feat: Raspberry Pi 5 host (Docker host + nginx reverse proxy) #32

Merged
lyrathorpe merged 7 commits from feat/rpi5-host into main 2026-06-16 14:12:48 +01:00
Owner

What

Adds the framework for a Raspberry Pi 5 (aarch64-linux) headless host,
lyrathorpe-rpi5, serving two roles:

  • Docker host with the daemon exposed over the network.
  • Native nginx reverse proxy with declarative virtualHosts.

Closes #31.

Changes

  • system/machine/RPi5/configuration.nix (boot, hostname, sshd,
    default-deny firewall), docker.nix, reverse-proxy.nix, a placeholder
    hardware-configuration.nix, and install notes (README.md).
  • system/modules/features.nix — new base module declaring
    features.swayDesktop.enable; the option declaration was moved out of
    lyrathorpe/swaywm.nix so a headless host can omit swaywm.nix without an
    eval error. Wired into baseModules.
  • flake.nix — register lyrathorpe-rpi5 (no swaywm.nix; raspberry-pi-5
    profile + key-only sshd).
  • README.md — host table + greeter note.

Docker socket — security

The daemon listens on plain TCP 2375, no TLS, no auth (chosen posture).
Access is root-equivalent; the only protection is an nftables rule accepting
2375 solely from the trusted LAN subnet (10.187.1.0/24, configurable). 2375
is deliberately not in allowedTCPPorts. mTLS on 2376 is the documented
upgrade path; not wired.

nginx

Recommended proxy/TLS/optimisation/gzip settings + a declarative virtualHosts
table with one HTTP-only example vhost. enableACME/forceSSL are present but
commented, to flip per-vhost once a DNS name + cert exist. Opens 80/443.

Verification

  • nix flake check — green (deadnix, statix, nixfmt, treefmt, pre-commit;
    x86 host evals).
  • nix eval of lyrathorpe-rpi5 toplevel.drvPath — resolves (aarch64 eval,
    same gate CI uses). Spot-checked the rendered docker socket ListenStream, the
    nginx virtualHosts, the hostname, and features.swayDesktop.enable = false.
  • Existing hosts (sway + headless) re-evaluated after the feature-flag move.

Not included (by design)

  • On-device install: the hardware-configuration.nix is a placeholder to keep
    CI eval green; it must be regenerated on the device with nixos-generate-config
    before the Pi will boot. See system/machine/RPi5/README.md.
  • TLS/mTLS for Docker and nginx (documented, not wired).
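The Docker-socket and nginx posture described above, written out as one NixOS module. This is an added illustration, not the repository's own `docker.nix` or `reverse-proxy.nix`. It assumes the nftables-mode firewall (`networking.nftables.enable` plus `networking.firewall.extraInputRules`), that systemd unit options merge a list definition of `ListenStream` with the module's own `/run/docker.sock` entry, and placeholder values for the Pi's LAN address, the vhost name and the upstream.

```nix
# Added example (not the repository's docker.nix / reverse-proxy.nix):
# a single NixOS module reproducing the posture described in the PR.
# Assumed: nftables-mode firewall (networking.firewall.extraInputRules),
# list/string merging of systemd unit options for ListenStream, and
# placeholder addresses, vhost name and upstream.
{ lib, ... }:
let
  lanSubnet = "10.187.1.0/24"; # trusted LAN subnet from the PR
  lanAddr   = "10.187.1.5";    # ASSUMED address of the Pi's LAN interface
in
{
  virtualisation.docker.enable = true;

  # Extend docker.socket instead of setting "hosts" in daemon.json: the unit
  # already starts dockerd with -H fd://, and a daemon.json "hosts" key would
  # conflict with it. The module's own /run/docker.sock entry is kept; this
  # list definition is merged with it. Binding to the LAN address rather than
  # 0.0.0.0 keeps 2375 off every other interface at the socket level.
  systemd.sockets.docker.socketConfig.ListenStream = [ "${lanAddr}:2375" ];

  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;                   # default-deny input
    allowedTCPPorts = [ 22 80 443 ]; # 2375 deliberately absent
    # Plain 2375 is root-equivalent: accept it only from the trusted subnet.
    # Everything else hitting 2375 falls through to the firewall's reject.
    extraInputRules = ''
      ip saddr ${lanSubnet} tcp dport 2375 accept
    '';
  };
  # Upgrade path, not wired here (matching the PR): mTLS on 2376 via
  # dockerd's tlsverify/tlscacert/tlscert/tlskey settings and a private CA.

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # Declarative vhost table: one entry per proxied service.
    virtualHosts = {
      # HTTP-only example vhost; name and upstream are placeholders.
      "app.lan.example" = {
        locations."/".proxyPass = "http://127.0.0.1:8080";
        # enableACME = true; # flip per-vhost once a DNS name and cert exist
        # forceSSL = true;
      };
    };
  };
  # Required before any vhost sets enableACME = true:
  # security.acme = { acceptTerms = true; defaults.email = "admin@example.com"; };
}
```

Two checks worth running after a rebuild: `systemctl show -p Listen docker.socket` should list both the unix socket and `10.187.1.5:2375` (and nothing on 0.0.0.0), and `nft list ruleset` should show the `tcp dport 2375 accept` rule scoped to `ip saddr 10.187.1.0/24` with no matching entry in the allowed-ports set. A client inside the subnet reaches the daemon with `DOCKER_HOST=tcp://10.187.1.5:2375 docker info`; from any other source the connection should be rejected, which is the only thing standing between the network and root on the host until mTLS on 2376 is wired.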
lyrathorpe added 7 commits 2026-06-16 13:39:24 +01:00
Committed so the lyrathorpe-rpi5 host evaluates in CI before the Pi is
provisioned. It is a placeholder, not a bootable config: on first install,
regenerate it on the device with nixos-generate-config and replace this file.
Excluded from formatters/linters by the existing hardware-configuration.nix
rules.

Enable Docker and expose the daemon over TCP 2375 by extending the systemd
docker.socket ListenStream (avoids the daemon.json hosts vs unit -H fd://
conflict). The port is not added to allowedTCPPorts; instead an nftables
rule accepts it only from the trusted LAN subnet. Plain 2375 is
root-equivalent, so the source restriction is the only safeguard -- mTLS on
2376 is the documented upgrade path.

Enable nginx with the recommended proxy/TLS/optimisation/gzip settings and a
declarative virtualHosts table -- each proxied service is a Nix entry, so the
routing lives in-repo. Ships one HTTP-only example vhost; enableACME/forceSSL
are present but commented, to be flipped per-vhost once a DNS name and cert
exist. Opens 80 and 443.

Tie the RPi5 submodules together: import hardware-config, docker.nix and
reverse-proxy.nix; pin networking.hostName to the flake attr name so nh
resolves; use U-Boot/extlinux boot (raspberry-pi-5 profile supplies kernel +
firmware); enable key-only sshd and a default-deny firewall opening 22.
Headless -- swaywm.nix is not imported, so swayDesktop stays off.

lyrathorpe/user.nix reads features.swayDesktop.enable on every host, but the
option was declared inside lyrathorpe/swaywm.nix -- so a host that does not
import swaywm.nix (a headless server) would fail evaluation. Move the option
declaration to a new always-imported system/modules/features.nix and wire it
into baseModules; swaywm.nix keeps only its implementation (config) block.
Headless hosts can now omit swaywm.nix and the flag defaults to false.

Add the aarch64-linux Raspberry Pi 5 host to the host table: the RPi5
machine config, the raspberry-pi-5 nixos-hardware profile, and key-only
sshd. Headless, so no swaywm.nix; base home modules only.

docs(rpi5): add install notes and update host table
CI / flake (pull_request) Successful in 3m47s
efa9aa93da
Add system/machine/RPi5/README.md (flash/boot, regenerate hardware-config,
Docker-socket security caveat and remote-client usage, how to add a
reverse-proxy vhost). Add lyrathorpe-rpi5 to the README host table and note
that the swayDesktop flag now lives in system/modules/features.nix so headless
hosts keep TTY login.
lyrathorpe merged commit 1e49af53e7 into main 2026-06-16 14:12:48 +01:00
lyrathorpe deleted branch feat/rpi5-host 2026-06-16 14:12:50 +01:00

Reference: lyrathorpe/nixfiles#32