374d022593
fix: update compose submodule - permission fix for atomic writes
2026-05-09 15:50:42 +00:00
9679846cdb
feat: update compose submodule - Ryan high voice
2026-05-09 15:21:59 +00:00
4056f91ec6
fix: update compose submodule - remove patch step
2026-05-09 14:28:44 +00:00
1ba7d31d2f
fix: update compose submodule - patch path fix
2026-05-09 14:27:16 +00:00
c7e9f8a1e0
feat: update compose submodule for Norman voice
2026-05-09 14:20:55 +00:00
bbe1a4a850
fix: update compose submodule - ca-certificates
2026-05-09 14:15:01 +00:00
2b8316060c
fix: update compose submodule - COPY path fix
2026-05-09 14:12:15 +00:00
cc2c62faf7
fix: update compose submodule - Dockerfile heredoc fix
2026-05-09 14:09:59 +00:00
47f1ba6cf2
fix: update compose submodule - clean patch script
2026-05-09 13:59:17 +00:00
db89881d75
fix: update compose submodule for full OPENROUTER_API_KEY
2026-05-09 13:55:47 +00:00
0bb0a270e6
fix: update compose submodule for clean Piper Dockerfile
2026-05-09 13:42:02 +00:00
41256ccbde
fix: update compose submodule for Piper TTS (replaces Coqui/ROCm)
2026-05-09 13:24:17 +00:00
e551f0e5c5
feat: update compose submodule for ROCm + Coqui TTS Dockerfile
2026-05-09 04:10:05 +00:00
b11d599f37
fix: update compose submodule for simplified Dockerfile
2026-05-09 02:38:41 +00:00
782f2fa9ed
feat(hermes): update compose submodule for ROCm GPU voice STT support
2026-05-09 00:22:08 +00:00
2e14069584
Merge pull request 'feat: add WireGuard VPN stack' (#33) from feat/wireguard-vpn into master
Reviewed-on: #33
2026-05-09 00:13:36 +00:00
c53460c400
fix: remove dns option from wireguard config (not a valid nixos option)
2026-05-05 03:26:44 +00:00
Robert
ee96593e3d
Merge branch 'feat/wireguard-vpn' of ssh://code.lazyworkhorse.net:2222/gortium/infra into feat/wireguard-vpn
2026-05-04 23:22:35 -04:00
Robert
030125ab01
Added wireguard pass
2026-05-04 23:21:36 -04:00
Robert
5935747902
Security fixes
2026-05-04 23:20:57 -04:00
Robert
9ae0f6ad62
Submodule update
2026-05-04 23:20:03 -04:00
5c481d664a
fix: split tunnel on host VPN - only route 10.8.0.0/24
2026-05-05 02:41:29 +00:00
94a7c7195a
fix: remove exposed keys from comments
2026-05-05 02:12:55 +00:00
cf279c4fb0
feat: add host-level WireGuard client via networking.wireguard
- Add wg0 interface config with agenix-managed secrets
- Revert compose submodule to remove NET_ADMIN from Hermes
- WireGuard runs at host level, all containers inherit the tunnel
2026-05-05 02:11:41 +00:00
b9289a149d
chore: update compose submodule for Hermes NET_ADMIN + WireGuard Dockerfile
2026-05-05 01:48:24 +00:00
e0068260cb
chore: move Hermes Dockerfile to compose repo, add WireGuard tools
- Move Dockerfile.full from infra/docker/hermes to compose/ai/Dockerfile
- Add wireguard-tools and openresolv to Hermes image
- Remove stray docker/hermes directory from infra
2026-05-05 01:43:42 +00:00
a42b2ff65d
chore: update compose submodule to wireguard-vpn (fix ref)
2026-05-05 01:21:34 +00:00
92bcf1cc04
chore: update compose submodule to wireguard-vpn
2026-05-05 01:21:19 +00:00
7d0b72a513
chore: update compose submodule to linuxserver/wireguard
2026-05-05 01:18:13 +00:00
48245518a1
fix: load iptables kernel modules for WireGuard NAT
wg-easy needs iptable_nat and iptable_filter to set up
masquerading for VPN traffic. These modules must be loaded
at boot for the container to access iptables.
