- Deployment: nh os switch, nixos-rebuild switch (flake path locked)
- Firewall checks: iptables -L, iptables -S
- Fail2ban: status, banned IPs
- Logs: journalctl for kernel and fail2ban
- SSH config: sshd -T for verification
- Docker: ps, inspect (service health)
- Network: ss -tlnp, /proc/net/tcp
All commands are whitelisted with NOPASSWD.
No shell access, no ALL command - principle of least privilege.
- Refactor all 12 compose stacks to use isolated networks with Traefik as the hub
- Add openclaw-ssh sidecar to ai stack for reverse tunneling (port 2425)
- Add sshnode entrypoint to Traefik configuration
- Add cyt-pi host configuration for Pi Zero 2 W (headless)
- Include kismet and target_detector_cli services for remote Wi-Fi monitoring
- Add reverse SSH tunnel service via autossh
- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service
- Comprehensive research of TAK-compatible open-source implementations
- Comparison of FreeTAKServer, OpenTAKServer, and TAK Product Center Server
- Selected OpenTAKServer for feature richness and Docker deployment support
- Documented research findings and implementation plan
- Started OpenCode service and verified it's running
- Tested Context7 web search functionality
- Tested DuckDuckGo web search functionality
- Documented web search integration in open_code_server.nix
- Updated ROADMAP and STATE with completion status
- Phase 4 complete, ready for Phase 5: TAK Server Integration
Phases 1-3 complete.
Phase 4 removed per request.
New focus:
4. Internet Access & MCP - web access via MCP server
5. TAK Server Integration - TAK server Docker integration
Phases 1-3 complete - foundation, Docker integration, and AI assistant ready.
New phases:
4. Advanced Monitoring - service health and logging
5. Internet Access & MCP - web access via MCP server
6. TAK Server Integration - add TAK server to infrastructure
Dropped 04-01 (auto Docker Compose detection) per user request.
Reproducible NixOS infrastructure with Docker service management and AI assistant integration.
Phases:
1. Foundation Setup: Core NixOS configuration with flakes
2. Docker Service Integration: Docker Compose integration and Traefik proxy
3. AI Assistant Integration: OpenCode AI assistant for infrastructure management
4. Automation & Monitoring: Service detection and health monitoring
