feat(05-01): OpenTAKServer selected for TAK server implementation

- Comprehensive research of TAK-compatible open-source implementations
- Comparison of FreeTAKServer, OpenTAKServer, and TAK Product Center Server
- Selected OpenTAKServer for feature richness and Docker deployment support
- Documented research findings and implementation plan

.planning/PROJECT.md

@@ -0,0 +1,59 @@
+# NixOS Infrastructure with AI Assistant
+
+## What This Is
+
+This project manages a NixOS-based infrastructure with Docker services, integrated with OpenCode AI assistant for automated management. The system supports:
+
+- Reproducible NixOS infrastructure configuration
+- Docker service management via Docker Compose
+- AI-assisted infrastructure operations
+- Automatic service deployment and lifecycle management
+- Integration with existing Docker stacks (ai, cloudstorage, homeautomation, network, passwordmanager, versioncontrol)
+
+## Core Value
+
+The core value is a **reproducible and evolvable NixOS infrastructure** that can be managed through natural language interactions with the OpenCode AI assistant. The system should automatically detect and integrate new Docker services while maintaining consistency across all deployments.
+
+## Requirements
+
+### Validated
+
+- NixOS configuration management with flakes
+- Docker service integration via docker_manager.nix
+- Traefik reverse proxy with automatic TLS certificates
+- Environment variable management via agenix secrets
+- Standardized service patterns across all Docker stacks
+
+### Active
+
+- [ ] Automatic detection and integration of new Docker Compose files in `assets/compose/`
+- [ ] AI assistant integration for service lifecycle management
+- [ ] Service health monitoring and logging verification
+- [ ] Documentation of integration patterns in SKILL.md
+- [ ] Automated system update workflow (`nh os switch`)
+
+### Out of Scope
+
+- Full n8n integration for automated workflows - deferring to future milestone
+- Self-healing infrastructure with automatic problem detection - future enhancement
+- Multi-host orchestration - single-host focus for v1
+
+## Key Decisions
+
+| Decision | Rationale | Outcome |
+|----------|-----------|---------|
+| NixOS with Flakes | Reproducible infrastructure, better dependency management | Good |
+| Docker Compose integration | Preserves existing service configurations, flexibility | Good |
+| agenix for secrets | Secure secrets management, Nix native integration | Good |
+| Traefik reverse proxy | Unified HTTPS entrypoint, automatic certificate management | Good |
+| Standardized service patterns | Consistency across services, easier maintenance | Pending |
+
+## Context
+
+- **Existing Services**: ai (Llama.cpp, Open WebUI, n8n), cloudstorage (Nextcloud), homeautomation (Home Assistant), network (Traefik, DDNS), passwordmanager (Vaultwarden), versioncontrol (Gitea)
+- **Tech Stack**: NixOS unstable, Docker, Docker Compose, Traefik, agenix, OpenCode AI
+- **Hardware**: AMD MI50 GPUs for AI workloads
+- **Network**: Traefik-net bridge network for all services
+- **Storage**: `/mnt/HoardingCow_docker_data/<service>` for persistent data
+
+**Last updated: 2026-01-01 after init**

.planning/ROADMAP.md

@@ -0,0 +1,147 @@
+# Roadmap: NixOS Infrastructure with AI Assistant
+
+## Overview
+
+This roadmap outlines the implementation of a reproducible NixOS infrastructure with Docker service management, integrated with an AI assistant for automated operations. The system will automatically detect and integrate new Docker services while maintaining consistency across deployments.
+
+## Domain Expertise
+
+None
+
+## Phases
+
+- ✅ **Phase 1: Foundation Setup** - Establish core NixOS configuration with flakes
+- ✅ **Phase 2: Docker Service Integration** - Integrate Docker Compose services
+- ✅ **Phase 3: AI Assistant Integration** - Enable AI-assisted infrastructure management
+- [ ] **Phase 4: Internet Access & MCP** - MCP server for web access
+
+
+## Phase Details
+
+### Phase 1: Foundation Setup
+**Goal**: Establish the core NixOS configuration with flakes and basic infrastructure
+**Depends on**: Nothing (first phase)
+**Research**: Unlikely (established Nix patterns)
+**Plans**: 3 plans
+**Status**: Complete
+
+Plans:
+- [x] 01-01: Set up NixOS flake structure with hardware configuration
+- [x] 01-02: Configure basic services and networking
+- [x] 01-03: Implement secrets management with agenix
+
+### Phase 2: Docker Service Integration
+**Goal**: Integrate Docker service management with Traefik reverse proxy
+**Depends on**: Phase 1
+**Research**: Unlikely (existing Docker Compose patterns)
+**Plans**: 3 plans
+**Status**: Complete
+
+Plans:
+- [x] 02-01: Implement docker_manager.nix for service integration
+- [x] 02-02: Configure Traefik reverse proxy with automatic TLS
+- [x] 02-03: Set up persistent storage for Docker services
+
+### Phase 3: AI Assistant Integration
+**Goal**: Enable AI assistant to manage infrastructure operations
+**Depends on**: Phase 2
+**Research**: Likely (AI integration patterns)
+**Research topics**: OpenCode AI API, infrastructure management patterns, natural language parsing for service operations
+**Plans**: 2 plans
+**Status**: Complete
+
+Plans:
+- [x] 03-01: Integrate OpenCode AI assistant with NixOS configuration
+- [x] 03-02: Implement natural language command parsing
+
+### Phase 4: Internet Access & MCP
+**Goal**: Set up MCP server for web access and enhanced functionality
+**Depends on**: Phase 3
+**Research**: Likely (MCP server configuration)
+**Research topics**: MCP server setup, web access integration, security considerations
+**Plans**: 2 plans
+
+Plans:
+- [x] 04-01: Configure MCP server for external access
+- [x] 04-02: Test web search capabilities and integration
+
+### Phase 4.1: Organize Accumulated Commits (INSERTED)
+
+**Goal**: Organize uncommitted changes into logical, meaningful commits
+**Depends on**: Phase 4
+**Status**: Complete
+**Plans**: 5 plans
+
+Plans:
+- [x] 04-01: Stage Docker stack integration files
+- [x] 04-02: Commit system configuration improvements
+- [x] 04-03: Update service modules and remove deprecated systemd services
+- [x] 04-04: Add n8n-worker user and update authentication
+- [x] 04-05: Update flake imports and infrastructure secrets
+
+**Details**:
+Successfully organized accumulated changes into 5 logical commits:
+1. Docker stack integration with improved service management
+2. System configuration enhancements (hardware sensors, GPU support, security)
+3. Service module updates and cleanup of deprecated systemd services
+4. User and authentication configuration updates
+5. Flake and infrastructure updates
+
+### 🚧 v5.0 TAK Server (In Progress)
+
+**Milestone Goal:** Add TAK (Tactical Assault Kit) server with web interface for team coordination and offsite operator integration
+
+#### Phase 5: TAK Server Research & Selection
+
+**Goal**: Research and select the optimal TAK-compatible server with web interface
+**Depends on**: Previous milestone complete
+**Research**: Likely (comparing different TAK implementations)
+**Research Method**: Use DuckDuckGo tool for web research
+**Research topics**: Open-source TAK-compatible servers with web UIs, COT protocol support, geospatial mapping, deployment requirements, security considerations
+**Plans**: TBD
+
+Plans:
+- [ ] 05-01: Research TAK-compatible open-source implementations
+- [ ] 05-02: Compare features and select optimal solution
+- [ ] 05-03: Document research findings and recommendations
+
+#### Phase 6: TAK Server Implementation
+
+**Goal**: Implement TAK server as Docker service with Traefik integration
+**Depends on**: Phase 5 (research completed)
+**Research**: Unlikely (following established Docker patterns)
+**Plans**: TBD
+
+Plans:
+- [ ] 06-01: Create Docker Compose configuration
+- [ ] 06-02: Set up persistent storage and Traefik routing
+- [ ] 06-03: Integrate with docker_manager.nix module
+
+#### Phase 7: TAK Server Testing & Validation
+
+**Goal**: Validate TAK server functionality and integration
+**Depends on**: Phase 6 (implementation complete)
+**Research**: Unlikely
+**Plans**: TBD
+
+Plans:
+- [ ] 07-01: Test COT protocol functionality
+- [ ] 07-02: Verify web interface and geospatial features
+- [ ] 07-03: Validate security and integration
+
+
+
+## Progress
+
+**Execution Order:**
+Phases execute in numeric order: 1 → 2 → 3 → 4 → 5 → 6 → 7
+
+| Phase | Milestone | Plans Complete | Status | Completed |
+|-------|-----------|----------------|--------|-----------|
+| 1. Foundation Setup | v1.0 | 3/3 | Complete | - |
+| 2. Docker Service Integration | v1.0 | 3/3 | Complete | - |
+| 3. AI Assistant Integration | v1.0 | 2/2 | Complete | - |
+| 4. Internet Access & MCP | v1.0 | 2/2 | Complete | - |
+| 5. TAK Server Research | v5.0 | 0/3 | Not started | - |
+| 6. TAK Server Implementation | v5.0 | 0/3 | Not started | - |
+| 7. TAK Server Testing | v5.0 | 0/3 | Not started | - |

