a9b95c5d48
fix(config): use libgpiod instead of gpiod for gpioset
The nixpkgs attribute for userspace GPIO tools is 'libgpiod',
not 'gpiod'. This provides the gpioset binary used by the
GPIO 23 internal USB hub service.
2026-06-06 17:27:12 -04:00
6771c9882a
fix(hw-config): use mkForce for filesystems to avoid disko conflict
Disko auto-generates fileSystems with by-partlabel paths, but
for manual install via loop devices we need by-label paths.
mkForce ensures our paths win during evaluation.
2026-06-06 17:23:50 -04:00
897f470a16
fix(disko): use /dev/mmcblk0 instead of wrong by-path
platform-fe340000.mmc doesn't exist on the uConsole CM5.
The eMMC is at /dev/mmcblk0 in normal boot mode.
2026-06-06 16:51:46 -04:00
eaf879c4d1
fix(disko-config): use disko.devices.disk instead of top-level disk
disko module defines options under `disko.devices.disk.*`, not
`disk.*`. This was causing an evaluation error:
"The option 'disk' does not exist. Did you mean 'disko'?"
2026-06-06 16:39:46 -04:00
486758e51a
feat(uConsole): add disko, backlight fix, GPIO 23, mt7921u
- Add disko flake input + partition config (/boot/firmware, /, /home)
- Add cm5-backlight-fix service as display fallback
- Add enable-gpio23-usb-hub service for internal USB hub
- Add mt7921u kernel module for MediaTek AC1200 WiFi
- Add gpiod package for GPIO userspace control
2026-06-06 16:38:41 -04:00
a51e095717
feat: enable aarch64 cross-build on lazyworkhorse (QEMU binfmt + extra-platforms)
2026-06-06 09:16:23 -04:00
7f11da1878
fix: let nixos-raspberrypi manage kernel version (patches incompatible with linuxPackages_latest)
2026-06-05 23:33:10 -04:00
29cc20bb04
fix: add wants=network-online.target to rnsd and kismet services to silence eval warnings
2026-06-05 22:58:09 -04:00
1617ac9149
fix: migrate from deprecated kernelboot to kernel bootloader for nixos-raspberrypi
2026-06-05 22:57:26 -04:00
bdd6d03739
fix: use mkForce for PermitRootLogin to override upstream module default
2026-06-05 22:45:59 -04:00
a0a6663793
fix: use mkForce for PasswordAuthentication to override upstream module default
2026-06-05 22:45:30 -04:00
b66ffadb79
fix: add missing 'keys' to uConsole module args
2026-06-05 22:43:53 -04:00
db2bd1d157
feat: add uConsole CM5 host configuration with Reticulum mesh stack
- New NixOS host 'uConsole' for ClockworkPi CM5 portable terminal
- flake.nix: add nixos-uconsole and nixos-raspberrypi inputs
- Imports: nixos-uconsole.nixosModules.uconsole-cm5,
  nixos-raspberrypi.nixosModules.raspberry-pi-5.base
- Full package list: base tools, HAM radio, SDR/RF, mesh/LoRa,
  security tools, GPS/maps
- Reticulum stack (rns 1.2.9, lxmf 0.9.8, nomadnet 1.1.1) built
  from PyPI via overlays/reticulum.nix
- systemd services: rnsd (Reticulum daemon), kismet (Wi-Fi IDS)
- Kernel modules for SDR (rtl-sdr, dvb) and USB WiFi
- Follows existing host config conventions (cyt-pi as template)
2026-05-20 14:34:15 -04:00
96bc20ab70
feat: add Syncthing firewall port and update compose submodule
2026-05-14 21:36:26 -04:00
Robert
23fc5e0597
Give a little more ssh room for tramp
2026-05-13 12:41:09 -04:00
c53460c400
fix: remove dns option from wireguard config (not a valid nixos option)
2026-05-05 03:26:44 +00:00
Robert
ee96593e3d
Merge branch 'feat/wireguard-vpn' of ssh://code.lazyworkhorse.net:2222/gortium/infra into feat/wireguard-vpn
2026-05-04 23:22:35 -04:00
Robert
5935747902
Security fixes
2026-05-04 23:20:57 -04:00
5c481d664a
fix: split tunnel on host VPN - only route 10.8.0.0/24
2026-05-05 02:41:29 +00:00
94a7c7195a
fix: remove exposed keys from comments
2026-05-05 02:12:55 +00:00
cf279c4fb0
feat: add host-level WireGuard client via networking.wireguard
- Add wg0 interface config with agenix-managed secrets
- Revert compose submodule to remove NET_ADMIN from Hermes
- WireGuard runs at host level, all containers inherit the tunnel
2026-05-05 02:11:41 +00:00
48245518a1
fix: load iptables kernel modules for WireGuard NAT
wg-easy needs iptable_nat and iptable_filter to set up
masquerading for VPN traffic. These modules must be loaded
at boot for the container to access iptables.
