infra/hosts/uconsole-cm5/configuration.nix

{ config, lib, pkgs, keys, ... }:

{
  # Basic Host Info
  networking.hostName = "uConsole";
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";
  system.stateVersion = "25.11";

  # ============================================================
  # SSH Access — ta clé + clé de déploiement
  # ============================================================
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = lib.mkForce "prohibit-password";
    settings.PasswordAuthentication = lib.mkForce false;
  };

  users.users.root = {
    openssh.authorizedKeys.keys = [
      keys.users.gortium.main
      keys.users.ai-worker.main
    ];
  };

  # ============================================================
  # Networking — WiFi via NetworkManager
  # ============================================================
  networking.networkmanager.enable = true;

  # ============================================================
  # WiFi credentials from agenix (SSID + password encrypted)
  # Reused across hosts — all connect to the same home WiFi
  # ============================================================
  age.secrets.home_wifi = {
    file = ../../secrets/home_wifi.age;
    owner = "root";
    group = "root";
    mode = "0400";
  };

  # Write WiFi connection at activation (reads decrypted age secret)
  systemd.services.ensure-wifi = {
    description = "Configure WiFi from age secret";
    after = [ "network.target" "age-home_wifi.service" ];
    wants = [ "age-home_wifi.service" ];
    before = [ "NetworkManager-wait-online.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = let
        wifi-setup = pkgs.writeShellScript "wifi-setup" ''
          SSID="$(head -1 /run/secrets/home_wifi)"
          PASS="$(tail -1 /run/secrets/home_wifi)"
          if ! nmcli -t connection show "$SSID" >/dev/null 2>&1; then
            nmcli device wifi connect "$SSID" password "$PASS"
          fi
        '';
      in "${wifi-setup}";
    };
  };

  # ============================================================
  # Kernel parameters from nixos-uconsole CM5 module
  # ============================================================
  boot.kernelParams = [
    "8250.nr_uarts=1"
    "console=tty1"
  ];

  # ============================================================
  # Console font for 5" 720x1280 display
  # ============================================================
  console = {
    earlySetup = true;
    font = "ter-v24n";
    packages = with pkgs; [ terminus_font ];
  };

  # ============================================================
  # Display — vc4/panel_cwu50 loaded AFTER RP1 PCIe init
  # Rien dans initrd — tout RP1 est derrière PCIe
  # ============================================================
  hardware.graphics.enable = true;

  boot.kernelModules = [
    "panel_cwu50"     # uConsole DSI panel driver
    "vc4"             # VideoCore 4 KMS GPU driver
    "rp1_dsi"         # RP1 DSI bridge driver
  ];

  boot.initrd.kernelModules = lib.mkForce [ ];

  # ============================================================
  # CM5 Config.txt — override complet (clear les defaults de nixos-uconsole)
  # ============================================================
  hardware.raspberry-pi.config = { };

  hardware.raspberry-pi.extra-config = ''
    [all]
    arm_64bit=1
    enable_uart=1
    disable_audio_dither=1
    ignore_lcd=0
    dtdebug=1
    gpio=10=ip,np
    gpio=11=op,dh
    dtoverlay=audremap
    dtparam=ant2=on
    dtparam=audio=on
    dtparam=pin_12_13=on

    [pi5]
    dtoverlay=clockworkpi-uconsole-cm5
    dtoverlay=vc4-kms-v3d-pi5,cma-384
    dtparam=pciex1=off
    dtparam=nohdmi1=off
  '';

  # ============================================================
  # CM5 Display Backlight Fix
  # ============================================================
  systemd.services.cm5-backlight-fix = {
    description = "CM5 Display Backlight Fix";
    after = [ "multi-user.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = let
        fixScript = pkgs.writeShellScript "backlight-fix" ''
          for bl in /sys/class/backlight/*/brightness; do
            if [ -f "$bl" ]; then
              max=$(cat "$(dirname "$bl")/max_brightness" 2>/dev/null || echo 100)
              echo "$max" > "$bl" 2>/dev/null || true
            fi
          done
        '';
      in "${fixScript}";
    };
  };

  # ============================================================
  # Minimal packages
  # ============================================================
  environment.systemPackages = with pkgs; [
    git
    vim
    htop
    libgpiod      # GPIO control
  ];
}
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`{ config, lib, pkgs, keys, ... }:`