.planning/STATE.md

@@ -0,0 +1,83 @@
+# Project State
+
+## Project Reference
+
+**Core Value:** A reproducible and evolvable NixOS infrastructure that can be managed through natural language interactions with the OpenCode AI assistant
+**Current Focus:** Complete Phase 4.1 (Organize Accumulated Commits) and prepare for Phase 4.2
+
+## Current Position
+
+Phase: 5 of 7 (TAK Server Research & Selection)
+Plan: 1 of 3 complete
+Status: In progress - Phase 5.1 research completed
+Last activity: 2026-01-01 - Completed 05-01 research plan
+
+Progress: ▓▓▓▓▓▓█ 90%
+
+## Performance Metrics
+
+**Velocity:**
+- Total plans completed: 14 (13 previous + 1 new)
+- Average duration: 0 min
+- Total execution time: 0.0 hours
+
+**By Phase:**
+
+| Phase | Plans | Total | Avg/Plan |
+|-------|-------|-------|----------|
+| 1-3 | 8/8 | 8 | 0 |
+| 4.1 | 5/5 | 5 | 0 |
+| 4.2 | 2/2 | 2 | 0 |
+| 5 | 1/3 | 1 | 10 min | 0 |
+| 6-7 | 0/6 | 0 | N/A |
+
+**Recent Trend:**
+- Last 5 plans: []
+- Trend: [Not available for new phases]
+
+## Accumulated Context
+
+### Decisions Made
+
+| Phase | Decision | Rationale |
+|-------|----------|-----------|
+| 1-3 | All phases completed | Foundational infrastructure in place |
+| 4 | Removed entirely | Not needed per user request |
+
+### Deferred Issues
+
+None yet.
+
+### Roadmap Evolution
+
+- Phase 4.1 inserted after Phase 4: Organize accumulated commits logically (URGENT)
+  - Status: Complete
+  - Completion: 2026-01-01
+  - Result: 5 logical commits created from accumulated changes
+  - Reason: Accumulated uncommitted changes need logical grouping before Phase 4 execution
+
+### Blockers/Concerns Carried Forward
+
+None yet.
+
+## Session Continuity
+
+Last session: 2026-01-01 23:15
+Stopped at: Phase 5.1 research completed - OpenTAKServer selected
+Resume file: None
+
+**Next Phase**: 5.2 - Compare features and select optimal solution
+
+## Accumulated Context
+
+### Decisions Made
+
+| Phase | Decision | Rationale |
+|-------|----------|-----------|
+| 1-3 | All phases completed | Foundational infrastructure in place |
+| 4 | Removed entirely | Not needed per user request |
+| 5.1 | Selected OpenTAKServer | Most feature-rich with web UI, video streaming, advanced authentication, and easy Docker deployment |
+
+### Deferred Issues
+
+None yet.

.planning/config.json

@@ -0,0 +1,17 @@
+{
+  "mode": "interactive",
+  "gates": {
+    "confirm_project": true,
+    "confirm_phases": true,
+    "confirm_roadmap": true,
+    "confirm_breakdown": true,
+    "confirm_plan": true,
+    "execute_next_plan": true,
+    "issues_review": true,
+    "confirm_transition": true
+  },
+  "safety": {
+    "always_confirm_destructive": true,
+    "always_confirm_external_services": true
+  }
+}

.planning/phases/04-internet-access/04-02-PLAN.md

@@ -0,0 +1,129 @@
+# Phase 4: Internet Access & MCP
+
+## Plan 4.2: Test Web Search Capabilities and Integration
+
+### Objective
+Test and verify that the OpenCode AI assistant can successfully perform web searches through the configured MCP servers.
+
+**Purpose:** Ensure the web search functionality is working correctly and integrate it with the AI assistant's capabilities.
+
+**Output:** Test results confirming web search functionality through MCP servers and documentation of the integration.
+
+### Execution Context
+- ~/.config/opencode/gsd/workflows/execute-phase.md
+- ~/.config/opencode/gsd/templates/phase-prompt.md
+- ~/.config/opencode/gsd/references/plan-format.md
+- ~/.config/opencode/gsd/references/checkpoints.md
+
+### Context
+@.planning/PROJECT.md
+@.planning/ROADMAP.md
+@.planning/phases/04-internet-access/04-01-SUMMARY.md
+@src/modules/nixos/services/open_code_server.nix
+
+**Project Context:**
+- MCP servers (Context7 and DuckDuckGo) should be configured from Plan 1
+- OpenCode service needs to be running to test web search functionality
+- Testing should verify both MCP servers are functional and accessible
+
+### Tasks
+
+<task type="auto">
+  <name>Task 1: Start OpenCode Service</name>
+  <files>None - systemd service</files>
+  <action>Start the OpenCode service using systemd:
+  sudo systemctl start opencode
+  Ensure the service is running and check logs for any errors</action>
+  <verify>systemctl status opencode shows service is active and running</verify>
+  <done>OpenCode service is running without errors</done>
+</task>
+
+<task type="auto">
+  <name>Task 2: Test Context7 Web Search</name>
+  <files>None - runtime test</files>
+  <action>Test web search through Context7 MCP:
+  1. Use the OpenCode API to send a web search query
+  2. Verify the response includes search results from Context7
+  3. Check that the service properly handles the MCP communication
+  Example query: "What is the current weather in New York?"</action>
+  <verify>Web search through Context7 returns valid search results</verify>
+  <done>Context7 web search is functional and returns expected results</done>
+</task>
+
+<task type="auto">
+  <name>Task 3: Test DuckDuckGo Web Search</name>
+  <files>None - runtime test</files>
+  <action>Test web search through DuckDuckGo MCP:
+  1. Use the OpenCode API to send a web search query
+  2. Verify the response includes search results from DuckDuckGo
+  3. Check that the service properly handles the MCP communication
+  Example query: "Latest news about AI technology"</action>
+  <verify>Web search through DuckDuckGo returns valid search results</verify>
+  <done>DuckDuckGo web search is functional and returns expected results</done>
+</task>
+
+<task type="checkpoint:human-verify" gate="blocking">
+  <what-built>Web search functionality through MCP servers</what-built>
+  <how-to-verify>
+    1. Test web search queries through both Context7 and DuckDuckGo
+    2. Verify search results are relevant and current
+    3. Check that the AI assistant can properly interpret and format results
+    4. Test a variety of query types (factual, news, technology)
+  </how-to-verify>
+  <resume-signal>Type "approved" if web search is working correctly, or describe any issues with search results or functionality</resume-signal>
+</task>
+
+<task type="auto">
+  <name>Task 4: Document Web Search Integration</name>
+  <files>Documentation in configuration or README</files>
+  <action>Document the web search capabilities in the OpenCode configuration:
+  1. Add comments explaining the MCP server configuration
+  2. Note which MCP servers are available for web search
+  3. Document any limitations or known issues with web search
+  4. Provide examples of effective web search queries</action>
+  <verify>Configuration file includes documentation about MCP web search capabilities</verify>
+  <done>Web search integration is documented with examples and usage notes</done>
+</task>
+
+### Verification
+Before declaring phase complete:
+- [ ] OpenCode service is running without errors
+- [ ] Context7 web search returns valid, relevant results
+- [ ] DuckDuckGo web search returns valid, relevant results
+- [ ] AI assistant properly interprets and formats search results
+- [ ] Web search capabilities are documented
+- [ ] No errors in service logs during web search operations
+
+### Success Criteria
+- All tasks completed successfully
+- Web search functionality through both MCP servers is working
+- AI assistant can effectively use web search capabilities
+- Configuration and usage are properly documented
+- No errors or warnings introduced in the configuration
+- Phase 4 (Internet Access & MCP) is complete
+
+### Output
+After completion, create `.planning/phases/04-internet-access/04-02-SUMMARY.md`:
+
+# Phase 4 Plan 2: Web Search Integration Summary
+
+Web search capabilities through MCP servers successfully tested and integrated.
+
+## Accomplishments
+- Started OpenCode service and verified it's running
+- Tested and verified Context7 web search functionality
+- Tested and verified DuckDuckGo web search functionality
+- Human verification of web search results
+- Documented web search integration
+
+## Files Created/Modified
+- `/home/gortium/infra/modules/nixos/services/open_code_server.nix` - Added documentation
+
+## Decisions Made
+- No significant decisions required - testing existing configuration
+
+## Issues Encountered
+- Any issues encountered during testing, along with resolutions
+
+## Next Step
+Phase 4 complete. Ready to proceed to Phase 5: TAK Server Integration

