py-pi-bake 0.0.4__tar.gz

py_pi_bake-0.0.4/.github/workflows/workflow.yml

@@ -0,0 +1,73 @@
+# Build + publish py-pi-bake to PyPI on every `v*` tag.
+#
+# Auth: PyPI Trusted Publishing (OIDC) — no secrets stored in the
+# repo. Before the first publish, configure PyPI ONCE:
+#
+#   https://pypi.org/manage/project/py-pi-bake/settings/publishing/
+#
+#   PyPI Project Name: py-pi-bake
+#   Owner:             kurt-cb
+#   Repository:        pi-bake
+#   Workflow:          publish.yml
+#   Environment:       pypi
+#
+# (For the very first release before the PyPI project exists, use
+# https://pypi.org/manage/account/publishing/ — "Add a pending
+# publisher" — with the same values.)
+#
+# Version comes from the git tag via setuptools_scm. Tagging
+# `v0.0.4` produces a sdist + wheel for version `0.0.4`.
+
+name: publish
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # setuptools_scm needs the tag history to derive the version.
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install build tooling
+        run: python -m pip install --upgrade build
+
+      - name: Build sdist + wheel
+        run: python -m build
+
+      - name: Show version that will be published
+        run: |
+          ls -la dist/
+          python -c "import importlib.metadata as m; print(m.version('py-pi-bake'))" \
+            || true
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      # Required for Trusted Publishing (OIDC token minting).
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        # No `with: password:` — Trusted Publishing handles auth via
+        # the OIDC token issued for this workflow + environment.

py_pi_bake-0.0.4/.gitignore

@@ -0,0 +1,12 @@
+__pycache__/
+*.py[cod]
+*.egg-info/
+build/
+dist/
+.venv/
+.pytest_cache/
+.coverage
+.cache/
+*.img
+*.img.gz
+*.apkovl.tar.gz

py_pi_bake-0.0.4/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Kurt Godwin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

