feat(machines): add hifiberry machine and profile

jakobkukla · jakobkukla · commit 9c01c2bb0d8c · 2025-01-05T17:39:02.000+01:00
diff --git a/flake.nix b/flake.nix
@@ -49,6 +49,16 @@
             ./machines/pc/configuration.nix
           ];
       };
+      hifiberry = inputs.nixpkgs.lib.nixosSystem {
+        inherit specialArgs;
+        system = "aarch64-linux";
+        modules =
+          defaultModules
+          ++ [
+            inputs.nixos-hardware.nixosModules.raspberry-pi-4
+            ./machines/hifiberry/configuration.nix
+          ];
+      };
     };
 
     devShells.x86_64-linux.default = let
diff --git a/machines/hifiberry/README.md b/machines/hifiberry/README.md
@@ -0,0 +1,56 @@
+# hifiberry
+
+## New Installation
+
+### SD Image
+
+Download and decompress latest aarch64 SD image from [hydra](https://hydra.nixos.org/job/nixos/trunk-combined/nixos.sd_image.aarch64-linux/latest):
+
+```bash
+wget https://hydra.nixos.org/build/283233356/download/1/<name>.img.zst
+unzstd -d <name>.img.zst
+sudo dd if=<name>.img of=/dev/sdX bs=4096 conv=fsync status=progress
+```
+
+### SSH Host Keys
+
+Set a password for nixos in tty.
+
+Get public SSH host key, add to agenix and rekey.
+
+```bash
+ssh nixos@<ip-address> -- cat /etc/ssh/ssh_host_ed25519_key.pub
+
+cd secrets
+vim secrets.nix # Add host key
+
+agenix -r
+```
+
+### Deploy configuration
+
+```bash
+nixos-rebuild switch \
+  --flake github:jakobkukla/nixos-config#hifiberry \
+  --target-host root@<ip-address>
+```
+
+### Update Firmware
+
+```bash
+ssh pi@<ip-address>
+
+nix-shell -p raspberrypi-eeprom
+mount /dev/disk/by-label/FIRMWARE /mnt
+BOOTFS=/mnt FIRMWARE_RELEASE_STATUS=stable rpi-eeprom-update -d -a
+```
+
+## Deploy configuration update remotely
+
+The local machine needs a working cross-compilation environment (if applicable).
+
+```bash
+nixos-rebuild switch \
+  --flake github:jakobkukla/nixos-config#hifiberry \
+  --target-host root@<ip-address>
+```
diff --git a/machines/hifiberry/configuration.nix b/machines/hifiberry/configuration.nix
@@ -0,0 +1,41 @@
+{...}: {
+  imports = [
+    ./hardware-configuration.nix
+    ../base.nix
+  ];
+
+  profiles = {
+    core.enable = true;
+    chat.enable = false;
+    desktop.enable = false;
+    laptop.enable = false;
+    media.enable = false;
+    gaming.enable = false;
+    work.enable = false;
+    hifiberry.enable = true;
+  };
+
+  modules = {
+    user = {
+      enable = true;
+      name = "pi";
+      enableXdgUser = false;
+    };
+  };
+
+  # Enable HiFiBerry Dac+ overlay
+  hardware.hifiberry.dacplus.enable = true;
+
+  # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
+  boot.loader.grub.enable = false;
+  # Enables the generation of /boot/extlinux/extlinux.conf
+  boot.loader.generic-extlinux-compatible.enable = true;
+
+  networking.hostName = "nixos-hifiberry";
+
+  networking.networkmanager.enable = true;
+  networking.networkmanager.wifi.backend = "iwd";
+