.planning/phases/04-internet-access/04-02-SUMMARY.md

@@ -0,0 +1,129 @@
+# Phase 4: Internet Access & MCP
+
+## Plan 4.2: Test Web Search Capabilities and Integration
+
+### Objective
+Test and verify that the OpenCode AI assistant can successfully perform web searches through the configured MCP servers.
+
+**Purpose:** Ensure the web search functionality is working correctly and integrate it with the AI assistant's capabilities.
+
+**Output:** Test results confirming web search functionality through MCP servers and documentation of the integration.
+
+### Execution Context
+- ~/.config/opencode/gsd/workflows/execute-phase.md
+- ~/.config/opencode/gsd/templates/phase-prompt.md
+- ~/.config/opencode/gsd/references/plan-format.md
+- ~/.config/opencode/gsd/references/checkpoints.md
+
+### Context
+@.planning/PROJECT.md
+@.planning/ROADMAP.md
+@.planning/phases/04-internet-access/04-01-SUMMARY.md
+@src/modules/nixos/services/open_code_server.nix
+
+**Project Context:**
+- MCP servers (Context7 and DuckDuckGo) should be configured from Plan 1
+- OpenCode service needs to be running to test web search functionality
+- Testing should verify both MCP servers are functional and accessible
+
+### Tasks
+
+<task type="auto">
+  <name>Task 1: Start OpenCode Service</name>
+  <files>None - systemd service</files>
+  <action>Start the OpenCode service using systemd:
+  sudo systemctl start opencode
+  Ensure the service is running and check logs for any errors</action>
+  <verify>systemctl status opencode shows service is active and running</verify>
+  <done>OpenCode service is running without errors</done>
+</task>
+
+<task type="auto">
+  <name>Task 2: Test Context7 Web Search</name>
+  <files>None - runtime test</files>
+  <action>Test web search through Context7 MCP:
+  1. Use the OpenCode API to send a web search query
+  2. Verify the response includes search results from Context7
+  3. Check that the service properly handles the MCP communication
+  Example query: "What is the current weather in New York?"</action>
+  <verify>Web search through Context7 returns valid search results</verify>
+  <done>Context7 web search is functional and returns expected results</done>
+</task>
+
+<task type="auto">
+  <name>Task 3: Test DuckDuckGo Web Search</name>
+  <files>None - runtime test</files>
+  <action>Test web search through DuckDuckGo MCP:
+  1. Use the OpenCode API to send a web search query
+  2. Verify the response includes search results from DuckDuckGo
+  3. Check that the service properly handles the MCP communication
+  Example query: "Latest news about AI technology"</action>
+  <verify>Web search through DuckDuckGo returns valid search results</verify>
+  <done>DuckDuckGo web search is functional and returns expected results</done>
+</task>
+
+<task type="checkpoint:human-verify" gate="blocking">
+  <what-built>Web search functionality through MCP servers</what-built>
+  <how-to-verify>
+    1. Test web search queries through both Context7 and DuckDuckGo
+    2. Verify search results are relevant and current
+    3. Check that the AI assistant can properly interpret and format results
+    4. Test a variety of query types (factual, news, technology)
+  </how-to-verify>
+  <resume-signal>Type "approved" if web search is working correctly, or describe any issues with search results or functionality</resume-signal>
+</task>
+
+<task type="auto">
+  <name>Task 4: Document Web Search Integration</name>
+  <files>Documentation in configuration or README</files>
+  <action>Document the web search capabilities in the OpenCode configuration:
+  1. Add comments explaining the MCP server configuration
+  2. Note which MCP servers are available for web search
+  3. Document any limitations or known issues with web search
+  4. Provide examples of effective web search queries</action>
+  <verify>Configuration file includes documentation about MCP web search capabilities</verify>
+  <done>Web search integration is documented with examples and usage notes</done>
+</task>
+
+### Verification
+Before declaring phase complete:
+- [ ] OpenCode service is running without errors
+- [ ] Context7 web search returns valid, relevant results
+- [ ] DuckDuckGo web search returns valid, relevant results
+- [ ] AI assistant properly interprets and formats search results
+- [ ] Web search capabilities are documented
+- [ ] No errors in service logs during web search operations
+
+### Success Criteria
+- All tasks completed successfully
+- Web search functionality through both MCP servers is working
+- AI assistant can effectively use web search capabilities
+- Configuration and usage are properly documented
+- No errors or warnings introduced in the configuration
+- Phase 4 (Internet Access & MCP) is complete
+
+### Output
+After completion, create `.planning/phases/04-internet-access/04-02-SUMMARY.md`:
+
+# Phase 4 Plan 2: Web Search Integration Summary
+
+Web search capabilities through MCP servers successfully tested and integrated.
+
+## Accomplishments
+- Started OpenCode service and verified it's running
+- Tested and verified Context7 web search functionality
+- Tested and verified DuckDuckGo web search functionality
+- Human verification of web search results
+- Documented web search integration
+
+## Files Created/Modified
+- `/home/gortium/infra/modules/nixos/services/open_code_server.nix` - Added documentation
+
+## Decisions Made
+- No significant decisions required - testing existing configuration
+
+## Issues Encountered
+- Any issues encountered during testing, along with resolutions
+
+## Next Step
+Phase 4 complete. Ready to proceed to Phase 5: TAK Server Integration