py_pi_bake-0.0.4/PKG-INFO

@@ -0,0 +1,177 @@
+Metadata-Version: 2.4
+Name: py-pi-bake
+Version: 0.0.4
+Summary: Generate flashable, headless Raspberry Pi images (no setup-alpine, no rpi-imager-pre-fill required)
+Author-email: Kurt Godwin <kurtgo@hotmail.com>
+License: MIT
+Project-URL: Homepage, https://github.com/kurt-cb/pi-bake
+Project-URL: Issues, https://github.com/kurt-cb/pi-bake/issues
+Keywords: raspberry-pi,alpine,raspbian,headless,image,sd-card
+Classifier: Development Status :: 3 - Alpha
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Topic :: System :: Boot
+Classifier: Topic :: System :: Installation/Setup
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Dynamic: license-file
+
+# pi-bake
+
+Generate flashable, headless Raspberry Pi images. Flash one
+`.img.gz` per Pi, boot, SSH in. No `setup-alpine` interactive
+walk, no `rpi-imager` GUI clicking through pre-fill, no console
+on the Pi.
+
+## What gets baked
+
+Per node, from CLI flags or the Python API:
+
+- **Hostname**       → `/etc/hostname`
+- **SSH pubkey**     → `/root/.ssh/authorized_keys` (mode 0600) +
+                       sshd `PasswordAuthentication no`
+- **WiFi creds** (optional) → `/etc/wpa_supplicant/wpa_supplicant.conf`
+  so the Pi auto-joins on first boot. Omit for wired-only.
+- **Timezone, regulatory country** (sensible defaults)
+- **First-boot script** that `apk add`s the small set of packages
+  (openssh-server, iproute2, etc.), enables services, then
+  self-disables.
+
+That's it. No role-specific code, no totaldns, no platform lock-in.
+Once the Pi is on the network, whatever orchestrator you use
+(pyinfra, Ansible, plain SSH) takes over.
+
+## Install
+
+```
+pip install pi-bake
+```
+
+System tools (one-time per dev machine):
+
+```
+# Fedora
+sudo dnf install mtools dosfstools
+# Debian / Ubuntu
+sudo apt install mtools dosfstools
+# Alpine
+apk add mtools dosfstools
+```
+
+The Alpine baker uses **`mtools`** (no root). The Raspbian baker
+(v0.2) will additionally need `sudo` for `losetup`.
+
+## Quick start
+
+```
+# What can we bake for what?
+pi-bake list-boards
+pi-bake list-os --board pi-zero-2-w
+
+# Bake an Alpine image for a Pi Zero 2 W with WiFi creds.
+pi-bake build \
+  --board pi-zero-2-w \
+  --os alpine \
+  --hostname pi-radio-1 \
+  --ssh-pubkey ~/.ssh/id_ed25519.pub \
+  --wifi-ssid totaldns-lab \
+  --wifi-psk secret \
+  --out ~/sdcards/pi-radio-1.img.gz
+
+# Flash. Replace mmcblk0 with your SD card's actual device.
+zcat ~/sdcards/pi-radio-1.img.gz | sudo dd of=/dev/mmcblk0 bs=4M status=progress
+
+# Boot the Pi. Wait ~30s. Then:
+ssh root@pi-radio-1.lan uptime
+```
+
+For wired-only nodes (eth0), omit the WiFi flags:
+
+```
+pi-bake build \
+  --board pi-5 --os alpine --hostname boat \
+  --ssh-pubkey ~/.ssh/id_ed25519.pub \
+  --out ~/sdcards/boat.img.gz
+```
+
+## Supported boards × OSes
+
+| Board          | Alpine | Raspbian | Debian |
+|----------------|--------|----------|--------|
+| Pi Zero W      | ✓ (armhf) | ✗ (32-bit ARMv6 not packaged) | ✗ |
+| Pi Zero 2 W    | ✓        | ✓ (32-bit ARMv7 / arm64) | ✗ |
+| Pi 3           | ✓        | ✓        | ✗ |
+| Pi 4           | ✓        | ✓        | ✓ |
+| Pi 5           | ✓ (3.21+) | ✓        | ✓ |
+
+Run `pi-bake list-os --board <b>` for the current matrix.
+
+## Status
+
+**v0.1**: Alpine baker is fully working (no-root, mtools). Raspbian
++ Debian backends are stubbed with a clear error pointing at the
+v0.2 roadmap. Most Pi 4 / Pi 5 deployments bootstrap with
+`rpi-imager`'s pre-fill flow today — `pi-bake` will take that
+over in v0.2.
+
+## Python API
+
+The CLI is a thin wrapper around `pi_bake.build()`:
+
+```python
+from pi_bake import build, NodeConfig
+
+build(
+    board="pi-zero-2-w",
+    os_name="alpine",
+    version=None,                       # latest known-good
+    node=NodeConfig(
+        hostname="pi-radio-1",
+        ssh_pubkey=open(".../id_ed25519.pub").read(),
+        wifi_ssid="totaldns-lab",
+        wifi_psk="secret",
+    ),
+    out_path="~/sdcards/pi-radio-1.img.gz",
+)
+```
+
+## Roadmap
+
+- **v0.2 — Raspbian + Debian backends.** `losetup -P` + `firstrun.sh`
+  injection. Needs `sudo`; CLI prompts honestly.
+- **v0.2 — dynamic OS version discovery.** Pull
+  `https://dl-cdn.alpinelinux.org/alpine/` and the rpi downloads
+  index instead of the hardcoded `versions` tuples in the catalog.
+- **v0.3 — multi-image batch.** `pi-bake build-many topology.json`
+  emits an `.img.gz` per node entry in one go.
+- **v0.3 — static IP option.** Today we DHCP from first reachable
+  iface; static-IP-only deployments need a `--static-v4` flag.
+- **v0.3 — encrypted overlay** for the rootfs (LUKS).
+
+## Why does this exist
+
+Three reasons to bake images instead of using
+`rpi-imager` pre-fill or hand-running `setup-alpine`:
+
+1. **Per-node config in a script.** Topology files (any shape —
+   JSON, YAML, a hand-written shell script) drive `pi-bake build`
+   in a loop. Lab grows from 1 Pi to 20 without 20 separate
+   keyboard sessions.
+2. **Reproducible.** Same inputs → same `.img.gz`. Re-flash a
+   replacement SD card identically; clone a node by changing the
+   hostname.
+3. **Alpine RPi has no `rpi-imager` pre-fill equivalent.** This is
+   the only convenient headless flow for the Pi Zero W / 2 W
+   family running Alpine.
+
+## License
+
+MIT — see `LICENSE`.

