noisebell/pi/README.md

# noisebell

Monitors a GPIO pin on a Raspberry Pi to detect door open/close events. State changes get POSTed to a webhook endpoint. Current state is available over HTTP.

Runs on NixOS with Tailscale for networking and agenix for secrets.

## Setup

### 1. Hardware config

Replace `hardware-configuration.nix` with the output of `nixos-generate-config --show-hardware-config` on your Pi (or use an appropriate hardware module like `sd-card/sd-image-aarch64.nix`).

### 2. SSH key

Add your SSH public key to `configuration.nix`:

```nix
users.users.root.openssh.authorizedKeys.keys = [
  "ssh-ed25519 AAAA..."
];
```

### 3. Secrets

Get your Pi's SSH host public key and put it in `secrets/secrets.nix`:

```sh
ssh-keyscan <pi-ip> | grep ed25519
```

Then create the encrypted secret files:

```sh
cd secrets
agenix -e endpoint-url.age      # paste webhook URL
agenix -e tailscale-auth-key.age # paste Tailscale auth key
```

### 4. Deploy

```sh
nix build .#nixosConfigurations.pi.config.system.build.toplevel
nixos-rebuild switch --flake .#pi --target-host root@noisebell
```

## Configuration

Options under `services.noisebell` in `flake.nix`:

| Option | Default | Description |
|---|---|---|
| `gpioPin` | 17 | GPIO pin to monitor |
| `debounceSecs` | 5 | Debounce delay |
| `port` | 8080 | HTTP status port |
| `retryAttempts` | 3 | Webhook retry count |
| `retryBaseDelaySecs` | 1 | Base delay for exponential backoff |
| `httpTimeoutSecs` | 10 | Timeout for outbound webhook requests |
| `bindAddress` | `0.0.0.0` | Address to bind the HTTP server to |
| `activeLow` | `true` | Whether low GPIO level means open (depends on wiring) |
| `restartDelaySecs` | 5 | Seconds before systemd restarts on failure |

## API

`GET /` — current door state:

```json
{"status": "open", "timestamp": 1710000000}
```

State changes (and initial state on startup) are POSTed to the configured endpoint in the same format.