feat: update compose submodule for ollama-gfx906 (v0.23.2) + add Dockerfile

Merge remote-tracking branch 'origin/master' into ai-worker-restricted-access
chore: update flake.lock and fix merge conflict
2026-05-10 10:09:06 -04:00 · 2026-05-09 16:11:32 +00:00 · 2026-05-09 16:10:30 +00:00
9 changed files with 47 additions and 568 deletions
--- a/.gitea/workflows/build-nixos.yml
+++ b/.gitea/workflows/build-nixos.yml
@@ -1,64 +0,0 @@
 name: NixOS Build & Test
 run-name: Build ${{ gitea.event_name == 'push' && gitea.ref_name || format('PR #{0}', gitea.event.pull_request.number) }}
 on:
  push:
    branches:
      - master
    paths:
      - '**.nix'
      - 'flake.lock'
      - 'secrets/**'
      - 'hosts/**'
      - 'modules/**'
  pull_request:
    branches:
      - master
    paths:
      - '**.nix'
      - 'flake.lock'
      - 'secrets/**'
      - 'hosts/**'
      - 'modules/**'
 jobs:
  build:
    runs-on: nixos-builder
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Nix environment
        run: |
          echo "extra-experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
          cat ~/.config/nix/nix.conf
      - name: Install nh (nix helper)
        run: |
          nix --extra-experimental-features "nix-command flakes" \
            profile add nixpkgs#nh
          nh --version
      - name: Build NixOS configuration (lazyworkhorse)
        run: |
          nh os build .#lazyworkhorse
        env:
          NIX_CONFIG: "extra-experimental-features = nix-command flakes"
      - name: Build NixOS configuration (cyt-pi)
        run: |
          nh os build .#cyt-pi
        env:
          NIX_CONFIG: "extra-experimental-features = nix-command flakes"
      - name: Integration tests (placeholder)
        run: |
          echo "TODO: Add integration tests here"
          echo ""
          echo "Suggested future checks:"
          echo "  - nix flake check  (evaluate all NixOS configs)"
          echo "  - Validate agenix secrets are decryptable"
          echo "  - Check services are defined correctly"
          echo "  - Run VM test if nixos-test infrastructure exists"
--- a/assets/compose
+++ b/assets/compose
--- a/flake.lock
+++ b/flake.lock
@@ -70,11 +70,11 @@
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1774721317,
+        "lastModified": 1777373577,
-        "narHash": "sha256-KS0ElyhZKdUFcfaxfwid3yi2Id3EP9i+dGL16/wx1T8=",
+        "narHash": "sha256-K0sXr8tRA9L1FGE8Khl42NR+DmZOY9gNYCP8ljX7TAo=",
        "ref": "main",
-        "rev": "d0190cff6f2314cc1c727ff113aea20e086f4bcc",
+        "rev": "faaa14a303dabc6309a52cc8e5eba86f9e29ccaf",
-        "revCount": 19103,
+        "revCount": 19152,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix"
      },
@@ -178,11 +178,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1774386573,
+        "lastModified": 1777268161,
-        "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -59,7 +59,6 @@
              ./modules/nixos/filesystem/hoardingcow-mount.nix
              ./modules/nixos/services/docker_manager.nix
              ./modules/nixos/services/open_code_server.nix
              ./modules/nixos/services/staging-vm.nix
              ./modules/nixos/services/ollama_init_custom_models.nix
              ./modules/nixos/services/openclaw_node.nix
              ./modules/nixos/security/ai-worker-restricted.nix
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -207,7 +207,6 @@
    ai = {
      path = self + "/assets/compose/ai";
      envFile = config.age.secrets.containers_env.path;
      ports = [ 22000 ];  # Syncthing TCP sync
    };
    cloudstorage = {
@@ -475,7 +474,7 @@
  services.openssh.settings = {
    PermitRootLogin = "no";
    MaxAuthTries = 3;
-    MaxSessions = 20;
+    MaxSessions = 10;
    LoginGraceTime = 30;
    ClientAliveInterval = 300;
    ClientAliveCountMax = 2;
--- a/modules/nixos/services/ollama_init_custom_models.nix
+++ b/modules/nixos/services/ollama_init_custom_models.nix
@@ -1,87 +1,67 @@
 { pkgs, ... }: {
  systemd.services.init-ollama-model = {
    description = "Initialize LLM models with extra context in Ollama Docker";
-    
+    after = [ "docker-ollama.service" ];
    # On s'assure que Docker tourne avant de lancer ce script
    after = [ "docker.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
-      # Fonction de création asynchrone pour ne pas bloquer le démarrage
+      # Wait for Ollama
-      (
+      while ! ${pkgs.curl}/bin/curl -s http://localhost:11434/api/tags > /dev/null; do
-        echo "Starting asynchronous Ollama initialization..."