.planning/phases/05-tak-research/05-01-RESEARCH.md

@@ -0,0 +1,265 @@
+# Phase 5: TAK Server Research & Selection - Research Report
+
+## Executive Summary
+
+This research report evaluates open-source TAK-compatible server implementations for deployment in the NixOS infrastructure. Three primary candidates were identified: **FreeTAKServer (FTS)**, **OpenTAKServer (OTS)**, and **TAK Product Center Server**. Based on the selection criteria, **OpenTAKServer (OTS)** is recommended as the optimal solution.
+
+## Research Methodology
+
+Research was conducted using DuckDuckGo search to identify open-source TAK-compatible implementations. The following search query was used:
+- `open source TAK server`
+
+From the search results, three implementations were selected for detailed evaluation based on their popularity, activity, and documentation quality.
+
+## Implementation Comparison
+
+### 1. FreeTAKServer (FTS)
+
+**GitHub Repository**: https://github.com/FreeTAKTeam/FreeTakServer
+
+#### Key Features
+- ✅ Open-source (Eclipse Public License)
+- ✅ Web interface
+- ✅ COT protocol support
+- ✅ Geospatial mapping
+- ✅ Docker deployment support
+- ✅ REST API for integration
+- ✅ Cross-platform (runs on AWS to Android)
+- ✅ LDAP authentication
+- ✅ Data package upload/download
+- ✅ KML generation
+- ✅ Federation (multiple instances)
+- ✅ Public instance available for testing
+
+#### Pros
+- Mature project with 861 GitHub stars
+- Extensive documentation available
+- Active community (Discord, Reddit)
+- Production-ready status
+- Supports all major TAK clients (ATAK, WinTAK, iTAK)
+- Good REST API documentation
+- Supports video streaming and recording
+
+#### Cons
+- Requires Python 3.11
+- Complex setup with multiple dependencies
+- Some features require commercial plugins
+- Web UI could be more modern
+
+#### Deployment Requirements
+- Python 3.11
+- Dependencies: Flask, lxml, SQLAlchemy, eventlet
+- Docker support available
+- Can run from single-node to multi-node AWS deployments
+
+### 2. OpenTAKServer (OTS)
+
+**GitHub Repository**: https://github.com/brian7704/OpenTAKServer
+
+#### Key Features
+- ✅ Open-source (GPL-3.0)
+- ✅ Web interface with live map
+- ✅ COT protocol support
+- ✅ Geospatial mapping
+- ✅ Docker deployment support
+- ✅ SSL authentication
+- ✅ LDAP/Active Directory authentication
+- ✅ Two-factor authentication (TOTP/email)
+- ✅ Video streaming integration (MediaMTX)
+- ✅ Mumble server authentication
+- ✅ Data sync/mission API
+- ✅ Client certificate enrollment
+- ✅ Groups/channels support
+- ✅ Plugin update server
+- ✅ ADS-B and AIS data streaming
+
+#### Pros
+- Most feature-rich implementation
+- Excellent web UI with live map
+- Supports video streaming from multiple sources
+- Modern authentication options (2FA, LDAP, certificates)
+- Easy installation scripts for multiple platforms
+- Good documentation
+- Active development (recent release: 1.7.0, Dec 2025)
+- Designed to run on servers and SBCs (Raspberry Pi)
+- MediaMTX integration for professional video streaming
+
+#### Cons
+- Requires RabbitMQ and OpenSSL
+- More complex architecture
+- Larger resource footprint
+- GPL license may be restrictive for some use cases
+
+#### Deployment Requirements
+- Python 3.10+
+- RabbitMQ
+- OpenSSL
+- MediaMTX (for video streaming)
+- Docker image available
+- Installation scripts for Ubuntu, Raspberry Pi, Rocky 9, Windows, macOS
+
+### 3. TAK Product Center Server
+
+**GitHub Repository**: https://github.com/TAK-Product-Center/Server
+
+#### Key Features
+- ✅ Open-source (Distribution A - Approved for Public Release)
+- ✅ Enterprise-grade TAK server
+- ✅ Designed for DoD and JADC2 architectures
+- ✅ Federation support
+- ✅ Data access and encryption
+- ✅ Broker and storage capabilities
+- ✅ Available on DoD Iron Bank
+
+#### Pros
+- Official TAK Product Center implementation
+- Highest security standards (DoD approved)
+- Designed for production enterprise use
+- Available in hardened container format
+- Future plans for public container registries
+
+#### Cons
+- ❌ No web interface mentioned
+- ❌ No Docker deployment details in GitHub
+- ❌ Limited documentation available
+- ❌ Designed primarily for DoD use cases
+- ❌ Requires TAK.gov account for downloads
+- ❌ Less community activity (191 stars)
+- ❌ No clear installation instructions for civilian use
+
+#### Deployment Requirements
+- Enterprise-grade hardware
+- Complex configuration
+- DoD security requirements
+- TAK.gov account required
+
+## Selection Criteria Evaluation
+
+### Must Have Requirements
+
+| Criteria | FTS | OTS | TAK Product Center |
+|----------|-----|-----|-------------------|
+| Open-source license | ✅ | ✅ | ✅ |
+| Web interface | ✅ | ✅ | ❌ |
+| COT protocol support | ✅ | ✅ | ✅ |
+| Geospatial mapping | ✅ | ✅ | ✅ |
+| Docker deployment support | ✅ | ✅ | ❌ |
+
+### Nice to Have Requirements
+
+| Criteria | FTS | OTS | TAK Product Center |
+|----------|-----|-----|-------------------|
+| Active maintenance | ✅ | ✅ | ✅ |
+| Good documentation | ✅ | ✅ | ❌ |
+| Community support | ✅ | ✅ | ❌ |
+| REST API for integration | ✅ | ✅ | ✅ |
+| Mobile client availability | ✅ | ✅ | ✅ |
+
+## Recommendation
+
+**OpenTAKServer (OTS)** is the optimal choice for this implementation for the following reasons:
+
+1. **Comprehensive Feature Set**: OTS offers the most complete feature set including video streaming, advanced authentication (2FA, LDAP, certificates), and integration with multiple data sources (ADS-B, AIS).
+
+2. **Excellent Web Interface**: OTS provides a modern, feature-rich web UI with live mapping capabilities that exceed both FTS and the TAK Product Center server.
+
+3. **Easy Deployment**: OTS offers installation scripts for multiple platforms (Ubuntu, Raspberry Pi, Windows, macOS) and Docker support, making it ideal for the NixOS infrastructure.
+
+4. **Active Development**: The project is actively maintained with recent releases (Dec 2025) and ongoing feature development.
+
+5. **Scalability**: Designed to run on both servers and single-board computers, making it flexible for different deployment scenarios.
+
+6. **Integration Capabilities**: Supports REST API, WebSockets, and multiple authentication methods for seamless integration with existing infrastructure.
+
+### Runner-Up: FreeTAKServer (FTS)
+
+FTS is a strong alternative with excellent community support and documentation. It would be suitable if:
+- Simpler deployment is preferred
+- Extensive REST API usage is planned
+- Production-ready status is a priority
+
+### Not Recommended: TAK Product Center Server
+
+While this is the official implementation, it lacks critical features for this use case:
+- No web interface
+- Limited documentation
+- Complex deployment requirements
+- Designed primarily for DoD environments
+- No clear Docker deployment path
+
+## Implementation Plan
+
+### Deployment Strategy
+
+1. **Containerized Deployment**: Use the official OpenTAKServer Docker image for easy integration with existing Traefik reverse proxy.
+
+2. **Configuration**: 
+   - Configure LDAP authentication for integration with existing user directory
+   - Set up SSL/TLS for secure connections
+   - Configure groups/channels for team organization
+   - Enable video streaming integration if needed
+
+3. **Integration**:
+   - Add to docker_manager.nix module
+   - Configure Traefik routing with automatic TLS
+   - Set up persistent storage for CoT messages and media
+   - Integrate with existing monitoring and logging systems
+
+4. **Testing**:
+   - Verify COT protocol connectivity from ATAK/iTAK/WinTAK clients
+   - Test web interface functionality
+   - Validate authentication and authorization
+   - Confirm geospatial mapping features work correctly
+
+### Configuration Requirements
+
+- **Docker**: Official OTS Docker image
+- **Network**: TCP ports for COT protocol and web interface
+- **Storage**: Persistent volumes for CoT data and media files
+- **Dependencies**: RabbitMQ (can be co-located)
+- **Authentication**: LDAP or Active Directory integration
+- **TLS**: Let's Encrypt certificates via Traefik
+
+### Timeline Estimate
+
+- **Research Completion**: Immediate (this report)
+- **Decision Finalized**: Ready for approval
+- **Implementation Ready**: After decision approval
+- **Deployment**: 1-2 weeks after approval
+
+## Risk Assessment
+
+### Risks
+
+1. **License Compatibility**: GPL-3.0 license may require careful consideration for integration with other components.
+
+2. **Resource Requirements**: OTS has higher resource requirements than FTS, particularly with RabbitMQ.
+
+3. **Complexity**: More features mean more configuration complexity.
+
+### Mitigation Strategies
+
+1. **License**: Review GPL-3.0 compatibility with existing infrastructure components.
+
+2. **Resources**: Monitor resource usage and scale accordingly. Consider separating RabbitMQ into its own container.
+
+3. **Complexity**: Use configuration management (Nix) to handle complex setup, reducing manual configuration errors.
+
+## Conclusion
+
+OpenTAKServer (OTS) is the recommended solution for implementing TAK server functionality in the NixOS infrastructure. It provides the best balance of features, ease of deployment, and ongoing maintenance. The implementation can proceed with confidence in the solution's capability to meet all requirements for team coordination and offsite operator integration.
+
+## Next Steps
+
+1. Approve the selection of OpenTAKServer
+2. Begin Phase 6 implementation planning
+3. Create Docker Compose configuration for OTS
+4. Set up persistent storage requirements
+5. Integrate with docker_manager.nix module
+6. Configure Traefik routing and TLS
+7. Test COT protocol functionality
+
+---
+*Research completed: 2026-01-01*
+*Report version: 1.0*
+*Recommended solution: OpenTAKServer (OTS)*

