NixOS-Configs/hosts/pi-server/default.nix
2025-11-11 20:24:00 -06:00


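# NixOS system module for the pi-server host: Nix daemon settings, module
# imports, networking, locale, kernel, privilege escalation, SSH, users,
# system packages and firewall.
{
  inputs,
  outputs,
  lib,
  config,
  pkgs,
  ...
}: {
  nix = {
    settings = {
      experimental-features = ["nix-command" "flakes"];
      warn-dirty = false;
      auto-optimise-store = true;
      # NOTE(review): trusted-users may override daemon settings (substituters,
      # sandboxing, ...), which the Nix manual treats as equivalent to root
      # access. "don" already has passwordless doas below, so this is one more
      # root-equivalent path for the same account; drop it if it is not needed.
      trusted-users = ["root" "don"];
    };
    # Daily garbage collection; generations older than three days are deleted,
    # which also limits how far back a rollback can reach.
    gc = {
      automatic = true;
      dates = "daily";
      options = "--delete-older-than 3d";
    };
  };

  imports = [
    ../../home/pi-server.nix
    ./services.nix
    ./systemd.nix
    ../vars.nix
    ./upgrade-diff.nix
    ../../modules/beszel-agent.nix
  ];

  # Networking is managed by NetworkManager; the global DHCP default is off.
  networking.networkmanager.enable = true;
  networking.enableIPv6 = true;
  networking.useDHCP = false;

  # Time zone; the hardware clock is kept in UTC.
  time = {
    timeZone = "America/Chicago";
    hardwareClockInLocalTime = false;
  };

  # Internationalisation: default locale and the fcitx5 input method.
  i18n = {
    defaultLocale = "en_US.UTF-8";
    inputMethod = {
      enable = true;
      type = "fcitx5";
      fcitx5.addons = with pkgs; [fcitx5-mozc fcitx5-gtk];
    };
  };

  # Kernel package set, boot splash and sysctl tuning.
  boot = {
    kernelPackages = pkgs.linuxPackages_rpi4;
    plymouth = {enable = true;};
    kernel = {sysctl = {"vm.swappiness" = 10;};};
  };

  security = {
    polkit = {enable = true;};
    # sudo is replaced by doas.
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        {
          users = ["don"];
          # NOTE(review): noPass means any process running as "don" becomes
          # root without a prompt, and keepEnv carries the caller's environment
          # across that boundary. Consider dropping keepEnv and requiring a
          # password unless unattended use depends on this rule.
          keepEnv = true;
          noPass = true;
        }
      ];
    };
  };

  services = {
    beszel-agent = {enable = true;};
    nscd = {enableNsncd = true;};
    locate = {
      enable = true;
      package = pkgs.mlocate;
    };
    openssh = {
      enable = true;
      settings = {
        # Key-only authentication: passwords and keyboard-interactive are off.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        # root still logs in with its authorized key; password-based root login
        # stays refused even if an imported module re-enables
        # PasswordAuthentication (was "yes").
        PermitRootLogin = "prohibit-password";
      };
    };
  };

  security.rtkit.enable = true;

  users.users = {
    root = {
      # NOTE(review): initialPassword is stored in plaintext in the
      # world-readable Nix store (and in this repository) and only applies when
      # the account is first created. SSH password login is disabled above, so
      # the exposure is local (console, su). Prefer a hashed password supplied
      # from a secret file, or change it right after first boot.
      initialPassword = "changeme";
      # NOTE(review): the same key is authorized for root and for "don".
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd8AdVbQQ/Fmw+b9mI8EMYqIoRkwmSwAOtmlte3incL don@loki"
      ];
    };
    don = {
      isNormalUser = true;
      # NOTE(review): same plaintext default as root; see the note there.
      initialPassword = "changeme";
      description = "Don Harper";
      # NOTE(review): "disk" gives raw access to block devices, and "docker"
      # gives access to the Docker socket if a Docker daemon is enabled
      # elsewhere (not visible in this file); both are root-equivalent.
      extraGroups = [
        "disk"
        "docker"
        "lp"
        "cdrom"
        "mlocate"
        "networkmanager"
        "scanner"
        "video"
        "wheel"
      ];
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd8AdVbQQ/Fmw+b9mI8EMYqIoRkwmSwAOtmlte3incL don@loki"
      ];
    };
  };

  # Compressed swap in RAM: 25% of memory, capped at 2 GiB.
  zramSwap = {
    enable = true;
    memoryPercent = 25;
    memoryMax = 2147483648;
  };

  environment.systemPackages = with pkgs; [
    python313
    age
    base16-schemes
    bash-completion
    btop
    dmidecode
    home-manager
    lsb-release
    lsof
    nix-bash-completions
    pkg-config
    sops
  ];

  programs = {
    gnupg = {
      agent = {
        enable = true;
        pinentryPackage = pkgs.pinentry-curses;
        enableSSHSupport = true;
      };
    };
  };

  # Firewall: this file opens only TCP 22 (SSH). Imported modules may open
  # further ports; check them when auditing exposure.
  networking.firewall = {
    enable = true;
    checkReversePath = "loose";
    allowedTCPPorts = [22];
  };

  # Keep at the release the system was first installed with; it governs
  # stateful defaults and is not changed on upgrade.
  system.stateVersion = "23.11";
}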