# Host module for a headless Raspberry Pi 5 (aarch64) server. Install notes
# are in ./README.md.
#
# The host has two roles, each kept in its own submodule:
#   ./docker.nix         Docker host with a network socket
#   ./reverse-proxy.nix  native nginx
#
# Not defined here but layered on in the flake host table: the raspberry-pi-5
# nixos-hardware profile (kernel, firmware, device tree) and key-only sshd
# (../../modules/ssh.nix).
{ ... }:

{
  imports = [
    ./hardware-configuration.nix
    ./docker.nix
    ./reverse-proxy.nix
  ];

  # No Sway desktop on this host: swaywm.nix is not imported and
  # features.swayDesktop.enable defaults to false (declared in
  # system/modules/features.nix), so login stays plain TTY/SSH.

  boot.loader = {
    # The Pi boots through U-Boot + extlinux rather than GRUB/systemd-boot.
    # Kernel, firmware and device tree come from the raspberry-pi-5
    # nixos-hardware profile.
    grub.enable = false;
    generic-extlinux-compatible.enable = true;
  };

  # Remote administration. This file only turns the daemon on; the key-only
  # policy and the authorized key live in ../../modules/ssh.nix.
  # NOTE(review): nothing in this file restricts authentication, so the
  # hardening holds only while the flake host table keeps ssh.nix attached to
  # this host. Check the evaluated sshd settings after editing that table.
  services.openssh.enable = true;

  networking = {
    # Must equal the flake's nixosConfigurations attribute name: `nh os switch`
    # selects the configuration by the local hostname, so a match means no
    # explicit -H flag is needed.
    hostName = "lyrathorpe-rpi5";

    firewall = {
      # Inbound is default-deny.
      enable = true;

      # Only SSH is opened from this file. The submodules open their own
      # ports (Docker via a source-restricted nftables rule, nginx via
      # 80/443); the option is list-valued, so definitions merge.
      # NOTE(review): services.openssh.openFirewall defaults to true upstream,
      # so sshd presumably opens 22 on its own as well; the explicit entry
      # keeps the intent visible here. Confirm against the pinned nixpkgs.
      # NOTE(review): access to the Docker API socket is equivalent to root on
      # the host, so the source restriction in ./docker.nix is the main
      # control for that listener and should be reviewed with this list.
      # Ports published by containers are usually governed by Docker's own
      # packet-filter rules rather than by allowedTCPPorts; confirm how
      # ./docker.nix handles that.
      allowedTCPPorts = [ 22 ];
    };
  };

  # Read `man configuration.nix` / the stateVersion docs before changing.
  system.stateVersion = "26.05";
}