feat: add uConsole CM5 host configuration

- Add nixos-uconsole and nixos-hardware inputs for CM5/RPi5 support - Create hosts/uconsole/configuration.nix with HAM radio, SDR, and security tools - Create hosts/uconsole/hardware-configuration.nix for CM5 hardware - Register uConsole in flake.nix nixosConfigurations - Add uconsole host key placeholder to lib/keys.nix
2026-04-29 17:26:33 +00:00
20 changed files with 245 additions and 1573 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -5,7 +5,6 @@ This document outlines the development conventions for this NixOS-based infrastr
 ## Build & Deployment
 - **Build/Deploy:** Use `nixos-rebuild switch --flake .#<hostname>` to build and deploy the configuration for a specific host.
 - **CRITICAL — Validate before pushing:** Always `nix build --no-link '.#nixosConfigurations.<hostname>.config.system.build.toplevel'` (or `nh os build`) and confirm it succeeds before pushing any changes. Never push untested NixOS configs.
 - **Development Shell:** Activate the development environment with `nix develop`.
 ## Linting & Formatting
--- a/assets/compose
+++ b/assets/compose
--- a/assets/ollama/Dockerfile
+++ b/assets/ollama/Dockerfile
@@ -1,106 +0,0 @@
 # ollama-gfx906/Dockerfile
 #
 # Custom ollama image with ROCm 6.1 + gfx906 (MI50) support.
 # The official ollama/rocm image ships ROCm 7.2 which dropped gfx906.
 # This uses v0.23.2's native CMake build system with AMDGPU_TARGETS including gfx906.
 #
 # Build: docker build -t ollama/ollama:rocm-gfx906 ai/ollama
 FROM rocm/dev-ubuntu-22.04:6.1.2-complete AS builder
 # Build dependencies (CMake, Ninja, Go)
 ARG CMAKEVERSION=3.31.2
 ARG NINJAVERSION=1.12.1
 ARG GOLANG_VERSION=1.22.0
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    curl git ccache build-essential pkg-config unzip \
    && rm -rf /var/lib/apt/lists/*
 # Install CMake from official binaries
 RUN curl -fsSL https://github.com/Kitware/CMake/releases/download/v${CMAKEVERSION}/cmake-${CMAKEVERSION}-linux-x86_64.tar.gz \
    | tar xz -C /usr/local --strip-components 1
 # Install Ninja
 RUN curl -fsSL -o /tmp/ninja.zip \
    https://github.com/ninja-build/ninja/releases/download/v${NINJAVERSION}/ninja-linux.zip \
    && unzip /tmp/ninja.zip -d /usr/local/bin && rm /tmp/ninja.zip
 # Install Go
 RUN curl -fsSL https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz \
    | tar xz -C /usr/local
 ENV PATH=/usr/local/go/bin:$PATH
 ARG OLLAMA_VERSION=v0.23.2
 RUN git clone --depth 1 --branch ${OLLAMA_VERSION} https://github.com/ollama/ollama.git /build
 WORKDIR /build
 # ROCm paths
 ENV HIP_PATH=/opt/rocm
 ENV ROCM_PATH=/opt/rocm
 ENV CMAKE_GENERATOR=Ninja
 ENV LDFLAGS=-s
 # Step 1: Build CPU backends with GCC (no ROCm preset)
 # Pre-set CMAKE_HIP_COMPILER="" to prevent check_language(HIP) from
 # finding a HIP compiler (it searches /opt/rocm even without PATH).
 # Remove /opt/rocm from PATH to prevent find_program from finding hipcc.
 RUN mkdir -p build-cpu && \
    PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
    cmake -B build-cpu -DCMAKE_BUILD_TYPE=Release \
      -DCMAKE_HIP_COMPILER="" \
      -DCMAKE_INSTALL_PREFIX=/build/dist && \
    cmake --build build-cpu --target ggml-cpu -- -l $(nproc) && \
    cmake --install build-cpu --component CPU --strip && \
    echo "=== CPU install ===" && \
    (find /build/dist/lib/ollama -type f -o -type l 2>&1 | head -20 || echo "empty")
