gortium/infra
1
1
Fork 0
Code Issues 13 Pull Requests 21 Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: gortium:feat/hyperspace-pods-module
Branches Tags
gortium:master gortium:feat/worldmonitor gortium:feat/ups-config gortium:feat/rollback-sentinel-on-fresh-branch gortium:fix/honcho-vector-dim-empty gortium:fix/backup-submodule-update gortium:feat/restrict-docker-blacklist gortium:feat/restrict-docker-commands-for-ai-worker gortium:fix/hermes-matrix-deps-venv-persist gortium:feat/uconsole-cm5-v3 gortium:fix/update-compose-submodule-matrix-bridge gortium:feat/nix-deployment-v2 gortium:kvm-pr gortium:feat/nixos-ci-workflow gortium:kvm-pr-consolidate gortium:feat/hermes-workspace-combined gortium:feat/hyperspace-pods-module gortium:feat/hermes-workspace gortium:feat/hermes-workers gortium:feat/add-paperclip-agent-orchestrator gortium:feat/syncthing-org-sync gortium:fix/vpn-iptables-nft-v3 gortium:fix/vpn-iptables-nft-v2 gortium:fix/vpn-iptables-nft-upstream gortium:feat/nixos-ci gortium:feat/update-compose-submodule-custom-tools gortium:feat/kvm-libvirt gortium:fix/wg-easy-iptables-nft gortium:feat/compose-submodule-v2 gortium:feat/hermes-fork-dockerfile gortium:ai-worker-restricted-access gortium:feat/wireguard-vpn gortium:feat/k3s-pod-cluster gortium:feature/server-hardening-clean gortium:docs/merge-priority-order gortium:feat/hermes-voice-gpu-support gortium:feat/uconsole-cm5-v2 gortium:fix/matrix-bridge-v2 gortium:fix/backup-network-v2 gortium:feat/docker-add-qemu-cross-compilation gortium:feat/docker-add-latex-stack gortium:feat/docker-add-chromium-browser-deps gortium:feat/docker-add-curl-poppler-imagemagick gortium:feat/add-uconsole-host gortium:home_manager
..
compare: gortium:ai-worker-restricted-access
Branches Tags
gortium:feat/worldmonitor gortium:feat/ups-config gortium:feat/rollback-sentinel-on-fresh-branch gortium:fix/honcho-vector-dim-empty gortium:fix/backup-submodule-update gortium:feat/restrict-docker-blacklist gortium:feat/restrict-docker-commands-for-ai-worker gortium:fix/hermes-matrix-deps-venv-persist gortium:feat/uconsole-cm5-v3 gortium:fix/update-compose-submodule-matrix-bridge gortium:feat/nix-deployment-v2 gortium:kvm-pr gortium:feat/nixos-ci-workflow gortium:kvm-pr-consolidate gortium:feat/hermes-workspace-combined gortium:feat/hyperspace-pods-module gortium:feat/hermes-workspace gortium:feat/hermes-workers gortium:feat/add-paperclip-agent-orchestrator gortium:master gortium:feat/syncthing-org-sync gortium:fix/vpn-iptables-nft-v3 gortium:fix/vpn-iptables-nft-v2 gortium:fix/vpn-iptables-nft-upstream gortium:feat/nixos-ci gortium:feat/update-compose-submodule-custom-tools gortium:feat/kvm-libvirt gortium:fix/wg-easy-iptables-nft gortium:feat/compose-submodule-v2 gortium:feat/hermes-fork-dockerfile gortium:ai-worker-restricted-access gortium:feat/wireguard-vpn gortium:feat/k3s-pod-cluster gortium:feature/server-hardening-clean gortium:docs/merge-priority-order gortium:feat/hermes-voice-gpu-support gortium:feat/uconsole-cm5-v2 gortium:fix/matrix-bridge-v2 gortium:fix/backup-network-v2 gortium:feat/docker-add-qemu-cross-compilation gortium:feat/docker-add-latex-stack gortium:feat/docker-add-chromium-browser-deps gortium:feat/docker-add-curl-poppler-imagemagick gortium:feat/add-uconsole-host gortium:home_manager

3 Commits
feat/hyper ... ai-worker-

Author SHA1 Message Date
Hermes
6b2e7a626f feat: update compose submodule for ollama-gfx906 (v0.23.2) + add Dockerfile 2026-05-10 10:09:06 -04:00
Hermes Agent
878cfc1d99 Merge remote-tracking branch 'origin/master' into ai-worker-restricted-access 2026-05-09 16:11:32 +00:00
Hermes Agent
ceb58bcf76 chore: update flake.lock and fix merge conflict 2026-05-09 16:10:30 +00:00
8 changed files with 47 additions and 223 deletions
Expand all files Collapse all files

