disassembler/gist:9935250ccff5b59dd5aef09c6a0ea2a9 Secret

## gistfile1.txt
{ lib, pkgs, config, ...}: {

  imports = [];
  sdImage.firmwareSize = 1024;

  boot.loader.raspberryPi = {
    enable = true;
    version = 4;
    uboot.enable = false;
  };
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  # Mainline doesn't work yet
  boot.kernelPackages = pkgs.linuxPackages_rpi4;

  # ttyAMA0 is the serial console broken out to the GPIO
  boot.kernelParams = [
    "8250.nr_uarts=1" # may be required only when using u-boot
    "console=ttyAMA0,115200"
    "console=tty1"
  ];
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-label/FIRMWARE";
      fsType = "vfat";
    };
  };
  hardware.opengl = {
    enable = true;
    setLdLibraryPath = true;
    package = pkgs.mesa_drivers;
  };
  hardware.deviceTree = {
    kernelPackage = pkgs.linux_rpi4;
    #overlays = [ "${pkgs.device-tree_rpi.overlays}/vc4-fkms-v3d.dtbo" ];
  };
  #services.xserver = {
  #  enable = true;
  #  displayManager.lightdm.enable = true;
  #  desktopManager.gnome3.enable = true;
  #  videoDrivers = [ "modesetting" ];
  #};
  boot.loader.raspberryPi.firmwareConfig = ''
    gpu_mem=192
  '';
  hardware.bluetooth.enable = true;
  hardware.enableRedistributableFirmware = true;
  sound.enable = true;
  hardware.pulseaudio.enable = true;
  services.dbus.enable = true;

  # theming
  gtk.iconCache.enable = true;
  environment.systemPackages = [
  pkgs.vim pkgs.gnome3.adwaita-icon-theme pkgs.hicolor-icon-theme pkgs.sway

    (pkgs.git.override {
      withManual = false;
      pythonSupport = false;
      withpcre2 = false;
      perlSupport = false;
    })
  ];

  # input
  services.udev.packages = [ pkgs.libinput.out ];

  services.openssh = {
    enable = true;
    permitRootLogin = lib.mkForce "without-password";
  };

  users.users.root = {
    openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEPOLnk4+mWNGOXd309PPxal8wgMzKXHnn7Jbu/SpSUYEc1EmjgnrVBcR0eDxgDmGD9zJ69wEH/zLQLPWjaTusiuF+bqAM/x7z7wwy1nZ48SYJw3Q+Xsgzeb0nvmNsPzb0mfnpI6av8MTHNt+xOqDnpC5B82h/voQ4m5DGMQz60ok2hMeh+sy4VIvX5zOVTOFPQqFR6BGDwtALiP5PwMfyScYXlebWHhDRdX9B0j9t+cqiy5utBUsl4cIUInE0KW7Z8Kf6gIsmQnfSZadqI857kdozU3IbaLoJc1C6LyVjzPFyC4+KUC11BmemTGdCjwcoqEZ0k5XtJaKFXacYYXi1l5MS7VdfHldFDZmMEMvfJG/PwvXN4prfOIjpy1521MJHGBNXRktvWhlNBgI1NUQlx7rGmPZmtrYdeclVnnY9Y4HIpkhm0iEt/XUZTMQpXhedd1BozpMp0h135an4uorIEUQnotkaGDwZIV3mSL8x4n6V02Qe2CYvqf4DcCSBv7D91N3JplJJKt7vV4ltwrseDPxDtCxXrQfSIQd0VGmwu1D9FzzDOuk/MGCiCMFCKIKngxZLzajjgfc9+rGLZ94iDz90jfk6GF4hgF78oFNfPEwoGl0soyZM7960QdBcHgB5QF9+9Yd6QhCb/6+ENM9sz6VLdAY7f/9hj/3Aq0Lm4Q== cardno:000610540514" ];
  };
  users.users.kiosk = {
    isNormalUser = true;
    useDefaultShell = true;
    openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEPOLnk4+mWNGOXd309PPxal8wgMzKXHnn7Jbu/SpSUYEc1EmjgnrVBcR0eDxgDmGD9zJ69wEH/zLQLPWjaTusiuF+bqAM/x7z7wwy1nZ48SYJw3Q+Xsgzeb0nvmNsPzb0mfnpI6av8MTHNt+xOqDnpC5B82h/voQ4m5DGMQz60ok2hMeh+sy4VIvX5zOVTOFPQqFR6BGDwtALiP5PwMfyScYXlebWHhDRdX9B0j9t+cqiy5utBUsl4cIUInE0KW7Z8Kf6gIsmQnfSZadqI857kdozU3IbaLoJc1C6LyVjzPFyC4+KUC11BmemTGdCjwcoqEZ0k5XtJaKFXacYYXi1l5MS7VdfHldFDZmMEMvfJG/PwvXN4prfOIjpy1521MJHGBNXRktvWhlNBgI1NUQlx7rGmPZmtrYdeclVnnY9Y4HIpkhm0iEt/XUZTMQpXhedd1BozpMp0h135an4uorIEUQnotkaGDwZIV3mSL8x4n6V02Qe2CYvqf4DcCSBv7D91N3JplJJKt7vV4ltwrseDPxDtCxXrQfSIQd0VGmwu1D9FzzDOuk/MGCiCMFCKIKngxZLzajjgfc9+rGLZ94iDz90jfk6GF4hgF78oFNfPEwoGl0soyZM7960QdBcHgB5QF9+9Yd6QhCb/6+ENM9sz6VLdAY7f/9hj/3Aq0Lm4Q== cardno:000610540514" ];
  };