+        sleep 2
-        
+      done
        # Attente d'Ollama (maximum 120 secondes pour éviter une boucle infinie)
        TIMEOUT=60
        COUNT=0
        while ! ${pkgs.curl}/bin/curl -s -f http://127.0.0.1:11434/api/tags > /dev/null; do
          if [ $COUNT -ge $TIMEOUT ]; then
            echo "Ollama did not become ready in time. Exiting."
            exit 1
          fi
          echo "Waiting for Ollama API to be reachable..."
          sleep 5
          COUNT=$((COUNT + 5))
        done
-        create_model_if_missing() {
+      create_model_if_missing() {
-          local model_name=$1
+        local model_name=$1
-          local base_model=$2
+        local base_model=$2
        if ! ${pkgs.docker}/bin/docker exec ollama ollama list | grep -q "$model_name"; then
          echo "$model_name not found, creating from $base_model..."
-          # Vérification robuste via l'API HTTP d'Ollama plutôt que docker exec (évite les conflits de tty)
+          # We use a custom TEMPLATE block to strip the 'currentDate' function 
-          if ! ${pkgs.curl}/bin/curl -s http://127.0.0.1:11434/api/tags | ${pkgs.jq}/bin/jq -e ".models[] | select(.name == \"$model_name\")" > /dev/null; then
+          # which is unsupported in Ollama 0.5.7 but present in Devstral's default manifest.
-            echo "$model_name not found, creating from $base_model..."
+          ${pkgs.docker}/bin/docker exec ollama sh -c "cat <<EOF > /root/.ollama/$model_name.modelfile
            # Utilisation d'un fichier temporaire sur l'hôte pour l'injecter proprement dans Docker
            TMP_FILE=$(mktemp)
            cat <<EOF > "$TMP_FILE"
 FROM $base_model
-TEMPLATE """{{- if .System }}
+TEMPLATE \"\"\"{{- if .System }}
 [SYSTEM_PROMPT]
 {{ .System }}
 [/SYSTEM_PROMPT]
 {{- end }}
 {{- range .Messages }}
-{{- if eq .Role "user" }}
+{{- if eq .Role \"user\" }}
 [INST]
 {{ .Content }}
 [/INST]
-{{- else if eq .Role "assistant" }}
+{{- else if eq .Role \"assistant\" }}
 {{ .Content }}
 {{- end }}
-{{- end }}"""
+{{- end }}\"\"\"
 PARAMETER num_ctx 131072
 PARAMETER num_predict 4096
 PARAMETER num_keep 1024
 PARAMETER repeat_penalty 1.1
 PARAMETER top_k 40
-PARAMETER stop "[INST]"
+PARAMETER stop \"[INST]\"
-PARAMETER stop "[/INST]"
+PARAMETER stop \"[/INST]\"
-PARAMETER stop "</s>"
+PARAMETER stop \"</s>\"
-EOF
+EOF"
          ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f "/root/.ollama/$model_name.modelfile"
          ${pkgs.docker}/bin/docker exec ollama rm "/root/.ollama/$model_name.modelfile"
        else
          echo "$model_name already exists, skipping."
        fi
      }
-            # Copie et création dans le conteneur
+      # Create Nemotron
-            ${pkgs.docker}/bin/docker cp "$TMP_FILE" ollama:/tmp/model.modelfile
+      create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
-            ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f /tmp/model.modelfile
+      
-            ${pkgs.docker}/bin/docker exec ollama rm /tmp/model.modelfile
+      # Create Devstral
-            rm -f "$TMP_FILE"
+      create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
-          else
+      
-            echo "$model_name already exists, skipping."
