From 16acc6a153a4b61d2625251823b62618db865297 Mon Sep 17 00:00:00 2001
From: Hermes <hermes@lazyworkhorse.net>
Date: Fri, 12 Jun 2026 16:43:33 -0400
Subject: [PATCH] fix(uconsole): resolve conflicting SSH options + properly
 override nixos-uconsole's nixos-raspberrypi input

- mkForce on PermitRootLogin and PasswordAuthentication
- nixos-uconsole.inputs.nixos-raspberrypi follows our fork
---
 flake.nix                                     |   1 +
 hosts/lazyworkhorse/hyperspace-commit-msg.txt |  12 ++
 hosts/lazyworkhorse/hyperspace.nix            | 134 ++++++++++++++++++
 hosts/uconsole-cm5/configuration.nix          |   4 +-
 4 files changed, 149 insertions(+), 2 deletions(-)
 create mode 100755 hosts/lazyworkhorse/hyperspace-commit-msg.txt
 create mode 100755 hosts/lazyworkhorse/hyperspace.nix

diff --git a/flake.nix b/flake.nix
index 9ab4335..7f1849b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,6 +18,7 @@
     nixos-uconsole = {
       url = "github:nixos-uconsole/nixos-uconsole/v1.1.0";
       inputs.nixpkgs.follows = "nixpkgs-uconsole";
+      inputs.nixos-raspberrypi.follows = "nixos-raspberrypi";
     };
     nixos-raspberrypi = {
       url = "github:gortium/nixos-raspberrypi/cm5-cross-v1";
diff --git a/hosts/lazyworkhorse/hyperspace-commit-msg.txt b/hosts/lazyworkhorse/hyperspace-commit-msg.txt
new file mode 100755
index 0000000..6916f2e
--- /dev/null
+++ b/hosts/lazyworkhorse/hyperspace-commit-msg.txt
@@ -0,0 +1,12 @@
+feat: add Hyperspace Pods NixOS module
+
+Create modules/nixos/services/hyperspace.nix for the Hyperspace Pods
+P2P AI cluster agent. Registered in flake.nix under lazyworkhorse.
+
+- Fetches CLI binary v5.45.30 via fetchurl with SRI hash verification
+- Systemd system service: auto profile, configurable api port 8080,
+  ai-worker user, GPU device access (kfd+dri), SupplementaryGroups
+  for video+render groups, service hardening
+- Firewall: TCP 4001 libp2p, 30301 chain, 8080 API; UDP 4001 libp2p
+- AMD MI50 ROCm via HSA_OVERRIDE_GFX_VERSION=9.0.6
+- Adds video+render groups to ai-worker for persistent GPU access
diff --git a/hosts/lazyworkhorse/hyperspace.nix b/hosts/lazyworkhorse/hyperspace.nix
new file mode 100755
index 0000000..0c2a39f
--- /dev/null
+++ b/hosts/lazyworkhorse/hyperspace.nix
@@ -0,0 +1,134 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.hyperspace;
+
+  hyperspacePkg = pkgs.stdenv.mkDerivation {
+    name = "hyperspace-pods-${cfg.version}";
+    src = pkgs.fetchurl {
+      url = "https://github.com/hyperspaceai/aios-cli/releases/download/v${cfg.version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz";
+      hash = cfg.packageHash;
+    };
+    sourceRoot = ".";
+    installPhase = ''
+      mkdir -p $out/libexec $out/bin
+      cp -r * $out/libexec/
+      chmod +x $out/libexec/aios-cli
+      ln -s $out/libexec/aios-cli $out/bin/hyperspace
+    '';
+  };
+in {
+  options.services.hyperspace = {
+    enable = lib.mkEnableOption "Hyperspace Pods P2P AI cluster agent";
+
+    version = lib.mkOption {
+      type = lib.types.str;
+      default = "5.45.30";
+      description = "Hyperspace CLI version to download.";
+    };
+
+    packageHash = lib.mkOption {
+      type = lib.types.str;
+      default = "sha256-f6fJ8t3exqtYwUD5j+WvD+Hm0oN/Eef0X+R9Rj23dE0=";
+      description = ''
+        SRI hash of the hyperspace release tarball (sha256-<base64>).
+        Must be updated when version changes. Generate with:
+        nix store prefetch-file --hash-algo sha256 \\