  #systemd.services."cage@" = {
  #  serviceConfig.Restart = "always";
  #  environment = {
  #    WLR_LIBINPUT_NO_DEVICES = "1";
  #    NO_AT_BRIDGE = "1";
  #  } // lib.optionalAttrs (config.environment.variables ? GDK_PIXBUF_MODULE_FILE) {
  #    GDK_PIXBUF_MODULE_FILE = config.environment.variables.GDK_PIXBUF_MODULE_FILE;
  #  };
  #};

  documentation.enable = false;
  powerManagement.enable = false;
  programs.command-not-found.enable = false;

  services.cage = {
    enable = false;
    user = "kiosk";
    program = "${pkgs.epiphany}/bin/epiphany";
  };

  services.avahi = {
    enable = true;
    nssmdns = true;
    publish = {
      enable = true;
      userServices = true;
      addresses = true;
      hinfo = true;
      workstation = true;
      domain = true;
    };
  };
  environment.etc."avahi/services/ssh.service" = {
    text = ''
      <?xml version="1.0" standalone='no'?><!--*-nxml-*-->
      <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
      <service-group>
        <name replace-wildcards="yes">%h</name>
        <service>
          <type>_ssh._tcp</type>
          <port>22</port>
        </service>
      </service-group>
    '';
  };


  boot.plymouth.enable = true;

  networking.hostName = "pikiosk";
  networking.dhcpcd.extraConfig = ''
    timeout 0
    noarp
  '';

  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (action.id == "org.freedesktop.login1.power-off" ||
	        action.id == "org.freedesktop.login1.reboot") {
        return polkit.Result.YES;
      }
    });
  '';

}
	{ lib, pkgs, config, ...}: {

	imports = [];
	sdImage.firmwareSize = 1024;

	boot.loader.raspberryPi = {
	enable = true;
	version = 4;
	uboot.enable = false;
	};
	boot.loader.grub.enable = false;
	boot.loader.generic-extlinux-compatible.enable = true;
	# Mainline doesn't work yet
	boot.kernelPackages = pkgs.linuxPackages_rpi4;

	# ttyAMA0 is the serial console broken out to the GPIO
	boot.kernelParams = [
	"8250.nr_uarts=1" # may be required only when using u-boot
	"console=ttyAMA0,115200"
	"console=tty1"
	];
	fileSystems = {
	"/" = {
	device = "/dev/disk/by-label/NIXOS_SD";
	fsType = "ext4";
	};
	"/boot" = {
	device = "/dev/disk/by-label/FIRMWARE";
	fsType = "vfat";
	};
	};
	hardware.opengl = {
	enable = true;
	setLdLibraryPath = true;
	package = pkgs.mesa_drivers;
	};
	hardware.deviceTree = {
	kernelPackage = pkgs.linux_rpi4;
	#overlays = [ "${pkgs.device-tree_rpi.overlays}/vc4-fkms-v3d.dtbo" ];
	};
	#services.xserver = {
	# enable = true;
	# displayManager.lightdm.enable = true;
	# desktopManager.gnome3.enable = true;
	# videoDrivers = [ "modesetting" ];
	#};
	boot.loader.raspberryPi.firmwareConfig = ''
	gpu_mem=192
	'';
	hardware.bluetooth.enable = true;
	hardware.enableRedistributableFirmware = true;
	sound.enable = true;
	hardware.pulseaudio.enable = true;
	services.dbus.enable = true;

	# theming
	gtk.iconCache.enable = true;
	environment.systemPackages = [
	pkgs.vim pkgs.gnome3.adwaita-icon-theme pkgs.hicolor-icon-theme pkgs.sway

	(pkgs.git.override {
	withManual = false;
	pythonSupport = false;
	withpcre2 = false;
	perlSupport = false;
	})
	];

