Working Pi with Cage

2026-03-27 01:17:42 -04:00 · 2025-01-10 21:11:43 -05:00 · 2025-01-10 21:11:43 -05:00 · 4727b78cd6
commit 4727b78cd6
parent 1c2414c595
6 changed files with 156 additions and 56 deletions
--- a/modules/hosts/nixos/kiosk-gene-desk/default.nix
+++ b/modules/hosts/nixos/kiosk-gene-desk/default.nix
@ -1,4 +1,4 @@
-{ inputs, lib, pkgs, username, ... }: {
+{ inputs, config, lib, pkgs, username, ... }: {
  imports = [
    # SD card image
    "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
@ -14,19 +14,25 @@
  environment.systemPackages = with pkgs; [
    libraspberrypi
    raspberrypi-eeprom
+    raspberrypifw
+    ubootRaspberryPi4_64bit
+    wlr-randr
  ];

  hardware.enableRedistributableFirmware = true;
+  hardware.graphics.enable = true;
+  hardware.raspberry-pi."4".fkms-3d.enable = true;

  networking.wireless = {
    enable = true;
    networks = {
+      # Home
+      "Diagon Alley".pskRaw = "ext:psk_diagon_alley";
      # Public networks
      "Gallery Row-GuestWiFi" = {};
-      "LocalTies Guest" = {
-        psk = "DrinkLocal!";
-      };
+      "LocalTies Guest".pskRaw = "ext:psk_local_ties";
    };
+    secretsFile = "${config.sops.secrets.wifi_creds.path}";
  };

  nixpkgs.overlays = [
@ -36,14 +42,55 @@
    })
  ];

+  sdImage.compressImage = false;
+
  services = {
-    cage = {
+    cage = let
+      kioskProgram = pkgs.writeShellScript "kiosk.sh" ''
+        WAYLAND_DISPLAY=wayland-0 wlr-randr --output HDMI-A-1 --transform 90
+        /etc/profiles/per-user/gene/bin/chromium-browser
+      '';
+    in {
      enable = true;
-      program = "${pkgs.chromium}/bin/chromium-browser";
+      program = kioskProgram;
+      user = "gene";
+      environment = {
+        WLR_LIBINPUT_NO_DEVICES = "1"; # boot up even if no mouse/keyboard connected
+      };
+    };
+    prometheus.exporters.node = {
+      enable = true;
+      enabledCollectors = [
+        "logind"
+        "systemd"
+        "network_route"
+      ];
+      disabledCollectors = [
+        "textfile"
+      ];
    };
  };

-  sdImage.compressImage = false;
+  sops = {
+    age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      local_git_config = {
+        owner = "${username}";
+        path = "${config.users.users.${username}.home}/.gitconfig-local";
+      };
+      local_private_env = {
+        owner = "${username}";
+        path = "${config.users.users.${username}.home}/.private-env";
+      };
+      wifi_creds = {
+        sopsFile = ../../common/secrets.yaml;
+        restartUnits = [
+          "wpa_supplicant.service"
+        ];
+      };
+    };
+  };

  users.users.${username} = {
    isNormalUser = true;
@ -55,5 +102,11 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
    ];
  };
+
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+    memoryPercent = 90;
+  };
 }