dots/modules/hosts/nixos/kiosk-gene-desk/default.nix

{
  inputs,
  config,
  lib,
  pkgs,
  username,
  ...
}:
{
  imports = [
    # SD card image
    "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
  ];

  system.stateVersion = "24.11";

  boot.supportedFilesystems = lib.mkForce [
    "vfat"
    "ext4"
  ];

  environment.systemPackages = with pkgs; [
    libraspberrypi
    raspberrypi-eeprom
    raspberrypifw
    ubootRaspberryPi4_64bit
    wlr-randr
  ];

  hardware = {
    enableRedistributableFirmware = true;
    graphics.enable = true;
    raspberry-pi."4".fkms-3d.enable = true;
  };

  networking = {
    firewall.enable = false;
    useNetworkd = true;
    wireless = {
      enable = true;
      networks = {
        # Home
        "Diagon Alley".pskRaw = "ext:psk_diagon_alley";
        # Public networks
        "Gallery Row-GuestWiFi" = { };
        "LocalTies Guest".pskRaw = "ext:psk_local_ties";
      };
      secretsFile = "${config.sops.secrets.wifi_creds.path}";
    };
  };

  nixpkgs.overlays = [
    (_final: super: {
      makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
    })
  ];

  sdImage.compressImage = true;

  services = {
    cage =
      let
        kioskProgram = pkgs.writeShellScript "kiosk.sh" ''
          WAYLAND_DISPLAY=wayland-0 wlr-randr --output HDMI-A-1 --transform 90
          /etc/profiles/per-user/gene/bin/chromium-browser
        '';
      in
      {
        enable = true;
        program = kioskProgram;
        user = "gene";
        environment = {
          WLR_LIBINPUT_NO_DEVICES = "1"; # boot up even if no mouse/keyboard connected
        };
      };
    prometheus.exporters.node = {
      enable = true;
      enabledCollectors = [
        "logind"
        "systemd"
        "network_route"
      ];
      disabledCollectors = [
        "textfile"
      ];
    };
  };

  sops = {
    age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      local_git_config = {
        owner = "${username}";
        path = "${config.users.users.${username}.home}/.gitconfig-local";
      };
      local_private_env = {
        owner = "${username}";
        path = "${config.users.users.${username}.home}/.private-env";
      };
      wifi_creds = {
        sopsFile = ../../../shared/secrets.yaml;
        restartUnits = [
          "wpa_supplicant.service"
        ];
      };
    };
  };

  systemd.services.cage-tty1 = {
    wants = [
      "wpa_supplicant.service"
      "network-online.target"
    ];
  };

  users.users.${username} = {
    isNormalUser = true;
    description = "Gene Liverman";
    extraGroups = [
      "networkmanager"
      "wheel"
    ];
    linger = true;
  };

  zramSwap = {
    enable = true;
    algorithm = "zstd";
    memoryPercent = 90;
  };
}