+      # create_model_if_missing "qwen2.5-coder:32b-128k" "qwen2.5-coder:32b"
-          fi
+      
-        }
+      # create_model_if_missing "mistral-large-planner:123b" "mistral-large:123b-instruct-v2407-q4_K_S"
        # Create Nemotron
        create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
        # Create Devstral
        create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
      ) &
    '';
    serviceConfig = {
-      Type = "forking"; # Permet à systemd de savoir que le script passe en arrière-plan via '&'
+      Type = "oneshot";
-      User = "root";
+      RemainAfterExit = true;
    };
  };
 }
--- a/modules/nixos/services/staging-vm.nix
+++ b/modules/nixos/services/staging-vm.nix
@@ -1,415 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.staging-vm;
  # Resolve the first IP in the subnet (the gateway address for the NAT network)
  networkIp = head (splitString "/" cfg.network.subnet);
  # ── pr-test-vm helper script ──────────────────────────────────────────
  pr-test-vm = pkgs.writeShellScriptBin "pr-test-vm" ''
    set -euo pipefail
    LIBVIRT_URI="qemu:///system"
    STORAGE_POOL="${cfg.storagePool}"
    VM_DIR="${cfg.dataDir}"
    NETWORK="${cfg.network.name}"
    SCRIPT_NAME="$(basename "$0")"
    usage() {
      cat <<EOF
    Usage: $SCRIPT_NAME <command> [options]
    Commands:
      build   <nixos-config> [--name <name>]   Build VM image from a NixOS config
      start   <vm-name>                         Start a VM
      stop    <vm-name>                         Gracefully shut down a VM
      destroy <vm-name>                         Force-power-off and undefine a VM
      ssh     [user@]<vm-name>                  SSH into a running VM
      console <vm-name>                         Connect to VM serial console
      list                                      List all staging VMs
      status  <vm-name>                         Show VM status
      rebuild <vm-name>                         Redeploy the VM (stop + start)
    Examples:
      $SCRIPT_NAME build ./vm-config.nix --name my-test
      $SCRIPT_NAME start my-test
      $SCRIPT_NAME ssh root@my-test
    EOF
      exit 1
    }
    # Find the VM's IP address from the DHCP lease
    vm_ip() {
      local name="$1"
      local mac
      mac=$(${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" domiflist "$name" 2>/dev/null \
        | ${pkgs.gawk}/bin/awk 'NR>2 && $1 ~ /^vnet/ {print $NF; exit}')
      [ -z "$mac" ] && { echo "error: cannot find MAC for VM '$name'"; exit 1; }
      local ip
      ip=$(${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" net-dhcp-leases "$NETWORK" 2>/dev/null \
        | ${pkgs.gawk}/bin/awk -v mac="$mac" '$0 ~ mac {gsub(/-.*/, "", $3); print $3; exit}')
      [ -z "$ip" ] && { echo "error: no DHCP lease found for VM '$name' (MAC: $mac)"; exit 1; }
      echo "$ip"
    }
    case "''${1:-help}" in
      build)
        shift
        CONFIG="''${1:?Missing NixOS config path}"
        VM_NAME="''${2:-}"
        [ -f "$CONFIG" ] || { echo "error: config file not found: $CONFIG"; exit 1; }
        # Extract name from --name flag or config basename
        if [ "''${2:-}" = "--name" ] && [ -n "''${3:-}" ]; then
          VM_NAME="$3"
        elif [ -z "$VM_NAME" ] || [ "''${VM_NAME#--}" != "$VM_NAME" ]; then
          VM_NAME="$(basename "$CONFIG" .nix)"
        fi
        BUILD_DIR="$VM_DIR/$VM_NAME"
        IMAGE="$BUILD_DIR/disk-image.qcow2"
        echo "==> Building VM '$VM_NAME' from config: $CONFIG"
        mkdir -p "$BUILD_DIR"
        # Build the NixOS VM derivation
        nix build --no-link -f "$CONFIG" vm 2>&1 || {
          # Fallback: try as flake output
          echo "Trying flake build..."
          nix build "''${CONFIG%/.nix}#nixosConfigurations.$VM_NAME.config.system.build.vm" --no-link 2>&1 || {
            echo "error: failed to build VM (tried both import and flake)"
            exit 1
          }
        }
        echo "==> Build complete. Run 'pr-test-vm start $VM_NAME' to launch."
        ;;
      start)
        VM_NAME="''${1:?Missing VM name}"
        IMAGE="$VM_DIR/$VM_NAME/disk-image.qcow2"
        [ -f "$IMAGE" ] || { echo "error: no disk image found at $IMAGE. Build first."; exit 1; }
        # Check if already running
        STATE=$(${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" domstate "$VM_NAME" 2>/dev/null || echo "undefined")
        if [ "$STATE" = "running" ]; then
          echo "VM '$VM_NAME' is already running."
          exit 0
        fi
        echo "==> Starting VM '$VM_NAME'..."