	# input
	services.udev.packages = [ pkgs.libinput.out ];

	services.openssh = {
	enable = true;
	permitRootLogin = lib.mkForce "without-password";
	};

	users.users.root = {
	openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEPOLnk4+mWNGOXd309PPxal8wgMzKXHnn7Jbu/SpSUYEc1EmjgnrVBcR0eDxgDmGD9zJ69wEH/zLQLPWjaTusiuF+bqAM/x7z7wwy1nZ48SYJw3Q+Xsgzeb0nvmNsPzb0mfnpI6av8MTHNt+xOqDnpC5B82h/voQ4m5DGMQz60ok2hMeh+sy4VIvX5zOVTOFPQqFR6BGDwtALiP5PwMfyScYXlebWHhDRdX9B0j9t+cqiy5utBUsl4cIUInE0KW7Z8Kf6gIsmQnfSZadqI857kdozU3IbaLoJc1C6LyVjzPFyC4+KUC11BmemTGdCjwcoqEZ0k5XtJaKFXacYYXi1l5MS7VdfHldFDZmMEMvfJG/PwvXN4prfOIjpy1521MJHGBNXRktvWhlNBgI1NUQlx7rGmPZmtrYdeclVnnY9Y4HIpkhm0iEt/XUZTMQpXhedd1BozpMp0h135an4uorIEUQnotkaGDwZIV3mSL8x4n6V02Qe2CYvqf4DcCSBv7D91N3JplJJKt7vV4ltwrseDPxDtCxXrQfSIQd0VGmwu1D9FzzDOuk/MGCiCMFCKIKngxZLzajjgfc9+rGLZ94iDz90jfk6GF4hgF78oFNfPEwoGl0soyZM7960QdBcHgB5QF9+9Yd6QhCb/6+ENM9sz6VLdAY7f/9hj/3Aq0Lm4Q== cardno:000610540514" ];
	};
	users.users.kiosk = {
	isNormalUser = true;
	useDefaultShell = true;
	openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEPOLnk4+mWNGOXd309PPxal8wgMzKXHnn7Jbu/SpSUYEc1EmjgnrVBcR0eDxgDmGD9zJ69wEH/zLQLPWjaTusiuF+bqAM/x7z7wwy1nZ48SYJw3Q+Xsgzeb0nvmNsPzb0mfnpI6av8MTHNt+xOqDnpC5B82h/voQ4m5DGMQz60ok2hMeh+sy4VIvX5zOVTOFPQqFR6BGDwtALiP5PwMfyScYXlebWHhDRdX9B0j9t+cqiy5utBUsl4cIUInE0KW7Z8Kf6gIsmQnfSZadqI857kdozU3IbaLoJc1C6LyVjzPFyC4+KUC11BmemTGdCjwcoqEZ0k5XtJaKFXacYYXi1l5MS7VdfHldFDZmMEMvfJG/PwvXN4prfOIjpy1521MJHGBNXRktvWhlNBgI1NUQlx7rGmPZmtrYdeclVnnY9Y4HIpkhm0iEt/XUZTMQpXhedd1BozpMp0h135an4uorIEUQnotkaGDwZIV3mSL8x4n6V02Qe2CYvqf4DcCSBv7D91N3JplJJKt7vV4ltwrseDPxDtCxXrQfSIQd0VGmwu1D9FzzDOuk/MGCiCMFCKIKngxZLzajjgfc9+rGLZ94iDz90jfk6GF4hgF78oFNfPEwoGl0soyZM7960QdBcHgB5QF9+9Yd6QhCb/6+ENM9sz6VLdAY7f/9hj/3Aq0Lm4Q== cardno:000610540514" ];
	};

	#systemd.services."cage@" = {
	# serviceConfig.Restart = "always";
	# environment = {
	# WLR_LIBINPUT_NO_DEVICES = "1";
	# NO_AT_BRIDGE = "1";
	# } // lib.optionalAttrs (config.environment.variables ? GDK_PIXBUF_MODULE_FILE) {
	# GDK_PIXBUF_MODULE_FILE = config.environment.variables.GDK_PIXBUF_MODULE_FILE;
	# };
	#};

	documentation.enable = false;
	powerManagement.enable = false;
	programs.command-not-found.enable = false;

	services.cage = {
	enable = false;
	user = "kiosk";
	program = "${pkgs.epiphany}/bin/epiphany";
	};

	services.avahi = {
	enable = true;
	nssmdns = true;
	publish = {
	enable = true;
	userServices = true;
	addresses = true;
	hinfo = true;
	workstation = true;
	domain = true;
	};
	};
	environment.etc."avahi/services/ssh.service" = {
	text = ''
	<?xml version="1.0" standalone='no'?><!---nxml--->
	<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
	<service-group>
	<name replace-wildcards="yes">%h</name>
	<service>
	<type>_ssh._tcp</type>
	<port>22</port>
	</service>
	</service-group>
	'';
	};


	boot.plymouth.enable = true;

	networking.hostName = "pikiosk";
	networking.dhcpcd.extraConfig = ''
	timeout 0
	noarp
	'';

	security.polkit.extraConfig = ''
	polkit.addRule(function(action, subject) {
	if (action.id == "org.freedesktop.login1.power-off" \|\|
	action.id == "org.freedesktop.login1.reboot") {
	return polkit.Result.YES;
	}
	});
	'';

	}