2
assets/compose

Submodule assets/compose updated: d3f2e3b7b9...d97f1cb1e5

14
flake.lock generated
View File

@@ -70,11 +70,11 @@
"pre-commit-hooks": "pre-commit-hooks" "pre-commit-hooks": "pre-commit-hooks"
}, },
"locked": { "locked": {
"lastModified": 1774721317, "lastModified": 1777373577,
"narHash": "sha256-KS0ElyhZKdUFcfaxfwid3yi2Id3EP9i+dGL16/wx1T8=", "narHash": "sha256-K0sXr8tRA9L1FGE8Khl42NR+DmZOY9gNYCP8ljX7TAo=",
"ref": "main", "ref": "main",
"rev": "d0190cff6f2314cc1c727ff113aea20e086f4bcc", "rev": "faaa14a303dabc6309a52cc8e5eba86f9e29ccaf",
"revCount": 19103, "revCount": 19152,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/lix" "url": "https://git.lix.systems/lix-project/lix"
}, },
@@ -178,11 +178,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1774386573, "lastModified": 1777268161,
"narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=", "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
flake.nix
View File

@@ -61,7 +61,6 @@
./modules/nixos/services/open_code_server.nix ./modules/nixos/services/open_code_server.nix
./modules/nixos/services/ollama_init_custom_models.nix ./modules/nixos/services/ollama_init_custom_models.nix
./modules/nixos/services/openclaw_node.nix ./modules/nixos/services/openclaw_node.nix
./modules/nixos/services/hyperspace.nix
./modules/nixos/security/ai-worker-restricted.nix ./modules/nixos/security/ai-worker-restricted.nix
./users/gortium.nix ./users/gortium.nix
./users/ai-worker.nix ./users/ai-worker.nix

3
hosts/lazyworkhorse/configuration.nix
View File

@@ -207,7 +207,6 @@
ai = { ai = {
path = self + "/assets/compose/ai"; path = self + "/assets/compose/ai";
envFile = config.age.secrets.containers_env.path; envFile = config.age.secrets.containers_env.path;
ports = [ 22000 ]; # Syncthing TCP sync
}; };
cloudstorage = { cloudstorage = {
@@ -475,7 +474,7 @@
services.openssh.settings = { services.openssh.settings = {
PermitRootLogin = "no"; PermitRootLogin = "no";
MaxAuthTries = 3; MaxAuthTries = 3;
MaxSessions = 20; MaxSessions = 10;
LoginGraceTime = 30; LoginGraceTime = 30;
ClientAliveInterval = 300; ClientAliveInterval = 300;
ClientAliveCountMax = 2; ClientAliveCountMax = 2;