        # Undefine if defined but not running
        if [ "$STATE" != "undefined" ]; then
          ${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" undefine "$VM_NAME" 2>/dev/null || true
        fi
        # Define and start with virt-install
        ${pkgs.virt-manager}/bin/virt-install \
          --connect "$LIBVIRT_URI" \
          --name "$VM_NAME" \
          --memory "${toString cfg.memory}" \
          --vcpus "${toString cfg.vcpus}" \
          --disk "$IMAGE",bus=virtio \
          --import \
          --network network="$NETWORK",model=virtio \
          --graphics none \
          --console pty,target_type=virtio \
          --serial pty \
          --memballoon virtio \
          --rng /dev/urandom \
          --noautoconsole \
          --os-variant detect=on,name=generic
        echo "==> VM '$VM_NAME' started. Get IP with: pr-test-vm status $VM_NAME"
        ;;
      stop)
        VM_NAME="''${1:?Missing VM name}"
        echo "==> Stoping VM '$VM_NAME'..."
        ${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" shutdown "$VM_NAME" 2>/dev/null && {
          echo "Waiting for VM to shut down..."
          for i in $(seq 1 30); do
            STATE=$(${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" domstate "$VM_NAME" 2>/dev/null || echo "undefined")
            [ "$STATE" != "running" ] && { echo "VM stopped."; exit 0; }
            sleep 2
          done
          echo "warning: VM did not shut down gracefully, use 'destroy' for force"
        } || {
          echo "VM '$VM_NAME' not running or does not exist."
        }
        ;;
      destroy)
        VM_NAME="''${1:?Missing VM name}"
        echo "==> Destroying VM '$VM_NAME'..."
        ${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" destroy "$VM_NAME" 2>/dev/null || true
        ${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" undefine "$VM_NAME" 2>/dev/null || true
        echo "==> VM '$VM_NAME' destroyed and undefined."
        ;;
      ssh)
        TARGET="''${1:?Usage: $SCRIPT_NAME ssh [user@]<vm-name>}"
        # Split user@hostname if present
        if echo "$TARGET" | ${pkgs.gnugrep}/bin/grep -q '@'; then
          USER="''${TARGET%@*}"
          VM_NAME="''${TARGET#*@}"
        else
          VM_NAME="$TARGET"
          USER=""
        fi
        IP=$(vm_ip "$VM_NAME") || exit 1
        if [ -n "$USER" ]; then
          exec ${pkgs.openssh}/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "''${USER}@''${IP}"
        else
          exec ${pkgs.openssh}/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$IP"
        fi
        ;;
      console)
        VM_NAME="''${1:?Missing VM name}"
        exec ${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" console "$VM_NAME"
        ;;
      list)
        echo "Staging VMs:"
        ${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" list --all
        echo ""
        echo "Active networks:"
        ${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" net-list
        echo ""
        echo "Storage pools:"
        ${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" pool-list
        ;;
      status)
        VM_NAME="''${1:?Missing VM name}"
        echo "VM: $VM_NAME"
        STATE=$(${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" domstate "$VM_NAME" 2>/dev/null || echo "not found")
        echo "State: $STATE"
        if [ "$STATE" = "running" ]; then
          IP=$(vm_ip "$VM_NAME" 2>/dev/null || echo "N/A")
          echo "IP: $IP"
          ${pkgs.libvirt}/bin/virsh -c "$LIBVIRT_URI" dommemstat "$VM_NAME" 2>/dev/null | head -3 || true
        fi
        ;;
      rebuild)
        VM_NAME="''${1:?Missing VM name}"
        "$0" destroy "$VM_NAME"
        "$0" start "$VM_NAME"
        ;;
      help|--help|-h)
        usage
        ;;
      *)
        usage
        ;;
    esac
  '';
 in
 {
  options.services.staging-vm = {
    enable = mkEnableOption "Staging VM infrastructure with libvirt/KVM";
    network = {
      name = mkOption {
        type = types.str;
        default = "staging";
        description = "Name of the libvirt NAT network for staging VMs";
      };
      bridge = mkOption {
        type = types.str;
        default = "virbr1";
        description = "Bridge interface name for the staging network";
      };
      subnet = mkOption {
        type = types.str;
        default = "192.168.122.0/24";
        description = "NAT network subnet in CIDR notation";
      };
      dhcpStart = mkOption {
        type = types.str;
        default = "192.168.122.2";
        description = "Start of the DHCP range";