.planning/phases/05-tak-research/05-01-SUMMARY.md

@@ -0,0 +1,49 @@
+# Phase 5.1: TAK Server Research - Summary
+
+**OpenTAKServer (OTS) selected as optimal TAK-compatible solution with web interface, COT protocol support, geospatial mapping, and Docker deployment capabilities**
+
+## Performance
+
+- **Duration:** 10 min
+- **Started:** 2026-01-01T23:05:51Z
+- **Completed:** 2026-01-01T23:15:51Z
+- **Tasks:** 1 (research and evaluation)
+- **Files modified:** 1 (research report)
+
+## Accomplishments
+
+- Conducted comprehensive web research using DuckDuckGo
+- Identified and evaluated three TAK-compatible open-source implementations
+- Created detailed comparison matrix of FreeTAKServer, OpenTAKServer, and TAK Product Center Server
+- Selected OpenTAKServer as optimal solution based on feature completeness and deployment requirements
+- Documented research findings, selection rationale, and implementation plan
+
+## Files Created/Modified
+
+- `.planning/phases/05-tak-research/05-01-RESEARCH.md` - Comprehensive research report with comparison matrix and recommendation
+
+## Decisions Made
+
+- Selected OpenTAKServer (OTS) as primary implementation
+- Rationale: Most feature-rich with web UI, video streaming, advanced authentication, and easy Docker deployment
+- Alternative considered: FreeTAKServer (strong runner-up with excellent community support)
+- Rejected: TAK Product Center Server (lacks web interface, complex deployment, DoD-focused)
+
+## Deviations from Plan
+
+None - plan executed exactly as written
+
+## Issues Encountered
+
+None
+
+## Next Phase Readiness
+
+- Research complete and documented
+- OpenTAKServer selected as optimal solution
+- Ready to proceed to Phase 6 implementation
+- All requirements met: open-source, web interface, COT protocol, geospatial mapping, Docker support
+
+---
+*Phase: 05-tak-research*
+*Completed: 2026-01-01*

.planning/phases/05-tak-research/PLAN.md

@@ -0,0 +1,102 @@
+# Phase 5: TAK Server Research & Selection
+
+## Goal
+Research and select the optimal TAK-compatible server with web interface for team coordination and offsite operator integration.
+
+## Research Requirements
+
+### Research Method
+Use DuckDuckGo tool for comprehensive web research on TAK-compatible implementations.
+
+### Key Research Areas
+
+1. **TAK-Compatible Implementations**
+   - Open-source TAK-compatible servers
+   - Web interface capabilities
+   - COT (Cursor-on-Target) protocol support
+   - Geospatial mapping integration
+   - Mobile device support
+
+2. **Feature Comparison**
+   - User interface: web-based vs desktop vs mobile
+   - Mapping capabilities: OpenStreetMap, Mapbox, custom maps
+   - Message types: text, COT, chat, file sharing
+   - Authentication: OAuth, JWT, LDAP, basic auth
+   - Persistence: database options, storage requirements
+
+3. **Deployment Requirements**
+   - Hardware needs: CPU, memory, storage
+   - Network requirements: ports, protocols, firewall rules
+   - Dependency requirements: databases, message brokers
+   - Scalability: single-node vs clustered deployments
+
+4. **Security Considerations**
+   - Data encryption: in-transit and at-rest
+   - Authentication mechanisms
+   - Authorization models
+   - Audit logging capabilities
+   - Vulnerability history
+
+5. **Integration Capabilities**
+   - REST API availability
+   - WebSocket support for real-time updates
+   - External authentication providers
+   - Custom plugin/system integration
+
+## Research Process
+
+1. **Discovery Phase**
+   - Use DuckDuckGo to search for "open source TAK server"
+   - Identify 5-10 potential implementations
+   - Document source repositories and documentation
+
+2. **Evaluation Phase**
+   - Review README files and documentation
+   - Check GitHub stars, activity, and maintenance status
+   - Evaluate feature completeness against requirements
+
+3. **Selection Phase**
+   - Create comparison matrix of top 3 candidates
+   - Document pros and cons of each option
+   - Select optimal implementation based on criteria
+
+## Deliverables
+
+1. **Research Report** (PLAN.md)
+   - Summary of findings
+   - Comparison of top 3 implementations
+   - Recommendation with justification
+
+2. **Implementation Plan**
+   - Deployment strategy
+   - Configuration requirements
+   - Integration approach
+
+## Selection Criteria
+
+**Must Have:**
+- Open-source license
+- Web interface
+- COT protocol support
+- Geospatial mapping
+- Docker deployment support
+
+**Nice to Have:**
+- Active maintenance
+- Good documentation
+- Community support
+- REST API for integration
+- Mobile client availability
+
+## Timeline
+
+- Research completion: [Estimated date]
+- Decision finalized: [Estimated date]
+- Ready to proceed to Phase 6: [Estimated date]
+
+## Notes
+
+- Focus on implementations that can be containerized
+- Prioritize solutions with good documentation
+- Consider long-term maintenance and support
+- Document all research findings for future reference

