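{ pkgs, lib, homeyConfig, ... }:

# Bootstrap image for the primary Raspberry Pi 4.
#
# Flash this image first. Its only purpose is to boot the Pi so you can:
#   1. Generate the age key: sudo age-keygen -o /var/lib/sops-nix/key.txt
#   2. Print the pubkey:     sudo age-keygen -y /var/lib/sops-nix/key.txt
#   3. Add the pubkey to .sops.yaml, re-encrypt secrets, then deploy pi-main.
#
# Only the public key from step 2 is meant to leave the device; key.txt is the
# private half and stays on the Pi.
#
# No sops, no services, no external HD — just SSH + WiFi.
#
# WiFi PSK: uncomment and fill in before building. Do not commit the password.
#   networks."YourSSID".psk = "your-wifi-password";
# A PSK written here is copied into the world-readable Nix store and into the
# built image, so handle the image file as a secret as well.
{
  networking.hostName = "pi-main";
  time.timeZone = homeyConfig.timezone;
  i18n.defaultLocale = "en_US.UTF-8";
  system.stateVersion = "25.05";

  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    substituters = [
      "https://cache.nixos.org"
      "https://nix-community.cachix.org"
    ];
    # Nix only accepts substituted store paths signed by one of these keys, so
    # every entry is a party trusted to supply binaries that run on this host.
    # NOTE(review): confirm each key against the value published by the cache
    # operator before building.
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      "nix-community.cachix.org-1:mB9FkXj6Q3Q4ohOcbM4FJ9Z1X2kCrVK4vZOqsDqqNqk="
    ];
  };

  nixpkgs.config.allowUnfree = true;

  # linux_rpi4 is pre-built in cache.nixos.org — fetched, not compiled.
  boot.kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;

  networking.wireless = {
    enable = true;
    # networks."Zakobar".psk = "your-wifi-password";
  };

  # Static addressing on wlan0; DHCP is disabled globally and per interface.
  networking.interfaces.wlan0.ipv4.addresses = [{
    address = "192.168.1.100";
    prefixLength = 24;
  }];
  networking.useDHCP = false;
  networking.interfaces.wlan0.useDHCP = false;
  networking.defaultGateway = "192.168.1.1";
  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];

  # SSH is the only inbound port this image opens.
  networking.firewall.allowedTCPPorts = [ 22 ];

  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      # Also turn off the keyboard-interactive (PAM) path, so public-key login
      # is the only way in even if an account later gains a password.
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # Accounts are fully declarative: nothing created or changed at runtime
  # (passwd, useradd) survives a rebuild.
  users.mutableUsers = false;
  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # NOTE(review): the "cardno:" key comment suggests a hardware-token-backed
    # key — confirm this is the intended operator key before flashing.
    openssh.authorizedKeys.keys = [
      "ssh-rsa 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 cardno:24_758_470"
    ];
  };

  # admin has no password declared here, so sudo has to be passwordless for the
  # age-keygen steps above to work. The consequence is that possession of the
  # authorized SSH key equals root on this host; keep that scoped to the
  # bootstrap image.
  security.sudo.wheelNeedsPassword = false;

  environment.systemPackages = [ pkgs.age pkgs.vim ];
}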