      };
      dhcpEnd = mkOption {
        type = types.str;
        default = "192.168.122.254";
        description = "End of the DHCP range";
      };
    };
    storagePool = mkOption {
      type = types.str;
      default = "/var/lib/libvirt/images";
      description = "Directory path for the libvirt storage pool";
    };
    dataDir = mkOption {
      type = types.str;
      default = "/var/lib/staging-vm";
      description = "Directory for staging VM test data (images, cloud-init configs)";
    };
    memory = mkOption {
      type = types.int;
      default = 2048;
      description = "Default RAM in MiB for staging VMs";
    };
    vcpus = mkOption {
      type = types.int;
      default = 2;
      description = "Default number of vCPUs for staging VMs";
    };
  };
  config = mkIf cfg.enable {
    # ── libvirtd with QEMU/KVM ──────────────────────────────────────────
    virtualisation.libvirtd = {
      enable = true;
      qemu = {
        package = pkgs.qemu_kvm;
        runAsRoot = true;
        swtpm = {
          enable = true;
        };
        ovmf = {
          enable = true;
          packages = [ pkgs.OVMF ];
        };
      };
      # Allow the staging bridge for guest networking
      allowedBridges = [ cfg.network.bridge ];
    };
    # ── System packages ─────────────────────────────────────────────────
    environment.systemPackages = with pkgs; [
      libvirt                # virsh, virt-admin
      qemu_kvm               # QEMU/KVM
      swtpm                  # Software TPM
      OVMF                   # UEFI firmware for VMs
      virt-manager           # GUI management
      virt-viewer            # SPICE/VNC viewer
      libguestfs             # virt-install, virt-customize, guestfish
      cdrtools               # genisoimage for cloud-init ISOs
      jq                     # JSON parsing
      gawk                   # awk for DHCP lease parsing
      gnugrep                # grep
    ];
    # ── User permissions ────────────────────────────────────────────────
    users.users.gortium.extraGroups = [ "libvirtd" ];
    # ── Directories ─────────────────────────────────────────────────────
    systemd.tmpfiles.rules = [
      "d ${cfg.storagePool} 0755 root root -"
      "d ${cfg.dataDir} 0755 root root -"
    ];
    # ── Default NAT network definition ──────────────────────────────────
    systemd.services.define-staging-network = {
      description = "Define the staging libvirt NAT network";
      after = [ "libvirtd.service" ];
      requires = [ "libvirtd.service" ];
      wantedBy = [ "multi-user.target" ];
      before = [ "define-staging-pool.service" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = let
        networkXml = pkgs.writeText "staging-network.xml" ''
          <network>
            <name>${cfg.network.name}</name>
            <forward mode='nat'/>
            <bridge name='${cfg.network.bridge}' stp='on' delay='0'/>
            <ip address='${networkIp}' netmask='255.255.255.0'>
              <dhcp>
                <range start='${cfg.network.dhcpStart}' end='${cfg.network.dhcpEnd}'/>
              </dhcp>
            </ip>
          </network>
        '';
      in ''
        set -e
        ${pkgs.libvirt}/bin/virsh -c qemu:///system net-info "${cfg.network.name}" 2>/dev/null && {
          echo "Network '${cfg.network.name}' already exists"
        } || {
          echo "Defining network '${cfg.network.name}'..."
          ${pkgs.libvirt}/bin/virsh -c qemu:///system net-define "${networkXml}"
        }
        ${pkgs.libvirt}/bin/virsh -c qemu:///system net-autostart "${cfg.network.name}"
        # Start the network if not already active
        STATE=$(${pkgs.libvirt}/bin/virsh -c qemu:///system net-state "${cfg.network.name}" 2>/dev/null || echo "inactive")
        if [ "$STATE" != "active" ]; then
          ${pkgs.libvirt}/bin/virsh -c qemu:///system net-start "${cfg.network.name}"
        fi
        echo "Network '${cfg.network.name}' is ready."
      '';
    };
    # ── Storage pool definition ─────────────────────────────────────────
    systemd.services.define-staging-pool = {
      description = "Define the staging libvirt storage pool";
      after = [ "libvirtd.service" "define-staging-network.service" ];
      requires = [ "libvirtd.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        set -e
        ${pkgs.libvirt}/bin/virsh -c qemu:///system pool-info staging 2>/dev/null && {
          echo "Storage pool 'staging' already exists"
        } || {
          echo "Defining storage pool 'staging' at ${cfg.storagePool}..."
