# Raspberry Pi 5 (pi5)

`systems/aarch64-linux/pi5/`

## Hardware

- **Board**: Raspberry Pi 5
- **Boot**: UEFI (via `rpi5-uefi`)
- **Storage**: bcachefs
- **Connectivity**: Ethernet (`end0`); Wi-Fi and Bluetooth disabled via device tree overlays

## Key Features

- Headless server (no display, no desktop)
- Nebula VPN **lighthouse** — the central relay for the `jallen-nebula` overlay network
- AdGuard Home DNS server (port 53)
- Docker
- Impermanence (ephemeral root)
- Extensive Raspberry Pi device tree overlays configured (I²C, SPI, UART, SDIO, etc.)

## Network

- **LAN IP**: 10.0.1.2 (static, `end0`)
- **Gateway**: 10.0.1.1
- **DNS**: 1.1.1.1
- **Nebula**: lighthouse at `10.1.1.1`, listening on UDP 4242 (public: `mjallen.dev:4242`)
- **Firewall**: TCP/UDP 53 open (DNS)

## Nebula Lighthouse

The pi5 acts as the Nebula VPN lighthouse for the whole network. All other Nebula nodes connect to it to discover peers.

```nix
mjallen.services.nebula = {
  enable = true;
  isLighthouse = true;
  port = 4242;
  secretsPrefix = "pi5/nebula";
  secretsFile = lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml";
  hostSecretName = "lighthouse";
};
```

## Services

| Service | Port | Description |
|---|---|---|
| AdGuard Home | 53 | DNS ad-blocking |
| Nebula | 4242 (UDP) | VPN lighthouse |

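An added example, not part of this repository: a Python check that compares a host's listening sockets against the ports documented on this page (TCP/UDP 53 for DNS, UDP 4242 for Nebula). The `ss -H -tuln` output is a constructed sample, the function names are hypothetical, and loopback-only listeners are assumed to be out of scope.

```python
import ipaddress

# Expected listeners, taken from the Services table and the firewall note on this page.
DOCUMENTED = {("tcp", 53), ("udp", 53), ("udp", 4242)}

# Constructed sample of `ss -H -tuln` output; not captured from the real host.
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:4242       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      4096            [::]:53            [::]:*
tcp   LISTEN 0      4096       127.0.0.1:3000       0.0.0.0:*
tcp   LISTEN 0      4096               *:8080             *:*
udp   UNCONN 0      0      10.0.1.2%end0:68         0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Yield (proto, address, port) for each tcp/udp socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        # Drop the %iface scope first, then the IPv6 brackets.
        addr = addr.split("%")[0].strip("[]")
        yield fields[0], addr, int(port)


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; '*' is the wildcard address."""
    return addr != "*" and ipaddress.ip_address(addr).is_loopback


def audit(ss_output, documented=DOCUMENTED):
    """Return (undocumented, missing) as sorted lists of (proto, port)."""
    exposed = {(proto, port)
               for proto, addr, port in parse_listeners(ss_output)
               if not is_loopback(addr)}
    return sorted(exposed - documented), sorted(documented - exposed)


if __name__ == "__main__":
    undocumented, missing = audit(SAMPLE_SS)
    print("listening but not documented:", undocumented)
    print("documented but not listening:", missing)
```

On a live host, pass the captured output of `ss -H -tuln` to `audit()` in place of the sample.
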
## Configuration Files

| File | Purpose |
|---|---|
| `default.nix` | Main config |
| `boot.nix` | UEFI boot, kernel |
| `adguard.nix` | AdGuard Home configuration |
| `sops.nix` | Secret declarations (SSH keys, system keys) |

## Secrets

Secrets are in `secrets/pi5-secrets.yaml`, encrypted for: `matt`, `matt_pi5`, `desktop`, `pi5`, `admin`, `jallen-nas`.