From 1a0c85ec975de0cdc2267746e3b2af7f5d28f45d Mon Sep 17 00:00:00 2001
From: hektor
Date: Sun, 8 Feb 2026 00:28:31 +0100
Subject: [PATCH] feat: set up 'eetion-02' raspberry pi host
---
 flake.nix | 24 +++++-
 hosts/eetion-02/default.nix | 86 +++++++++++++++++++
 hosts/eetion-02/hard.nix | 24 ++++++
 hosts/eetion-02/system.nix | 1 +
 images/README.md | 15 ++++
 ...h64.nix => sd-image-orange-pi-aarch64.nix} | 0
 images/sd-image-raspberry-pi-aarch64.nix | 73 ++++++++++++++++
 7 files changed, 220 insertions(+), 3 deletions(-)
 create mode 100644 hosts/eetion-02/default.nix
 create mode 100644 hosts/eetion-02/hard.nix
 create mode 100644 hosts/eetion-02/system.nix
 create mode 100644 images/README.md
 rename images/{sd-image-aarch64.nix => sd-image-orange-pi-aarch64.nix} (100%)
 create mode 100644 images/sd-image-raspberry-pi-aarch64.nix
diff --git a/flake.nix b/flake.nix
index b82e752..7336c7d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -92,11 +92,26 @@
 }
 ))
 // {
- sd-image-aarch64 = nixpkgs.lib.nixosSystem {
+ sd-image-orange-pi-aarch64 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
 "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
- ./images/sd-image-aarch64.nix
+ ./images/sd-image-orange-pi-aarch64.nix
+ {
+ nixpkgs.crossSystem = {
+ system = "aarch64-linux";
+ };
+ }
+ ];
+ specialArgs = {
+ inherit inputs outputs dotsPath;
+ };
+ };
+ sd-image-raspberry-pi-aarch64 = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+ ./images/sd-image-raspberry-pi-aarch64.nix
 {
 nixpkgs.crossSystem = {
 system = "aarch64-linux";
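Review bot: The new `sd-image-raspberry-pi-aarch64` entry in flake.nix repeats the `sd-image-orange-pi-aarch64` block line for line, differing only in the `./images/…` module path, so the two cross-compiled image definitions can drift apart unnoticed. A small helper that takes the image module as its argument would keep `system`, the `sd-image-aarch64.nix` installer module, `crossSystem` and `specialArgs` in one place. The raspberry-pi entry continues past the end of this hunk, so this assumes its remaining lines match the orange-pi ones; the helper would live in whatever `let` scope the surrounding expression already has.

```nix
# helper shared by both SD-image configurations
mkSdImage =
  imageModule:
  nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    modules = [
      "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
      imageModule
      {
        nixpkgs.crossSystem = {
          system = "aarch64-linux";
        };
      }
    ];
    specialArgs = {
      inherit inputs outputs dotsPath;
    };
  };

# … unchanged: host configurations merged in before `// {` …
sd-image-orange-pi-aarch64 = mkSdImage ./images/sd-image-orange-pi-aarch64.nix;
sd-image-raspberry-pi-aarch64 = mkSdImage ./images/sd-image-raspberry-pi-aarch64.nix;
```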
@@ -147,6 +162,9 @@ formatter.${system} = gitHooks.formatter; devShells.${system} = gitHooks.devShells; - images.sd-image-aarch64 = self.nixosConfigurations.sd-image-aarch64.config.system.build.sdImage; + images.sd-image-orange-pi-aarch64 = + self.nixosConfigurations.sd-image-orange-pi-aarch64.config.system.build.sdImage; + images.sd-image-raspberry-pi-aarch64 = + self.nixosConfigurations.sd-image-raspberry-pi-aarch64.config.system.build.sdImage; }; }
diff --git a/hosts/eetion-02/default.nix b/hosts/eetion-02/default.nix
new file mode 100644
index 0000000..cb35d58
--- /dev/null
+++ b/hosts/eetion-02/default.nix
@@ -0,0 +1,86 @@
+{ pkgs, ... }:
+
+# Raspberry Pi 3
+# See
+
+let
+ username = "h";
+ hostName = "eetion-02";
+in
+{
+ imports = [
+ ./hard.nix
+ ../../modules/ssh/hardened-openssh.nix
+ ];
+
+ ssh = {
+ inherit username;
+ publicHostname = "eetion-02";
+ authorizedHosts = [
+ "andromache"
+ "astyanax"
+ ];
+ };
+
+ boot = {
+ kernelParams = [
+ "console=ttyS1,115200n8"
+ ];
+
+ kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+ loader = {
+ grub.enable = false;
+ generic-extlinux-compatible.enable = true;
+ };
+ };
+
+ hardware.enableRedistributableFirmware = true;
+
+ networking = {
+ inherit hostName;
+ networkmanager.enable = true;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+ };
+
+ users.users = {
+ root.hashedPassword = "!";
+ ${username} = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ };
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ services = {
+ openssh = {
+ enable = true;
+ harden = true;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ git
+ ];
+
+ nix.settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ };
+
+ system.stateVersion = "26.05";
+}
diff --git a/hosts/eetion-02/hard.nix b/hosts/eetion-02/hard.nix
new file mode 100644
index 0000000..73126c9
--- /dev/null
+++ b/hosts/eetion-02/hard.nix
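Review bot: In hosts/eetion-02/default.nix the account `h` is made root-equivalent twice over, by `security.sudo.wheelNeedsPassword = false` and by `"@wheel"` in `nix.settings.trusted-users`, on a host that opens ports 80 and 443; as far as this file shows, the SSH keys of `andromache` and `astyanax` are then the only barrier between a login and full control of the machine. If `@wheel` is trusted only so that remote deploys can push store paths, record that in a comment such as `# @wheel is trusted so deploys from the authorizedHosts can copy unsigned closures`; otherwise reduce the list to `trusted-users = [ "root" ];`. `kernel.sysctl."net.ipv4.ip_forward" = 1` also carries no stated reason: nothing in this file configures routing, NAT or containers, and the firewall block lists input ports only, so either add a one-line comment naming what needs forwarding or drop the setting.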
@@ -0,0 +1,24 @@
+{ lib, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd.availableKernelModules = [ ];
+ initrd.kernelModules = [ ];
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/hosts/eetion-02/system.nix b/hosts/eetion-02/system.nix
new file mode 100644
index 0000000..9487bcc
--- /dev/null
+++ b/hosts/eetion-02/system.nix
@@ -0,0 +1 @@
+"aarch64-linux"
diff --git a/images/README.md b/images/README.md
new file mode 100644
index 0000000..7baedab
--- /dev/null
+++ b/images/README.md
@@ -0,0 +1,15 @@
+# building SD Images
+
+## Raspberry Pi 3B+
+
+```bash
+nix build .#images.sd-image-raspberry-pi-aarch64
+nix-shell -p zstd --run "zstdcat result/sd-image/*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync"
+```
+
+## Orange Pi Zero2 H616
+```bash
+nix build .#images.sd-image-orange-pi-aarch64
+nix-shell -p zstd --run "zstdcat result/sd-image/*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync"
+sudo dd if=~/dl/u-boot-sunxi-with-spl.bin of=/dev/sdX bs=1024 seek=8
+```
diff --git a/images/sd-image-aarch64.nix b/images/sd-image-orange-pi-aarch64.nix
similarity index 100%
rename from images/sd-image-aarch64.nix
rename to images/sd-image-orange-pi-aarch64.nix
diff --git a/images/sd-image-raspberry-pi-aarch64.nix b/images/sd-image-raspberry-pi-aarch64.nix
new file mode 100644
index 0000000..dff2475
--- /dev/null
+++ b/images/sd-image-raspberry-pi-aarch64.nix
@@ -0,0 +1,73 @@
+# see
+# see
+# ```
+# nix build .#images.sd-image-raspberry-pi-aarch64
+# nix-shell -p zstd --run "zstdcat result/sd-image/*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress conv=fsync"
+# ```
+
+{ pkgs, ... }:
+
+let
+ username = "h";
+in
+{
+ imports = [
+ ../modules/ssh/hardened-openssh.nix
+ ];
+
+ ssh.username = username;
+ ssh.authorizedHosts = [
+ "andromache"
+ "astyanax"
+ ];
+
+ boot.kernelParams = [
+ "console=ttyS1,115200n8"
+ ];
+
+ boot.kernelModules = [
+ "bcm2835-v4l2"
+ ];
+
+ hardware.enableRedistributableFirmware = true;
+
+ hardware.pulseaudio.enable = true;
+
+ networking.wireless.enable = true;
+
+ systemd.services.btattach = {
+ before = [ "bluetooth.service" ];
+ after = [ "dev-ttyAMA0.device" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.bluez}/bin/btattach -B /dev/ttyAMA0 -P bcm -S 3000000";
+ };
+ };
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ users.users = {
+ root.initialPassword = "nixos";
+ ${username} = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ initialPassword = "nixos";
+ };
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ services.openssh = {
+ enable = true;
+ harden = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ libraspberrypi
+ ];
+
+ system.stateVersion = "26.05";
+}
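Review bot: `root.initialPassword = "nixos"` and the same `initialPassword` for `h` in images/sd-image-raspberry-pi-aarch64.nix put a well-known password, committed in plain text, on every card flashed from this image, alongside an enabled sshd, Wi-Fi and passwordless sudo for wheel. Whether sshd accepts passwords depends on `modules/ssh/hardened-openssh.nix`, which is not part of this patch, but a login on the serial console set up by `console=ttyS1,115200n8` would accept them regardless. With the default `users.mutableUsers = true`, NixOS keeps a password that is already in /etc/shadow, so switching a flashed card to hosts/eetion-02 would probably not apply that host's `root.hashedPassword = "!"`; check with `passwd -S root` after the first rebuild. Since `ssh.authorizedHosts` already provides key login, replace the root line with `root.hashedPassword = "!";` and delete the user's `initialPassword = "nixos";` line.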