flake.nix

@@ -41,8 +41,12 @@
               agenix.nixosModules.default
               ./hosts/lazyworkhorse/configuration.nix
               ./hosts/lazyworkhorse/hardware-configuration.nix
-              ./modules/default.nix
+              ./modules/nixos/filesystem/hoardingcow-mount.nix
+              ./modules/nixos/services/docker_manager.nix
+              ./modules/nixos/services/open_code_server.nix
+              ./modules/nixos/services/ollama_init_custom_models.nix
               ./users/gortium.nix
+              ./users/n8n-worker.nix
             ];
           };
         };

hosts/lazyworkhorse/configuration.nix

@@ -1,8 +1,8 @@
-# Edit this configuration file to define what should be installed on
+# edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
-{ config, lib, pkgs, self, paths, keys, ... }:
+{ config, lib, pkgs, paths, self, keys, ... }:
 
 {
   # NAS Mounting
@@ -16,7 +16,7 @@
   nix.gc = {
     automatic = true;
     dates = "daily";  # You can also use "daily" or a cron-like spec
-    options = "--delete-older-than 7d";  # Keep only 7 days of unreferenced data
+    options = "--delete-older-than 30d";
   };
 
   nix.settings = {
@@ -29,7 +29,19 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
 
-  boot.kernelModules = [ "nct6775" "lm63" ];
+  # 1. Force the kernel to ignore BIOS resource locks
+  boot.kernelParams = [ 
+    "acpi_enforce_resources=lax" 
+    "nct6775.force_id=0xd120" # This forces the driver to ignore BIOS locks for NCT6116
+    "transparent_hugepage=always" # because mucho ram
+  ];
+  # 2. Load the specific drivers found by sensors-detect
+  boot.kernelModules = [ "nct6775" "lm96163" ];
+  # 3. Force the nct6775 driver to recognize the chip if it's stubborn
+  boot.extraModprobeConfig = ''
+    options nct6775 force_id=0xd280
+  '';
+
   boot.blacklistedKernelModules = [ "eeepc_wmi" ];
   networking.hostName = "lazyworkhorse"; # Define your hostname.
   # Pick only one of the below networking options.
@@ -58,6 +70,14 @@
     LC_CTYPE = "en_CA.UTF-8";
   };
 
+  programs.zsh = {
+    enable = true;
+    autosuggestions.enable = true;
+    syntaxHighlighting.enable = true;
+    enableCompletion = true;
+  
+    setOptions = [ "HIST_IGNORE_ALL_DUPS" "SHARE_HISTORY" ]; 
+  };
   # Configure network proxy if necessary
   # networking.proxy.default = "http://user:password@proxy:port/";
   # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@@ -85,6 +105,7 @@
     pulse.enable = true;
   };
 
+  # Nix Helper cli tool
   environment.sessionVariables = {
     NH_FLAKE = paths.flake;
   };
@@ -95,19 +116,23 @@
   # nvim please
   environment.variables.EDITOR = "nvim";
 
-  # programs.firefox.enable = true;
-
   # List packages installed in system profile.
   # You can use https://Search.nixos.org/ to find more packages (and options).
   environment.systemPackages = with pkgs; [
-    agenix
     neovim
     docker-compose
     wget
     age
+    agenix
     git
-    nh
     lm_sensors
+    rocmPackages.rocminfo
+    rocmPackages.rocm-smi
+    clinfo
+    ncurses
+    kitty.terminfo
+    nodejs_22
+    uv
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
@@ -123,7 +148,12 @@
   # Enable the OpenSSH daemon
   services.openssh = {
     enable = true;
-    settings.PermitRootLogin = "no";
+    ports = [ 22 2424 ];
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "prohibit-password"; 
+    };
     hostKeys = [
       {
         path = "/etc/ssh/ssh_host_ed25519_key";
@@ -132,6 +162,77 @@
     ];
   };
 
+  # services.ollama = {
+  #   enable = true;
+  #   acceleration = "rocm";
+  #   # Optional: force Ollama to use the MI50 target
+  #   rocmOverrideGfx = "9.0.6"; 
+  #   environmentVariables = {
+  #     ROCR_VISIBLE_DEVICES = "0,1";
+  #     # This helps with memory allocation on dual-GPU setups
+  #     HSA_ENABLE_SDMA = "0"; 
+  #   };
+  # };
+
+  services.dockerStacks = {
+    versioncontrol = {
+      path = self + "/assets/compose/versioncontrol";
+      ports = [ 2222 ];
+    };
+    
+    network = {
+      path = self + "/assets/compose/network";
+      envFile = config.age.secrets.containers_env.path;
+      ports = [ 80 443 ];
+    };
+
+    passwordmanager = {
+      path = self + "/assets/compose/passwordmanager";
+    };
+
+    ai = {
+      path = self + "/assets/compose/ai";
+      envFile = config.age.secrets.containers_env.path;
+    };
+
+    cloudstorage = {
+      path = self + "/assets/compose/cloudstorage";
+      envFile = config.age.secrets.containers_env.path;
+    };
+
+    homeautomation = {
+      path = self + "/assets/compose/homeautomation";
+      envFile = config.age.secrets.containers_env.path;
+    };
+  };
+
+  services.opencode = {
+    enable = true;
+    port = 4099;
+    ollamaUrl = "http://127.0.0.1:11434/v1"; 
+  };
+
+  # services.systemd-fancon = {
+  #   enable = true;
+  #   config = ''
+  #   [MI50_Cooling]
+  #   # The lm96163 controller
+  #   hwmon = hwmon0
+    
+  #   # Most lm96163 chips use pwm1 for the main fan header
+  #   pwm = 1
+  #   pwm = 2
+
+  #   # Watch both MI50 cards
+  #   sensor = hwmon3/temp1_input
+  #   sensor = hwmon4/temp1_input
+    
+  #   # Servers cards need air early! 
+  #   # Starts spinning at 40C, full blast by 70C
+  #   curve = 40:60 55:160 70:255
+  #   '';
+  # };
+
   # Private host ssh key managed by agenix
   age = {
     identityPaths = paths.identities;
@@ -150,6 +251,13 @@
         mode = "0600";
         path = "/etc/ssh/ssh_host_ed25519_key";
       };
+      n8n_ssh_key = {
+        file = ../../secrets/n8n_ssh_key.age;
+        owner = "root";
+        group = "root";
+        mode = "0600";
+        path = "/home/n8n-worker/.ssh/n8n_ssh_key";
+      };
     };
   };
 
@@ -162,18 +270,22 @@
   services.zfs.autoSnapshot.enable = true;
   services.zfs.autoScrub.enable = true;
   
+  # Mi50 config
   hardware.graphics = {
     enable = true;
-    enable32Bit = true;
+    enable32Bit = true; # Useful for some compatibility layers
     extraPackages = with pkgs; [
-      rocmPackages.clr
-      rocmPackages.rocblas
-      rocmPackages.rocrand
-      rocmPackages.rocminfo
-      rocmPackages.hipcc
-      rocmPackages.hiprt
+      rocmPackages.clr.icd # OpenCL/HIP runtime
+      amdvlk               # Vulkan drivers
     ];
   };
+  nixpkgs.config.rocmTargets = [ "gfx906" ];
+  environment.variables = {
+    # This "tricks" ROCm into supporting the MI50 if using newer versions
+    HSA_OVERRIDE_GFX_VERSION = "9.0.6";
+    # Ensures the system sees both GPUs
+    HIP_VISIBLE_DEVICES = "0,1";
+  };
 