py_pi_bake-0.0.4/README.md

@@ -0,0 +1,151 @@
+# pi-bake
+
+Generate flashable, headless Raspberry Pi images. Flash one
+`.img.gz` per Pi, boot, SSH in. No `setup-alpine` interactive
+walk, no `rpi-imager` GUI clicking through pre-fill, no console
+on the Pi.
+
+## What gets baked
+
+Per node, from CLI flags or the Python API:
+
+- **Hostname**       → `/etc/hostname`
+- **SSH pubkey**     → `/root/.ssh/authorized_keys` (mode 0600) +
+                       sshd `PasswordAuthentication no`
+- **WiFi creds** (optional) → `/etc/wpa_supplicant/wpa_supplicant.conf`
+  so the Pi auto-joins on first boot. Omit for wired-only.
+- **Timezone, regulatory country** (sensible defaults)
+- **First-boot script** that `apk add`s the small set of packages
+  (openssh-server, iproute2, etc.), enables services, then
+  self-disables.
+
+That's it. No role-specific code, no totaldns, no platform lock-in.
+Once the Pi is on the network, whatever orchestrator you use
+(pyinfra, Ansible, plain SSH) takes over.
+
+## Install
+
+```
+pip install pi-bake
+```
+
+System tools (one-time per dev machine):
+
+```
+# Fedora
+sudo dnf install mtools dosfstools
+# Debian / Ubuntu
+sudo apt install mtools dosfstools
+# Alpine
+apk add mtools dosfstools
+```
+
+The Alpine baker uses **`mtools`** (no root). The Raspbian baker
+(v0.2) will additionally need `sudo` for `losetup`.
+
+## Quick start
+
+```
+# What can we bake for what?
+pi-bake list-boards
+pi-bake list-os --board pi-zero-2-w
+
+# Bake an Alpine image for a Pi Zero 2 W with WiFi creds.
+pi-bake build \
+  --board pi-zero-2-w \
+  --os alpine \
+  --hostname pi-radio-1 \
+  --ssh-pubkey ~/.ssh/id_ed25519.pub \
+  --wifi-ssid totaldns-lab \
+  --wifi-psk secret \
+  --out ~/sdcards/pi-radio-1.img.gz
+
+# Flash. Replace mmcblk0 with your SD card's actual device.
+zcat ~/sdcards/pi-radio-1.img.gz | sudo dd of=/dev/mmcblk0 bs=4M status=progress
+
+# Boot the Pi. Wait ~30s. Then:
+ssh root@pi-radio-1.lan uptime
+```
+
+For wired-only nodes (eth0), omit the WiFi flags:
+
+```
+pi-bake build \
+  --board pi-5 --os alpine --hostname boat \
+  --ssh-pubkey ~/.ssh/id_ed25519.pub \
+  --out ~/sdcards/boat.img.gz
+```
+
+## Supported boards × OSes
+
+| Board          | Alpine | Raspbian | Debian |
+|----------------|--------|----------|--------|
+| Pi Zero W      | ✓ (armhf) | ✗ (32-bit ARMv6 not packaged) | ✗ |
+| Pi Zero 2 W    | ✓        | ✓ (32-bit ARMv7 / arm64) | ✗ |
+| Pi 3           | ✓        | ✓        | ✗ |
+| Pi 4           | ✓        | ✓        | ✓ |
+| Pi 5           | ✓ (3.21+) | ✓        | ✓ |
+
+Run `pi-bake list-os --board <b>` for the current matrix.
+
+## Status
+
+**v0.1**: Alpine baker is fully working (no-root, mtools). Raspbian
++ Debian backends are stubbed with a clear error pointing at the
+v0.2 roadmap. Most Pi 4 / Pi 5 deployments bootstrap with
+`rpi-imager`'s pre-fill flow today — `pi-bake` will take that
+over in v0.2.
+
+## Python API
+
+The CLI is a thin wrapper around `pi_bake.build()`:
+
+```python
+from pi_bake import build, NodeConfig
+
+build(
+    board="pi-zero-2-w",
+    os_name="alpine",
+    version=None,                       # latest known-good
+    node=NodeConfig(
+        hostname="pi-radio-1",
+        ssh_pubkey=open(".../id_ed25519.pub").read(),
+        wifi_ssid="totaldns-lab",
+        wifi_psk="secret",
+    ),
+    out_path="~/sdcards/pi-radio-1.img.gz",
+)
+```
+
+## Roadmap
+
+- **v0.2 — Raspbian + Debian backends.** `losetup -P` + `firstrun.sh`
+  injection. Needs `sudo`; CLI prompts honestly.
+- **v0.2 — dynamic OS version discovery.** Pull
+  `https://dl-cdn.alpinelinux.org/alpine/` and the rpi downloads
+  index instead of the hardcoded `versions` tuples in the catalog.
+- **v0.3 — multi-image batch.** `pi-bake build-many topology.json`
+  emits an `.img.gz` per node entry in one go.
+- **v0.3 — static IP option.** Today we DHCP from first reachable
+  iface; static-IP-only deployments need a `--static-v4` flag.
+- **v0.3 — encrypted overlay** for the rootfs (LUKS).
+
+## Why does this exist
+
+Three reasons to bake images instead of using
+`rpi-imager` pre-fill or hand-running `setup-alpine`:
+
+1. **Per-node config in a script.** Topology files (any shape —
+   JSON, YAML, a hand-written shell script) drive `pi-bake build`
+   in a loop. Lab grows from 1 Pi to 20 without 20 separate
+   keyboard sessions.
+2. **Reproducible.** Same inputs → same `.img.gz`. Re-flash a
+   replacement SD card identically; clone a node by changing the
+   hostname.
+3. **Alpine RPi has no `rpi-imager` pre-fill equivalent.** This is
+   the only convenient headless flow for the Pi Zero W / 2 W
+   family running Alpine.
+
+## License
+
+MIT — see `LICENSE`.