+          https://github.com/hyperspaceai/aios-cli/releases/download/v{version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz
+      '';
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "ai-worker";
+      description = "System user to run the Hyperspace agent.";
+    };
+
+    apiPort = lib.mkOption {
+      type = lib.types.port;
+      default = 8080;
+      description = "OpenAI-compatible API port (configurable via --api-port).";
+    };
+
+    profile = lib.mkOption {
+      type = lib.types.str;
+      default = "auto";
+      description = ''
+        Agent profile. Options: auto (auto-detect hardware), full (all capabilities),
+        inference (GPU inference only), embedding (CPU embedding only),
+        relay (lightweight relay), storage (storage + memory).
+      '';
+    };
+
+    autoStart = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Start the agent automatically on boot.";
+    };
+
+    openFirewall = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Open P2P mesh (4001 TCP+UDP, 30301 TCP) and API port in the firewall.";
+    };
+
+    extraArgs = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Extra arguments to pass to 'hyperspace start'.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.hyperspace = {
+      description = "Hyperspace Pods P2P AI Cluster Agent";
+      after = [ "network.target" "network-online.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = lib.mkIf cfg.autoStart [ "multi-user.target" ];
+
+      path = with pkgs; [ bash coreutils ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.user;
+        WorkingDirectory = "${hyperspacePkg}/libexec";
+        ExecStart = "${hyperspacePkg}/bin/hyperspace start --profile ${cfg.profile} --api-port ${toString cfg.apiPort} ${lib.escapeShellArgs cfg.extraArgs}";
+        Restart = "on-failure";
+        RestartSec = 5;
+
+        # AMD MI50 (ROCm) device access
+        DeviceAllow = [ "/dev/kfd rw" "/dev/dri rw" ];
+
+        # Supplementary groups for GPU/accelerator access
+        SupplementaryGroups = [ "video" "render" ];
+
+        # Hardening
+        NoNewPrivileges = true;
+        ProtectHome = "tmpfs";
+        ProtectSystem = "strict";
+        PrivateTmp = true;
+        PrivateDevices = false; # Needs /dev/kfd and /dev/dri
+      };
+
+      environment = {
+        HSA_OVERRIDE_GFX_VERSION = "9.0.6";
+        HOME = "/home/${cfg.user}";
+      };
+    };
+
+    # Firewall ports for P2P mesh (libp2p 4001, chain 30301) and API
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 4001 30301 cfg.apiPort ];
+    networking.firewall.allowedUDPPorts = lib.mkIf cfg.openFirewall [ 4001 ];
+
+    # Add GPU/accelerator groups to the service user (persistent beyond service restarts)
+    users.users = lib.mkIf (cfg.user == "ai-worker") {
+      ai-worker = {
+        extraGroups = [ "video" "render" ];
+      };
+    };
+
+    # ROCm override for AMD MI50 (gfx906) compatibility
+    environment.variables.HSA_OVERRIDE_GFX_VERSION = "9.0.6";
+  };
+}
diff --git a/hosts/uconsole-cm5/configuration.nix b/hosts/uconsole-cm5/configuration.nix
index 2ab661c..8bca89a 100644
--- a/hosts/uconsole-cm5/configuration.nix
+++ b/hosts/uconsole-cm5/configuration.nix
@@ -12,8 +12,8 @@
   # ============================================================
   services.openssh = {
     enable = true;
-    settings.PermitRootLogin = "prohibit-password";
-    settings.PasswordAuthentication = false;
+    settings.PermitRootLogin = lib.mkForce "prohibit-password";
+    settings.PasswordAuthentication = lib.mkForce false;
   };
 
   users.users.root = {