feat: add sd flash command and rekey ages

2026-03-21 01:05:36 -07:00 · 2026-03-21 01:05:36 -07:00 · faf9701a86
commit faf9701a86
parent 36720e2ba5
11 changed files with 190 additions and 67 deletions
--- a/flake.nix
+++ b/flake.nix
@ -98,10 +98,88 @@
          cargoArtifacts = piArtifacts;
        }
      );
+
+      flash-pi-sd = pkgs.writeShellApplication {
+        name = "flash-pi-sd";
+        runtimeInputs = [
+          agenix.packages.${system}.default
+          pkgs.coreutils
+          pkgs.nix
+          pkgs.systemd
+          pkgs.util-linux
+          pkgs.zstd
+        ];
+        text = ''
+          set -euo pipefail
+
+          if [ "$#" -ne 1 ]; then
+            echo "usage: flash-pi-sd /dev/sdX" >&2
+            exit 1
+          fi
+
+          device="$1"
+          flake_path=${builtins.toString ./.}
+          image_link="$(mktemp -u /tmp/noisebell-sd-image.XXXXXX)"
+          mount_dir="$(mktemp -d)"
+          key_file="${builtins.toString ./secrets/bootstrap-identity.age}"
+          rules_file="${builtins.toString ./secrets/secrets.nix}"
+
+          cleanup() {
+            if mountpoint -q "$mount_dir"; then
+              sudo umount "$mount_dir"
+            fi
+            rm -rf "$mount_dir"
+            rm -f "$image_link"
+          }
+          trap cleanup EXIT
+
+          if [ ! -b "$device" ]; then
+            echo "not a block device: $device" >&2
+            exit 1
+          fi
+
+          boot_part="''${device}1"
+          case "$device" in
+            *[0-9]) boot_part="''${device}p1" ;;
+          esac
+
+          echo "Building bootstrap SD image..."
+          nix build "$flake_path#nixosConfigurations.bootstrap.config.system.build.sdImage" -o "$image_link"
+
+          image="$(echo "$image_link"/sd-image/*.img*)"
+          if [ ! -f "$image" ]; then
+            echo "failed to locate SD image under $image_link/sd-image" >&2
+            exit 1
+          fi
+
+          echo "Flashing $image to $device..."
+          if [ "''${image##*.}" = "zst" ]; then
+            zstd -d --stdout "$image" | sudo dd of="$device" bs=4M conv=fsync status=progress
+          else
+            sudo dd if="$image" of="$device" bs=4M conv=fsync status=progress
+          fi
+          sync
+
+          sudo partprobe "$device"
+          sudo udevadm settle
+
+          if findmnt -rn "$boot_part" >/dev/null 2>&1; then
+            sudo umount "$boot_part"
+          fi
+
+          echo "Installing bootstrap age identity onto $boot_part..."
+          sudo mount "$boot_part" "$mount_dir"
+          RULES="$rules_file" agenix -d "$key_file" | sudo tee "$mount_dir/noisebell-bootstrap.agekey" >/dev/null
+          sudo chmod 600 "$mount_dir/noisebell-bootstrap.agekey"
+          sync
+
+          echo "Done. You can now move the card to the Pi and boot it."
+        '';
+      };
    in
    {
      packages.${system} = {
-        inherit noisebell-cache noisebell-discord;
+        inherit noisebell-cache noisebell-discord flash-pi-sd;
        default = noisebell-cache;
      };

@ -136,7 +214,14 @@

      nixosConfigurations.bootstrap = nixpkgs.lib.nixosSystem {
        system = "aarch64-linux";
-        modules = [ ./pi/bootstrap.nix ];
+        modules = [
+          agenix.nixosModules.default
+          (import ./pi/module.nix {
+            pkg = noisebell-pi;
+            rev = self.shortRev or "dirty";
+          })
+          ./pi/bootstrap.nix
+        ];
      };

      devShells.${system}.default = craneLib.devShell {
@ -145,5 +230,10 @@
          agenix.packages.${system}.default
        ];
      };
+
+      apps.${system}.flash-pi-sd = {
+        type = "app";
+        program = "${flash-pi-sd}/bin/flash-pi-sd";
+      };
    };
 }