Added pi4 configuration

flake.lock

@@ -169,6 +169,22 @@
         "type": "github"
       }
     },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1693588489,
+        "narHash": "sha256-hUGiONyurfBxmTtRUttdlkdq+ml16L1MiKKAS1047OE=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "fe0ea731b84b10143fc68cd557368ac70f0fb65c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1692734709,
@@ -192,6 +208,7 @@
         "flake-utils-plus": "flake-utils-plus",
         "home-manager": "home-manager",
         "nixos-generators": "nixos-generators",
+        "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "snowfall-lib": "snowfall-lib"
       }

flake.nix

@@ -25,6 +25,8 @@
     agenix.inputs.nixpkgs.follows = "nixpkgs";
     agenix.inputs.home-manager.follows = "home-manager";
     agenix.inputs.darwin.follows = "";
+
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
   };
 
   outputs = inputs: let
@@ -39,20 +41,48 @@
       channels-config.allowUnfree = true;
 
       systems.modules = with inputs; [
-        home-manager.nixosModules.home-manager
         agenix.nixosModules.default
+        home-manager.nixosModules.home-manager
       ];
 
-      deploy.nodes.node = {
-        hostname = "node";
-        profiles.system = {
-          user = "root";
-          sshUser = "alejandro";
-          path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
-          sshOpts = ["-A"];
+      deploy.nodes = {
+        node = {
+          hostname = "node";
+          profiles.system = {
+            user = "root";
+            sshUser = "alejandro";
+            path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
+            sshOpts = ["-A"];
+          };
+        };
+
+        pi4 = let
+          system = "aarch64-linux";
+          pkgs = import inputs.nixpkgs {inherit system;};
+          deployPkgs = import inputs.nixpkgs {
+            inherit system;
+            overlays = [
+              inputs.deploy-rs.overlay
+              (self: super: {
+                deploy-rs = {
+                  inherit (pkgs) deploy-rs;
+                  lib = inputs.deploy-rs.lib;
+                };
+              })
+            ];
+          };
+        in {
+          hostname = "pi4";
+          profiles.system = {
+            user = "root";
+            sshUser = "alejandro";
+            path = deployPkgs.deploy-rs.lib.aarch64-linux.activate.nixos inputs.self.nixosConfigurations.pi4;
+          };
         };
       };
 
-      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
+      # TODO: Re-enable this when I figure out how to prevent needing to build
+      # dependencies for architectures other than the host machine
+      # checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
     };
 }

modules/services/octoprint/default.nix

@@ -0,0 +1,44 @@
+{
+  options,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.aa.services.octoprint;
+in {
+  options.aa.services.octoprint = with types; {
+    enable = mkEnableOption "octoprint";
+    acmeCertName = mkOption {
+      type = str;
+      default = "";
+      description = ''
+        If set to a non-empty string, foces SSL with the supplied acme
+        certificate.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.octoprint.enable = true;
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      virtualHosts."octoprint.kilonull.com" =
+        {
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${toString config.services.octoprint.port}";
+            proxyWebsockets = true;
+          };
+        }
+        // lib.optionalAttrs (cfg.acmeCertName != "") {
+          forceSSL = true;
+          useACMEHost = cfg.acmeCertName;
+        };
+    };
+
+    networking.firewall.allowedTCPPorts = [80 443];
+  };
+}