+  # FIXME: open librespot and shairport-sync ports in firewall instead
+  networking.firewall.enable = false;
+}
diff --git a/machines/hifiberry/hardware-configuration.nix b/machines/hifiberry/hardware-configuration.nix
@@ -0,0 +1,35 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXOS_SD";
+    fsType = "ext4";
+    options = ["noatime"];
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/modules/profiles/default.nix b/modules/profiles/default.nix
@@ -7,5 +7,6 @@
     ./media.nix
     ./gaming.nix
     ./work.nix
+    ./hifiberry.nix
   ];
 }
diff --git a/modules/profiles/hifiberry.nix b/modules/profiles/hifiberry.nix
@@ -0,0 +1,32 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.profiles.hifiberry;
+
+  deviceName = "HiFiBerry";
+  alsaDeviceName = "default:CARD=sndrpihifiberry";
+in {
+  options.profiles.hifiberry = with lib; {
+    enable = mkEnableOption "HiFiBerry profile";
+  };
+
+  config = lib.mkIf cfg.enable {
+    modules.librespot = {
+      enable = true;
+
+      settings = {
+        name = deviceName;
+        device = alsaDeviceName;
+        bitrate = 320;
+        enableVolumeNormalisation = true;
+      };
+    };
+
+    services.shairport-sync = {
+      enable = true;
+      arguments = "-a ${deviceName} --output=alsa -- -d ${alsaDeviceName}";
+    };
+  };
+}
diff --git a/secrets/eduroam.age b/secrets/eduroam.age
diff --git a/secrets/jakob.age b/secrets/jakob.age
diff --git a/secrets/netrc-attic.age b/secrets/netrc-attic.age
diff --git a/secrets/pi.age b/secrets/pi.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 AJb1UQ 42sDcq2BQXsh+N0yhWe5TIJ7Y/9wB+kV91udBdp+diU
+8sfEDqq/YljfYzSBuau9p5IDg3oX2LkY3EDt0ZBj6VA
+-> ssh-ed25519 gTqh/A A5mt2ozt7Ieep9B4xgFTGcM+xnAKxW+5S7bUtOELfVc
+g3BiwvqCC3XLahI9QzTqIn+DpM79jFFkCAJ0DsqKRG0
+-> ssh-ed25519 8jWW0w LNw54w3wz4TqhSp4UG3mHOor1gG338SLSs3QWmhPZko
+SsIOvHBGMZS7s77JYHRydvMXk/xpfbsYC64BWqur2oA
+-> ssh-ed25519 yQ0bLA uOkcD58pOPt8hmVMEwIJvsP3C0UcU3Qcdhyq9wTF6Ds
+16x0sEBvVPOHZQnVN6eFdx5ARu4WPXR4/KCaVgQguI0
+-> ssh-ed25519 LG3qfQ Li0DkYicuiADoMo8Gs1/a4958rWXRH6/Q00+pI5DQlE
+Ky+A2UZS654puZEfGidXZZdz/1qz48NROxIzmMXbJBk
+--- wAVn1awNfQas0igYqzDEPnWn9q8/b24Vw47R4myKFBI
+��	����;gg�������O�GyR�I�ꟾN��n�M,���#�
diff --git a/secrets/root.age b/secrets/root.age
@@ -1,12 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 AJb1UQ GOc3Q378nIWxAe4MchoYE2px6HBujOok/ROGNyvPzD8
-FuSuD1IWI0Mbd60HcNqvB9X/AapgLqOpPqMi6QbDHMc
--> ssh-ed25519 gTqh/A g/IzMofnrpmVrRIuw1x2MNvqybWEuWLPpq0uuoIF43w
-MrICqJKw03xnS7gqaQsAQH4euTIWW1u33uozJPAJVnQ
--> ssh-ed25519 8jWW0w tW2U17vy7WJuijDEjKsos7sM+CiP6HcubMgHS/o6PFI
-dTx4yleVGPCFbhb86E02tv5a6NDTUPjMIK3+Bq0rJ0Q
--> ssh-ed25519 yQ0bLA uS86afmbEfJ/6rfFFk4PP09RO06ACbmn5859F4XAW1s
-J1mtccBh3RSCsBE0xuVxfUSinrHJ4p/g/IFJEilMwyw
---- 7fYc/Py81nhqwpgQ9FVMYu8rhBPmdFJ+1UtB6zILDmo
-��À�Rp�lGƻ�aj�V�i-E��		�a܁4�Q�O3����d�A�gT��l?�R�UZ�
-M����Tpf5lO85h��H{d��$Tdlq�.��@=��6T��
+-> ssh-ed25519 AJb1UQ gMn/lsx8eFiogkF7wPe0AS+w0v36mmXLb1FrUmiCGQI
+bAh9aY4zQyO95+tMpITzvq0FePuwJjcOGDfg97WyPpk
