gortium/infra
1
1
Fork 0
Code Issues 13 Pull Requests 21 Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: gortium:feat/hyperspace-pods-module
Branches Tags
gortium:master gortium:feat/worldmonitor gortium:feat/ups-config gortium:feat/rollback-sentinel-on-fresh-branch gortium:fix/honcho-vector-dim-empty gortium:fix/backup-submodule-update gortium:feat/restrict-docker-blacklist gortium:feat/restrict-docker-commands-for-ai-worker gortium:fix/hermes-matrix-deps-venv-persist gortium:feat/uconsole-cm5-v3 gortium:fix/update-compose-submodule-matrix-bridge gortium:feat/nix-deployment-v2 gortium:kvm-pr gortium:feat/nixos-ci-workflow gortium:kvm-pr-consolidate gortium:feat/hermes-workspace-combined gortium:feat/hyperspace-pods-module gortium:feat/hermes-workspace gortium:feat/hermes-workers gortium:feat/add-paperclip-agent-orchestrator gortium:feat/syncthing-org-sync gortium:fix/vpn-iptables-nft-v3 gortium:fix/vpn-iptables-nft-v2 gortium:fix/vpn-iptables-nft-upstream gortium:feat/nixos-ci gortium:feat/update-compose-submodule-custom-tools gortium:feat/kvm-libvirt gortium:fix/wg-easy-iptables-nft gortium:feat/compose-submodule-v2 gortium:feat/hermes-fork-dockerfile gortium:ai-worker-restricted-access gortium:feat/wireguard-vpn gortium:feat/k3s-pod-cluster gortium:feature/server-hardening-clean gortium:docs/merge-priority-order gortium:feat/hermes-voice-gpu-support gortium:feat/uconsole-cm5-v2 gortium:fix/matrix-bridge-v2 gortium:fix/backup-network-v2 gortium:feat/docker-add-qemu-cross-compilation gortium:feat/docker-add-latex-stack gortium:feat/docker-add-chromium-browser-deps gortium:feat/docker-add-curl-poppler-imagemagick gortium:feat/add-uconsole-host gortium:home_manager
..
compare: gortium:feat/hermes-workspace-combined
Branches Tags
gortium:feat/worldmonitor gortium:feat/ups-config gortium:feat/rollback-sentinel-on-fresh-branch gortium:fix/honcho-vector-dim-empty gortium:fix/backup-submodule-update gortium:feat/restrict-docker-blacklist gortium:feat/restrict-docker-commands-for-ai-worker gortium:fix/hermes-matrix-deps-venv-persist gortium:feat/uconsole-cm5-v3 gortium:fix/update-compose-submodule-matrix-bridge gortium:feat/nix-deployment-v2 gortium:kvm-pr gortium:feat/nixos-ci-workflow gortium:kvm-pr-consolidate gortium:feat/hermes-workspace-combined gortium:feat/hyperspace-pods-module gortium:feat/hermes-workspace gortium:feat/hermes-workers gortium:feat/add-paperclip-agent-orchestrator gortium:master gortium:feat/syncthing-org-sync gortium:fix/vpn-iptables-nft-v3 gortium:fix/vpn-iptables-nft-v2 gortium:fix/vpn-iptables-nft-upstream gortium:feat/nixos-ci gortium:feat/update-compose-submodule-custom-tools gortium:feat/kvm-libvirt gortium:fix/wg-easy-iptables-nft gortium:feat/compose-submodule-v2 gortium:feat/hermes-fork-dockerfile gortium:ai-worker-restricted-access gortium:feat/wireguard-vpn gortium:feat/k3s-pod-cluster gortium:feature/server-hardening-clean gortium:docs/merge-priority-order gortium:feat/hermes-voice-gpu-support gortium:feat/uconsole-cm5-v2 gortium:fix/matrix-bridge-v2 gortium:fix/backup-network-v2 gortium:feat/docker-add-qemu-cross-compilation gortium:feat/docker-add-latex-stack gortium:feat/docker-add-chromium-browser-deps gortium:feat/docker-add-curl-poppler-imagemagick gortium:feat/add-uconsole-host gortium:home_manager

10 Commits
feat/hyper ... feat/herme

Author SHA1 Message Date
Hermes
ff129019e0 Revert "fix: update compose submodule — hermes-workspace HOST fix" 
This reverts commit 8025607a53.
 2026-05-20 14:10:11 -04:00
Hermes
8025607a53 fix: update compose submodule — hermes-workspace HOST fix 2026-05-20 14:08:08 -04:00
Hermes
a322ed0884 feat(secrets): add HERMES_WORKSPACE_PASSWORD to containers.env 2026-05-20 14:06:56 -04:00
Hermes
68b7c40a9e fix(compose): update submodule to fix/hermes-build (dashboard + auth) 2026-05-20 14:06:32 -04:00
Hermes
146c164c91 fix: update compose submodule — hermes-workspace HOST fix and entrypoint improvements 2026-05-20 14:05:58 -04:00
Hermes
8e896e4c0d Revert "fix(compose): update compose submodule to feat/hermes-workspace-combined (dashboard + auth)" 
This reverts commit 1898f39d24.
 2026-05-20 14:05:44 -04:00
Hermes
1898f39d24 fix(compose): update compose submodule to feat/hermes-workspace-combined (dashboard + auth) 2026-05-20 14:04:23 -04:00
Hermes
c7a0a4dae4 Revert "feat(hermes): update compose submodule — drop fork overlay for v0.12.0 kanban" 
This reverts commit b85513ade2.
 2026-05-19 21:29:53 -04:00
Hermes
b85513ade2 feat(hermes): update compose submodule — drop fork overlay for v0.12.0 kanban 2026-05-19 21:23:13 -04:00
Hermes
d064bfb770 feat: add combined Hermes Workspace image with Swarm support 
- Update compose submodule to feat/hermes-workspace-combined
- New ai/hermes-workspace/ Dockerfile combining our Hermes fork
  + workspace web UI + tmux (Swarm workers)
- Hermes dashboard enabled on port 9119
- Existing hermes/ Dockerfile preserved as fallback
 2026-05-19 20:50:15 -04:00
6 changed files with 6 additions and 136 deletions
Expand all files Collapse all files