          ${pkgs.libvirt}/bin/virsh -c qemu:///system pool-define-as \
            --name staging --type dir --target "${cfg.storagePool}"
        }
        ${pkgs.libvirt}/bin/virsh -c qemu:///system pool-autostart staging
        STATE=$(${pkgs.libvirt}/bin/virsh -c qemu:///system pool-state staging 2>/dev/null || echo "inactive")
        if [ "$STATE" != "running" ]; then
          ${pkgs.libvirt}/bin/virsh -c qemu:///system pool-build staging
          ${pkgs.libvirt}/bin/virsh -c qemu:///system pool-start staging
        fi
        echo "Storage pool 'staging' is ready."
      '';
    };
    # ── Firewall rules for libvirt guests ───────────────────────────────
    networking.firewall = {
      # Trust the bridge interface to allow guest traffic
      trustedInterfaces = [ cfg.network.bridge ];
      extraCommands = mkAfter ''
        # Allow forwarding between the staging bridge and the outside world
        iptables -I FORWARD -i ${cfg.network.bridge} -j ACCEPT 2>/dev/null || true
        iptables -I FORWARD -o ${cfg.network.bridge} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
        # NAT for guest outbound traffic
        iptables -t nat -I POSTROUTING -s ${cfg.network.subnet} -j MASQUERADE 2>/dev/null || true
      '';
    };
    # ── pr-test-vm helper script ────────────────────────────────────────
    environment.systemPackages = [ pr-test-vm ];
  };
 }
--- a/secrets/wireguard_preshared_key.age
+++ b/secrets/wireguard_preshared_key.age
@@ -1,9 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA3VG9Z
 MVFPVFc2VVJ3d0h0dmtBUnI3WHl2SzUxTkRZbjFCaGloWmV3dnd3ClcxdnVPeGd6
 SU4zR0Q0K1dtVjRRVHd0VW5XSFI0dVFpTjZnYk1DNjRxTVEKLT4gQzlgRy1ncmVh
 c2UKeUozOWgyUytSTVF0NjY2STBEb2VadwotLS0gblI3bmJCUWxxU3QrYTEyVFBI
 Snc4NC9rTkh0NnZYbUtxUE9hRWRkelpmMAq58fmH6cK13GeD7wGLxKmx10hmJeW4
 b7KqnCD1ZP7uG85s32xzVRwRG8RrG4xZo5nR9Mrtg1CoTSFfUGeFnf5xveN+Ej0X
 wDVB1LwC+Q==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/wireguard_private_key.age
+++ b/secrets/wireguard_private_key.age
@@ -1,11 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA5dzVG
 WUNvT3NlRmcrWS81bzJqSWlTekVYaDFFTE10SkI2dEgzaGpxcUI4Cmk5Y0FGYTRZ
 K0NGYzY3VUp4aS9ZZGRmWTgybDJFUURva2pZNmVOS3QxdEUKLT4gPnVRTCtldGMt
 Z3JlYXNlCk04OTJZeFRNeDI5aGpMVTk1ZTE0Y2FMMnFEMjlJalJpMHRlaTE4ZWIx
 d2lCRGQ5RHVjcktOMGJCb1VERlNWcTYKaSt0L1Z6dVJ0QWIyZkhsYzFEVjZSQWUr
 ZWpwVlo1TmhoUFJZdkEvR0gxNlVhcXF2ZTRnCi0tLSBLcmM2MThNVkdWclpHUXRr
 VTF6QVk2WUZlTXpZMVNLMlpBOFc3M1o5WjZzCs9xbPlIX+u5vRSQ/z9utu+I9S2c
 02DOsIb1kzxzb1OK91b8Kh4JucQSq3qkyEvRucsNn5QW8hIHDnRuND6EbPyN7p4S
 YB/F0dxSqgnq
 -----END AGE ENCRYPTED FILE-----
Author	SHA1	Message	Date
Hermes	6b2e7a626f	feat: update compose submodule for ollama-gfx906 (v0.23.2) + add Dockerfile	2026-05-10 10:09:06 -04:00
Hermes Agent	878cfc1d99	Merge remote-tracking branch 'origin/master' into ai-worker-restricted-access	2026-05-09 16:11:32 +00:00
Hermes Agent	ceb58bcf76	chore: update flake.lock and fix merge conflict	2026-05-09 16:10:30 +00:00