Changes to rpi setup
@@ -19,7 +19,7 @@ modules/
storage.nix # External HD mount + per-service directory layout
caddy.nix # Caddy reverse proxy (DNS-01 ACME, forward_auth)
cloudflared.nix # Cloudflare Tunnel for remote access
backup.nix # Restic daily backups
backup.nix # Restic daily backups (S3 primary + manual offload)
services/
openldap.nix # OpenLDAP — central identity provider
authelia.nix # Authelia — SSO gateway
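Review bot: the `backup.nix` entry in the module listing now advertises "S3 primary + manual offload", but the offload side does not exist yet; the checklist in this same commit still lists `scripts/offload-backup.sh` as an unwritten TODO. Suggest describing only what `backup.nix` does today ("Restic daily backups to S3") or marking the offload as planned, so an operator reading the tree does not assume a second copy of the backups is already in place.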
@@ -226,19 +226,54 @@ production-ready:
- [ ] **`hosts/pi-main/default.nix` — fill in real values**:
- SSH public key in `users.users.admin.openssh.authorizedKeys.keys`
- External HD device path in `homey.storage.device`
- Backup repository URL in `homey.backup.repository`
- Backup repository URL in `homey.backup.repository` — must be an S3-compatible
URL, e.g. `"s3:https://s3.us-west-002.backblazeb2.com/your-bucket-name"`
- [ ] **`secrets/secrets.yaml` — populate and encrypt**: Fill in all secret
values (old passwords from k8s + freshly generated ones), then run
values (old passwords from k8s + freshly generated ones, including
`restic/s3_access_key_id` and `restic/s3_secret_access_key`), then run
`sops --encrypt --in-place secrets/secrets.yaml` before committing.
- [ ] **`secrets/.sops.yaml` — add real age keys**: Replace both
`AGE-PUBLIC-KEY-*` placeholders with actual public keys (workstation + Pi).
- [x] **`secrets/.sops.yaml` — PGP key**: The encryption subkey
`076AA297579A0064` is already in `.sops.yaml`.
- [ ] **Cloudflare Tunnel**: Create the tunnel in the Zero Trust dashboard,
copy the tunnel token into secrets, and configure public hostnames. See
`modules/cloudflared.nix` and Phase 3 of `PORTING.md` for details.
- [ ] **Second machine**: When ready, add `hosts/pi-secondary/` and uncomment
the `pi-secondary` entry in `flake.nix`. Services communicating cross-machine
should reference the primary Pi's LAN IP instead of `127.0.0.1`.
- [ ] **Jellyfin and Transmission**: Both modules are written and importable
but disabled. Enable in `hosts/pi-main/default.nix` when ready:
```nix
homey.jellyfin.enable = true;
homey.transmission.enable = true;
```
- [ ] **Backup — S3 credentials**: Add `restic/s3_access_key_id` and
`restic/s3_secret_access_key` to secrets, and set `homey.backup.repository`
to your S3-compatible bucket URL in `hosts/pi-main/default.nix`.
- [ ] **Backup — offload script**: Write `scripts/offload-backup.sh` for
manually copying snapshots to a local disk (USB attached to Pi, or a disk
on your workstation). Uses `restic copy` to clone from the S3 repo into a
local restic repo on the target path. See `TODO.org` for design notes.
### Post- Pi first boot
These items require the Pi to be built, flashed, and booted at least once.
- [ ] **`secrets/.sops.yaml` — add Pi age key**: After generating the age key
on the Pi (`age-keygen -o /var/lib/sops-nix/key.txt`), add the public key
to `.sops.yaml` alongside the existing PGP key, then run
`sops updatekeys secrets/secrets.yaml`.
- [ ] **`hosts/pi-main/hardware.nix` — verify SD card labels**: The file
assumes partition labels `NIXOS_SD` (root) and `FIRMWARE` (boot). Relabel
after flashing if they differ, or update the `fileSystems` entries.
- [ ] **Gitea LDAP auth**: After first start, configure LDAP authentication
in Gitea's admin panel (Admin → Authentication Sources → Add LDAP source).
The old Helm chart had this commented out; it must be done manually once.
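Review bot: the `secrets/secrets.yaml — populate and encrypt` step leaves the restic S3 keys and the old k8s passwords in plaintext on disk until `sops --encrypt --in-place` is run, and nothing in the checklist stops the file being committed in that state; suggest adding a guard (a pre-commit check that `secrets/secrets.yaml` contains a `sops:` block, or keeping the plaintext draft outside the repository). The same two secret names, `restic/s3_access_key_id` and `restic/s3_secret_access_key`, are listed again under `Backup — S3 credentials`, so one of the two items can be dropped to keep a single source of truth. Two smaller points: the heading `### Post- Pi first boot` has a stray space after the hyphen, and the age key step could state that `/var/lib/sops-nix/key.txt` must remain readable by root only, since that key decrypts every secret on the host.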
@@ -250,18 +285,3 @@ production-ready:
- [ ] **Nextcloud LDAP app**: After restoring the Nextcloud volume, verify
the LDAP Users and Contacts app is still configured correctly
(Admin → LDAP/AD Integration).
- [ ] **`hosts/pi-main/hardware.nix` — verify SD card labels**: The file
assumes partition labels `NIXOS_SD` (root) and `FIRMWARE` (boot). Relabel
after flashing if they differ, or update the `fileSystems` entries.
- [ ] **Second machine**: When ready, add `hosts/pi-secondary/` and uncomment
the `pi-secondary` entry in `flake.nix`. Services communicating cross-machine
should reference the primary Pi's LAN IP instead of `127.0.0.1`.
- [ ] **Jellyfin and Transmission**: Both modules are written and importable
but disabled. Enable in `hosts/pi-main/default.nix` when ready:
```nix
homey.jellyfin.enable = true;
homey.transmission.enable = true;
```
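Review bot: the three items removed in this hunk (`hardware.nix` SD card labels, `Second machine`, `Jellyfin and Transmission`) reappear word for word in the earlier hunk, so this is a relocation rather than a deletion; worth saying so in the commit message, since `Changes to rpi setup` gives a reader of the history no hint that checklist items moved. Moving the SD card label check under `Post- Pi first boot` fits, because relabeling can only happen after flashing, while `Second machine` and the Jellyfin/Transmission toggles now sit in the pre-boot section even though neither depends on the Pi having booted; if the split is meant to be "before first boot" versus "after first boot", consider leaving those two where they were.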