134
modules/nixos/services/hyperspace.nix
View File

@@ -1,134 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.hyperspace;
hyperspacePkg = pkgs.stdenv.mkDerivation {
name = "hyperspace-pods-${cfg.version}";
src = pkgs.fetchurl {
url = "https://github.com/hyperspaceai/aios-cli/releases/download/v${cfg.version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz";
hash = cfg.packageHash;
};
sourceRoot = ".";
installPhase = ''
mkdir -p $out/libexec $out/bin
cp -r * $out/libexec/
chmod +x $out/libexec/aios-cli
ln -s $out/libexec/aios-cli $out/bin/hyperspace
'';
};
in {
options.services.hyperspace = {
enable = lib.mkEnableOption "Hyperspace Pods P2P AI cluster agent";
version = lib.mkOption {
type = lib.types.str;
default = "5.45.30";
description = "Hyperspace CLI version to download.";
};
packageHash = lib.mkOption {
type = lib.types.str;
default = "sha256-f6fJ8t3exqtYwUD5j+WvD+Hm0oN/Eef0X+R9Rj23dE0=";
description = ''
SRI hash of the hyperspace release tarball (sha256-<base64>).
Must be updated when version changes. Generate with:
nix store prefetch-file --hash-algo sha256 \\
https://github.com/hyperspaceai/aios-cli/releases/download/v{version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz
'';
};
user = lib.mkOption {
type = lib.types.str;
default = "ai-worker";
description = "System user to run the Hyperspace agent.";
};
apiPort = lib.mkOption {
type = lib.types.port;
default = 8080;
description = "OpenAI-compatible API port (configurable via --api-port).";
};
profile = lib.mkOption {
type = lib.types.str;
default = "auto";
description = ''
Agent profile. Options: auto (auto-detect hardware), full (all capabilities),
inference (GPU inference only), embedding (CPU embedding only),
relay (lightweight relay), storage (storage + memory).
'';
};
autoStart = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Start the agent automatically on boot.";
};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Open P2P mesh (4001 TCP+UDP, 30301 TCP) and API port in the firewall.";
};
extraArgs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Extra arguments to pass to 'hyperspace start'.";
};
};
config = lib.mkIf cfg.enable {
systemd.services.hyperspace = {
description = "Hyperspace Pods P2P AI Cluster Agent";
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = lib.mkIf cfg.autoStart [ "multi-user.target" ];
path = with pkgs; [ bash coreutils ];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.user;
WorkingDirectory = "${hyperspacePkg}/libexec";
ExecStart = "${hyperspacePkg}/bin/hyperspace start --profile ${cfg.profile} --api-port ${toString cfg.apiPort} ${lib.escapeShellArgs cfg.extraArgs}";
Restart = "on-failure";
RestartSec = 5;
# AMD MI50 (ROCm) device access
DeviceAllow = [ "/dev/kfd rw" "/dev/dri rw" ];
# Supplementary groups for GPU/accelerator access
SupplementaryGroups = [ "video" "render" ];
# Hardening
NoNewPrivileges = true;
ProtectHome = "tmpfs";
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = false; # Needs /dev/kfd and /dev/dri
};
environment = {
HSA_OVERRIDE_GFX_VERSION = "9.0.6";
HOME = "/home/${cfg.user}";
};
};
# Firewall ports for P2P mesh (libp2p 4001, chain 30301) and API
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 4001 30301 cfg.apiPort ];
networking.firewall.allowedUDPPorts = lib.mkIf cfg.openFirewall [ 4001 ];
# Add GPU/accelerator groups to the service user (persistent beyond service restarts)
users.users = lib.mkIf (cfg.user == "ai-worker") {
ai-worker = {
extraGroups = [ "video" "render" ];
};
};
# ROCm override for AMD MI50 (gfx906) compatibility
environment.variables.HSA_OVERRIDE_GFX_VERSION = "9.0.6";
};
}

96
modules/nixos/services/ollama_init_custom_models.nix
View File

@@ -1,87 +1,67 @@
{ pkgs, ... }: { { pkgs, ... }: {
systemd.services.init-ollama-model = { systemd.services.init-ollama-model = {
description = "Initialize LLM models with extra context in Ollama Docker"; description = "Initialize LLM models with extra context in Ollama Docker";
after = [ "docker-ollama.service" ];
# On s'assure que Docker tourne avant de lancer ce script
after = [ "docker.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
script = '' script = ''
# Fonction de création asynchrone pour ne pas bloquer le démarrage # Wait for Ollama
( while ! ${pkgs.curl}/bin/curl -s http://localhost:11434/api/tags > /dev/null; do
echo "Starting asynchronous Ollama initialization..." sleep 2
done
# Attente d'Ollama (maximum 120 secondes pour éviter une boucle infinie)
TIMEOUT=60
COUNT=0
while ! ${pkgs.curl}/bin/curl -s -f http://127.0.0.1:11434/api/tags > /dev/null; do
if [ $COUNT -ge $TIMEOUT ]; then
echo "Ollama did not become ready in time. Exiting."
exit 1
fi
echo "Waiting for Ollama API to be reachable..."
sleep 5
COUNT=$((COUNT + 5))
done
create_model_if_missing() { create_model_if_missing() {
local model_name=$1 local model_name=$1
local base_model=$2 local base_model=$2
if ! ${pkgs.docker}/bin/docker exec ollama ollama list | grep -q "$model_name"; then
echo "$model_name not found, creating from $base_model..."
# Vérification robuste via l'API HTTP d'Ollama plutôt que docker exec (évite les conflits de tty) # We use a custom TEMPLATE block to strip the 'currentDate' function
if ! ${pkgs.curl}/bin/curl -s http://127.0.0.1:11434/api/tags | ${pkgs.jq}/bin/jq -e ".models[] | select(.name == \"$model_name\")" > /dev/null; then # which is unsupported in Ollama 0.5.7 but present in Devstral's default manifest.
echo "$model_name not found, creating from $base_model..." ${pkgs.docker}/bin/docker exec ollama sh -c "cat <<EOF > /root/.ollama/$model_name.modelfile
# Utilisation d'un fichier temporaire sur l'hôte pour l'injecter proprement dans Docker
TMP_FILE=$(mktemp)
cat <<EOF > "$TMP_FILE"
FROM $base_model FROM $base_model
TEMPLATE """{{- if .System }} TEMPLATE \"\"\"{{- if .System }}
[SYSTEM_PROMPT] [SYSTEM_PROMPT]
{{ .System }} {{ .System }}
[/SYSTEM_PROMPT] [/SYSTEM_PROMPT]
{{- end }} {{- end }}
{{- range .Messages }} {{- range .Messages }}
{{- if eq .Role "user" }} {{- if eq .Role \"user\" }}
[INST] [INST]
{{ .Content }} {{ .Content }}
[/INST] [/INST]
{{- else if eq .Role "assistant" }} {{- else if eq .Role \"assistant\" }}
{{ .Content }} {{ .Content }}
{{- end }} {{- end }}
{{- end }}""" {{- end }}\"\"\"
PARAMETER num_ctx 131072 PARAMETER num_ctx 131072
PARAMETER num_predict 4096 PARAMETER num_predict 4096
PARAMETER num_keep 1024 PARAMETER num_keep 1024
PARAMETER repeat_penalty 1.1 PARAMETER repeat_penalty 1.1
PARAMETER top_k 40 PARAMETER top_k 40
PARAMETER stop "[INST]" PARAMETER stop \"[INST]\"
PARAMETER stop "[/INST]" PARAMETER stop \"[/INST]\"
PARAMETER stop "</s>" PARAMETER stop \"</s>\"
EOF EOF"
${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f "/root/.ollama/$model_name.modelfile"
${pkgs.docker}/bin/docker exec ollama rm "/root/.ollama/$model_name.modelfile"
else
echo "$model_name already exists, skipping."
fi
}
# Copie et création dans le conteneur # Create Nemotron
${pkgs.docker}/bin/docker cp "$TMP_FILE" ollama:/tmp/model.modelfile create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f /tmp/model.modelfile
${pkgs.docker}/bin/docker exec ollama rm /tmp/model.modelfile # Create Devstral
rm -f "$TMP_FILE" create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b"
else
echo "$model_name already exists, skipping." # create_model_if_missing "qwen2.5-coder:32b-128k" "qwen2.5-coder:32b"
fi
} # create_model_if_missing "mistral-large-planner:123b" "mistral-large:123b-instruct-v2407-q4_K_S"
# Create Nemotron
create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
# Create Devstral
create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b"
) &
''; '';
serviceConfig = { serviceConfig = {
Type = "forking"; # Permet à systemd de savoir que le script passe en arrière-plan via '&' Type = "oneshot";
User = "root"; RemainAfterExit = true;
}; };
}; };
} }