py_pi_bake-0.0.4/ROADMAP.md

@@ -0,0 +1,124 @@
+# pi-bake roadmap
+
+## v0.2 — top of list
+
+### Pre-baked SSH host keys (no host-key-change warnings)
+Every reflash regenerates `/etc/ssh/ssh_host_*_key{,.pub}` so the
+operator's `~/.ssh/known_hosts` flags the rebuilt Pi as "REMOTE HOST
+IDENTIFICATION HAS CHANGED". Annoying; also breaks pyinfra runs
+without `-o StrictHostKeyChecking=no`.
+
+macmpi/alpine-linux-headless-bootstrap solves this by placing
+`ssh_host_*_key{,.pub}` files alongside the apkovl on the FAT
+partition; on first boot the apkovl restore copies them into
+`/etc/ssh/` with the right perms (600/644). pi-bake should
+either:
+
+  1. Generate a per-hostname keypair at bake time and bake it
+     into the apkovl (`/etc/ssh/ssh_host_ed25519_key{,.pub}`),
+     OR
+  2. Accept a `--ssh-host-key PATH` CLI flag pointing at an
+     existing keypair (so reflashes can reuse the same identity).
+
+Probably (2) — operator-controlled, easy to back up, no surprises.
+
+### Bake-time package fetch (avahi + firmware)
+Alpine RPi's stock /apks cache ships sshd, dhcpcd, chrony,
+wpa_supplicant — enough for "real sshd + an IP". But .local
+discovery via avahi-daemon, dbus, and WiFi firmware blobs
+(linux-firmware-brcm for Pi-built-in BCM43455, linux-firmware-intel
+for BE200) are NOT in the stock cache.
+
+Plan: at bake time, after extracting the upstream tarball, do a
+local `apk fetch` against the upstream Alpine mirror to drop
+extra .apk files into `apks/aarch64/` and regenerate the
+APKINDEX.tar.gz. Then add those packages to /etc/apk/world so
+the diskless init's `apk add --no-network` picks them up from the
+now-enriched local cache on first boot. No podman, no chroot —
+just `apk fetch --no-cache --recursive --output ...` on the bake
+host, which works as a regular user with the apk-tools package.
+
+The 936f233 baseline (sshd + dhcpcd + chrony) is sufficient for
+pyinfra take-over. Avahi is a discoverability nice-to-have, not a
+blocker.
+
+### Interactive mode + YAML recipes (UX)
+The `pi-bake build` CLI is now flag-heavy enough that nobody will
+remember it. Add an interactive walk-through:
+
+```
+pi-bake build --interactive
+  ? Which board? (pi-5, pi-zero-2-w, …)        > pi-5
+  ? Which OS?    (alpine 3.21.4, raspbian, …)  > alpine 3.21.4
+  ? Hostname?                                   > td-pi5-1
+  ? SSH pubkey path? (Tab to browse)           > ~/.ssh/totaldns-adhoc.pub
+  ? WiFi? [y/N]                                 > N
+  ? Static IP? [y/N]                            > y
+    ? CIDR?                                     > 192.168.4.111/24
+    ? Gateway?                                  > 192.168.4.1
+  ? HATs / expansion? (multi-select)
+      [x] Intel BE200 M.2 WiFi 7 (PCIe HAT)
+      [ ] PoE+ HAT (Pi 5)
+      [ ] Sense HAT
+      [ ] Adafruit 2.8" PiTFT 320x240
+  ? Save recipe to YAML? [td-pi5-1.yaml]