			`{`
			`# Basic Host Info`
			`networking.hostName = "uConsole";`
			`time.timeZone = "America/Montreal";`
			`i18n.defaultLocale = "en_CA.UTF-8";`
			`system.stateVersion = "25.11";`

			`# ============================================================`
			`# SSH Access — ta clé + clé de déploiement`
			`# ============================================================`
			`services.openssh = {`
			`enable = true;`
fix(uconsole): resolve conflicting SSH options + properly override nixos-uconsole's nixos-raspberrypi input - mkForce on PermitRootLogin and PasswordAuthentication - nixos-uconsole.inputs.nixos-raspberrypi follows our fork 2026-06-12 16:43:33 -04:00			`settings.PermitRootLogin = lib.mkForce "prohibit-password";`
			`settings.PasswordAuthentication = lib.mkForce false;`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`};`

			`users.users.root = {`
			`openssh.authorizedKeys.keys = [`
			`keys.users.gortium.main`
			`keys.users.ai-worker.main`
			`];`
			`};`

			`# ============================================================`
			`# Networking — WiFi via NetworkManager`
			`# ============================================================`
			`networking.networkmanager.enable = true;`

feat(uconsole): add agenix secret for WiFi credentials - age.secrets.uconsole-wifi (SSID+password in encrypted file) - systemd service ensure-wifi reads decrypted secret and configures NM - agenix.nixosModules.default imported for uconsole-cm5 - uconsole-wifi.age declared in secrets/secrets.nix 2026-06-12 16:15:30 -04:00			`# ============================================================`
			`# WiFi credentials from agenix (SSID + password encrypted)`
fix(uconsole): rename secret to home_wifi (shared across hosts, not uconsole-specific) 2026-06-12 16:17:24 -04:00			`# Reused across hosts — all connect to the same home WiFi`
feat(uconsole): add agenix secret for WiFi credentials - age.secrets.uconsole-wifi (SSID+password in encrypted file) - systemd service ensure-wifi reads decrypted secret and configures NM - agenix.nixosModules.default imported for uconsole-cm5 - uconsole-wifi.age declared in secrets/secrets.nix 2026-06-12 16:15:30 -04:00			`# ============================================================`
fix(uconsole): rename secret to home_wifi (shared across hosts, not uconsole-specific) 2026-06-12 16:17:24 -04:00			`age.secrets.home_wifi = {`
			`file = ../../secrets/home_wifi.age;`
feat(uconsole): add agenix secret for WiFi credentials - age.secrets.uconsole-wifi (SSID+password in encrypted file) - systemd service ensure-wifi reads decrypted secret and configures NM - agenix.nixosModules.default imported for uconsole-cm5 - uconsole-wifi.age declared in secrets/secrets.nix 2026-06-12 16:15:30 -04:00			`owner = "root";`
			`group = "root";`
			`mode = "0400";`
			`};`

			`# Write WiFi connection at activation (reads decrypted age secret)`
			`systemd.services.ensure-wifi = {`
			`description = "Configure WiFi from age secret";`
fix(uconsole): rename secret to home_wifi (shared across hosts, not uconsole-specific) 2026-06-12 16:17:24 -04:00			`after = [ "network.target" "age-home_wifi.service" ];`
			`wants = [ "age-home_wifi.service" ];`
feat(uconsole): add agenix secret for WiFi credentials - age.secrets.uconsole-wifi (SSID+password in encrypted file) - systemd service ensure-wifi reads decrypted secret and configures NM - agenix.nixosModules.default imported for uconsole-cm5 - uconsole-wifi.age declared in secrets/secrets.nix 2026-06-12 16:15:30 -04:00			`before = [ "NetworkManager-wait-online.service" ];`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = true;`
			`ExecStart = let`
			`wifi-setup = pkgs.writeShellScript "wifi-setup" ''`
fix(uconsole): rename secret to home_wifi (shared across hosts, not uconsole-specific) 2026-06-12 16:17:24 -04:00			`SSID="$(head -1 /run/secrets/home_wifi)"`
			`PASS="$(tail -1 /run/secrets/home_wifi)"`
feat(uconsole): add agenix secret for WiFi credentials - age.secrets.uconsole-wifi (SSID+password in encrypted file) - systemd service ensure-wifi reads decrypted secret and configures NM - agenix.nixosModules.default imported for uconsole-cm5 - uconsole-wifi.age declared in secrets/secrets.nix 2026-06-12 16:15:30 -04:00			`if ! nmcli -t connection show "$SSID" >/dev/null 2>&1; then`
			`nmcli device wifi connect "$SSID" password "$PASS"`
			`fi`
			`'';`
			`in "${wifi-setup}";`
			`};`
			`};`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00
			`# ============================================================`
			`# Kernel parameters from nixos-uconsole CM5 module`
			`# ============================================================`
			`boot.kernelParams = [`
			`"8250.nr_uarts=1"`
			`"console=tty1"`
			`];`