9
secrets/wireguard_preshared_key.age
View File

@@ -1,9 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA3VG9Z
MVFPVFc2VVJ3d0h0dmtBUnI3WHl2SzUxTkRZbjFCaGloWmV3dnd3ClcxdnVPeGd6
SU4zR0Q0K1dtVjRRVHd0VW5XSFI0dVFpTjZnYk1DNjRxTVEKLT4gQzlgRy1ncmVh
c2UKeUozOWgyUytSTVF0NjY2STBEb2VadwotLS0gblI3bmJCUWxxU3QrYTEyVFBI
Snc4NC9rTkh0NnZYbUtxUE9hRWRkelpmMAq58fmH6cK13GeD7wGLxKmx10hmJeW4
b7KqnCD1ZP7uG85s32xzVRwRG8RrG4xZo5nR9Mrtg1CoTSFfUGeFnf5xveN+Ej0X
wDVB1LwC+Q==
-----END AGE ENCRYPTED FILE-----

11
secrets/wireguard_private_key.age
View File

@@ -1,11 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA5dzVG
WUNvT3NlRmcrWS81bzJqSWlTekVYaDFFTE10SkI2dEgzaGpxcUI4Cmk5Y0FGYTRZ
K0NGYzY3VUp4aS9ZZGRmWTgybDJFUURva2pZNmVOS3QxdEUKLT4gPnVRTCtldGMt
Z3JlYXNlCk04OTJZeFRNeDI5aGpMVTk1ZTE0Y2FMMnFEMjlJalJpMHRlaTE4ZWIx
d2lCRGQ5RHVjcktOMGJCb1VERlNWcTYKaSt0L1Z6dVJ0QWIyZkhsYzFEVjZSQWUr
ZWpwVlo1TmhoUFJZdkEvR0gxNlVhcXF2ZTRnCi0tLSBLcmM2MThNVkdWclpHUXRr
VTF6QVk2WUZlTXpZMVNLMlpBOFc3M1o5WjZzCs9xbPlIX+u5vRSQ/z9utu+I9S2c
02DOsIb1kzxzb1OK91b8Kh4JucQSq3qkyEvRucsNn5QW8hIHDnRuND6EbPyN7p4S
YB/F0dxSqgnq
-----END AGE ENCRYPTED FILE-----