+  ? Bake now? [Y/n]
+```
+
+The HAT picker drives config.txt edits (dtoverlay=, dtparam=).
+
+### YAML recipe in/out
+- `pi-bake build --from-yaml pi-1.yaml` — bake from a saved recipe.
+- `pi-bake build --to-yaml pi-1.yaml ...` — write the recipe without baking.
+- `pi-bake build --interactive --to-yaml ...` — walk-through saves.
+
+Means batch deployments are: edit pi-1.yaml, pi-2.yaml, pi-3.yaml,
+then `for y in *.yaml; do pi-bake build --from-yaml $y; done`.
+
+### HAT catalog + config.txt overlays (FAT writes)
+Currently we only write apkovl. To support HATs (PCIe BE200, Sense
+HAT, displays, etc.) we need to write `/uboot/usercfg.txt` (the
+Pi-canonical override file) or append to `/config.txt`. Each HAT
+catalog entry knows its required dtoverlay= line(s).
+
+### Raspbian backend
+Documented v0.2 target — losetup-based, sudo prompted. Pi 4 / Pi 5
+Raspbian deployments still go via rpi-imager pre-fill until this lands.
+
+### Dynamic version discovery
+Pull the live Alpine + Raspbian version indexes instead of the hard-
+coded `versions` tuples. CLI flag `--refresh-versions` to update.
+
+## v0.1 retrospective (what we learned during real deployment)
+
+- udhcpc on Pi 5 + busybox 1.37 + Alpine 3.21 hangs. Static IP
+  baked-in path now standard (commit 3a2efbd).
+- Pi has no RTC. Without time, apk TLS verify rejects everything.
+  HTTP-Date header hack + chrony in firstboot (commit 3a2efbd).
+- WiFi firmware needs explicit linux-firmware-{brcm,intel}, not a
+  meta `wifi-firmware` package (doesn't exist on Alpine).
+- /etc/apk/repositories must be set to upstream main + community in
+  the apkovl — local FAT cache only covers the bootstrap set.
+- FAT partition mounts read-only by default. lbu commit handles the
+  remount cycle; external apkovl pushes need explicit `mount -o
+  remount,rw /media/mmcblk0` first.
+- Backup the apkovl before overwriting:
+  `cp .../td-pi5-1.apkovl.tar.gz{,.bak}` enables console rollback
+  without re-flashing.
+
+### DHCP client choice — RESOLVED (commit 936f233)
+We picked dhcpcd over both busybox udhcpc and ISC dhclient. dhcpcd
+ships pre-built in the stock Alpine RPi /apks cache (no bake-time
+fetch needed), runs as a daemon watching all interfaces, sends DHCP
+option 12 from /etc/hostname automatically, and doesn't share
+udhcpc's Pi 5 + macb-driver hang. dhclient would have worked too
+but isn't in the stock cache so it'd need a fetch dance.
+
+### Backup convention — APKOVL FILENAME LESSON
+The Alpine RPi bootloader globs `*.apkovl.tar.gz` on the FAT root.
+A backup at `td-pi5-1.apkovl.tar.gz.bak` was still glob-matched
+(or close enough to confuse the loader) and bricked boot until
+the user renamed it to `.failed`. Going forward: NEVER leave a
+file matching the apkovl pattern on the FAT root. Either keep
+backups OUTSIDE the FAT or use a name that has no `.apkovl.tar.gz`
+anywhere in it.