 # Step 2: Build HIP backend with ROCm preset + gfx906 target only
 # The ROCm 6 preset enables HIP language detection (enable_language(HIP))
 # which ensures GPU kernels are properly compiled for gfx906.
 # OLLAMA_RUNNER_DIR=rocm from the preset, so HIP goes to lib/ollama/rocm/
 # Need CMAKE_PREFIX_PATH so find_package(hip) finds hip-config.cmake
 # at /opt/rocm/lib/cmake/hip/hip-config.cmake.
 RUN mkdir -p build-hip && \
    cmake -B build-hip \
      --preset 'ROCm 6' \
      -DAMDGPU_TARGETS="gfx906:xnack-" \
      -DCMAKE_BUILD_TYPE=Release \
      -DCMAKE_PREFIX_PATH="/opt/rocm" && \
    cmake --build build-hip --target ggml-hip -- -l $(nproc) && \
    cmake --install build-hip --component HIP --strip && \
    echo "=== HIP install ===" && \
    find /build/dist/lib/ollama -type f -o -type l | head -20
 # Step 3: Build Go binary (GCC for CGo linking)
 ENV CGO_ENABLED=1
 RUN go build -trimpath -ldflags="-X=github.com/ollama/ollama/version.Version=${OLLAMA_VERSION}" -o /build/dist/ollama .
 # ---------- Runtime image ----------
 FROM ubuntu:24.04
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    ca-certificates curl libstdc++6 libgomp1 libvulkan1 libopenblas0 \
    && rm -rf /var/lib/apt/lists/*
 # Copy ROCm 6.1 runtime libraries
 # These are needed at runtime by ggml-hip via LD_LIBRARY_PATH
 COPY --from=builder /opt/rocm/lib/ /opt/rocm/lib/
 COPY --from=builder /opt/rocm/share/ /opt/rocm/share/
 # Copy ollama binary + all backends (CPU + HIP)
 # CPU install:  /build/dist/lib/ollama/libggml-*.so
 # HIP install:  /build/dist/lib/ollama/rocm/libggml-hip.so
 COPY --from=builder /build/dist/ollama /usr/bin/ollama
 COPY --from=builder /build/dist/lib/ollama/ /usr/lib/ollama/
 RUN ldconfig
 ENV LD_LIBRARY_PATH=/opt/rocm/lib:/usr/lib/ollama/rocm:/usr/lib/ollama
 ENV HSA_OVERRIDE_GFX_VERSION=9.0.6
 ENV HCC_AMDGPU_TARGET=gfx906
 ENV HSA_ENABLE_SDMA=0
 EXPOSE 11434
 ENTRYPOINT ["/bin/ollama"]
 CMD ["serve"]
--- a/flake.nix
+++ b/flake.nix
@@ -12,18 +12,14 @@
      url = "git+https://git.lix.systems/lix-project/lix?ref=main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nixos-uconsole = {
+    # uConsole CM5 hardware support
-      url = "github:nixos-uconsole/nixos-uconsole";
+    nixos-uconsole.url = "github:nixos-uconsole/nixos-uconsole";
-      inputs.nixpkgs.follows = "nixpkgs";
+    # Raspberry Pi 5 hardware support
-    };
+    nixos-hardware.url = "github:nixos/nixos-hardware/master";
    nixos-raspberrypi = {
      url = "github:nvmd/nixos-raspberrypi/v1.20260317.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    self.submodules = true;
  };
-  outputs = { self, nixpkgs, agenix, lix, nixos-uconsole, nixos-raspberrypi, ... }@inputs:
+  outputs = { self, nixpkgs, agenix, lix, ... }@inputs:
    let
      system = "x86_64-linux";
      keys = import ./lib/keys.nix;
@@ -34,7 +30,7 @@
          "/etc/ssh/ssh_host_ed25519_key"
          "/root/.age/bootstrap.key" ];
      };
-      overlays = [ agenix.overlays.default (import ./overlays/reticulum.nix) ];
+      overlays = [ agenix.overlays.default ];
      pkgs = import nixpkgs {
        inherit system overlays;
        config.allowUnfree = true;
@@ -69,8 +65,6 @@
              ./modules/nixos/services/open_code_server.nix
              ./modules/nixos/services/ollama_init_custom_models.nix
              ./modules/nixos/services/openclaw_node.nix
              ./modules/nixos/services/rollback-sentinel.nix
              ./modules/nixos/security/ai-worker-restricted.nix
              ./users/gortium.nix
              ./users/ai-worker.nix
            ];
@@ -90,8 +84,8 @@
            ];
          };
-          uConsole = nixos-raspberrypi.lib.nixosSystem {
+          uConsole = nixpkgs.lib.nixosSystem {
-            specialArgs = { inherit self keys paths inputs nixos-raspberrypi; };