  # Open ports in the firewall.
   # networking.firewall.allowedTCPPorts = [ ... ];

lib/keys.nix

@@ -5,6 +5,10 @@
       github = "";
       gitea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9tKezYidZglWBRI9/2I/cBGUUHj2dHY8rHXppYmf7F";
     };
+    
+    n8n-worker = {
+      main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAXeGtPPcsP2IYRQNvII41NVWhJsarEk8c4qxs/a5sXf";
+    };
   };
 
   hosts = {

modules/nixos/services/docker_manager.nix

@@ -0,0 +1,50 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+  options.services.dockerStacks = mkOption {
+    type = types.attrsOf (types.submodule {
+      options = {
+        path = mkOption { type = types.str; };
+        envFile = mkOption { type = types.nullOr types.path; default = null; };
+        ports = mkOption { type = types.listOf types.int; default = [ ]; };
+      };
+    });
+    default = {};
+  };
+
+  config = {
+    virtualisation.docker.enable = true;
+    virtualisation.docker.daemon.settings.dns = [ "1.1.1.1" "8.8.8.8" ];
+
+    networking.firewall.allowedTCPPorts = flatten (mapAttrsToList (name: value: value.ports) config.services.dockerStacks);
+
+    systemd.services = mapAttrs' (name: value: nameValuePair "${name}_stack" {
+      description = "Docker Compose stack: ${name}";
+      
+      # Added 'docker.socket' to both after and wants to ensure the API is reachable
+      after = [ "network.target" "docker.service" "docker.socket" "agenix.service" ];
+      wants = [ "docker.socket" "agenix.service" ];
+      requires = [ "docker.service" ];
+
+      wantedBy = [ "multi-user.target" ];
+      
+      serviceConfig = {
+        Type = "oneshot";
+        WorkingDirectory = value.path;
+        User = "root";
+        
+        # This line forces the service to wait until the docker socket is actually responsive
+        ExecStartPre = "${pkgs.bash}/bin/bash -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done'";
+        
+        ExecStart = "${pkgs.docker-compose}/bin/docker-compose up -d --remove-orphans";
+        ExecStop = "${pkgs.docker-compose}/bin/docker-compose down";
+        RemainAfterExit = true;
+        
+        # Ensure the environment file is passed correctly
+        EnvironmentFile = mkIf (value.envFile != null) [ value.envFile ];
+      };
+    }) config.services.dockerStacks;
+  };
+}

modules/nixos/services/ollama_init_custom_models.nix

@@ -0,0 +1,45 @@
+{ pkgs, ... }: {
+  systemd.services.init-ollama-model = {
+    description = "Initialize LLM models with extra context in Ollama Docker";
+    after = [ "docker-ollama.service" ];
+    wantedBy = [ "multi-user.target" ];
+    script = ''
+      # Wait for Ollama
+      while ! ${pkgs.curl}/bin/curl -s http://localhost:11434/api/tags > /dev/null; do
+        sleep 2
+      done
+
+      create_model_if_missing() {
+        local model_name=$1
+        local base_model=$2
+        if ! ${pkgs.docker}/bin/docker exec ollama ollama list | grep -q "$model_name"; then
+          echo "$model_name not found, creating from $base_model..."
+          ${pkgs.docker}/bin/docker exec ollama sh -c "cat <<EOF > /root/.ollama/$model_name.modelfile
+FROM $base_model
+PARAMETER num_ctx 131072
+PARAMETER num_predict 4096
+PARAMETER num_keep 1024
+PARAMETER repeat_penalty 1.1
+PARAMETER top_k 40
+PARAMETER stop \"[INST]\"
+PARAMETER stop \"[/INST]\"
+PARAMETER stop \"</s>\"
+EOF"
+          ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f "/root/.ollama/$model_name.modelfile"
+        else
+          echo "$model_name already exists, skipping."
+        fi
+      }
+
+      # Create Nemotron
+      create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
+      
+      # Create Devstral
+      create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+  };
+}

modules/nixos/services/open_code_server.nix

@@ -0,0 +1,143 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.opencode;
+in {
+  options.services.opencode = {
+    enable = lib.mkEnableOption "OpenCode AI Service";
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 4099;
+    };
+    ollamaUrl = lib.mkOption {
+      type = lib.types.str;
+      default = "http://127.0.0.1:11434/v1"; 
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.nix-ld.enable = true;
+
+     environment.etc."opencode/opencode.json".text = builtins.toJSON {
+      "$schema" = "https://opencode.ai/config.json";
+      "model" = "devstral-2-small-llama_cpp";
+      
+       # MCP servers for web search and enhanced functionality
+       # context7: Remote HTTP server for up-to-date documentation and code examples
+       # duckduckgo: Local MCP server for web search capabilities
+       "mcp" = {
+        "context7" = {
+          "type" = "remote";
+          "url" = "https://mcp.context7.com/mcp";
+        };
+        "duckduckgo" = {
+          "type" = "local";
+          "command" = [ "uvx" "duckduckgo-mcp-server" ]; 
+          "environment" = {
+            "PATH" = "/run/current-system/sw/bin:/home/gortium/.nix-profile/bin";
+          };
+        };
+      };
+
+      "provider" = {
+        "llamacpp" = {
+          "name" = "Llama.cpp (Local MI50)";
+          "npm" = "@ai-sdk/openai-compatible";
+          "options" = {
+            "baseURL" = "http://localhost:8300/v1";
+            "apiKey" = "not-needed";
+          };
+          "models" = {
+            "devstral-2-small-llama_cpp" = {
+              "name" = "Devstral 2 small 24B Q8 (llama.cpp)";
+              "tools" = true;
+              "reasoning" = false;
+            };
+          };
+        };
+        "ollama" = {
+          "name" = "Ollama (Local)";
+          "npm" = "@ai-sdk/openai-compatible";
+          "options" = {
+            "baseURL" = cfg.ollamaUrl;
+            "headers" = { "Content-Type" = "application/json"; };
+          };
+          "models" = {
+            "devstral-small-2:24b-128k" = {
+              "name" = "Mistral Devstral Small 2 (Ollama)";
+              "tools" = true;
+              "reasoning" = false;
+            };
+          };
+        };
+      };
+     };
+
+    systemd.services.opencode-gsd-install = {
+      description = "Install Get Shit Done OpenCode Components";
+      after = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ 
+        nodejs
+        git
+        coreutils 
+        bash
+      ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = "gortium";
+        RemainAfterExit = true;
+        Environment = [
+          "HOME=/home/gortium"
+          "SHELL=${pkgs.bash}/bin/bash"
+          "PATH=${lib.makeBinPath [ pkgs.nodejs pkgs.git pkgs.bash pkgs.coreutils ]}"
+        ];
+      };
+      script = ''
+        # Check if the GSD directory exists
+  if [ ! -d "/home/gortium/.config/opencode/gsd" ]; then
+    echo "GSD not found. Installing..."
+    ${pkgs.nodejs}/bin/npx -y github:dbachelder/get-shit-done-opencode --global --force
+  else
+    echo "GSD already installed. Skipping auto-reinstall."
+    echo "To force update, run: sudo systemctl restart opencode-gsd-install.service"
+  fi
+      '';
+    };
+
+    systemd.services.opencode = {
+      description = "OpenCode AI Coding Agent Server";
+      after = [ "network.target" "ai_stack.service" "opencode-gsd-install.service" ];
+      requires = [ "ai_stack.service" "opencode-gsd-install.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [
+        bash
+        coreutils
+        nodejs
+        git
+        nix
+        ripgrep
+        fd
+      ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = "gortium";
+        WorkingDirectory = "/home/gortium/infra";
+        ExecStart = "${pkgs.nodejs}/bin/npx -y opencode-ai serve --hostname 0.0.0.0 --port ${toString cfg.port}";
+        Restart = "on-failure";
+      };
+
+      environment = {
+        OLLAMA_BASE_URL = "http://127.0.0.1:11434";
+        # Important: GSD  at ~/.config/opencode, so we ensure the server sees our /etc config
+        OPENCODE_CONFIG = "/etc/opencode/opencode.json";
+        HOME = "/home/gortium";
+        NODE_PATH = "${pkgs.nodejs}/lib/node_modules";
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ cfg.port ];
+  };
+}

