a312c29221
fix: remove boot.loader.raspberry-pi reference (option removed with rasberry-pi-5.base)
2026-06-12 20:48:30 -04:00
053dd535d3
deploy1(uconsole): minimal config — no rasberry-pi-5.base, just SSH + WiFi + keys
2026-06-12 20:47:11 -04:00
35e4155b8c
fix(uconsole): remove configtxt module (conflicting overlays) — use extra-config only
2026-06-12 20:20:39 -04:00
052081616c
test: remove self.submodules to check Lix compatibility
2026-06-12 19:24:43 -04:00
d3d7cdff44
Revert "fix: remove self.submodules (not supported by Lix)"
This reverts commit 5202bc1fcb.
2026-06-12 18:59:04 -04:00
5202bc1fcb
fix: remove self.submodules (not supported by Lix)
2026-06-12 18:56:44 -04:00
9319e32683
fix(uconsole): cross-compile Lix instead of using native aarch64 flake package
2026-06-12 18:41:44 -04:00
7da46d5769
refactor(uconsole): use standard inject-overlays helpers instead of manual overlay list
2026-06-12 18:21:45 -04:00
8ea6be7ac1
fix: remove rpi-cross-overlay import from uconsole-cm5 modules
2026-06-12 17:11:17 -04:00
16acc6a153
fix(uconsole): resolve conflicting SSH options + properly override nixos-uconsole's nixos-raspberrypi input
- mkForce on PermitRootLogin and PasswordAuthentication
- nixos-uconsole.inputs.nixos-raspberrypi follows our fork
2026-06-12 16:43:33 -04:00
5ee644e9dd
feat(uconsole): add rpi-cross-overlay module + Lix
- rpi-cross-overlay.nix: override pkgs.rpi with cross-compilation
when buildPlatform != hostPlatform (0 QEMU)
- Lix nix daemon for uConsole (aarch64-linux)
- Remove broken inline overlay from flake.nix
2026-06-12 16:36:49 -04:00
698d3f91eb
feat(uconsole): add agenix secret for WiFi credentials
- age.secrets.uconsole-wifi (SSID+password in encrypted file)
- systemd service ensure-wifi reads decrypted secret and configures NM
- agenix.nixosModules.default imported for uconsole-cm5
- uconsole-wifi.age declared in secrets/secrets.nix
2026-06-12 16:15:37 -04:00
1f99ca0d37
feat(uconsole): add cm5 cross-compiled nixosConfiguration
- New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64)
- SSH authorizedKeys: gortium.main + ai-worker.main
- NetworkManager enabled (WiFi password via agenix later)
- Display: vc4/panel_cwu50/rp1_dsi with empty initrd
- Config.txt [pi5] section (not [cm5])
- Backlight fix service
- nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197)
- nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat)
V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config).
2026-06-12 16:02:13 -04:00
18df45819d
Add restricted AI worker access with deployment capabilities
- New module: modules/nixos/security/ai-worker-restricted.nix
- Bind mount for infra repo access (RW)
- Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix
- Audit logging for infra changes
- Documentation in README-ai-worker.md
- Updated users/ai-worker.nix:
  - Enable services.aiWorkerAccess
  - Lock password (SSH key only)
  - Security documentation comments
- Updated flake.nix:
  - Include new security module
SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
Robert
bc875ef9fb
feat: isolate docker networks and add cyt-pi remote node config
- Refactor all 12 compose stacks to use isolated networks with Traefik as the hub
- Add openclaw-ssh sidecar to ai stack for reverse tunneling (port 2425)
- Add sshnode entrypoint to Traefik configuration
- Add cyt-pi host configuration for Pi Zero 2 W (headless)
- Include kismet and target_detector_cli services for remote Wi-Fi monitoring
- Add reverse SSH tunnel service via autossh
2026-04-06 19:14:57 -04:00
Robert
401b23ce46
feat: add openclaw node service and migrate to lix
- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service
2026-04-04 16:26:33 -04:00
13dbf18f67
Progress dump before ai agent
2026-04-04 04:57:47 -04:00
056c39aa71
chore: update flake imports and infrastructure secrets
2026-01-01 02:25:40 -05:00
a8851c19e4
Working bootstrap key
2025-08-24 19:02:42 -04:00
98c0142938
Fixed the git submodule for flake
2025-08-08 19:11:29 -04:00
911f3589a2
Used agenix to manage secrets, 4 services up, ssh
2025-08-08 17:00:47 -04:00
ac6c3688ef
Some more work toward a modular config
2025-08-04 22:15:59 -04:00
94f0ce50ae
Preparing to switch to flakes
2025-08-03 15:42:02 -04:00