feat: set up 'eetion-02' raspberry pi host

flake.nix

@@ -92,11 +92,26 @@
           }
         ))
         // {
-          sd-image-aarch64 = nixpkgs.lib.nixosSystem {
+          sd-image-orange-pi-aarch64 = nixpkgs.lib.nixosSystem {
             system = "x86_64-linux";
             modules = [
               "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
-              ./images/sd-image-aarch64.nix
+              ./images/sd-image-orange-pi-aarch64.nix
+              {
+                nixpkgs.crossSystem = {
+                  system = "aarch64-linux";
+                };
+              }
+            ];
+            specialArgs = {
+              inherit inputs outputs dotsPath;
+            };
+          };
+          sd-image-raspberry-pi-aarch64 = nixpkgs.lib.nixosSystem {
+            system = "x86_64-linux";
+            modules = [
+              "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+              ./images/sd-image-raspberry-pi-aarch64.nix
               {
                 nixpkgs.crossSystem = {
                   system = "aarch64-linux";
@@ -147,6 +162,9 @@
       formatter.${system} = gitHooks.formatter;
       devShells.${system} = gitHooks.devShells;
 
-      images.sd-image-aarch64 = self.nixosConfigurations.sd-image-aarch64.config.system.build.sdImage;
+      images.sd-image-orange-pi-aarch64 =
+        self.nixosConfigurations.sd-image-orange-pi-aarch64.config.system.build.sdImage;
+      images.sd-image-raspberry-pi-aarch64 =
+        self.nixosConfigurations.sd-image-raspberry-pi-aarch64.config.system.build.sdImage;
     };
 }

hosts/eetion-02/default.nix

@@ -0,0 +1,86 @@
+{ pkgs, ... }:
+
+# Raspberry Pi 3
+# See <https://nixos.wiki/wiki/NixOS_on_ARM/Raspberry_Pi_3>
+
+let
+  username = "h";
+  hostName = "eetion-02";
+in
+{
+  imports = [
+    ./hard.nix
+    ../../modules/ssh/hardened-openssh.nix
+  ];
+
+  ssh = {
+    inherit username;
+    publicHostname = "eetion-02";
+    authorizedHosts = [
+      "andromache"
+      "astyanax"
+    ];
+  };
+
+  boot = {
+    kernelParams = [
+      "console=ttyS1,115200n8"
+    ];
+
+    kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+
+  hardware.enableRedistributableFirmware = true;
+
+  networking = {
+    inherit hostName;
+    networkmanager.enable = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        80
+        443
+      ];
+    };
+  };
+
+  users.users = {
+    root.hashedPassword = "!";
+    ${username} = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+    };
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  services = {
+    openssh = {
+      enable = true;
+      harden = true;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+  ];
+
+  nix.settings = {
+    experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+    trusted-users = [
+      "root"
+      "@wheel"
+    ];
+  };
+
+  system.stateVersion = "26.05";
+}

hosts/eetion-02/hard.nix

@@ -0,0 +1,24 @@
+{ lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd.availableKernelModules = [ ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXOS_SD";
+    fsType = "ext4";
+    options = [ "noatime" ];
+  };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

hosts/eetion-02/system.nix

@@ -0,0 +1 @@
+"aarch64-linux"

images/README.md

@@ -0,0 +1,15 @@
+# building SD Images
+
+## Raspberry Pi 3B+
+
+```bash
+nix build .#images.sd-image-raspberry-pi-aarch64
+nix-shell -p zstd --run "zstdcat result/sd-image/*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync"
+```
+
+## Orange Pi Zero2 H616
+```bash
+nix build .#images.sd-image-orange-pi-aarch64
+nix-shell -p zstd --run "zstdcat result/sd-image/*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync"
+sudo dd if=~/dl/u-boot-sunxi-with-spl.bin of=/dev/sdX bs=1024 seek=8
+```

images/sd-image-raspberry-pi-aarch64.nix

@@ -0,0 +1,73 @@
+# see <https://nixos.wiki/wiki/NixOS_on_ARM#Build_your_own_image_natively>
+# see <https://nixos.wiki/wiki/NixOS_on_ARM/Raspberry_Pi_3>
+# ```
+# nix build .#images.sd-image-raspberry-pi-aarch64
+# nix-shell -p zstd --run "zstdcat result/sd-image/*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync"
+# ```
+
+{ pkgs, ... }:
+
+let
+  username = "h";
+in
+{
+  imports = [
+    ../modules/ssh/hardened-openssh.nix
+  ];
+
+  ssh.username = username;
+  ssh.authorizedHosts = [
+    "andromache"
+    "astyanax"
+  ];
+
+  boot.kernelParams = [
+    "console=ttyS1,115200n8"
+  ];
+
+  boot.kernelModules = [
+    "bcm2835-v4l2"
+  ];
+
+  hardware.enableRedistributableFirmware = true;
+
+  hardware.pulseaudio.enable = true;
+
+  networking.wireless.enable = true;
+
+  systemd.services.btattach = {
+    before = [ "bluetooth.service" ];
+    after = [ "dev-ttyAMA0.device" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.bluez}/bin/btattach -B /dev/ttyAMA0 -P bcm -S 3000000";
+    };
+  };
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
+  users.users = {
+    root.initialPassword = "nixos";
+    ${username} = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      initialPassword = "nixos";
+    };
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  services.openssh = {
+    enable = true;
+    harden = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi
+  ];
+
+  system.stateVersion = "26.05";
+}