feat: add Hyperspace Pods NixOS module

Create modules/nixos/services/hyperspace.nix for Hyperspace Pods P2P AI cluster agent. Registered in flake.nix under lazyworkhorse modules list.

- Fetches CLI binary v5.45.30 via fetchurl with SRI hash verification
- Systemd system service: auto profile, api port 8080, ai-worker user
- GPU device access via DeviceAllow (kfd+dri) and video+render groups
- Service hardening: NoNewPrivileges, ProtectHome, ProtectSystem, PrivateTmp
- Firewall: TCP 4001 (libp2p), 30301 (chain), 8080 (API); UDP 4001 (libp2p)
- AMD MI50 ROCm compatibility via HSA_OVERRIDE_GFX_VERSION=9.0.6

flake.nix

@@ -12,17 +12,10 @@
       url = "git+https://git.lix.systems/lix-project/lix?ref=main";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    home-manager = {
+    self.submodules = true;
-      url = "github:nix-community/home-manager/release-25.11";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    dotfiles = {
-      url = "git+https://code.lazyworkhorse.net/gortium/dotfiles.git";
-      flake = false;
-    };
   };
 
-  outputs = { self, nixpkgs, agenix, lix, home-manager, dotfiles, ... }@inputs:
+  outputs = { self, nixpkgs, agenix, lix, ... }@inputs:
     let
       system = "x86_64-linux";
       keys = import ./lib/keys.nix;
@@ -63,12 +56,12 @@
               agenix.nixosModules.default
               ./hosts/lazyworkhorse/configuration.nix
               ./hosts/lazyworkhorse/hardware-configuration.nix
-              ./modules/nixos/home-manager/default.nix
               ./modules/nixos/filesystem/hoardingcow-mount.nix
               ./modules/nixos/services/docker_manager.nix
               ./modules/nixos/services/open_code_server.nix
               ./modules/nixos/services/ollama_init_custom_models.nix
               ./modules/nixos/services/openclaw_node.nix
+              ./modules/nixos/services/hyperspace.nix
               ./modules/nixos/security/ai-worker-restricted.nix
               ./users/gortium.nix
               ./users/ai-worker.nix

modules/nixos/home-manager/default.nix

@@ -1,12 +0,0 @@
-{ config, pkgs, lib, inputs, ... }:
-
-{
-  imports = [ inputs.home-manager.nixosModules.home-manager ];
-
-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-
-    users.gortium = import ./dotfiles.nix { inherit config pkgs lib inputs; };
-  };
-}

modules/nixos/home-manager/dotfiles.nix

@@ -1,87 +0,0 @@
-{ config, pkgs, lib, inputs, ... }:
-
-{
-  home = {
-    username = "gortium";
-    homeDirectory = "/home/gortium";
-    stateVersion = "25.11";
-  };
-
-  # Import dotfiles as-is via home.file (Option 3 — git way)
-  # Hyprland
-  home.file.".config/hypr/hyprland.conf".source =
-    "${inputs.dotfiles}/hypr/.config/hypr/hyprland.conf";
-  home.file.".config/hypr/mocha.conf".source =
-    "${inputs.dotfiles}/hypr/.config/hypr/mocha.conf";
-  home.file.".config/hypr/hyprlock.conf".source =
-    "${inputs.dotfiles}/hypr/.config/hypr/hyprlock.conf";
-  home.file.".config/hypr/hypridle.conf".source =
-    "${inputs.dotfiles}/hypr/.config/hypr/hypridle.conf";
-  home.file.".config/hypr/hyprpaper.conf".source =
-    "${inputs.dotfiles}/hypr/.config/hypr/hyprpaper.conf";
-  home.file.".config/hypr/hyprshade.toml".source =
-    "${inputs.dotfiles}/hypr/.config/hypr/hyprshade.toml";
-
-  # Host-specific overrides: sourced from hyprland.conf
-  # hyprland.conf includes: source = ~/.config/hypr/hosts/$HOST.conf
-  # This file is created per-host and contains only the diffs.
-  home.file.".config/hypr/hosts" = {
-    source = "${inputs.dotfiles}/hypr/.config/hypr/hosts";
-    recursive = true;
-  };
-
-  # Zsh
-  home.file.".zshrc".source = "${inputs.dotfiles}/zsh/.zshrc";
-
-  # Tmux
-  home.file.".tmux.conf".source = "${inputs.dotfiles}/tmux/.tmux.conf";
-
-  # Neovim
-  home.file.".config/nvim" = {
-    source = "${inputs.dotfiles}/nvim/.config/nvim";
-    recursive = true;
-  };
-
-  # Wallpapers
-  home.file.".config/wallpapers" = {
-    source = "${inputs.dotfiles}/wallpapers/.config/wallpapers";
-    recursive = true;
-  };
-
-  # Wofi
-  home.file.".config/wofi" = {
-    source = "${inputs.dotfiles}/wofi/.config/wofi";
-    recursive = true;
-  };
-
-  # Packages that should be installed with home-manager
-  home.packages = with pkgs; [
-    # CLI tools
-    ripgrep
-    fd
-    jq
-    fzf
-    bat
-    eza
-    zoxide
-
-    # Development
-    git
-    lazygit
-    gh
-
-    # Hyprland extras
-    hyprshot
-    swaynotificationcenter
-    swww
-    wofi
-    waybar
-    kitty
-    foot
-    brightnessctl
-    playerctl
-    udiskie
-    hyprshade
-    pyprland
-  ];
-}

