Add Raspberry Pi 5 host: Docker host + nginx reverse proxy #31

Closed
opened 2026-06-16 13:24:17 +01:00 by lyrathorpe · 0 comments

Summary

Add a Raspberry Pi 5 (aarch64-linux) host to the flake to serve two roles:

  1. Docker host — the Docker daemon socket exposed over the network so remote
    clients can drive it.
  2. Native nginx reverse proxy — proxy configuration expressed declaratively
    in Nix (services.nginx.virtualHosts).

Scope

This issue covers the framework: the host evaluates cleanly in CI and follows
the existing per-machine module pattern. The real hardware-configuration.nix is
generated on the device after first boot; a committed placeholder keeps eval/CI
green until then.

Design decisions

  • Docker socket: plain TCP 2375, no TLS, restricted to the trusted LAN
    subnet by an nftables firewall rule. Plain 2375 is root-equivalent; the
    source-subnet restriction is the only thing protecting it. mTLS on 2376 is the
    documented upgrade path.
  • nginx TLS: an HTTP-only example vhost ships as the scaffold;
    enableACME/forceSSL are present but commented, to be enabled per-vhost once
    a DNS name and certificate path exist.

Tasks

  • system/machine/RPi5/ module set: hardware-config placeholder, Docker host,
    nginx reverse proxy, host configuration, install README.
  • Relocate the features.swayDesktop.enable option to a base module so a
    headless host need not import swaywm.nix.
  • Register lyrathorpe-rpi5 in the flake host table; update the README host
    table.
  • Validate: per-host eval, nix fmt, nix flake check.

Out of scope

  • On-device install (flashing, regenerating hardware-configuration.nix,
    nixos-rebuild switch).
  • TLS/mTLS for either Docker or nginx (documented, not wired).
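As an added example (not code from the lyrathorpe/nixfiles repository), the following NixOS module fragment expresses the two design decisions above in the options the issue names: the Docker socket exposed on plain TCP 2375 and gated by an nftables source-subnet rule, and a declarative HTTP-only nginx vhost with `enableACME`/`forceSSL` left commented. The subnet `192.168.1.0/24`, the vhost name `example.lan` and the backend on port 8080 are placeholders assumed for illustration; the repository's real values are not on the page.

```nix
# Added example: a per-machine module in the spirit of the issue's design
# decisions. Subnet, hostname and backend port are placeholders, not the
# repository's values.
{ config, lib, pkgs, ... }:

{
  ###########################################################################
  # Role 1: Docker host. dockerd stays socket-activated; the extra
  # ListenStream entry exposes the API on TCP 2375 without TLS.
  ###########################################################################
  virtualisation.docker = {
    enable = true;
    # Keep the local unix socket and add the unauthenticated TCP listener.
    # Anything that can reach 2375 is root-equivalent on this host.
    listenOptions = [ "/run/docker.sock" "0.0.0.0:2375" ];
  };

  ###########################################################################
  # Firewall: nftables backend, default-deny inbound. 2375 is deliberately
  # NOT in allowedTCPPorts; it is only reachable from the trusted subnet.
  ###########################################################################
  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;
    # Public HTTP for the reverse proxy; add 443 once forceSSL is enabled.
    allowedTCPPorts = [ 80 ];
    # Source-subnet restriction for the Docker API (placeholder subnet).
    # This is the only control on the socket; a compromised host on the LAN
    # bypasses it. mTLS on 2376 is the documented upgrade path.
    extraInputRules = ''
      ip saddr 192.168.1.0/24 tcp dport 2375 accept
    '';
  };

  ###########################################################################
  # Role 2: native nginx reverse proxy, declared per vhost.
  ###########################################################################
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # HTTP-only scaffold vhost (placeholder name). TLS is wired but
    # commented until a DNS name and certificate path exist.
    virtualHosts."example.lan" = {
      # enableACME = true;
      # forceSSL = true;
      locations."/" = {
        # Placeholder backend; in practice a container port on this host.
        proxyPass = "http://127.0.0.1:8080";
      };
    };
  };

  # Required only once enableACME is uncommented on any vhost.
  # security.acme.acceptTerms = true;
  # security.acme.defaults.email = "admin@example.lan";
}
```

Once the module is wired into the flake's host table, the validation steps listed under Tasks (`nix fmt`, `nix flake check`, and a per-host `nix eval` of `nixosConfigurations.<host>.config.system.build.toplevel`) confirm it evaluates without the real `hardware-configuration.nix`. Note that `extraInputRules` only exists with the nftables backend, so `networking.nftables.enable = true` is what makes the subnet rule take effect.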
Reference: lyrathorpe/nixfiles#31