+-> ssh-ed25519 gTqh/A YDewYZYqyQUCNMJDlyHtXFnsxkorR3I3cqZFM4M5LGg
+/BHD2cSaf/RFV/MUrqGtfX1NicPpaGQaCAfHQE8J7f4
+-> ssh-ed25519 8jWW0w UVRU0akGCT/rQDHRDIKpHVide2EZIY3ANeogCcf2rXs
+v86ox3JpN14irkyb6L7YjWrWxUjBYM+WKvQPXS2f1zQ
+-> ssh-ed25519 yQ0bLA YmuwrxhdGV2XUgHb6q4ak4sBfP2tZTh08CA2bHJulig
+QQaM3cyxziIMJ5H0hn7jhoogjNCkq4Hb9kL32HQRGP0
+-> ssh-ed25519 LG3qfQ kVHO/zJj9GxNOK0xf8eF2e15Ck8NbUT39tKOVuiUJRI
+TihMI3HpOByNGQn/sp2v/sv7J5PVM2/jJplwLHV5/Ek
+--- pY1lJ22Ci3GS/G3cuZVVtLM5XxqbqsbDfD0ypgIpn+o
+ݙ�����h��\ U"I�}K�v'�c�ө�N�۸�ִ��u�9jh�6��#z1p����^J�zM���y7���!v��ʋ~�K�/"�[��ˈ�Vf���3
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -5,10 +5,12 @@ let
   matebook = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2PyNHnOUfdYWB0oFjuRZQ98/2biKQVy1jt4+vEAmiT root@nixos-matebook";
   pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFUTEU+53xE6W+LQKsb0/L0Sn4A7c5lQynNF6yCn2I9I root@nixos-pc";
   server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPn5mXfQ1OWg70WbZKMttRGXDWRH7sPXGl67k88xSCIp root@nixos-server";
-  systems = [matebook pc server];
+  hifiberry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS0BKlAHc/ev1+oNpPsfp046IPWwijHXf9J9NoLNQ6I root@nixos";
+  systems = [matebook pc server hifiberry];
 in {
   "root.age".publicKeys = users ++ systems;
   "jakob.age".publicKeys = users ++ systems;
+  "pi.age".publicKeys = users ++ systems;
   "netrc-attic.age".publicKeys = users ++ systems;
   "spotify.age".publicKeys = users ++ systems;
   "eduroam.age".publicKeys = users ++ systems;
diff --git a/secrets/spotify.age b/secrets/spotify.age
@@ -1,11 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 AJb1UQ 9vLBZkKCf6KxfL9X1ILtHf/AHonnG7xFMBquFGOeiTk
-JKvdFNQFQ2Rpa6B8DutDfUk0fwlYUuAqQ6VtngUN5PM
--> ssh-ed25519 gTqh/A ts17NmY1+dqm3zyM3EKy+2GeRjFYKOa38qdDTp8Z8G4
-HNZuAT/kSXkL4cKFZSsCATAfkXqI85/WIwuZF4nH3mg
--> ssh-ed25519 8jWW0w T/xiyMmOGMUOZkR2rku+f6PJLDXMoRRthxvOSZ++Bgc
-wbYwl2mYa9sOzwaw7UtoNNs+b9umG26KxePnfx3YwpA
--> ssh-ed25519 yQ0bLA ON4rjO6998E9Q5GflXmqgxPVTk+InBFQv8skSew6two
-ij0FQVBqZ1UraRrClxX6sAALYvyZ6jHeDkdz7X7NS9Q
---- pJAVwYCPNvohC0fV96IXzMzyyy+Hk7C+nq6v3mBrQuM
-��͎* �����2�n�?O�$�n��f�K��8<�j��^�K��Ķ��
+-> ssh-ed25519 AJb1UQ 1PgcJo4x1t9DmfcXq0V2y9sATl+pX/QvfLFK9DYr9DU
+lyXfa4xHX5RY5aA0PR/ltyoBJd2AJ74sADfldpGuU0M
+-> ssh-ed25519 gTqh/A 3D6/RWcwKSUb0QvK2OkpTXfKgn1DJaZU9pPcEUSk2TQ
+0CInvpXAydxtEqJNl+RCFBKVDpgDIzyWuR431EzSZcU
+-> ssh-ed25519 8jWW0w nf8mhqYTss6SOdpLS4G3+AfstwpVycpQT0NmF76Oexc
+Y9kKK7LeuE+idi+K7FKwN8/WMRMMZSo1DY0QGzhLj0g
+-> ssh-ed25519 yQ0bLA VjJmxSnkjC6kVzVXdx0oLtq9Yi9bWF5Z3D2f61lUIFc
+v5Un0IzDgrVSIkSAKweHzRym/10G66SBqy/l9vvNGIY
+-> ssh-ed25519 LG3qfQ UoO5B1s5K6knGz0zNgWbxu2w74m94iYwJmbCgWPu3g8
+7HOZO7nb2W19olqW1Ep6H6AQAFC9LO3vdGPX8Oh1SKU
+--- GI74G9dKurtVYciRYkLqrJnUHajZvZFXo/mE0ojqxSg
+$�="C^b<���@Yݓ:���pJ��_b��6a��\���ޫ�^a�����B

Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,6 @@`
`7`	`7`	`./media.nix`
`8`	`8`	`./gaming.nix`
`9`	`9`	`./work.nix`
	`10`	`+ ./hifiberry.nix`
`10`	`11`	`];`
`11`	`12`	`}`