modules/nixos/services/hyperspace.nix

@@ -0,0 +1,134 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.hyperspace;
+
+  hyperspacePkg = pkgs.stdenv.mkDerivation {
+    name = "hyperspace-pods-${cfg.version}";
+    src = pkgs.fetchurl {
+      url = "https://github.com/hyperspaceai/aios-cli/releases/download/v${cfg.version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz";
+      hash = cfg.packageHash;
+    };
+    sourceRoot = ".";
+    installPhase = ''
+      mkdir -p $out/libexec $out/bin
+      cp -r * $out/libexec/
+      chmod +x $out/libexec/aios-cli
+      ln -s $out/libexec/aios-cli $out/bin/hyperspace
+    '';
+  };
+in {
+  options.services.hyperspace = {
+    enable = lib.mkEnableOption "Hyperspace Pods P2P AI cluster agent";
+
+    version = lib.mkOption {
+      type = lib.types.str;
+      default = "5.45.30";
+      description = "Hyperspace CLI version to download.";
+    };
+
+    packageHash = lib.mkOption {
+      type = lib.types.str;
+      default = "sha256-f6fJ8t3exqtYwUD5j+WvD+Hm0oN/Eef0X+R9Rj23dE0=";
+      description = ''
+        SRI hash of the hyperspace release tarball (sha256-<base64>).
+        Must be updated when version changes. Generate with:
+        nix store prefetch-file --hash-algo sha256 \\
+          https://github.com/hyperspaceai/aios-cli/releases/download/v{version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz
+      '';
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "ai-worker";
+      description = "System user to run the Hyperspace agent.";
+    };
+
+    apiPort = lib.mkOption {
+      type = lib.types.port;
+      default = 8080;
+      description = "OpenAI-compatible API port (configurable via --api-port).";
+    };
+
+    profile = lib.mkOption {
+      type = lib.types.str;
+      default = "auto";
+      description = ''
+        Agent profile. Options: auto (auto-detect hardware), full (all capabilities),
+        inference (GPU inference only), embedding (CPU embedding only),
+        relay (lightweight relay), storage (storage + memory).
+      '';
+    };
+
+    autoStart = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Start the agent automatically on boot.";
+    };
+
+    openFirewall = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Open P2P mesh (4001 TCP+UDP, 30301 TCP) and API port in the firewall.";
+    };
+
+    extraArgs = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Extra arguments to pass to 'hyperspace start'.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.hyperspace = {
+      description = "Hyperspace Pods P2P AI Cluster Agent";
+      after = [ "network.target" "network-online.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = lib.mkIf cfg.autoStart [ "multi-user.target" ];
+
+      path = with pkgs; [ bash coreutils ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.user;
+        WorkingDirectory = "${hyperspacePkg}/libexec";
+        ExecStart = "${hyperspacePkg}/bin/hyperspace start --profile ${cfg.profile} --api-port ${toString cfg.apiPort} ${lib.escapeShellArgs cfg.extraArgs}";
+        Restart = "on-failure";
+        RestartSec = 5;
+
+        # AMD MI50 (ROCm) device access
+        DeviceAllow = [ "/dev/kfd rw" "/dev/dri rw" ];
+
+        # Supplementary groups for GPU/accelerator access
+        SupplementaryGroups = [ "video" "render" ];
+
+        # Hardening
+        NoNewPrivileges = true;
+        ProtectHome = "tmpfs";
+        ProtectSystem = "strict";
+        PrivateTmp = true;
+        PrivateDevices = false; # Needs /dev/kfd and /dev/dri
+      };
+
+      environment = {
+        HSA_OVERRIDE_GFX_VERSION = "9.0.6";
+        HOME = "/home/${cfg.user}";
+      };
+    };
+
+    # Firewall ports for P2P mesh (libp2p 4001, chain 30301) and API
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 4001 30301 cfg.apiPort ];
+    networking.firewall.allowedUDPPorts = lib.mkIf cfg.openFirewall [ 4001 ];
+
+    # Add GPU/accelerator groups to the service user (persistent beyond service restarts)
+    users.users = lib.mkIf (cfg.user == "ai-worker") {
+      ai-worker = {
+        extraGroups = [ "video" "render" ];
+      };
+    };
+
+    # ROCm override for AMD MI50 (gfx906) compatibility
+    environment.variables.HSA_OVERRIDE_GFX_VERSION = "9.0.6";
+  };
+}