+            specialArgs = { inherit self keys paths inputs; };
            modules = [
              {
                nixpkgs.overlays = overlays;
@@ -99,10 +93,8 @@
                nixpkgs.hostPlatform = "aarch64-linux";
                nix.package = lix.packages."aarch64-linux".default;
              }
-              nixos-raspberrypi.nixosModules.raspberry-pi-5.base
+              ./hosts/uconsole/configuration.nix
-              nixos-uconsole.nixosModules.uconsole-cm5
+              ./hosts/uconsole/hardware-configuration.nix
              ./hosts/uConsole/configuration.nix
              ./hosts/uConsole/hardware-configuration.nix
            ];
          };
        };
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -36,7 +36,7 @@
    "transparent_hugepage=always" # because mucho ram
  ];
  # 2. Load the specific drivers found by sensors-detect
-  boot.kernelModules = [ "nct6775" "lm96163" "iptable_nat" "iptable_filter" ];
+  boot.kernelModules = [ "nct6775" "lm96163" ];
  # 3. Force the nct6775 driver to recognize the chip if it's stubborn
  boot.extraModprobeConfig = ''
    options nct6775 force_id=0xd280
@@ -49,26 +49,6 @@
  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
  networking.hostId = "deadbeef";
  # WireGuard VPN client -- always up, connects to wg-easy server
  # Create age-encrypted secrets before deploying (run on the host):
  #   echo -n "<private_key>" | agenix -e secrets/wireguard_private_key.age
  #   echo -n "<preshared_key>" | agenix -e secrets/wireguard_preshared_key.age
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.8.0.3/24" ];
      privateKeyFile = config.age.secrets.wireguard_private_key.path;
      peers = [
        {
          publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
          presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
          allowedIPs = [ "10.8.0.0/24" ];
          endpoint = "vpn.lazyworkhorse.net:51820";
          persistentKeepalive = 25;
        }
      ];
    };
  };
  # Set your time zone.
  time.timeZone = "America/Montreal";
@@ -178,7 +158,7 @@
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
-      # Additional hardening settings below in SERVER HARDENING section
+      PermitRootLogin = "prohibit-password"; 
    };
    hostKeys = [
      {
@@ -207,7 +187,6 @@
    ai = {
      path = self + "/assets/compose/ai";
      envFile = config.age.secrets.containers_env.path;
      ports = [ 22000 ];  # Syncthing TCP sync
    };
    cloudstorage = {
@@ -242,11 +221,6 @@
      path = self + "/assets/compose/homepage";
    };
    vpn = {
      path = self + "/assets/compose/vpn";
      envFile = config.age.secrets.containers_env.path;
    };
    # tak = {
    #   path = self + "/assets/compose/tak";
    # };
@@ -290,20 +264,6 @@
        mode = "0440";
        path = "/run/secrets/openclaw_gateway_token";
      };
      wireguard_private_key = {
        file = ../../secrets/wireguard_private_key.age;
        owner = "root";
        group = "root";
        mode = "0400";
        path = "/run/secrets/wireguard_private_key";
      };
      wireguard_preshared_key = {
        file = ../../secrets/wireguard_preshared_key.age;
        owner = "root";
        group = "root";
        mode = "0400";
        path = "/run/secrets/wireguard_preshared_key";
      };
    };
  };
@@ -321,40 +281,10 @@
  environment.etc."ssh/ssh_host_ed25519_key.pub".text =
    "${keys.hosts.lazyworkhorse.main}";
  # ── Boot sentinel: auto-rollback on critical service failure ───────────────
  services.rollbackSentinel.enable = true;
  # Tier-1: failure triggers rollback
  services.rollbackSentinel.tier1Services = [
    "sshd" "docker" "traefik" "authelia"
  ];
  # Tier-2: warn only
  services.rollbackSentinel.tier2Services = [
