lyrathorpe/nixfiles
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Raspberry Pi 5 host (Docker host + nginx reverse proxy) #32

Merged
lyrathorpe merged 7 commits from feat/rpi5-host into main 2026-06-16 14:12:48 +01:00
Conversation 0 Commits 7 Files Changed 9
+258 -14

7 Commits

Author SHA1 Message Date
Emma Thorpe efa9aa93da docs(rpi5): add install notes and update host table
CI / flake (pull_request) Successful in 3m47s
Details 
Add system/machine/RPi5/README.md (flash/boot, regenerate hardware-config,
Docker-socket security caveat and remote-client usage, how to add a
reverse-proxy vhost). Add lyrathorpe-rpi5 to the README host table and note
that the swayDesktop flag now lives in system/modules/features.nix so headless
hosts keep TTY login.
 2026-06-16 13:32:11 +01:00
Emma Thorpe 277dfa4251 feat(flake): register lyrathorpe-rpi5 host 
Add the aarch64-linux Raspberry Pi 5 host to the host table: the RPi5
machine config, the raspberry-pi-5 nixos-hardware profile, and key-only
sshd. Headless, so no swaywm.nix; base home modules only.
 2026-06-16 13:31:16 +01:00
Emma Thorpe 3470751c3e refactor(modules): declare swayDesktop feature flag in a base module 
lyrathorpe/user.nix reads features.swayDesktop.enable on every host, but the
option was declared inside lyrathorpe/swaywm.nix -- so a host that does not
import swaywm.nix (a headless server) would fail evaluation. Move the option
declaration to a new always-imported system/modules/features.nix and wire it
into baseModules; swaywm.nix keeps only its implementation (config) block.
Headless hosts can now omit swaywm.nix and the flag defaults to false.
 2026-06-16 13:29:15 +01:00
Emma Thorpe b56641aaee feat(rpi5): add host configuration (boot, network, sshd) 
Tie the RPi5 submodules together: import hardware-config, docker.nix and
reverse-proxy.nix; pin networking.hostName to the flake attr name so nh
resolves; use U-Boot/extlinux boot (raspberry-pi-5 profile supplies kernel +
firmware); enable key-only sshd and a default-deny firewall opening 22.
Headless -- swaywm.nix is not imported, so swayDesktop stays off.
 2026-06-16 13:26:31 +01:00
Emma Thorpe 108f7b9528 feat(rpi5): add nginx reverse-proxy module 
Enable nginx with the recommended proxy/TLS/optimisation/gzip settings and a
declarative virtualHosts table -- each proxied service is a Nix entry, so the
routing lives in-repo. Ships one HTTP-only example vhost; enableACME/forceSSL
are present but commented, to be flipped per-vhost once a DNS name and cert
exist. Opens 80 and 443.
 2026-06-16 13:25:57 +01:00
Emma Thorpe 1cb8371775 feat(rpi5): add Docker host with LAN-restricted network socket 
Enable Docker and expose the daemon over TCP 2375 by extending the systemd
docker.socket ListenStream (avoids the daemon.json hosts vs unit -H fd://
conflict). The port is not added to allowedTCPPorts; instead an nftables
rule accepts it only from the trusted LAN subnet. Plain 2375 is
root-equivalent, so the source restriction is the only safeguard -- mTLS on
2376 is the documented upgrade path.
 2026-06-16 13:25:31 +01:00
Emma Thorpe 2fc39a5f15 feat(rpi5): add placeholder hardware-configuration 
Committed so the lyrathorpe-rpi5 host evaluates in CI before the Pi is
provisioned. It is a placeholder, not a bootable config: on first install,
regenerate it on the device with nixos-generate-config and replace this file.
Excluded from formatters/linters by the existing hardware-configuration.nix
rules.
 2026-06-16 13:25:02 +01:00