration.nix index ca2d6df..8baef52 100755 --- a/hosts/pi4/configuration.nix +++ b/hosts/pi4/configuration.nix @@ -29,6 +29,7 @@ in authorizedKeysFiles = [ config.sops.secrets."ssh-keys-public/pi5".path ]; + hostKeys = [ ]; }; }; @@ -41,16 +42,22 @@ in }; }; - environment.systemPackages = with pkgs; [ - argononed - git - libraspberrypi - raspberrypi-eeprom - raspberrypifw - raspberrypiWirelessFirmware - raspberrypi-armstubs - vim - ]; + environment = { + systemPackages = with pkgs; [ + argononed + git + libraspberrypi + raspberrypi-eeprom + raspberrypifw + raspberrypiWirelessFirmware + raspberrypi-armstubs + vim + ]; + etc = { + "ssh/ssh_host_ed25519_key".source = config.sops.secrets."pi4/sys-priv-key".path; + "ssh/ssh_host_ed25519_key.pub".source = config.sops.secrets."pi4/sys-public-key".path; + }; + }; users = { mutableUsers = false; diff --git a/hosts/pi4/pi4-uefi.nix b/hosts/pi4/pi4-uefi.nix new file mode 100644 index 0000000..8537dec --- /dev/null +++ b/hosts/pi4/pi4-uefi.nix 
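Review bot: The activation script in the second boot.nix hunk copies into `/boot/firmware/` on every activation without checking that the firmware partition is mounted there; if it is not, the files land on the root filesystem and the board keeps booting the old firmware with no error. The copy also overwrites whatever is already on the partition, presumably including a locally edited `config.txt` and the `RPI_EFI.fd` image if the archive ships them, which is worth confirming because UEFI settings kept in that image would be reset on every switch. I would guard it, e.g. `if ${pkgs.util-linux}/bin/mountpoint -q /boot/firmware; then cp -r ${uefi_pi4}/share/uefi_rpi4/. /boot/firmware/; fi`, and add a comment naming the files that are intentionally replaced. `environment.systemPackages = [ uefi_pi4 ];` looks unnecessary, since the script already references the store path. The enclosing attribute set starts outside the hunk.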
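Review bot: `hostKeys = [ ];` in the first configuration.nix hunk has no comment, and its side effects are not obvious: it turns off host-key generation by the openssh module, so the only host key is the sops-provided one added in the next hunk. As far as I know, sops-nix derives its default age identity paths from `services.openssh.hostKeys`, so with an empty list the decryption key has to come from an explicit setting such as `sops.age.keyFile`; sops.nix is only partly visible here, so please confirm. Suggested comment: `# host key comes from sops (environment.etc below); key generation disabled on purpose`. The openssh block starts outside the hunk.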
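Review bot: In the `etc` block of the second configuration.nix hunk, sshd picks up the private key only through its default `/etc/ssh/ssh_host_ed25519_key` path, which is now a link to the sops secret. Combined with the empty `hostKeys`, a failed decryption at activation leaves sshd without any host key and, on a headless board, without remote access. A line such as `# sshd loads this through its default HostKey path; no fallback key is generated if the secret is missing` would document that dependency. The `.pub` entry does not need to be a secret; a public key can be a plain file in the repository, which keeps it readable for `known_hosts` pinning. The rest of this hunk only re-indents the package list.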
@@ -0,0 +1,24 @@
+{ stdenv, fetchzip }:
+
+stdenv.mkDerivation rec {
+ pname = "uefi_rpi4";
+ version = "1.38";
+
+ src = fetchzip {
+ url = "https://github.com/pftf/RPi4/releases/download/v1.38/RPi4_UEFI_Firmware_v1.38.zip";
+ hash = "sha256-9tOr80jcmguFy2bSz+H3TfmG8BkKyBTFoUZkMy8x+0g=";
+ stripRoot = false;
+ };
+
+ installPhase = ''
+ mkdir -p $out/share/uefi_rpi4
+ cp -r * $out/share/uefi_rpi4
+ '';
+
+ meta = {
+ description = "UEFI Firmware for Raspberry Pi 4";
+ homepage = "https://github.com/pftf/RPi4";
+# license = stdenv.lib.licenses.bsd2; # or appropriate license
+ platforms = [ "aarch64-linux" ];
+ };
+}
diff --git a/hosts/pi4/sops.nix b/hosts/pi4/sops.nix
index 4ca93cd..1bc4874 100755
--- a/hosts/pi4/sops.nix
+++ b/hosts/pi4/sops.nix
@@ -38,6 +38,8 @@ in
 "ssh-keys-public/pi5" = {
 neededForUsers = true;
 };
+ "pi4/sys-public-key" = { };
+ "pi4/sys-priv-key" = { };
 };
 };
 }
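Review bot: The release number is written three times in pi4-uefi.nix, once as `version = "1.38"` and twice in the `url`, so a later bump of `version` alone would keep installing the 1.38 archive (the hash still matches) while the package claims a newer firmware. Since the derivation is already `rec`, the URL can follow the attribute: `url = "https://github.com/pftf/RPi4/releases/download/v${version}/RPi4_UEFI_Firmware_v${version}.zip";`. The commented-out `license` line refers to `stdenv.lib`, which current nixpkgs no longer provides; taking `lib` as an argument and setting `meta.license` plus `meta.sourceProvenance = [ lib.sourceTypes.binaryFirmware ];` would record that this is a prebuilt blob. The pinned `hash` is what ties the boot firmware to a known artifact, so a short comment on how it was obtained would help the next update.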
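Review bot: `"pi4/sys-priv-key" = { };` in the sops.nix hunk declares the SSH host private key with all defaults, so the file mode and the behaviour on rotation are implicit. I would spell them out: `"pi4/sys-priv-key" = { mode = "0400"; restartUnits = [ "sshd.service" ]; };`, so the key stays root-only even if defaults change and sshd picks up a rotated key. Anyone who can decrypt this sops file can impersonate the host, so its recipient list should be limited to this machine and its administrators; that list is not visible in this hunk. The `secrets` set starts outside the hunk.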