2
assets/compose

Submodule assets/compose updated: d3f2e3b7b9...ebad994d60

1
flake.nix
View File

@@ -61,7 +61,6 @@
./modules/nixos/services/open_code_server.nix
./modules/nixos/services/ollama_init_custom_models.nix
./modules/nixos/services/openclaw_node.nix
./modules/nixos/services/hyperspace.nix
./modules/nixos/security/ai-worker-restricted.nix
./users/gortium.nix
./users/ai-worker.nix

4
lib/keys.nix
View File

@@ -9,6 +9,10 @@
ai-worker = {
main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAXeGtPPcsP2IYRQNvII41NVWhJsarEk8c4qxs/a5sXf";
};
hermes_agent = {
age = "age178ypgaxn3fldh2aeqz37ncpk7jrplaxacrca8kkcycre3ahjef4s2dp3rp";
};
};
hosts = {

134
modules/nixos/services/hyperspace.nix
View File

@@ -1,134 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.hyperspace;
hyperspacePkg = pkgs.stdenv.mkDerivation {
name = "hyperspace-pods-${cfg.version}";
src = pkgs.fetchurl {
url = "https://github.com/hyperspaceai/aios-cli/releases/download/v${cfg.version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz";
hash = cfg.packageHash;
};
sourceRoot = ".";
installPhase = ''
mkdir -p $out/libexec $out/bin
cp -r * $out/libexec/
chmod +x $out/libexec/aios-cli
ln -s $out/libexec/aios-cli $out/bin/hyperspace
'';
};
in {
options.services.hyperspace = {
enable = lib.mkEnableOption "Hyperspace Pods P2P AI cluster agent";
version = lib.mkOption {
type = lib.types.str;
default = "5.45.30";
description = "Hyperspace CLI version to download.";
};
packageHash = lib.mkOption {
type = lib.types.str;
default = "sha256-f6fJ8t3exqtYwUD5j+WvD+Hm0oN/Eef0X+R9Rj23dE0=";
description = ''
SRI hash of the hyperspace release tarball (sha256-<base64>).
Must be updated when version changes. Generate with:
nix store prefetch-file --hash-algo sha256 \\
https://github.com/hyperspaceai/aios-cli/releases/download/v{version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz
'';
};
user = lib.mkOption {
type = lib.types.str;
default = "ai-worker";
description = "System user to run the Hyperspace agent.";
};
apiPort = lib.mkOption {
type = lib.types.port;
default = 8080;
description = "OpenAI-compatible API port (configurable via --api-port).";
};
profile = lib.mkOption {
type = lib.types.str;
default = "auto";
description = ''
Agent profile. Options: auto (auto-detect hardware), full (all capabilities),
inference (GPU inference only), embedding (CPU embedding only),
relay (lightweight relay), storage (storage + memory).
'';
};
autoStart = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Start the agent automatically on boot.";
};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Open P2P mesh (4001 TCP+UDP, 30301 TCP) and API port in the firewall.";
};
extraArgs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Extra arguments to pass to 'hyperspace start'.";
};
};
config = lib.mkIf cfg.enable {
systemd.services.hyperspace = {
description = "Hyperspace Pods P2P AI Cluster Agent";
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = lib.mkIf cfg.autoStart [ "multi-user.target" ];
path = with pkgs; [ bash coreutils ];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.user;
WorkingDirectory = "${hyperspacePkg}/libexec";
ExecStart = "${hyperspacePkg}/bin/hyperspace start --profile ${cfg.profile} --api-port ${toString cfg.apiPort} ${lib.escapeShellArgs cfg.extraArgs}";
Restart = "on-failure";
RestartSec = 5;
# AMD MI50 (ROCm) device access
DeviceAllow = [ "/dev/kfd rw" "/dev/dri rw" ];
# Supplementary groups for GPU/accelerator access
SupplementaryGroups = [ "video" "render" ];
# Hardening
NoNewPrivileges = true;
ProtectHome = "tmpfs";
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = false; # Needs /dev/kfd and /dev/dri
};
environment = {
HSA_OVERRIDE_GFX_VERSION = "9.0.6";
HOME = "/home/${cfg.user}";
};
};
# Firewall ports for P2P mesh (libp2p 4001, chain 30301) and API
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 4001 30301 cfg.apiPort ];
networking.firewall.allowedUDPPorts = lib.mkIf cfg.openFirewall [ 4001 ];
# Add GPU/accelerator groups to the service user (persistent beyond service restarts)
users.users = lib.mkIf (cfg.user == "ai-worker") {
ai-worker = {
extraGroups = [ "video" "render" ];
};
};
# ROCm override for AMD MI50 (gfx906) compatibility
environment.variables.HSA_OVERRIDE_GFX_VERSION = "9.0.6";
};
}

BIN
secrets/containers.env.age
View File

Binary file not shown.

1
secrets/secrets.nix
View File

@@ -4,6 +4,7 @@ let
keys.users.gortium.main
keys.hosts.lazyworkhorse.main
keys.hosts.lazyworkhorse.bootstrap
keys.users.hermes_agent.age
];
in
{