nixos-uconsole's Cachix cache is built with nixpkgs-stable (25.11).
Following our unstable caused a full kernel rebuild every time.
By using nixos-uconsole's pinned nixpkgs, future builds will
download the pre-compiled kernel from the cache instead of
compiling it locally on the CM5.
- Add disko flake input + partition config (/boot/firmware, /, /home)
- Add cm5-backlight-fix service as display fallback
- Add enable-gpio23-usb-hub service for internal USB hub
- Add mt7921u kernel module for MediaTek AC1200 WiFi
- Add gpiod package for GPIO userspace control
- New module: modules/nixos/security/ai-worker-restricted.nix
- Bind mount for infra repo access (RW)
- Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix
- Audit logging for infra changes
- Documentation in README-ai-worker.md
- Updated users/ai-worker.nix:
- Enable services.aiWorkerAccess
- Lock password (SSH key only)
- Security documentation comments
- Updated flake.nix:
- Include new security module
SECURITY: AI must ask for user confirmation before running nh os switch
- Refactor all 12 compose stacks to use isolated networks with Traefik as the hub
- Add openclaw-ssh sidecar to ai stack for reverse tunneling (port 2425)
- Add sshnode entrypoint to Traefik configuration
- Add cyt-pi host configuration for Pi Zero 2 W (headless)
- Include kismet and target_detector_cli services for remote Wi-Fi monitoring
- Add reverse SSH tunnel service via autossh
- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service