2026-05-05 01:17:14 +00:00
1673a56439
feat: add WireGuard VPN stack
- Add vpn stack to services.dockerStacks
- Open UDP port 51820 for WireGuard protocol
- Update compose submodule to include vpn stack
2026-05-04 22:49:06 +00:00
4cceab05d0
Merge pull request 'security: harden lazyworkhorse with firewall, fail2ban, SSH hardening' (#28) from feature/server-hardening-clean into master
Reviewed-on: #28
2026-05-03 09:11:56 +00:00
bcebf18676
fix: move filter into jail settings (NixOS submodule doesn't pass string filters)
2026-05-01 11:59:33 +00:00
0370d784a0
fix: http-botsearch logpath must be string, not list
2026-05-01 04:02:06 +00:00
260b2d2756
fix: restructure fail2ban jails per NixOS module - recidive in jails, settings attr, str bantime
2026-05-01 03:59:32 +00:00
2477acdfc7
fix: services.fail2ban top-level options - no findtime, maxretry lowercase
2026-05-01 03:57:21 +00:00
81c25d3f20
fix: use security.auditd instead of services.auditd
2026-05-01 03:55:09 +00:00
9b1f467db9
fix: remove invalid networking.firewall.defaultAllow option
2026-05-01 03:52:57 +00:00
65fa778b2b
fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails
2026-05-01 03:40:59 +00:00
5d3bbe99f3
chore: update compose submodule for traefik access logs
2026-05-01 03:33:34 +00:00
Robert
bcf5cadaa0
ollama template fix to remove currenttime
2026-04-30 21:54:47 -04:00
3e04ccc1e8
security: remove deployment commands from ai-worker sudo rules
ai-worker only needs security audit commands, not deployment access.
Removed:
- nh os switch
- nixos-rebuild switch
Kept:
- Firewall checks (iptables)
- Fail2ban status
- Log inspection (journalctl)
- SSH config (sshd -T)
- Docker service checks
- Network diagnostics
2026-04-30 17:46:39 +00:00
21bd4bb283
security: add restricted sudo for ai-worker with security audit commands
- Deployment: nh os switch, nixos-rebuild switch (flake path locked)
- Firewall checks: iptables -L, iptables -S
- Fail2ban: status, banned IPs
- Logs: journalctl for kernel and fail2ban
- SSH config: sshd -T for verification
- Docker: ps, inspect (service health)
- Network: ss -tlnp, /proc/net/tcp
All commands are whitelisted with NOPASSWD.
No shell access, no ALL command - principle of least privilege.
2026-04-30 17:46:39 +00:00
7994aad8d8
security: harden lazyworkhorse with firewall, fail2ban, SSH hardening
- Firewall (default deny):
  - Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
  - Rate limit SSH (max 4 new connections/60s)
  - Rate limit HTTP/HTTPS (25/minute)
  - Drop invalid packets, log dropped packets
- Fail2ban (auto-ban attackers):
  - SSH jail: 3 strikes = 1 hour ban
  - HTTP auth failures: 5 strikes = 1 hour ban
  - HTTP scanning: 2 strikes = 2 hour ban
  - Recidive jail: repeat offenders = 1 week ban
- SSH hardening:
  - No root login
  - Max 3 auth tries, 5 sessions
  - 30s login grace time
  - No X11/TCP/agent forwarding
  - Verbose logging
- Kernel network hardening:
  - SYN flood protection (syncookies)
  - IP spoofing protection (rp_filter)
  - Disable source routing, redirects
  - Log martian packets
  - Connection tuning for high load
- Audit logging enabled
Ports commented for review (likely internal-only):
  - 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
2026-04-30 17:46:39 +00:00
7efba3ac5b
Compose update
2026-04-27 06:11:34 -04:00
Robert
cf1373cd68
Forced restart for docker services
2026-04-27 06:02:25 -04:00
Robert
bc875ef9fb
feat: isolate docker networks and add cyt-pi remote node config
- Refactor all 12 compose stacks to use isolated networks with Traefik as the hub
- Add openclaw-ssh sidecar to ai stack for reverse tunneling (port 2425)
- Add sshnode entrypoint to Traefik configuration
- Add cyt-pi host configuration for Pi Zero 2 W (headless)
- Include kismet and target_detector_cli services for remote Wi-Fi monitoring
- Add reverse SSH tunnel service via autossh
2026-04-06 19:14:57 -04:00
Robert
c579b07843
fix: read gateway token from secret file via bash
2026-04-04 17:49:39 -04:00
Robert
d3f50cdadc
fix: always restart node service on exit
2026-04-04 17:43:03 -04:00
Robert
8aa85e62e5
feat: add openclaw CLI to system packages
2026-04-04 17:23:15 -04:00