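{ lib, pkgs, inputs, outputs, config, modulesPath, ... }:
let
  # Kodi bundled with the add-ons this kiosk uses. One derivation is shared by
  # the cage session and the system package set: the original pointed cage at
  # the bare `pkgs.kodi`, so the add-ons were installed but never launched.
  # NOTE(review): `pkgs.kodi` is the default build; under a Wayland compositor
  # such as cage, `pkgs.kodi-wayland` may be the intended variant — confirm.
  kodiWithAddons = pkgs.kodi.withPackages (kodiPkgs: with kodiPkgs; [
    steam-controller
    invidious # was misspelled "indvidious", which fails evaluation
    netflix
    upnext
    sponsorblock
    sendtokodi
    jellyfin
  ]);
in
{
  imports = [
    # inputs.nixos-hardware.nixosModules.raspberry-pi-4
    (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
    ./hardware-configuration.nix
    # Settings shared by every host
    ../../shared
  ];

  # Let the SD image build succeed even when a module named for the initrd is
  # not present in the chosen kernel.
  nixpkgs.overlays = [
    (final: super: {
      makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
    })
  ];

  # sops-nix: encrypted secrets for this host. The age/GPG key used to decrypt
  # them is not configured in this file; presumably it comes from ../../shared.
  sops.defaultSopsFile = ./secrets/sops.yaml;

  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
  # Only real module names belong in kernelModules. "cma=256M" and
  # "console=tty0" are kernel command-line parameters; listed as modules they
  # were silently discarded by the allowMissing overlay above.
  boot.initrd.kernelModules = [ "vc4" "bcm2835_dma" "i2c_bcm2835" ];
  boot.kernelParams = [ "cma=256M" "console=tty0" ];

  sdImage.compressImage = false;

  home-manager = {
    extraSpecialArgs = { inherit inputs outputs; };
    users = {
      # Home-manager configuration for the interactive user on this host
      lillian = import ../../../home-manager/hosts/wheatley;
    };
  };

  networking.hostName = "wheatley";

  services.openssh = {
    enable = true;
    # Key-only authentication; no password or keyboard-interactive fallback,
    # and root may not log in directly.
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
    settings.PermitRootLogin = "no";
  };

  # Kodi kiosk running under the cage Wayland compositor as a dedicated,
  # unprivileged user.
  users.users.kodi.isNormalUser = true;
  services.cage = {
    enable = true;
    user = "kodi";
    program = "${kodiWithAddons}/bin/kodi-standalone";
  };
  environment.systemPackages = [ kodiWithAddons ];

  # WireGuard private key for the VPN tunnel. wg-quick runs as root, so the
  # file only needs to be readable by its owner.
  sops.secrets."protonvpn-priv-key" = {
    mode = "0400";
    owner = config.users.users.root.name;
  };

  networking.wireguard.enable = true;
  networking.wg-quick.interfaces = {
    # "wg0" is the local interface name; it can be chosen freely.
    wg0 = {
      autostart = true;
      # This host's address inside the tunnel (the client end, not the server's).
      address = [ "10.2.0.2/32" ];
      # Fixed local UDP source port. A client does not need one, and the
      # firewall below does not expose it.
      listenPort = 51820;
      # Resolver reachable only through the tunnel, so DNS does not leak.
      dns = [ "10.2.0.1" ];
      # Read the key from the sops-managed file rather than the inline
      # `privateKey` option, which would land world-readable in the Nix store.
      privateKeyFile = config.sops.secrets."protonvpn-priv-key".path;
      peers = [
        {
          # Public key of the VPN server (a key, not a file path).
          publicKey = "/i7jCNpcqVBUkY07gVlILN4nFdvZHmxvreAOgLGoZGg=";
          # Full tunnel. "::/0" is included so IPv6 traffic is also routed
          # into the tunnel instead of bypassing it.
          allowedIPs = [ "0.0.0.0/0" "::/0" ];
          endpoint = "146.70.86.114:51820";
        }
      ];
    };
  };

  networking.firewall = {
    enable = true;
    allowPing = false;
    # NOTE(review): nothing in this module listens on 80/443 or the STUN/TURN
    # ports. If the service that uses them is not configured in ../../shared,
    # these entries should be removed to keep the exposed surface minimal.
    allowedTCPPorts = [
      22 # SSH (openssh also opens this by default)
      5349 # STUN over TLS
      5350 # STUN over TLS (alternate)
      80 # HTTP
      443 # HTTPS
    ];
    allowedUDPPortRanges = [
      { from = 49152; to = 49999; } # TURN relay range
    ];
  };

  system.stateVersion = "25.05";
  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}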