secrets/cf_dns_kilonull.age

@@ -1,12 +1,14 @@
 age-encryption.org/v1
--> ssh-ed25519 Yk7ehg yd4HdQ3M4nNxxkQJxbBTpxm4Q91Geu9NPTpc89GDX2k
-VDK0jJvCRmDzjXkCTt7FTRQflccY+5Sw6m5j+i8y5qE
--> ssh-ed25519 SYNSNQ 6bUFdt0+KzWLIhk8HC2YSlvRGUHx9lbfsLuId3eI8mE
-/J8MhNcNbwGt3GNFWRqBoEuRA2diuVUEIwCNjWduV58
--> piv-p256 UIEGzg AmQTLuIgW3b1xwBR72vx1HKOWSrlBo2u2Cp/ERAUuC3E
-yRIBeItdJuAgp2f8/j4ZZAzvGSQnoDL1u3bneHKxdt8
--> g@-grease ekU. 7n9S
-TQDOfhGOoWQ0CRITXdz3pSreU3MTaB/SXBupQ2KCw8M3CN3q33DpL+29asuKQuK4
-6StATcU7fMQ+NU/tCXt1qWz/qw4cfo2+gLk
---- QFnlzub83Ji3lIK+B/U8nztj9t4DLBX00BBVKkJJ/gs
-¬S&°MÑ{@â¤@'H|Aà7ZìIrþ‰{>K¨WS'ªØ™¶µäŠŠâ"ŒoÖÙ¥(77-z!âùA¸<41>;Ø‹yr´7Ä*æ±oÄÉ‘<>ƒk$…\ÙpØå^©¾XL,­ÃOÌâÏIXÆ´<±×)È‘åÝÓ> úyeÂSüÁ¡4”fŽ}8vE+YYù<59>Q|iŒbéìã'ú%âN‡~
+-> ssh-ed25519 Yk7ehg NwKwWQiMTehA+gluPXpVyL4zyhGRheQ1hCyyjPyWNlM
+ZTD2ssehxzayPhnW+OVqXzr/fqQ7Hdm711RgZT5R4Pw
+-> ssh-ed25519 SYNSNQ oEc4p7cz7u+gEYIJVW7hl+VXwXzPSpRXCL33Ij2ZIkc
+avgbK9ss20KmL1XB9Sg45bwv6BItDcMJj8/e2fXxZOE
+-> ssh-ed25519 t5XIGA huqEOk8X1Z4g4pcjAc6griyt3x+hU5NWMfCUL8WoUkI
+yqJxaxWF04PzcmyFN8hq+u9DaQmbI4W3PSDC2+Rxr5I
+-> piv-p256 UIEGzg AzYN661WI0nUCA4MHnSqOT0A23jbBl9Dnv5CmmJkvuSk
+BXxeYW5RdiYNwtMG+PHF5b7x2Pu129SNOeqItwfcWTs
+-> X{\S-grease <0c[|Bb
+tXXujcfm/3s/TMaX5tM9TamHAEHSUCArwJCDEJ2SFKcL8FSV1N3srp4wNogtF7pO
+PjLeXFHo
+--- 1VR3EGzzVvK+pbDlvomJ6cJ9wOrP2LoPsUqmh0c6bVE
+°¸>¦/<2F>Éÿ,+ðì®bÇLþjgŽfÏ<9m¿K‰ÙõT¢‚±N3òà¦wÄ͹1¸(¿&É´D¦Á	7ø2 #­.^"KWì$BªKUknDX¨î­kÂÝ7GRÚ¡d§Ìèœ^9`Ðã©Ñ”yóM-µˆçKvõO#çÑ#¤þ8_—<Êù©âu:;Ø\•
A0â¬X5ø³)²Þ

secrets/secrets.nix

@@ -2,9 +2,12 @@ let
   # Remember to pass '--identity identities/me.txt` when using this key
   users.me = "age1yubikey1qdwgvfqrcqmyw56ux7azuvqr6f8nanszu27nztvxmn4utmplgxctzt90g25";
 
-  machines.gospel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDzjXVoQEfO9JIcFbp56EvQ0oBdr9Cmhxp4z0ih+ZEZ";
-  machines.node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv";
+  machines = {
+    gospel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDzjXVoQEfO9JIcFbp56EvQ0oBdr9Cmhxp4z0ih+ZEZ";
+    node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv";
+    pi4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9fnNXzEmDdmtR+KWj/M9vQioFR0s/4jMnIkUFcj8As";
+  };
 in {
-  "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel];
+  "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4];
   "nextcloud_admin.age".publicKeys = [users.me machines.node];
 }

systems/aarch64-linux/pi4/default.nix

@@ -0,0 +1,85 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  nixpkgs,
+  modulesPath,
+  ...
+}: {
+  imports = with inputs; [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
+    nixos-hardware.nixosModules.raspberry-pi-4
+  ];
+
+  # Workaround for issue 109280
+  # See here: https://github.com/NixOS/nixpkgs/issues/109280#issuecomment-973636212
+  nixpkgs.overlays = [
+    (final: super: {
+      makeModulesClosure = x:
+        super.makeModulesClosure (x // {allowMissing = true;});
+    })
+  ];
+
+  age.secrets.cf_dns_kilonull.file = ../../../secrets/cf_dns_kilonull.age;
+
+  aa = {
+    nix.enable = true;
+    nix.useSelfhostedCache = true;
+
+    apps.btop.enable = true;
+    apps.tmux.enable = true;
+
+    services.tailscale = {
+      enable = true;
+      configureClientRouting = true;
+      configureServerRouting = true;
+    };
+    services.openssh.enable = true;
+    services.octoprint = {
+      enable = true;
+      acmeCertName = "kilonull.com";
+    };
+
+    security.acme = {
+      enable = true;
+      domainName = "kilonull.com";
+      dnsCredentialsFile = config.age.secrets.cf_dns_kilonull.path;
+    };
+
+    suites.utils.enable = true;
+    tools.zsh.enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi
+    raspberrypi-eeprom
+  ];
+
+  networking = {
+    hostName = "pi4";
+    useDHCP = false;
+    defaultGateway = "192.168.113.1";
+    nameservers = ["192.168.113.13" "1.1.1.1"];
+    interfaces.end0.ipv4.addresses = [
+      {
+        address = "192.168.113.42";
+        prefixLength = 24;
+      }
+    ];
+  };
+
+  security.sudo = {
+    wheelNeedsPassword = false;
+    execWheelOnly = true;
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

systems/x86_64-linux/gospel/default.nix

@@ -73,7 +73,7 @@
     };
   };
 
-  boot.binfmt.emulatedSystems = ["aarch64-linux" "armv6l-linux"];
+  # boot.binfmt.emulatedSystems = ["aarch64-linux" "armv6l-linux"];
   networking = {
     hostName = "gospel";
     useDHCP = false;