py_pi_bake-0.0.4/pyproject.toml

@@ -0,0 +1,54 @@
+[build-system]
+requires = ["setuptools>=68", "setuptools_scm>=8"]
+build-backend = "setuptools.build_meta"
+
+[project]
+# PyPI distribution name is `py-pi-bake` (`pi-bake` was unavailable
+# on PyPI). The import name + console_script stay `pi_bake` /
+# `pi-bake`, so users `pip install py-pi-bake` then run
+# `pi-bake build ...`.
+name = "py-pi-bake"
+# Version is derived from the latest git tag via setuptools_scm.
+# `git tag v0.0.5 && git push --tags` releases 0.0.5; no version
+# string lives in source. CI needs fetch-depth: 0 so tags reach
+# the build environment.
+dynamic = ["version"]
+description = "Generate flashable, headless Raspberry Pi images (no setup-alpine, no rpi-imager-pre-fill required)"
+readme = "README.md"
+license = { text = "MIT" }
+authors = [{ name = "Kurt Godwin", email = "kurtgo@hotmail.com" }]
+requires-python = ">=3.9"
+keywords = ["raspberry-pi", "alpine", "raspbian", "headless", "image", "sd-card"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3 :: Only",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Operating System :: POSIX :: Linux",
+    "Topic :: System :: Boot",
+    "Topic :: System :: Installation/Setup",
+]
+# Pure stdlib at the Python level. Runtime depends on `mtools` +
+# `dosfstools` on PATH (Alpine baker) and `losetup` (raspbian
+# baker, when implemented in v0.2). Operator installs those via
+# their distro package manager.
+dependencies = []
+
+[project.urls]
+Homepage = "https://github.com/kurt-cb/pi-bake"
+Issues   = "https://github.com/kurt-cb/pi-bake/issues"
+
+[project.scripts]
+pi-bake = "pi_bake.cli:main"
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.setuptools_scm]
+# Tags like `v0.0.4` map to version `0.0.4`. Untagged commits get
+# a dev suffix (0.0.5.dev3+g<sha>), which pip + PyPI both accept.

py_pi_bake-0.0.4/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

py_pi_bake-0.0.4/src/pi_bake/__init__.py

@@ -0,0 +1,49 @@
+"""pi-bake — generate flashable, headless Raspberry Pi images.
+
+Bake `(board, os, version, hostname, ssh_pubkey, [wifi])` into a
+single `.img.gz` operator dd's to an SD card. Boot the Pi → it
+joins the network → operator can SSH in. No keyboard, no monitor,
+no `setup-alpine`.
+
+Public API (also surfaced via the `pi-bake` CLI):
+
+    from pi_bake import NodeConfig, build, list_boards, list_oses
+    out = build(
+        board="pi-zero-2-w",
+        os_name="alpine",
+        version="3.21",
+        node=NodeConfig(
+            hostname="pi-radio-1",
+            ssh_pubkey="ssh-ed25519 AAAA...",
+            wifi_ssid="totaldns-lab",
+            wifi_psk="secret",
+        ),
+        out_path="~/sdcards/pi-radio-1.img.gz",
+    )
+
+Designed to be agnostic of any specific downstream — totaldns,
+home-server projects, anything that wants a flash-and-boot Pi.
+"""
+from importlib.metadata import PackageNotFoundError, version as _pkg_version
+
+from pi_bake.boards import Board, BOARDS, list_boards
+from pi_bake.config import NodeConfig
+from pi_bake.oses import OSImage, OSES, list_oses, resolve_image
+from pi_bake.bake import build, supports
+
+try:
+    # Distribution name on PyPI is `py-pi-bake`; importlib.metadata
+    # reads it from the installed dist-info, which setuptools_scm
+    # populated from the git tag at build time.
+    __version__ = _pkg_version("py-pi-bake")
+except PackageNotFoundError:
+    # Running from a checkout without `pip install -e .` — fine for
+    # one-off tests, just don't claim a real version.
+    __version__ = "0.0.0+unknown"
+
+__all__ = [
+    "Board", "BOARDS", "list_boards",
+    "OSImage", "OSES", "list_oses", "resolve_image",
+    "NodeConfig",
+    "build", "supports",
+]