Add rollback-sentinel NixOS module that:
- Deploys sentinel-check.sh (inline) and nixos-rollback.sh (from file) as
system packages
- Runs a boot-time systemd oneshot service after multi-user.target with
configurable delay — checks Tier-1 services, triggers rollback on failure
- Runs a post-rebuild service via activation script after every
nixos-rebuild switch
- Exposes options for tier1Services, tier2Services, tier3InfoServices,
bootDelay, rollbackMode (set-default/rollback-now/dry-run), and
enablePostRebuild
Module wired into flake.nix for lazyworkhorse and enabled in
configuration.nix with standard Tier-1/2 service lists and 120s delay.

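
As an added illustration of the module shape the commit describes (this is not the repository's own rollback-sentinel module, whose sentinel-check.sh and nixos-rollback.sh are not on this page): a NixOS module exposing the tier1Services, tier2Services, tier3InfoServices, bootDelay, rollbackMode and enablePostRebuild options, a delayed oneshot after multi-user.target, and a post-rebuild hook via an activation script. The option path `services.rollback-sentinel`, the inline check logic and the assumption that nixos-rollback.sh takes the mode as its single argument are all assumptions made for the example.

```nix
# Added example, not the project's own module. Assumptions: option path
# services.rollback-sentinel; nixos-rollback.sh sits beside this file and
# takes the rollback mode (set-default/rollback-now/dry-run) as argv[1].
{ config, lib, pkgs, ... }:

let
  cfg = config.services.rollback-sentinel;

  # nixos-rollback.sh "from file"; its contents are not shown on this page.
  nixosRollback = pkgs.writeShellScriptBin "nixos-rollback"
    (builtins.readFile ./nixos-rollback.sh);

  # sentinel-check.sh "inline": Tier-1 failure triggers rollback,
  # Tier-2 only warns, Tier-3 is informational.
  sentinelCheck = pkgs.writeShellScriptBin "sentinel-check" ''
    set -u
    systemctl=${pkgs.systemd}/bin/systemctl
    failed=0
    for unit in ${lib.escapeShellArgs cfg.tier1Services}; do
      if ! "$systemctl" is-active --quiet "$unit"; then
        echo "sentinel: Tier-1 unit $unit is not active" >&2
        failed=1
      fi
    done
    for unit in ${lib.escapeShellArgs cfg.tier2Services}; do
      "$systemctl" is-active --quiet "$unit" \
        || echo "sentinel: Tier-2 unit $unit is not active (warning only)" >&2
    done
    for unit in ${lib.escapeShellArgs cfg.tier3InfoServices}; do
      echo "sentinel: $unit is $("$systemctl" is-active "$unit" || true)"
    done
    if [ "$failed" -eq 1 ]; then
      # Mode is validated by the enum option below; dry-run is the safe default.
      exec ${nixosRollback}/bin/nixos-rollback ${cfg.rollbackMode}
    fi
    echo "sentinel: all Tier-1 units active"
  '';

  listOpt = desc: lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [ ];
    description = desc;
  };
in
{
  options.services.rollback-sentinel = {
    enable = lib.mkEnableOption "boot-time rollback sentinel";
    tier1Services = listOpt "Units whose failure triggers a rollback.";
    tier2Services = listOpt "Units whose failure is only reported as a warning.";
    tier3InfoServices = listOpt "Units whose state is logged for information.";
    bootDelay = lib.mkOption {
      type = lib.types.ints.unsigned;
      default = 120;
      description = "Seconds to wait after multi-user.target before checking.";
    };
    rollbackMode = lib.mkOption {
      type = lib.types.enum [ "set-default" "rollback-now" "dry-run" ];
      default = "dry-run";
      description = "What nixos-rollback does when a Tier-1 unit is down.";
    };
    enablePostRebuild = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Also run the check after every nixos-rebuild switch.";
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ sentinelCheck nixosRollback ];

    # Boot-time oneshot: wait bootDelay seconds, then check Tier-1 units.
    systemd.services.rollback-sentinel = {
      description = "Check Tier-1 services after boot and roll back on failure";
      after = [ "multi-user.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "oneshot";
        ExecStartPre = "${pkgs.coreutils}/bin/sleep ${toString cfg.bootDelay}";
        ExecStart = "${sentinelCheck}/bin/sentinel-check";
      };
    };

    # Post-rebuild hook: activation scripts run on every nixos-rebuild switch.
    # Re-triggering the oneshot (non-blocking) re-applies the delay and check.
    system.activationScripts.rollback-sentinel-post =
      lib.optionalString cfg.enablePostRebuild ''
        ${pkgs.systemd}/bin/systemctl start --no-block rollback-sentinel.service || true
      '';
  };
}
```

With this shape, the host enablement the commit mentions would be a block such as `services.rollback-sentinel = { enable = true; tier1Services = [ "sshd.service" ]; bootDelay = 120; rollbackMode = "set-default"; };` in configuration.nix (the service name here is illustrative). Keeping `rollbackMode` an enum means a typo in the host config fails at evaluation time rather than at the moment the sentinel decides to roll back.
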
- Add wg0 interface config with agenix-managed secrets
- Revert compose submodule to remove NET_ADMIN from Hermes
- WireGuard runs at the host level; all containers inherit the tunnel

wg-easy needs iptable_nat and iptable_filter to set up
masquerading for VPN traffic. These modules must be loaded
at boot for the container to access iptables.

- Refactor all 12 compose stacks to use isolated networks with Traefik as the hub
- Add openclaw-ssh sidecar to ai stack for reverse tunneling (port 2425)
- Add sshnode entrypoint to Traefik configuration

- Add cyt-pi host configuration for Pi Zero 2 W (headless)
- Include kismet and target_detector_cli services for remote Wi-Fi monitoring
- Add reverse SSH tunnel service via autossh
- Add headless openclaw node systemd service for host execution

- Migrate from nix to lix package manager

- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service