{ config, ... }:

{
  system.stateVersion = "24.11";

  # Host identity, Wi-Fi and firewall policy for the Pi.
  networking = {
    hostName = "noisebridge-pi";

    wireless = {
      enable = true;
      # NOTE(review): a `psk` given here is written in plaintext into the
      # world-readable Nix store. Tolerable only because this passphrase is
      # public; for any non-public network, keep it out of the store via
      # networking.wireless.secretsFile and reference it with pskRaw.
      networks."Noisebridge".psk = "noisebridge";
    };

    firewall = {
      # Packets arriving over the tailnet bypass the firewall entirely. Nothing
      # below opens TCP 80, so with the default firewall enabled the noisebell
      # listener should only be reachable from tailnet peers — confirm the
      # noisebell module does not open the port on its own.
      trustedInterfaces = [ "tailscale0" ];
      allowedUDPPorts = [ config.services.tailscale.port ];
    };
  };

  # Secrets are age-encrypted in the repo and decrypted by agenix at runtime.
  age = {
    # Identities able to decrypt the secrets below. NOTE(review): the
    # bootstrap key lives on /boot, which on a Pi is the unencrypted firmware
    # partition, so anyone holding the SD card can decrypt every secret —
    # confirm it is used for first boot only and removed afterwards.
    identityPaths = [
      "/boot/noisebell-bootstrap.agekey"
      "/etc/ssh/ssh_host_ed25519_key"
    ];

    secrets = {
      tailscale-auth-key.file = ../secrets/tailscale-auth-key.age;
      pi-to-cache-key.file = ../secrets/pi-to-cache-key.age;
      cache-to-pi-key.file = ../secrets/cache-to-pi-key.age;
    };
  };

  services = {
    # mDNS name resolution; openFirewall admits mDNS traffic from the LAN.
    avahi = {
      enable = true;
      nssmdns4 = true;
      openFirewall = true;
    };

    # Both API keys are read from agenix-managed paths at runtime, so the key
    # material itself never enters the Nix store.
    noisebell = {
      enable = true;
      port = 80;
      endpointUrl = "https://noisebell.extremist.software/webhook";
      apiKeyFile = config.age.secrets.pi-to-cache-key.path;
      inboundApiKeyFile = config.age.secrets.cache-to-pi-key.path;
    };

    tailscale = {
      enable = true;
      authKeyFile = config.age.secrets.tailscale-auth-key.path;
    };

    # Root logs in with the public key listed under users.users.root below;
    # NixOS's default PermitRootLogin keeps password login for root disabled.
    openssh.enable = true;
  };

  hardware.enableRedistributableFirmware = true;

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Serial and HDMI consoles with verbose logging for diagnosing boot issues.
  # NOTE(review): boot.shell_on_fail hands a root shell to whoever is at the
  # console if stage 1 fails, and the debug log levels are noisy; both are
  # worth dropping once the board boots reliably.
  boot.kernelParams = [
    "console=ttyS0,115200n8"
    "console=ttyAMA0,115200n8"
    "console=tty0"
    "boot.shell_on_fail"
    "loglevel=7"
    "systemd.log_level=debug"
    "systemd.log_target=console"
  ];

  # Creates bcm2837-rpi-zero-2.dtb in each installed dtbs directory from the
  # closest DTB that does exist (Zero 2 W first, then 3 B), never overwriting
  # a file that is already present. Presumably the Pi Zero 2 firmware looks
  # for the un-suffixed name — confirm against the firmware in use.
  system.activationScripts.pi-zero-2-dtb-compat.text = ''
    for dtb_dir in /boot/nixos/*-dtbs/broadcom; do
      if [ -d "$dtb_dir" ]; then
        if [ -f "$dtb_dir/bcm2837-rpi-zero-2-w.dtb" ] && [ ! -e "$dtb_dir/bcm2837-rpi-zero-2.dtb" ]; then
          cp "$dtb_dir/bcm2837-rpi-zero-2-w.dtb" "$dtb_dir/bcm2837-rpi-zero-2.dtb"
        elif [ -f "$dtb_dir/bcm2837-rpi-3-b.dtb" ] && [ ! -e "$dtb_dir/bcm2837-rpi-zero-2.dtb" ]; then
          cp "$dtb_dir/bcm2837-rpi-3-b.dtb" "$dtb_dir/bcm2837-rpi-zero-2.dtb"
        fi
      fi
    done
  '';

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"
  ];
}