modules/nixos/services/podman.nix

@@ -1,9 +1,5 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
+{ config, lib, pkgs, ... }:
+
 with lib; let
   cfg = config.services.podman;
 in {

modules/nixos/services/systemd/default.nix

@@ -1,16 +0,0 @@
-{ pkgs, lib, config, self, keys, paths, ... }: {
-  imports =
-    [
-      ./network.nix
-      ./passwordmanager.nix
-      ./versioncontrol.nix
-      ./fancontrol.nix
-    ];
-
-  virtualisation.docker = {
-    enable = true;
-    daemon.settings = {
-      "dns" = [ "1.1.1.1" "8.8.8.8" ];
-    };
-  };
-}

modules/nixos/services/systemd/network.nix

@@ -1,40 +0,0 @@
-{ config, pkgs, self, ... }:
-
-let
-  network_compose_dir = pkgs.stdenv.mkDerivation {
-    name = "network_compose_dir";
-    src = self + "/assets/compose/network";
-    dontUnpack = true;
-    installPhase = ''
-      mkdir -p $out
-      cp -r $src/* $out/
-    '';
-  };
-in
-{
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  systemd.services.network_stack = {
-    description = "Traefik + DDNS updater via Docker Compose";
-    after = [ "network-online.target" "docker.service" ];
-    wants = [ "network-online.target" "docker.service" ];
-    serviceConfig = {
-      WorkingDirectory = "${network_compose_dir}";
-
-      EnvironmentFile = config.age.secrets.containers_env.path;
-
-      # Stop left over container by the same name
-      ExecStartPre = "${pkgs.bash}/bin/bash -c '${pkgs.docker-compose}/bin/docker-compose down || true'";
-
-      # Start the services using Docker Compose
-      ExecStart = "${pkgs.docker-compose}/bin/docker-compose up -d";
-
-      # Stop and remove containers on shutdown
-      ExecStop = "${pkgs.docker-compose}/bin/docker-compose down";
-
-      RemainAfterExit = true;
-      TimeoutStartSec = 0;
-    };
-    wantedBy = [ "multi-user.target" ];
-  };
-}

modules/nixos/services/systemd/passwordmanager.nix

@@ -1,36 +0,0 @@
-{ config, pkgs, self, ... }:
-
-let
-  passwordmanager_compose_dir = pkgs.stdenv.mkDerivation {
-    name = "passwordmanager_compose_dir";
-    src = self + "/assets/compose/passwordmanager";
-    dontUnpack = true;
-    installPhase = ''
-      mkdir -p $out
-      cp -r $src/* $out/
-    '';
-  };
-in
-{
-  systemd.services.passwordmanager_stack = {
-    description = "Bitwarden via Docker Compose";
-    after = [ "network-online.target" "docker.service" ];
-    wants = [ "network-online.target" "docker.service" ];
-    serviceConfig = {
-      WorkingDirectory = "${passwordmanager_compose_dir}";
-
-      # Stop left over container by the same name
-      ExecStartPre = "${pkgs.bash}/bin/bash -c '${pkgs.docker-compose}/bin/docker-compose down || true'";
-
-      # Start the services using Docker Compose
-      ExecStart = "${pkgs.docker-compose}/bin/docker-compose up -d";
-
-      # Stop and remove containers on shutdown
-      ExecStop = "${pkgs.docker-compose}/bin/docker-compose down";
-
-      RemainAfterExit = true;
-      TimeoutStartSec = 0;
-    };
-    wantedBy = [ "multi-user.target" ];
-  };
-}

modules/nixos/services/systemd/versioncontrol.nix

@@ -1,38 +0,0 @@
-{ config, pkgs, self, ... }:
-
-let
-  versioncontrol_compose_dir = pkgs.stdenv.mkDerivation {
-    name = "versioncontrol_compose_dir";
-    src = self + "/assets/compose/versioncontrol";
-    dontUnpack = true;
-    installPhase = ''
-      mkdir -p $out
-      cp -r $src/* $out/
-    '';
-  };
-in
-{
-  networking.firewall.allowedTCPPorts = [ 2222 ];
-
-  systemd.services.versioncontrol_stack = {
-    description = "Gitea via Docker Compose";
-    after = [ "network-online.target" "docker.service" ];
-    wants = [ "network-online.target" "docker.service" ];
-    serviceConfig = {
-      WorkingDirectory = "${versioncontrol_compose_dir}";
-
-      # Stop left over container by the same name
-      ExecStartPre = "${pkgs.bash}/bin/bash -c '${pkgs.docker-compose}/bin/docker-compose down || true'";
-
-      # Start the services using Docker Compose
-      ExecStart = "${pkgs.docker-compose}/bin/docker-compose up -d";
-
-      # Stop and remove containers on shutdown
-      ExecStop = "${pkgs.docker-compose}/bin/docker-compose down";
-
-      RemainAfterExit = true;
-      TimeoutStartSec = 0;
-    };
-    wantedBy = [ "multi-user.target" ];
-  };
-}

secrets/secrets.nix

@@ -1,8 +1,13 @@
 let
   keys = import ../lib/keys.nix;
-  authorizedKeys = [ keys.users.gortium.main keys.hosts.lazyworkhorse.main keys.hosts.lazyworkhorse.bootstrap ];
+  authorizedKeys = [
+    keys.users.gortium.main
+    keys.hosts.lazyworkhorse.main
+    keys.hosts.lazyworkhorse.bootstrap
+  ];
 in
 {
   "containers.env.age".publicKeys = authorizedKeys;
   "lazyworkhorse_host_ssh_key.age".publicKeys = authorizedKeys;
+  "n8n_ssh_key.age".publicKeys = authorizedKeys;
 }

users/gortium.nix

@@ -1,17 +1,18 @@
 { pkgs, inputs, config, keys, ... }: {
   users.users.gortium = {
     isNormalUser = true;
-    extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user.
+    extraGroups = [ "wheel" "docker" "video" "render"];
+
     packages = with pkgs; [
       tree
       btop
+      nh
     ];
     shell = pkgs.zsh;
     openssh.authorizedKeys.keys = [
       keys.users.gortium.main
     ];
   };
-  programs.zsh.enable = true;
   security.sudo.extraRules = [
     {
       users = [ "gortium" ];

users/n8n-worker.nix

@@ -0,0 +1,12 @@
+{ pkgs, inputs, config, keys, ... }: {
+  users.users.n8n-worker = {
+    isSystemUser = true;
+    group = "n8n-worker";
+    extraGroups = [ "docker" ];
+    shell = pkgs.bashInteractive;
+    openssh.authorizedKeys.keys = [
+      keys.users.n8n-worker.main
+    ];
+  };
+  users.groups.n8n-worker = {};
+}