nixfiles

lyrathorpe/nixfiles

Fork 0

Commit Graph

Author	SHA1	Message	Date
Emma Thorpe	1cb8371775	feat(rpi5): add Docker host with LAN-restricted network socket Enable Docker and expose the daemon over TCP 2375 by extending the systemd docker.socket ListenStream (avoids the daemon.json hosts vs unit -H fd:// conflict). The port is not added to allowedTCPPorts; instead an nftables rule accepts it only from the trusted LAN subnet. Plain 2375 is root-equivalent, so the source restriction is the only safeguard -- mTLS on 2376 is the documented upgrade path.	2026-06-16 13:25:31 +01:00
Emma Thorpe	2fc39a5f15	feat(rpi5): add placeholder hardware-configuration Committed so the lyrathorpe-rpi5 host evaluates in CI before the Pi is provisioned. It is a placeholder, not a bootable config: on first install, regenerate it on the device with nixos-generate-config and replace this file. Excluded from formatters/linters by the existing hardware-configuration.nix rules.	2026-06-16 13:25:02 +01:00

Author

SHA1

Message

Date

Emma Thorpe

1cb8371775

feat(rpi5): add Docker host with LAN-restricted network socket

Enable Docker and expose the daemon over TCP 2375 by extending the systemd
docker.socket ListenStream (avoids the daemon.json hosts vs unit -H fd://
conflict). The port is not added to allowedTCPPorts; instead an nftables
rule accepts it only from the trusted LAN subnet. Plain 2375 is
root-equivalent, so the source restriction is the only safeguard -- mTLS on
2376 is the documented upgrade path.

2026-06-16 13:25:31 +01:00

Emma Thorpe

2fc39a5f15

feat(rpi5): add placeholder hardware-configuration

Committed so the lyrathorpe-rpi5 host evaluates in CI before the Pi is
provisioned. It is a placeholder, not a bootable config: on first install,
regenerate it on the device with nixos-generate-config and replace this file.
Excluded from formatters/linters by the existing hardware-configuration.nix
rules.

2026-06-16 13:25:02 +01:00

2 Commits