Commit Graph

61 Commits

Author SHA1 Message Date
820de72c0f fix: remove duplicate ai-worker user definition in configuration.nix
ai-worker is now defined in users/ai-worker/ai-worker.nix module
2026-06-16 19:05:03 -04:00
1550219e77 Merge remote changes + feat: AIO v2 board module
- Cross-compile overlays for Hyprland (libcamera, pipewire, gjs)
- Refactor uconsoleBaseModules into reusable list
- Add wireguard-client service module
- Restructure users into subdirectories
- New: hardware.uconsole-cm5-aio-v2 module (GPIO rails, aiov2_ctl, GPS UART)
- Update configuration.nix with Hyprland + AIO v2
- Add AIO v2 module to both toplevel and SD image config
2026-06-16 19:02:38 -04:00
2572f47e41 feat: add NixOS module for HackerGadgets AIO v2 board (uConsole CM5)
- New module: hardware.uconsole-cm5-aio-v2
  - GPIO rail control for GPS (27), LORA (16), SDR (7), USB (23)
  - Systemd oneshot service (aiov2-rails-boot) to apply states at boot
  - aiov2_ctl CLI tool packaged from GitHub source
  - GPS UART support (ttyAMA0, 9600 baud) with dialout group
  - Optional systemd user service for system tray GUI
- Wired into uconsole-cm5 NixOS config + SD image

All rails default OFF — activate on demand with:
  aiov2_ctl <GPS|LORA|SDR|USB> on
2026-06-16 19:00:50 -04:00
bd8b1c564e feat: add reusable wireguard-client NixOS module
- modules/nixos/services/wireguard-client.nix — optional module under
  gortium.wireguard-client namespace with enable, vpnIp, privateKeyFile,
  and presharedKeyFile options
- Added to lazyworkhorse, cyt-pi, and uconsoleBaseModules (covers both
  uconsole-cm5 toplevel and SD image)
- Migrated lazyworkhorse from inline networking.wireguard to module
- Split-tunnel: allowedIPs = [ "10.8.0.0/24" ]

Usage in a host config:
  gortium.wireguard-client = {
    enable = true;
    vpnIp = "10.8.0.X/24";
    privateKeyFile = config.age.secrets.wireguard_private_key.path;
    presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
  };
2026-06-15 10:55:40 -04:00
6399196a2c fix: move gortium passwordFile to shared user module (applies to all hosts) 2026-06-14 21:55:48 -04:00
fba52fa66d fix: use passwordFile instead of hashedPasswordFile (matches other secrets: plain text) 2026-06-14 21:09:10 -04:00
cdbb7de04d fix: properly structure uConsole config (ai-worker, gortium password, age secret) 2026-06-14 19:56:33 -04:00
9004163891 feat: add agenix secret for gortium password on uConsole
- Add gortium_password.age entry in secrets.nix
- Add age.secrets.gortium_password in uConsole config
- Add hashedPasswordFile to existing gortium user
- Add ai-worker user for Hermes SSH access
2026-06-14 19:53:40 -04:00
f06d9028f0 feat: add ai-worker user to uConsole for Hermes SSH access 2026-06-14 19:52:11 -04:00
ce7f74c66f remove hyperspace files accidentally committed from feat/hyperspace-pods-module
These files were mixed into commit 16acc6a which was intended
to only fix SSH options for the uConsole configuration.
2026-06-14 18:58:35 -04:00
9978ea36f4 fix: disable libcamera in pipewire via mesonFlags for both pkgs and rpi 2026-06-14 00:56:31 -04:00
f00477dacc fix: force -Dlibcamera=disabled in pipewire mesonFlags for cross-compile 2026-06-14 00:16:09 -04:00
86d8b7bf8b fix: disable libcamera in pipewire for cross-compile (rpi-pisp blocks) 2026-06-13 23:45:58 -04:00
4610a08072 feat: add Hyprland Wayland compositor from archive/uconsole-cm5-v3 2026-06-13 23:26:15 -04:00
0f765d99cb feat: add CWU50 display patch (no-burst) + fix flake syntax
Remove extra '};' that broke flake.nix parsing.
Apply kernel patch '0008-panel-cwu50-no-burst.patch' to remove
MIPI_DSI_MODE_VIDEO_BURST flag in panel-cwu50.c.
Switch nixos-uconsole module to consolidated uconsole-cm5 module.
Keep patches/0008-panel-cwu50-remove-sync-pulse.patch as variant.
2026-06-13 16:27:32 -04:00
4d8087badf fix: apply DSI burst mode fix as kernel patch overlay 2026-06-13 13:47:35 -04:00
3d86af76b9 fix: remove non-existent ssh opts for nixpkgs-25.11 2026-06-12 20:55:42 -04:00
053dd535d3 deploy1(uconsole): minimal config — no raspberry-pi-5.base, just SSH + WiFi + keys 2026-06-12 20:47:11 -04:00
e8218c322a fix(uconsole): set ignore_lcd=0 + disable conflicting dt-overlays 2026-06-12 20:19:21 -04:00
931ed2ac27 fix(uconsole): clean config.txt — clear conflicting defaults, single [pi5] section 2026-06-12 20:16:50 -04:00
ce7c594562 feat: enable ca-derivations experimental feature on lazyworkhorse 2026-06-12 16:50:16 -04:00
16acc6a153 fix(uconsole): resolve conflicting SSH options + properly override nixos-uconsole's nixos-raspberrypi input
- mkForce on PermitRootLogin and PasswordAuthentication
- nixos-uconsole.inputs.nixos-raspberrypi follows our fork
2026-06-12 16:43:33 -04:00
a527b65eae fix(uconsole): rename secret to home_wifi (shared across hosts, not uconsole-specific) 2026-06-12 16:17:48 -04:00
698d3f91eb feat(uconsole): add agenix secret for WiFi credentials
- age.secrets.uconsole-wifi (SSID+password in encrypted file)
- systemd service ensure-wifi reads decrypted secret and configures NM
- agenix.nixosModules.default imported for uconsole-cm5
- uconsole-wifi.age declared in secrets/secrets.nix
2026-06-12 16:15:37 -04:00
1f99ca0d37 feat(uconsole): add cm5 cross-compiled nixosConfiguration
- New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64)
- SSH authorizedKeys: gortium.main + ai-worker.main
- NetworkManager enabled (WiFi password via agenix later)
- Display: vc4/panel_cwu50/rp1_dsi with empty initrd
- Config.txt [pi5] section (not [cm5])
- Backlight fix service
- nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197)
- nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat)