			`# ============================================================`
			`# Console font for 5" 720x1280 display`
			`# ============================================================`
			`console = {`
			`earlySetup = true;`
			`font = "ter-v24n";`
			`packages = with pkgs; [ terminus_font ];`
			`};`

			`# ============================================================`
			`# Display — vc4/panel_cwu50 loaded AFTER RP1 PCIe init`
			`# Rien dans initrd — tout RP1 est derrière PCIe`
			`# ============================================================`
			`hardware.graphics.enable = true;`

			`boot.kernelModules = [`
			`"panel_cwu50" # uConsole DSI panel driver`
			`"vc4" # VideoCore 4 KMS GPU driver`
			`"rp1_dsi" # RP1 DSI bridge driver`
			`];`

			`boot.initrd.kernelModules = lib.mkForce [ ];`

			`# ============================================================`
fix(uconsole): clean config.txt — clear conflicting defaults, single [pi5] section 2026-06-12 20:16:50 -04:00			`# CM5 Config.txt — override complet (clear les defaults de nixos-uconsole)`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`# ============================================================`
fix(uconsole): clean config.txt — clear conflicting defaults, single [pi5] section 2026-06-12 20:16:50 -04:00			`hardware.raspberry-pi.config = { };`

feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`hardware.raspberry-pi.extra-config = ''`
			`[all]`
fix(uconsole): clean config.txt — clear conflicting defaults, single [pi5] section 2026-06-12 20:16:50 -04:00			`arm_64bit=1`
			`enable_uart=1`
			`disable_audio_dither=1`
fix(uconsole): set ignore_lcd=0 + disable conflicting dt-overlays 2026-06-12 20:19:21 -04:00			`ignore_lcd=0`
fix(uconsole): clean config.txt — clear conflicting defaults, single [pi5] section 2026-06-12 20:16:50 -04:00			`dtdebug=1`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`gpio=10=ip,np`
			`gpio=11=op,dh`
fix(uconsole): clean config.txt — clear conflicting defaults, single [pi5] section 2026-06-12 20:16:50 -04:00			`dtoverlay=audremap`
			`dtparam=ant2=on`
			`dtparam=audio=on`
			`dtparam=pin_12_13=on`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00
			`[pi5]`
			`dtoverlay=clockworkpi-uconsole-cm5`
			`dtoverlay=vc4-kms-v3d-pi5,cma-384`
fix(uconsole): clean config.txt — clear conflicting defaults, single [pi5] section 2026-06-12 20:16:50 -04:00			`dtparam=pciex1=off`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`dtparam=nohdmi1=off`
			`'';`

			`# ============================================================`
			`# CM5 Display Backlight Fix`
			`# ============================================================`
			`systemd.services.cm5-backlight-fix = {`
			`description = "CM5 Display Backlight Fix";`
			`after = [ "multi-user.target" ];`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`ExecStart = let`
			`fixScript = pkgs.writeShellScript "backlight-fix" ''`
			`for bl in /sys/class/backlight/*/brightness; do`
			`if [ -f "$bl" ]; then`
			`max=$(cat "$(dirname "$bl")/max_brightness" 2>/dev/null \|\| echo 100)`
			`echo "$max" > "$bl" 2>/dev/null \|\| true`
			`fi`
			`done`
			`'';`
			`in "${fixScript}";`
			`};`
			`};`

			`# ============================================================`
			`# Minimal packages`
			`# ============================================================`
			`environment.systemPackages = with pkgs; [`
			`git`
			`vim`
			`htop`
			`libgpiod # GPIO control`
			`];`
			`}`