2026-05-05 01:17:14 +00:00
1673a56439
feat: add WireGuard VPN stack
- Add vpn stack to services.dockerStacks
- Open UDP port 51820 for WireGuard protocol
- Update compose submodule to include vpn stack
2026-05-04 22:49:06 +00:00
bcebf18676
fix: move filter into jail settings (NixOS submodule doesn't pass string filters)
2026-05-01 11:59:33 +00:00
0370d784a0
fix: http-botsearch logpath must be string, not list
2026-05-01 04:02:06 +00:00
260b2d2756
fix: restructure fail2ban jails per NixOS module - recidive in jails, settings attr, str bantime
2026-05-01 03:59:32 +00:00
2477acdfc7
fix: services.fail2ban top-level options - no findtime, maxretry lowercase
2026-05-01 03:57:21 +00:00
81c25d3f20
fix: use security.auditd instead of services.auditd
2026-05-01 03:55:09 +00:00
9b1f467db9
fix: remove invalid networking.firewall.defaultAllow option
2026-05-01 03:52:57 +00:00
65fa778b2b
fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails
2026-05-01 03:40:59 +00:00
7994aad8d8
security: harden lazyworkhorse with firewall, fail2ban, SSH hardening
- Firewall (default deny):
  - Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
  - Rate limit SSH (max 4 new connections/60s)
  - Rate limit HTTP/HTTPS (25/minute)
  - Drop invalid packets, log dropped packets
- Fail2ban (auto-ban attackers):
  - SSH jail: 3 strikes = 1 hour ban
  - HTTP auth failures: 5 strikes = 1 hour ban
  - HTTP scanning: 2 strikes = 2 hour ban
  - Recidive jail: repeat offenders = 1 week ban
- SSH hardening:
  - No root login
  - Max 3 auth tries, 5 sessions
  - 30s login grace time
  - No X11/TCP/agent forwarding
  - Verbose logging
- Kernel network hardening:
  - SYN flood protection (syncookies)
  - IP spoofing protection (rp_filter)
  - Disable source routing, redirects
  - Log martian packets
  - Connection tuning for high load
- Audit logging enabled

Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
2026-04-30 17:46:39 +00:00
Robert
bc875ef9fb
feat: isolate docker networks and add cyt-pi remote node config
- Refactor all 12 compose stacks to use isolated networks with Traefik as the hub
- Add openclaw-ssh sidecar to ai stack for reverse tunneling (port 2425)
- Add sshnode entrypoint to Traefik configuration
- Add cyt-pi host configuration for Pi Zero 2 W (headless)
- Include kismet and target_detector_cli services for remote Wi-Fi monitoring
- Add reverse SSH tunnel service via autossh
2026-04-06 19:14:57 -04:00
Robert
8aa85e62e5
feat: add openclaw CLI to system packages
2026-04-04 17:23:15 -04:00
Robert
b9cf8a47f7
fix: set openclaw secret group to ai-worker
2026-04-04 17:15:24 -04:00
Robert
ce20fad4d3
fix: enable flake-self-attrs for lix compatibility
2026-04-04 16:54:10 -04:00
Robert
401b23ce46
feat: add openclaw node service and migrate to lix
- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service
2026-04-04 16:26:33 -04:00
13dbf18f67
Progress dump before ai agent
2026-04-04 04:57:47 -04:00
0845262c05
style: format Nix files after modifications
2026-01-01 14:32:17 -05:00
9531bff929
chore: enhance system configuration with hardware sensors, GPU support, and security
2026-01-01 02:25:11 -05:00
1210a44ecc
Commented graphic drivers. Longer janitor time.
2025-12-27 17:17:16 -05:00
f5b3a04378
Added amd driver, rocm
2025-08-31 20:23:43 -04:00
3497d93dcb
Added a bootstrap key
2025-08-19 18:00:09 -04:00
955c3255a0
WIP on host ssh key. Broken.
2025-08-17 17:26:59 -04:00
6b367a7c95
WIP on fan control
2025-08-15 21:15:59 -04:00
02155976ab
Enable ssd health and zfs snapshot
2025-08-15 21:11:22 -04:00
911f3589a2
Used agenix to manage secrets, 4 services up, ssh
2025-08-08 17:00:47 -04:00
ac6c3688ef
Some more work toward a modular config
2025-08-04 22:15:59 -04:00
94f0ce50ae
Preparing to switch to flakes
2025-08-03 15:42:02 -04:00
b69b0853d3
Initial commit
2025-08-03 12:47:46 -04:00