V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config).
2026-06-12 16:02:13 -04:00
96bc20ab70 feat: add Syncthing firewall port and update compose submodule 2026-05-14 21:36:26 -04:00
Robert
23fc5e0597 Give a little more ssh room for tramp 2026-05-13 12:41:09 -04:00
c53460c400 fix: remove dns option from wireguard config (not a valid nixos option) 2026-05-05 03:26:44 +00:00
Robert
ee96593e3d Merge branch 'feat/wireguard-vpn' of ssh://code.lazyworkhorse.net:2222/gortium/infra into feat/wireguard-vpn 2026-05-04 23:22:35 -04:00
Robert
5935747902 Security fixes 2026-05-04 23:20:57 -04:00
5c481d664a fix: split tunnel on host VPN - only route 10.8.0.0/24 2026-05-05 02:41:29 +00:00
94a7c7195a fix: remove exposed keys from comments 2026-05-05 02:12:55 +00:00
cf279c4fb0 feat: add host-level WireGuard client via networking.wireguard
- Add wg0 interface config with agenix-managed secrets
- Revert compose submodule to remove NET_ADMIN from Hermes
- WireGuard runs at host level, all containers inherit the tunnel
2026-05-05 02:11:41 +00:00
48245518a1 fix: load iptables kernel modules for WireGuard NAT
wg-easy needs iptable_nat and iptable_filter to set up
masquerading for VPN traffic. These modules must be loaded
at boot for the container to access iptables.
2026-05-05 01:17:14 +00:00
1673a56439 feat: add WireGuard VPN stack
- Add vpn stack to services.dockerStacks
- Open UDP port 51820 for WireGuard protocol
- Update compose submodule to include vpn stack
2026-05-04 22:49:06 +00:00
bcebf18676 fix: move filter into jail settings (NixOS submodule doesn't pass string filters) 2026-05-01 11:59:33 +00:00
0370d784a0 fix: http-botsearch logpath must be string, not list 2026-05-01 04:02:06 +00:00
260b2d2756 fix: restructure fail2ban jails per NixOS module - recidive in jails, settings attr, str bantime 2026-05-01 03:59:32 +00:00
2477acdfc7 fix: services.fail2ban top-level options - no findtime, maxretry lowercase 2026-05-01 03:57:21 +00:00
81c25d3f20 fix: use security.auditd instead of services.auditd 2026-05-01 03:55:09 +00:00
9b1f467db9 fix: remove invalid networking.firewall.defaultAllow option 2026-05-01 03:52:57 +00:00
65fa778b2b fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails 2026-05-01 03:40:59 +00:00
7994aad8d8 security: harden lazyworkhorse with firewall, fail2ban, SSH hardening
- Firewall (default deny):
  - Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
  - Rate limit SSH (max 4 new connections/60s)
  - Rate limit HTTP/HTTPS (25/minute)
  - Drop invalid packets, log dropped packets

- Fail2ban (auto-ban attackers):
  - SSH jail: 3 strikes = 1 hour ban
  - HTTP auth failures: 5 strikes = 1 hour ban
  - HTTP scanning: 2 strikes = 2 hour ban
  - Recidive jail: repeat offenders = 1 week ban

- SSH hardening:
  - No root login
  - Max 3 auth tries, 5 sessions
  - 30s login grace time
  - No X11/TCP/agent forwarding
  - Verbose logging

- Kernel network hardening:
  - SYN flood protection (syncookies)
  - IP spoofing protection (rp_filter)
  - Disable source routing, redirects
  - Log martian packets
  - Connection tuning for high load

- Audit logging enabled

Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
2026-04-30 17:46:39 +00:00
Robert
bc875ef9fb feat: isolate docker networks and add cyt-pi remote node config
- Refactor all 12 compose stacks to use isolated networks with Traefik as the hub
- Add openclaw-ssh sidecar to ai stack for reverse tunneling (port 2425)
- Add sshnode entrypoint to Traefik configuration
- Add cyt-pi host configuration for Pi Zero 2 W (headless)
- Include kismet and target_detector_cli services for remote Wi-Fi monitoring
- Add reverse SSH tunnel service via autossh
2026-04-06 19:14:57 -04:00
Robert
8aa85e62e5 feat: add openclaw CLI to system packages 2026-04-04 17:23:15 -04:00
Robert
b9cf8a47f7 fix: set openclaw secret group to ai-worker 2026-04-04 17:15:24 -04:00
Robert
ce20fad4d3 fix: enable flake-self-attrs for lix compatibility 2026-04-04 16:54:10 -04:00
Robert
401b23ce46 feat: add openclaw node service and migrate to lix
- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service
2026-04-04 16:26:33 -04:00
13dbf18f67 Progress dump before ai agent 2026-04-04 04:57:47 -04:00
0845262c05 style: format Nix files after modifications 2026-01-01 14:32:17 -05:00