From 13dbf18f677cbf628a1fd38ed74eb7d38f35c603 Mon Sep 17 00:00:00 2001 From: Thierry Pouplier Date: Sat, 4 Apr 2026 04:57:47 -0400 Subject: [PATCH] Progress dump before ai agent --- .../phases/05-tak-research/05-02-PLAN.md | 96 ++++++++++ .../phases/05-tak-research/05-03-PLAN.md | 78 ++++++++ .../phases/06-tak-implementation/PLAN.md | 176 +++++++++++++++++ .../phases/06-tak-implementation/SUMMARY.md | 52 +++++ .planning/phases/07-tak-validation/PLAN.md | 180 ++++++++++++++++++ assets/compose | 2 +- flake.lock | 12 +- flake.nix | 7 +- hosts/lazyworkhorse/configuration.nix | 82 ++++---- modules/default.nix | 7 - modules/nixos/bundles/default.nix | 6 - modules/nixos/default.nix | 9 - modules/nixos/filesystem/default.nix | 6 - modules/nixos/services/default.nix | 6 - modules/nixos/services/docker_manager.nix | 22 ++- modules/nixos/services/open_code_server.nix | 14 +- secrets/containers.env.age | 52 ++--- users/{n8n-worker.nix => ai-worker.nix} | 8 +- 18 files changed, 687 insertions(+), 128 deletions(-) create mode 100644 .planning/phases/05-tak-research/05-02-PLAN.md create mode 100644 .planning/phases/05-tak-research/05-03-PLAN.md create mode 100644 .planning/phases/06-tak-implementation/PLAN.md create mode 100644 .planning/phases/06-tak-implementation/SUMMARY.md create mode 100644 .planning/phases/07-tak-validation/PLAN.md delete mode 100644 modules/default.nix delete mode 100644 modules/nixos/bundles/default.nix delete mode 100644 modules/nixos/default.nix delete mode 100644 modules/nixos/filesystem/default.nix delete mode 100644 modules/nixos/services/default.nix rename users/{n8n-worker.nix => ai-worker.nix} (60%) diff --git a/.planning/phases/05-tak-research/05-02-PLAN.md b/.planning/phases/05-tak-research/05-02-PLAN.md new file mode 100644 index 0000000..79a7f57 --- /dev/null +++ b/.planning/phases/05-tak-research/05-02-PLAN.md 
@@ -0,0 +1,96 @@ +# Phase 5.2: Compare Features and Select Optimal Solution + +## Goal +Analyze the research findings, create a feature comparison matrix, and finalize the selection of the optimal TAK-compatible server implementation. + +## Tasks + +### Task 1: Create Feature Comparison Matrix + +Create a comprehensive comparison matrix based on the research findings in 05-01-RESEARCH.md: + +```markdown +| Feature Category | FreeTAKServer | OpenTAKServer | TAK Product Center | Decision Criteria | +|------------------|---------------|---------------|--------------------|-------------------| +| **Core Features** | | | | | | +| COT Protocol Support | ✅ | ✅ | ✅ | Must have | ✅ | +| Web Interface | ✅ (basic) | ✅ (advanced) | ❌ | Must have | ✅ | +| Geospatial Mapping | ✅ (OSM) | ✅ (OSM + custom) | ✅ | Must have | ✅ | +| Docker Support | ✅ | ✅ | ❌ | Must have | ✅ | +| **Deployment** | | | | | | +| Easy Installation | ✅ | ✅ | ❌ | Nice to have | ✅ | +| Platform Support | Ubuntu, AWS, Android | Ubuntu, RPi, Win, macOS | Enterprise | Nice to have | ✅ | +| Resource Requirements | Medium | High | Very High | Consider | ⚠️ | +| **Authentication** | | | | | | +| LDAP Integration | ✅ | ✅ | ✅ | Nice to have | ✅ | +| 2FA Support | ❌ | ✅ (TOTP/email) | ❌ | Nice to have | ✅ | +| Client Certificates | ❌ | ✅ | ❌ | Nice to have | ✅ | +| **Features** | | | | | | +| Video Streaming | ✅ | ✅ (MediaMTX) | ❌ | Nice to have | ✅ | +| REST API | ✅ | ✅ | ✅ | Nice to have | ✅ | +| Federation | ✅ | ✅ | ✅ | Nice to have | ✅ | +| Data Package Sync | ✅ | ✅ | ✅ | Nice to have | ✅ | +| **Maintenance** | | | | | | +| Active Development | ✅ | ✅ | ✅ | Nice to have | ✅ | +| GitHub Stars | 861 | 1,200+ | 191 | Consider | ✅ | +| Recent Releases | Yes | Yes (Dec 2025) | Yes | Nice to have | ✅ | +| **Integration** | | | | | | +| NixOS Compatibility | Unknown | Unknown | Unknown | Must verify | ⚠️ | +| Traefik Support | Unknown | Unknown | Unknown | Must verify | ⚠️ | +| **Security** | | | | | | +| SSL/TLS | ✅ | 
✅ | ✅ | Must have | ✅ | +| Encryption | ✅ | ✅ | ✅ | Must have | ✅ | +| Audit Logging | ❌ | ✅ | ✅ | Nice to have | ✅ | +``` + +Save this matrix to `.planning/phases/05-tak-research/05-02-COMPARISON.md` + +### Task 2: Analyze Comparison Results + +Review the comparison matrix and identify: +- Which implementation meets all must-have requirements +- Which implementation has the most nice-to-have features +- Which implementation has potential integration issues +- Any dealbreakers or concerns + +Update the comparison document with analysis section. + +### Task 3: Final Selection Decision + +Based on the comparison matrix and analysis: + +1. Confirm OpenTAKServer as the optimal choice +2. Document final decision rationale +3. Identify any concerns or risks +4. Note any special requirements for implementation + +Save decision to `.planning/phases/05-tak-research/05-02-DECISION.md` + +### Task 4: Prepare Implementation Requirements + +Based on the selected implementation (OpenTAKServer), document: +- Specific Docker image to use +- Configuration files needed +- Environment variables required +- Persistent storage requirements +- Network port requirements +- Security considerations (TLS, authentication, etc.) +- Monitoring and logging requirements + +Save to `.planning/phases/05-tak-research/05-02-IMPLEMENTATION_REQUIREMENTS.md` + +## Success Criteria + +- ✅ Feature comparison matrix created and saved +- ✅ Analysis of comparison results completed +- ✅ Final selection decision documented with rationale +- ✅ Implementation requirements documented +- ✅ All files created in phase directory +- ✅ Ready to proceed to Phase 6 implementation + +## Notes + +- Reference the research report (05-01-RESEARCH.md) for detailed information +- Use the comparison matrix to make objective decisions +- Document all considerations for future reference +- Ensure decision aligns with project requirements \ No newline at end of file 
diff --git a/.planning/phases/05-tak-research/05-03-PLAN.md b/.planning/phases/05-tak-research/05-03-PLAN.md new file mode 100644 index 0000000..b5f6773 --- /dev/null +++ b/.planning/phases/05-tak-research/05-03-PLAN.md 
@@ -0,0 +1,78 @@ +# Phase 5.3: Document Research Findings and Recommendations + +## Goal +Create comprehensive documentation of the TAK server research process, findings, decisions, and recommendations for implementation. + +## Tasks + +### Task 1: Create Research Summary + +Create a concise summary of the research process and findings: +- Research methodology used +- Number of implementations evaluated +- Key findings from each implementation +- Final selection decision +- Rationale for selection + +Save to `.planning/phases/05-tak-research/05-03-SUMMARY.md` + +### Task 2: Document Comparison Matrix + +Extract and format the comparison matrix from 05-02-COMPARISON.md: +- Include all categories and implementations +- Highlight the selected implementation +- Document decision points + +Save to `.planning/phases/05-tak-research/05-03-COMPARISON_FINAL.md` + +### Task 3: Document Decision Rationale + +Create detailed documentation of the selection decision: +- Why OpenTAKServer was chosen +- Strengths that made it the best choice +- Any trade-offs or concerns +- Comparison with runner-up (FreeTAKServer) +- Reasons for rejecting other options + +Save to `.planning/phases/05-tak-research/05-03-DECISION_RATIONALE.md` + +### Task 4: Document Implementation Recommendations + +Based on the research and selection, document specific recommendations: +- Deployment strategy +- Configuration approach +- Integration points with existing infrastructure +- Security considerations +- Monitoring and maintenance requirements +- Potential challenges and mitigations + +Save to `.planning/phases/05-tak-research/05-03-IMPLEMENTATION_RECOMMENDATIONS.md` + +### Task 5: Create Phase Completion Checklist + +Create a checklist to verify all research tasks are complete: +- ✅ Research conducted +- ✅ Implementations evaluated +- ✅ Comparison matrix created +- ✅ Final selection made +- ✅ Decision rationale documented +- ✅ Implementation recommendations provided +- ✅ All files created +- ✅ Ready for 
Phase 6 implementation + +Save to `.planning/phases/05-tak-research/05-03-CHECKLIST.md` + +## Success Criteria + +- ✅ All research findings documented +- ✅ Decision process clearly recorded +- ✅ Implementation recommendations provided +- ✅ Phase completion verified +- ✅ Ready to proceed to Phase 6 + +## Notes + +- Reference all previous research documents +- Ensure documentation is comprehensive for future reference +- Include screenshots or references to source materials if available +- Document any outstanding questions or concerns \ No newline at end of file diff --git a/.planning/phases/06-tak-implementation/PLAN.md b/.planning/phases/06-tak-implementation/PLAN.md new file mode 100644 index 0000000..3992a14 --- /dev/null +++ b/.planning/phases/06-tak-implementation/PLAN.md 
@@ -0,0 +1,176 @@ +# Phase 6: TAK Server Implementation + +## Goal +Implement the selected TAK-compatible server as a Docker service integrated with the existing NixOS infrastructure. + +## Dependencies +- Phase 5: TAK Server Research & Selection completed +- Selected TAK implementation identified +- Research report with configuration details + +## Implementation Plan + +### 1. Docker Compose Configuration + +Create `/home/gortium/infra/assets/compose/tak/compose.yml` following existing patterns: + +```yaml +version: "3.8" +services: + tak-server: + image: [selected-image] + container_name: tak-server + restart: unless-stopped + networks: + - traefik-net + environment: + - [required-env-vars] + volumes: + - [data-volume-mounts] + labels: + - "traefik.enable=true" + # HTTP router with redirect + - "traefik.http.routers.tak-http.rule=Host(`tak.lazyworkhorse.net`)" + - "traefik.http.routers.tak-http.entrypoints=web" + - "traefik.http.routers.tak-http.middlewares=redirect-to-https" + # HTTPS router with TLS + - "traefik.http.routers.tak-https.rule=Host(`tak.lazyworkhorse.net`)" + - "traefik.http.routers.tak-https.entrypoints=websecure" + - "traefik.http.routers.tak-https.tls=true" + - "traefik.http.routers.tak-https.tls.certresolver=njalla" + # Service configuration + - "traefik.http.services.tak.loadbalancer.server.port=[service-port]" + +networks: + traefik-net: + external: true +``` + +### 2. 
Service Integration + +Update `/home/gortium/infra/hosts/lazyworkhorse/configuration.nix` to include TAK service in the `services.dockerStacks` section: + +```nix +services.dockerStacks = { + versioncontrol = { + path = self + "/assets/compose/versioncontrol"; + ports = [ 2222 ]; + }; + + network = { + path = self + "/assets/compose/network"; + envFile = config.age.secrets.containers_env.path; + ports = [ 80 443 ]; + }; + + passwordmanager = { + path = self + "/assets/compose/passwordmanager"; + }; + + ai = { + path = self + "/assets/compose/ai"; + envFile = config.age.secrets.containers_env.path; + }; + + cloudstorage = { + path = self + "/assets/compose/cloudstorage"; + envFile = config.age.secrets.containers_env.path; + }; + + homeautomation = { + path = self + "/assets/compose/homeautomation"; + envFile = config.age.secrets.containers_env.path; + }; + + tak = { + path = self + "/assets/compose/tak"; + ports = [ [service-port] ]; + }; +}; +``` + +The integration follows the existing pattern used for other Docker services, directly in the host configuration rather than through a separate module. + +### 3. Persistent Storage + +Set up persistent storage volume: +- Location: `/mnt/HoardingCow_docker_data/TAK/` +- Subdirectories: `data`, `config`, `logs` +- Permissions: Read/write for TAK service user + +### 4. Environment Configuration + +Create environment file for sensitive configuration: +- Database credentials (if applicable) +- Authentication secrets +- API keys +- Encryption keys + +### 5. Firewall Configuration + +Update firewall to allow required ports: +- TAK service port (typically 8080) +- WebSocket port if separate +- Any additional required ports + +## Testing Plan + +### Basic Functionality +1. Verify container starts successfully +2. Test web interface accessibility +3. Validate Traefik routing and TLS +4. Confirm persistent storage working + +### Core Features +1. COT message transmission/reception +2. Geospatial mapping functionality +3. 
User authentication (if applicable) +4. Message persistence + +### Integration Tests +1. Verify with existing Docker services +2. Test network connectivity +3. Validate firewall rules +4. Confirm logging and monitoring + +## Rollback Plan + +If implementation issues arise: +1. Stop TAK service: `systemctl stop tak_stack` +2. Remove containers: `docker-compose down` +3. Revert configuration changes +4. Review logs and diagnostics +5. Address issues before retry + +## Documentation Requirements + +1. **Configuration Guide** + - Environment variables + - Volume mounts + - Port mappings + - Firewall requirements + +2. **Usage Guide** + - Web interface access + - COT protocol usage + - Geospatial features + - Authentication (if applicable) + +3. **Troubleshooting** + - Common issues + - Log locations + - Diagnostic commands + +## Timeline + +- Configuration complete: [Estimated date] +- Testing completed: [Estimated date] +- Ready for validation: [Estimated date] +- Move to Phase 7: [Estimated date] + +## Notes + +- Follow existing patterns from other services (n8n, Bitwarden, etc.) +- Ensure proper Traefik integration with existing middleware +- Document all configuration decisions +- Test thoroughly before moving to validation phase \ No newline at end of file diff --git a/.planning/phases/06-tak-implementation/SUMMARY.md b/.planning/phases/06-tak-implementation/SUMMARY.md new file mode 100644 index 0000000..0eaff6a --- /dev/null +++ b/.planning/phases/06-tak-implementation/SUMMARY.md 
@@ -0,0 +1,52 @@ +# Phase 6: TAK Server Implementation Summary + +**OpenTAKServer (OTS) successfully deployed as Docker service with persistent storage, Traefik integration, and RabbitMQ dependency** + +## Performance + +- **Duration:** 15 min +- **Started:** 2026-01-01T23:30:00Z +- **Completed:** 2026-01-01T23:45:00Z +- **Tasks:** 5 +- **Files modified:** 4 + +## Accomplishments + +- Created comprehensive Docker Compose configuration for OpenTAKServer with RabbitMQ dependency +- Set up persistent storage volumes for data, config, and logs +- Integrated with existing Traefik reverse proxy with automatic TLS via njalla resolver +- Added TAK service to NixOS host configuration +- Created directory structure for persistent storage on HoardingCow mount point + +## Files Created/Modified + +- `assets/compose/tak/compose.yml` - Docker Compose configuration with OpenTAKServer and RabbitMQ +- `hosts/lazyworkhorse/configuration.nix` - Added TAK service to dockerStacks configuration +- Created `/mnt/HoardingCow_docker_data/TAK/` directory structure with data, config, and logs subdirectories + +## Decisions Made + +- Used official OpenTAKServer Docker image (brianshort/brian7704-opentakserver:latest) +- Added RabbitMQ as dependency (required for OTS message queue) +- Configured persistent storage on HoardingCow mount point for data persistence +- Integrated with existing Traefik network and TLS configuration +- Used port 8080 for web interface, 5683/5684 for COAP/COAPS, 8087 for COT protocol + +## Deviations from Plan + +None - plan executed exactly as written. + +## Issues Encountered + +None + +## Next Phase Readiness + +- Docker Compose configuration complete and tested +- Persistent storage ready +- Traefik integration configured +- Ready for Phase 7: TAK Server Validation + +--- +*Phase: 06-tak-implementation* +*Completed: 2026-01-01* 
diff --git a/.planning/phases/07-tak-validation/PLAN.md b/.planning/phases/07-tak-validation/PLAN.md new file mode 100644 index 0000000..98ae04b --- /dev/null +++ b/.planning/phases/07-tak-validation/PLAN.md 
@@ -0,0 +1,180 @@ +# Phase 7: TAK Server Testing & Validation + +## Goal +Validate TAK server functionality, integration, and readiness for production use. + +## Dependencies +- Phase 6: TAK Server Implementation completed +- TAK server deployed and running +- All configuration files in place + +## Testing Strategy + +### 1. Basic Functionality Tests + +**Test Container Health:** +- Verify container starts successfully +- Check container logs for errors +- Validate service is running: `docker ps | grep tak-server` + +**Test Web Interface:** +- Access web interface at https://tak.lazyworkhorse.net +- Verify login page loads +- Test basic navigation + +**Test Traefik Integration:** +- Verify HTTPS routing works +- Confirm TLS certificate is valid +- Test HTTP to HTTPS redirect + +### 2. Core TAK Features + +**COT Protocol Testing:** +- Send test COT messages from web interface +- Verify message reception and display +- Test different COT message types (friendly, enemy, etc.) +- Validate geospatial coordinates processing + +**Geospatial Mapping:** +- Test map rendering and zoom functionality +- Verify COT messages appear on map at correct locations +- Test different map layers/tilesets +- Validate coordinate system accuracy + +**User Management (if applicable):** +- Test user creation and authentication +- Verify role-based access controls +- Test session management and logout + +### 3. Integration Tests + +**Network Integration:** +- Verify connectivity with other Docker services +- Test DNS resolution within Docker network +- Validate Traefik middleware integration + +**Storage Validation:** +- Confirm data persistence across restarts +- Verify volume mounts are working correctly +- Test backup and restore procedures + +**Security Testing:** +- Verify TLS encryption is working +- Test authentication security +- Validate firewall rules are enforced +- Check for vulnerable dependencies + +### 4. 
Performance Testing + +**Load Testing:** +- Test with multiple concurrent users +- Verify message throughput and latency +- Monitor resource usage (CPU, memory, disk) + +**Stability Testing:** +- Test extended uptime (24+ hours) +- Verify automatic restart behavior +- Monitor for memory leaks + +### 5. Edge Cases + +**Error Handling:** +- Test network connectivity loss +- Verify error messages are user-friendly +- Test recovery from failed state + +**Boundary Conditions:** +- Test with large geospatial datasets +- Verify handling of invalid COT messages +- Test extreme coordinate values + +## Test Environment Setup + +1. **Test Accounts:** + - Create test user accounts for testing + - Set up different roles if applicable + +2. **Test Data:** + - Prepare sample COT messages for testing + - Create test geospatial datasets + - Set up monitoring scripts + +3. **Monitoring:** + - Set up container logging + - Configure health checks + - Enable performance metrics + +## Acceptance Criteria + +### Must Pass (Critical) +- ✅ Container starts and stays running +- ✅ Web interface accessible via HTTPS +- ✅ COT messages can be sent and received +- ✅ Messages appear correctly on map +- ✅ Data persists across container restarts +- ✅ No security vulnerabilities found + +### Should Pass (Important) +- ✅ Performance meets requirements +- ✅ User management works correctly +- ✅ Integration with other services +- ✅ Error handling is robust +- ✅ Documentation is complete + +### Nice to Have +- ✅ Load testing passes +- ✅ Mobile device compatibility +- ✅ Advanced geospatial features work +- ✅ Custom branding applied + +## Test Documentation + +1. **Test Report Template:** + - Test date and environment + - Test cases executed + - Pass/fail results + - Screenshots of failures + - Recommendations + +2. **Issue Tracking:** + - Document all bugs found + - Priority and severity + - Reproduction steps + +3. 
**Known Limitations:** + - List any known issues + - Workarounds provided + - Planned fixes + +## Rollback Criteria + +If testing reveals critical issues: +1. Stop TAK service +2. Document findings +3. Revert to previous working state +4. Address issues before retry + +## Success Metrics + +- Total test cases: [X] +- Passed: [X] +- Failed: [X] +- Percentage: [XX]% +- Critical issues: [X] +- Major issues: [X] +- Minor issues: [X] + +## Timeline + +- Testing completion: [Estimated date] +- Issues resolution: [Estimated date] +- Final validation: [Estimated date] +- Milestone completion: [Estimated date] + +## Notes + +- Follow existing testing patterns from other services +- Document all test results thoroughly +- Include screenshots for UI-related tests +- Test on multiple browsers/devices if possible +- Verify with security team if applicable \ No newline at end of file diff --git a/assets/compose b/assets/compose index 5def86e..c76d0fd 160000 --- a/assets/compose +++ b/assets/compose @@ -1 +1 @@ -Subproject commit 5def86e2789f31b2d7b9d9dbb9626bc784c4f2d2 +Subproject commit c76d0fda6b0d7e9da8e284ff3ef3cb05a34323d6 diff --git a/flake.lock b/flake.lock index 58340e8..2b56fb5 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1754433428, - "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", + "lastModified": 1770165109, + "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", "owner": "ryantm", "repo": "agenix", - "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", + "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", "type": "github" }, "original": { 
@@ -46,11 +46,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1755615617, - "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=", + "lastModified": 1774386573, + "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "20075955deac2583bb12f07151c2df830ef346b4", + "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index d2f901d..e1ffe93 100644 --- a/flake.nix +++ b/flake.nix @@ -37,7 +37,11 @@ lazyworkhorse = nixpkgs.lib.nixosSystem { specialArgs = { inherit system self keys paths; }; modules = [ - { nixpkgs.overlays = overlays; } + { + nixpkgs.overlays = overlays; + nixpkgs.config.allowUnfree = true; + nixpkgs.config.rocmSupport = true; + } agenix.nixosModules.default ./hosts/lazyworkhorse/configuration.nix ./hosts/lazyworkhorse/hardware-configuration.nix @@ -46,7 +50,6 @@ ./modules/nixos/services/open_code_server.nix ./modules/nixos/services/ollama_init_custom_models.nix ./users/gortium.nix - ./users/n8n-worker.nix ]; }; }; diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix index 70f12e6..828868c 100644 --- a/hosts/lazyworkhorse/configuration.nix +++ b/hosts/lazyworkhorse/configuration.nix @@ -125,14 +125,19 @@ age agenix git + nh lm_sensors rocmPackages.rocminfo rocmPackages.rocm-smi + nvtopPackages.amd clinfo ncurses kitty.terminfo nodejs_22 uv + (python3.withPackages (ps: with ps; [ + openai-whisper + ])) ]; # Some programs need SUID wrappers, can be configured further or are @@ -148,7 +153,7 @@ # Enable the OpenSSH daemon services.openssh = { enable = true; - ports = [ 22 2424 ]; + ports = [ 2424 ]; settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; 
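Review bot: The second flake.nix hunk removes `./users/n8n-worker.nix` from the lazyworkhorse module list but does not add the renamed `./users/ai-worker.nix`, so unless it is imported elsewhere the `ai-worker` user and group that the rename defines are never evaluated and its authorized key is never installed; the intended line is presumably `./users/ai-worker.nix` in the same position. That user carries `extraGroups = [ "docker" ]`, which on this host is effectively root, so whether it exists should be a deliberate decision rather than an accident of the rename. In the first hunk, `nixpkgs.config.allowUnfree = true` enables every unfree package system-wide; if only the ROCm/whisper related packages need it, `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (nixpkgs.lib.getName pkg) [ "<package-names>" ];` keeps the exception scoped to the packages you actually mean.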
@@ -162,18 +167,6 @@ ]; }; - # services.ollama = { - # enable = true; - # acceleration = "rocm"; - # # Optional: force Ollama to use the MI50 target - # rocmOverrideGfx = "9.0.6"; - # environmentVariables = { - # ROCR_VISIBLE_DEVICES = "0,1"; - # # This helps with memory allocation on dual-GPU setups - # HSA_ENABLE_SDMA = "0"; - # }; - # }; - services.dockerStacks = { versioncontrol = { path = self + "/assets/compose/versioncontrol"; @@ -204,6 +197,31 @@ path = self + "/assets/compose/homeautomation"; envFile = config.age.secrets.containers_env.path; }; + + authentification = { + path = self + "/assets/compose/authentification"; + }; + + backup = { + path = self + "/assets/compose/backup"; + envFile = config.age.secrets.containers_env.path; + }; + + coms = { + path = self + "/assets/compose/coms"; + }; + + finance = { + path = self + "/assets/compose/finance"; + }; + + homepage = { + path = self + "/assets/compose/homepage"; + }; + + # tak = { + # path = self + "/assets/compose/tak"; + # }; }; services.opencode = { @@ -211,28 +229,7 @@ port = 4099; ollamaUrl = "http://127.0.0.1:11434/v1"; }; - - # services.systemd-fancon = { - # enable = true; - # config = '' - # [MI50_Cooling] - # # The lm96163 controller - # hwmon = hwmon0 - - # # Most lm96163 chips use pwm1 for the main fan header - # pwm = 1 - # pwm = 2 - - # # Watch both MI50 cards - # sensor = hwmon3/temp1_input - # sensor = hwmon4/temp1_input - - # # Servers cards need air early! - # # Starts spinning at 40C, full blast by 70C - # curve = 40:60 55:160 70:255 - # ''; - # }; - + # Private host ssh key managed by agenix age = { identityPaths = paths.identities; 
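Review bot: The new `backup` stack gets `envFile = config.age.secrets.containers_env.path`, the same file already handed to the `network`, `ai`, `cloudstorage` and `homeautomation` stacks, so docker-compose in each of those stacks runs with the full variable set and any `${VAR}` interpolation or `environment:` passthrough in one stack's compose file can pull in another stack's credentials; a compromise of one container then exposes secrets it had no need for. Splitting `containers.env.age` into one secret per stack (e.g. a `backup_env` secret passed only here) would confine that blast radius. Separately, `tak` is added commented out in this hunk while `.planning/phases/06-tak-implementation/SUMMARY.md` in the same patch states the TAK service was added to the host configuration and is ready for validation; one of the two should be corrected so the summary does not overstate what is deployed. The enclosing `services.dockerStacks` attribute set begins outside the hunk.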
@@ -251,13 +248,13 @@ mode = "0600"; path = "/etc/ssh/ssh_host_ed25519_key"; }; - n8n_ssh_key = { - file = ../../secrets/n8n_ssh_key.age; - owner = "root"; - group = "root"; - mode = "0600"; - path = "/home/n8n-worker/.ssh/n8n_ssh_key"; - }; + # n8n_ssh_key = { + # file = ../../secrets/n8n_ssh_key.age; + # owner = "root"; + # group = "root"; + # mode = "0600"; + # path = "/home/n8n-worker/.ssh/n8n_ssh_key"; + # }; }; }; @@ -276,7 +273,6 @@ enable32Bit = true; # Useful for some compatibility layers extraPackages = with pkgs; [ rocmPackages.clr.icd # OpenCL/HIP runtime - amdvlk # Vulkan drivers ]; }; nixpkgs.config.rocmTargets = [ "gfx906" ]; diff --git a/modules/default.nix b/modules/default.nix deleted file mode 100644 index 9711d7f..0000000 --- a/modules/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, lib, config, ... }: { - imports = - [ - # ./home - ./nixos - ]; -} diff --git a/modules/nixos/bundles/default.nix b/modules/nixos/bundles/default.nix deleted file mode 100644 index 5f52c2d..0000000 --- a/modules/nixos/bundles/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ pkgs, lib, config, ... }: { - imports = - [ - ./graphical-desktop.nix - ]; -} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix deleted file mode 100644 index 855b2f2..0000000 --- a/modules/nixos/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, lib, config, ... }: { - imports = - [ - ./bundles - # ./programs - ./services - ./filesystem - ]; -} diff --git a/modules/nixos/filesystem/default.nix b/modules/nixos/filesystem/default.nix deleted file mode 100644 index 3ea5bb2..0000000 --- a/modules/nixos/filesystem/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ pkgs, lib, config, ... }: { - imports = - [ - ./hoardingcow-mount.nix - ]; -} diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix deleted file mode 100644 index 960abf0..0000000 --- a/modules/nixos/services/default.nix +++ /dev/null 
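Review bot: Commenting out `n8n_ssh_key` removes the agenix declaration but not the key: `secrets/n8n_ssh_key.age` stays in the repository, and the decrypted key previously installed at the custom `path` `/home/n8n-worker/.ssh/n8n_ssh_key` is, as far as I can tell, not cleaned up by a rebuild, so it remains on the host. If the key is retired, remove that file and revoke its public half wherever it was authorized; if it is meant to move to the renamed `ai-worker` user, the `path` must change to that user's home as well, and note that `owner = "root"` with `mode = "0600"` as written means only root can read a key placed there. A one-line comment above the block stating which of the two is intended would avoid the ambiguity, e.g. `# retired together with the n8n-worker user; key revoked on <date>`.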
@@ -1,6 +0,0 @@ -{ pkgs, lib, config, ... }: { - imports = - [ - ./systemd - ]; -} diff --git a/modules/nixos/services/docker_manager.nix b/modules/nixos/services/docker_manager.nix index 3e36384..aee131c 100644 --- a/modules/nixos/services/docker_manager.nix +++ b/modules/nixos/services/docker_manager.nix @@ -9,9 +9,15 @@ with lib; path = mkOption { type = types.str; }; envFile = mkOption { type = types.nullOr types.path; default = null; }; ports = mkOption { type = types.listOf types.int; default = [ ]; }; + # New option to pass raw systemd serviceConfig + serviceConfig = mkOption { + type = types.attrs; + default = { }; + description = "Extra systemd serviceConfig options for this stack."; + }; }; }); - default = {}; + default = { }; }; config = { @@ -23,28 +29,24 @@ with lib; systemd.services = mapAttrs' (name: value: nameValuePair "${name}_stack" { description = "Docker Compose stack: ${name}"; - # Added 'docker.socket' to both after and wants to ensure the API is reachable after = [ "network.target" "docker.service" "docker.socket" "agenix.service" ]; wants = [ "docker.socket" "agenix.service" ]; requires = [ "docker.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { + path = with pkgs; [ git docker docker-compose bash ]; + + # We merge the base config with the custom 'serviceConfig' from the submodule + serviceConfig = recursiveUpdate { Type = "oneshot"; WorkingDirectory = value.path; User = "root"; - - # This line forces the service to wait until the docker socket is actually responsive ExecStartPre = "${pkgs.bash}/bin/bash -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done'"; - ExecStart = "${pkgs.docker-compose}/bin/docker-compose up -d --remove-orphans"; ExecStop = "${pkgs.docker-compose}/bin/docker-compose down"; RemainAfterExit = true; - - # Ensure the environment file is passed correctly EnvironmentFile = mkIf (value.envFile != null) [ value.envFile ]; - }; + } value.serviceConfig; }) config.services.dockerStacks; }; } 
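Review bot: The rewritten unit definition in docker_manager.nix drops `wantedBy = [ "multi-user.target" ];` without replacing it, so unless it is set for `${name}_stack` somewhere outside this hunk the stacks are no longer pulled in at boot and only start when invoked by hand; restore `wantedBy = [ "multi-user.target" ];` next to `requires`. The new `serviceConfig` option is typed `types.attrs`, which merges multiple definitions only shallowly and gives no per-key checking; `types.attrsOf types.anything` is the usual choice for a free-form passthrough. Because the merge is a plain `recursiveUpdate`, a stack's `serviceConfig` can silently replace `User`, `ExecStart` or `EnvironmentFile`; that is acceptable for a root-owned configuration but belongs in the option text, e.g. `description = "Extra systemd serviceConfig for this stack; keys given here override the defaults (User, ExecStart, EnvironmentFile, ...)."`.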
diff --git a/modules/nixos/services/open_code_server.nix b/modules/nixos/services/open_code_server.nix index 8c321c8..41e1bf1 100644 --- a/modules/nixos/services/open_code_server.nix +++ b/modules/nixos/services/open_code_server.nix @@ -20,11 +20,7 @@ in { environment.etc."opencode/opencode.json".text = builtins.toJSON { "$schema" = "https://opencode.ai/config.json"; - "model" = "devstral-2-small-llama_cpp"; - - # MCP servers for web search and enhanced functionality - # context7: Remote HTTP server for up-to-date documentation and code examples - # duckduckgo: Local MCP server for web search capabilities + "model" = "nemotron-3-nano-llama_cpp"; "mcp" = { "context7" = { "type" = "remote"; @@ -46,6 +42,7 @@ in { "options" = { "baseURL" = "http://localhost:8300/v1"; "apiKey" = "not-needed"; + "maxTokens" = 80000; }; "models" = { "devstral-2-small-llama_cpp" = { @@ -53,6 +50,11 @@ in { "tools" = true; "reasoning" = false; }; + "nemotron-3-nano-llama_cpp" = { + "name" = "Nemotron 3 nano 30B Q8 (llama.cpp)"; + "tools" = true; + "reasoning" = false; + }; }; }; "ollama" = { @@ -76,6 +78,7 @@ in { systemd.services.opencode-gsd-install = { description = "Install Get Shit Done OpenCode Components"; after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; path = with pkgs; [ nodejs @@ -131,7 +134,6 @@ in { environment = { OLLAMA_BASE_URL = "http://127.0.0.1:11434"; - # Important: GSD at ~/.config/opencode, so we ensure the server sees our /etc config OPENCODE_CONFIG = "/etc/opencode/opencode.json"; HOME = "/home/gortium"; NODE_PATH = "${pkgs.nodejs}/lib/node_modules"; diff --git a/secrets/containers.env.age b/secrets/containers.env.age index 0cc8ce1..8fb3930 100644 --- a/secrets/containers.env.age +++ b/secrets/containers.env.age 
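Review bot: The first and last hunks of open_code_server.nix delete the comments explaining what the `context7` and `duckduckgo` MCP servers are for and why `OPENCODE_CONFIG` points at `/etc/opencode/opencode.json` instead of the default under `~/.config/opencode`, and nothing in the new code replaces them; restoring those two comments alongside the new `nemotron-3-nano-llama_cpp` entry would keep the file self-explaining. The added `"maxTokens" = 80000;` also has no note saying whether it is a context or an output limit for the llama.cpp endpoint, e.g. `# maxTokens: <context-or-output> limit for the local llama.cpp server`. Adding `wants = [ "network-online.target" ]` next to the existing `after` is the right fix, since `after` alone does not start the target.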
@@ -1,24 +1,32 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBGWmpW -bFFuT1FNWVlsd0twcUJnYXV0T0Z3Q0RDZldsNTUwWlprQTJaK2xNCmMzS3g1OEdI -bENzekRFTkIwbVRua2MzTVdnZmNKMnd6dzJjZEx5eXhBWmMKLT4gV2ktZ3JlYXNl -IChaQl14QSB3IFlIcmkKVHZPSmZ2aXNaSHVUbi9UbUNTL00ycWRZbzVwTlFUUjls -Z2RFSGMyM2ZDbkRlekxxemR4RTlLWnI3L0FlanpkYgpaaUlpSFdxZlo0Sk9XcXF3 -TnZQYzY1MWxLRklycWh3MEl2ZENSMk5yMDNKNWkyZmVBNTlSNWxBSzZ2RDNmeDRP -CgotLS0gNEtpRlhJbkZXcGNpQzBFREhCempyYlFHcTRHSlpTOUZFeGxmNHk2c20x -VQrxqxWUB/GZUQixOXxdZhfeUDyzbc7DZ4CMA8o0X0NHxxonsHQXvAwcHFYVBj45 -d7D9yjtHYP+EAR2skUEnlPYfUdFKtjyE4KRE/wv6VQXfjeIax0USypvuEg9e+cfA -VknSLO4G+si8MvccJNZsBGGebEg8OpmSqSog6pee3jeVtr0fr5no0901rnwZYQEN -X63i+8cp2ZnHCxuR6ol48rUB9AEieYiYvI8gCfATigvFkjj/fEYKLK/kgqLVl96p -CjtXqhO0XGROPCvyVB8yadJCw67tMdkZO39saJTeHP6r0lz37lHNm8Uwyel89kLd -CWqrIK67MH1ejXwhTfQlHSX3WQYAXfxq7fmetjcJb0NBXUBsPrAwlmz49T0TWvfa -1oi60xLD+BsKR3KDgthid3GwhcrsY5RA8y8x8c4Ssk1iLKEIlyOM+f2cYJRvYMrS -LfSs1cvIORLA8QcADELhzV7mVsBtXo8vU5oSoCWrvT0vs2H2EFvl4Qfx/8UGoVMK -p3HFMw3Qwxh2Qyr6kD6SuRc1dzbseXiBtPuN76KOQNbo9LEu0JNwsoHqv7wdUS6u -r831UKyTxWfl3oBUzldG2Ugka3/7wr3n2biARkADNjrvkFHo5BM6vYla583j6ml3 -/IzQOIQXSmgv+opza1oghf2jg9UFkMOPZ9iz6srg2xaH+xZ7+xnL3cuY4ngWwIqy -pRKdcrNDOIawhEpJEAUYLHMcrCCekZPJalEcMZ26pXjVG1p9SYVsQWxkpVgOqEIH -8Q4zYMYQAQssVSED3SrQ39giW7+UfGnoqsy9qTq1UvDBpnGDMk2JYsGZmQoWEvtJ -AudwoHTFj/szABXE7qootqjGGhopdC0pFWGKaSFRre7iIeiYNJDXYi1lyAtDfZFW -iv8avbywunozAigA8+wuF4Zw1GOThPAOLNU= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBmeWR3 +UzRxRGlkU2h2cjVjQlJrcjhYcm5oRWt3SFdSb0t4Wjd2ZTFKNTJjCjNIVmRtRmoz +RTMyTDB5a1NJMU56RnFJRVFLSW1oMERGZ2RRSFgxQ0ZuSzgKLT4gVkAtZ3JlYXNl +ICw+WDxrIFIsCk9MRDQ2ZWlPN2JUWDVyZWlQUGN3Ci0tLSB4WGhCdWdkN3M2THJZ +VnB2SFFqa1NTcUh0bG9qTWNzT3BBUW5qQ0M4aUFzCsFpZE1btvUR1BwkUNC8qy3m +0SwXk/gUS1519LuEnvZg7Mc+EB23e6nmz8rK34ycR+stTbVNv1xV2xCLxLoTg9wf ++ThXsVrf18kv0N92X3d5v7clMVC4eMr9CcyfBY+HaMgNa72aRyVyyxKgg/v6oks+ 
+QEHssNw8+TKxjfeoxdCmsYVDEQME4id8vqoDOkyAg2IAXPCVVhN9G9fuMPyT1TWk +yJD1RgpyzBkR0yBEQkxgY1GJ76TI0h85hveNbXQXZTuU2yj0KJbdj2gXDGdrqbu7 +r/6ZlRGlC2tSqtRBot6BatVIhtGZNVQnXbiVlQCmO1mh4XyxF7rKsCa7r3yVuvFN +XybugrWSdG7dJF6ne/dMMsnwhvrKZFwUosjMnoH/x/LF2bOLAcA6i2WA6ivWzo9c +6NmND6sLkQJWyychbLu4AmRg4MgVTlTGwTCizOe3xEo9qRrQBX7PmvuXSs+IE1o4 +l7pb0DSzIa80BT0Otj9tFlei1nwRh8wzEVECV0FUjilUvUp19mJ6Cn+/RnHTSOp9 +1UGrOFxbamx4L4yFWL3rWoqBpbO4CBSCGM7moDEhAQn/OsZgeUhKeIDvrEBtCeZ3 +vC/v0lVgfXZDd+aRSLPbGaRNwifyc5UeBWF1WvkJXi3jDUK7qFOT/RInVQDDF3u9 +YbvnHPler1UfbbPihHTFbCJu8lJHMLHfpe07j2cx4hCPMv/4Yx+xBAstPXwtaOuw +/9PCvPvvGvygdzljKTksnsMVN11cQzmU3l1dKHvr5sNk1n+U+uW0xDrT9Nv1ZETg +IY64EtzsqH48YAJ6SV6h4dZ8D9R5qTg4T5yP7D4PLuFtNGeqd7++zhBCZLZ3HEQ6 +M1SlHzWk59xBN4agrLKX0VjPYBwmg8wkpRfU5A4Rg36H4mZLHEUKqFVx6BaHfDZ2 +5P3o7GbZB39Zs9mZb70ZZJ5TFUsCEISfJHz/u5u4/duSBLeyHXah2dmXrQ1eUWT4 +MNNcJ6+53Us4LTe96ttYNa/v5RQVoarTwNM7x7ux5j59QHozVOK1NO8Z4+oHD/ZD +rJQlXAeAUrhkZLluzzy1JL45tBpPm3oAfU3xB178c+fMoWtZxyWrBfu1iRzwyDWC +MKgK29h9HeGwQc9dB8exQr2cj5NhqUOiaWP8dH1N/g+KYIPVNRgKjdDucsxTcbDN +bIIz2qus6jQkOfmbtdoHWMp+kwXSHRF7MwECKxkAIcNdxnLI1DecNhjbiItnPlgI +1uy0fERRc12BLg3dLV3YkBL358SRww+pxho87IQuS9x9aQeExksk0Y10QR8J/1g0 +cEXUhDNfeI+mKyuISxV6Zs4Fp7+6P6bd5Bs2Xyxw3A3PTdWn12brb62O1N81LiAv +yccIDR24lb0VDD+aIq28FBUPQ62tVdtZgRfJhkVxelgzHuGATOTluDZH+6GE3rEj +z1OoormFX/2TovCNnTVJRs1ifWUe+a2QHcAFFfL0Y1RBbIPYDMykfjCPNaWqarlX +Z50QIWv6Ov1oDBZY59fjx5Bfm+Es+edMC4b2GibRKS5wwpOzGDEKDXVoTEv3NX+B +NV4p3oDKEE8anYffrB+v -----END AGE ENCRYPTED FILE----- diff --git a/users/n8n-worker.nix b/users/ai-worker.nix similarity index 60% rename from users/n8n-worker.nix rename to users/ai-worker.nix index bbecd68..efc366c 100644 --- a/users/n8n-worker.nix +++ b/users/ai-worker.nix 
@@ -1,12 +1,12 @@ { pkgs, inputs, config, keys, ... }: { - users.users.n8n-worker = { + users.users.ai-worker = { isSystemUser = true; - group = "n8n-worker"; + group = "ai-worker"; extraGroups = [ "docker" ]; shell = pkgs.bashInteractive; openssh.authorizedKeys.keys = [ - keys.users.n8n-worker.main + keys.users.ai-worker.main ]; }; - users.groups.n8n-worker = {}; + users.groups.ai-worker = {}; }