machine_setup/nix/yubipi/configuration.nix

{
  config,
  lib,
  pkgs,
  modulesPath,
  ...
}:

{
  imports = [
    "${modulesPath}/installer/sd-card/sd-image.nix"
    ./roles/image_based_appliance
    ./roles/optimized_build
    ./roles/raspberry_pi_sd_image
    ./roles/reset
    # ./util/install_files
    ./util/unfree_polyfill
  ];

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  nix.settings.trusted-users = [ "@wheel" ];

  hardware.enableRedistributableFirmware = true;

  # Keep outputs so we can build offline.
  nix.extraOptions = ''
    keep-outputs = true
    keep-derivations = true
    substitute = false
  '';

  # Technically only needed when building the ISO because nix detects ZFS in the filesystem list normally. I basically always want this so I'm just setting it to always be on.
  boot.supportedFilesystems.zfs = true;
  # TODO: Is this different from boot.supportedFilesystems = [ "zfs" ]; ?

  services.getty = {
    autologinUser = "talexander";
    autologinOnce = true;
  };
  users.mutableUsers = false;
  users.users.talexander = {
    isNormalUser = true;
    createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
    group = "talexander";
    extraGroups = [ "wheel" ];
    uid = 11235;
    packages = with pkgs; [
      tree
    ];
    # Generate with `mkpasswd -m scrypt`
    hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0+4zi26M3eYWnIrciR54kOlGxzfgCXG+o4ea1zpzrk openpgp:0x7FF123C8"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
    ];
  };
  users.groups.talexander.gid = 11235;

  # Automatic garbage collection
  nix.gc = lib.mkIf (!config.me.image_based_appliance.enable) {
    # Runs nix-collect-garbage --delete-older-than 5d
    automatic = true;
    persistent = true;
    dates = "monthly";
    # randomizedDelaySec = "14m";
    options = "--delete-older-than 30d";
  };
  nix.settings.auto-optimise-store = true;
  nix.settings.substituters = lib.mkForce [ ];

  # Use doas instead of sudo
  security.doas.enable = true;
  security.doas.wheelNeedsPassword = false;
  security.sudo.enable = false;
  security.doas.extraRules = [
    {
      # Retain environment (for example NIX_PATH)
      keepEnv = true;
      persist = true; # Only ask for a password the first time.
    }
  ];

  environment.systemPackages = with pkgs; [
    # wget
    # mg
    # rsync
    # libinput
    # htop
    # tmux
    # file
    # usbutils # for lsusb
    # pciutils # for lspci
    # ripgrep
    # strace
    # # ltrace # Disabled because it uses more than 48GB of /tmp space during test phase.
    # trace-cmd # ftrace
    # tcpdump
    # git-crypt
    # gnumake
    # ncdu
    # nix-tree
    # libarchive # bsdtar
    # lsof
    # doas-sudo-shim # To support --sudo for remote builds
    # dmidecode # Read SMBIOS information.
    # ipcalc
    # gptfdisk # for cgdisk
    # nix-output-monitor # For better view into nixos-rebuild
    # nix-serve-ng # Serve nix store over http
  ];

  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
    hostKeys = [
      {
        path = "/persist/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
      {
        path = "/persist/ssh/ssh_host_rsa_key";
        type = "rsa";
        bits = 4096;
      }
    ];
  };

  boot.initrd.kernelModules = [
    # "vc4"
    # "bcm2835_dma"
    # "i2c_bcm2835"
  ];
  # Compressing through emulation is slow and we're just going to decompress the image anyway.
  sdImage.compressImage = false;

  # Write a list of the currently installed packages to /etc/current-system-packages
  environment.etc."current-system-packages".text =
    let
      packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
      sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
      formatted = builtins.concatStringsSep "\n" sortedUnique;
    in
    formatted;

  nixpkgs.overlays = [
    (final: prev: {
      efivar = throw "foo";
    })
  ];

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "25.11"; # Did you read the comment?

}