    "gitea" "hermes" "ollama" "synapse" "nextcloud"
    "vaultwarden" "wireguard" "homeassistant" "fail2ban"
  ];
  # Wait 2 minutes after boot before checking (lets services initialize)
  services.rollbackSentinel.bootDelay = "120";
  # Change boot default only (not --rollback-now) for safety
  services.rollbackSentinel.rollbackMode = "set-default";
  services.fstrim.enable = true;
  services.zfs.autoSnapshot.enable = true;
  services.zfs.autoScrub.enable = true;
  # Ensure com.sun:auto-snapshot is set on ZFS datasets so auto-snapshots actually run
  systemd.services."zfs-set-auto-snapshot" = {
    description = "Set com.sun:auto-snapshot=true on ZFS datasets";
    after = [ "zfs-import.target" ];
    wants = [ "zfs-import.target" ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ zfs ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${pkgs.zfs}/bin/zfs set -r com.sun:auto-snapshot=true rpool";
    };
  };
  # Mi50 config
  hardware.graphics = {
@@ -378,203 +308,6 @@
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # =============================================================================
  # SERVER HARDENING - Firewall, Fail2ban, SSH, Kernel
  # =============================================================================
  # Firewall - default deny, explicit allow
  networking.firewall = {
    # Enable firewall with default deny policy (NixOS firewall denies all by default)
    enable = true;
    allowPing = true;
    # Only essential ports exposed to internet
    allowedTCPPorts = [
      2424  # SSH (non-standard port)
      2222  # Gitea (version control)
      80    # HTTP (Traefik redirect)
      443   # HTTPS (Traefik)
      # 8000  # Portainer - REVIEW: internal only?
      # 4242  # Coms - REVIEW: internal only?
      # 5000  # TAK API - REVIEW: internal only?
      # 8087  # TAK Connect - REVIEW: internal only?
      # 8089  # TAK Management - REVIEW: internal only?
    ];
    allowedUDPPorts = [
      51820 # WireGuard VPN
    ];
    # Rate limiting and attack prevention
    extraCommands = ''
      # 1. Wipe the INPUT chain clean at the start of every activation
      iptables -F INPUT
      # Rate limit SSH connections (max 20 new connections per 60 seconds)
      iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --set
      iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
      # Rate limit HTTP/HTTPS (protects Traefik)
      iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
      iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
      # Drop invalid packets
      iptables -A INPUT -m state --state INVALID -j DROP
      # Log dropped packets (rate limited)
      iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
      # 3. CRITICAL: Re-link the NixOS default firewall chain
      # Without this line, the 'allowedTCPPorts' in your Nix config will be ignored!
      iptables -A INPUT -j nixos-fw
    '';
  };
  # Fail2ban - automatic IP banning
  services.fail2ban = {
    enable = true;
    maxretry = 3;
    bantime = "1h";
    banaction = "iptables-multiport";
    jails = {
      # SSH brute force protection (uses systemd journal backend)
      sshd = {
        enabled = true;
        settings = {
          filter = "sshd";
          port = "2424";
          maxretry = 3;
          bantime = "1h";
        };
      };
      # Recidive - ban repeat offenders for 1 week
      recidive = {
        enabled = true;
        settings = {
          filter = "recidive";
          logpath = "/var/log/fail2ban.log";
          bantime = "1w";
          findtime = "1d";
          maxretry = 3;
        };
      };
      # HTTP authentication failures (Traefik)
      http-auth = {
        enabled = true;
        settings = {
          filter = "traefik-auth";
          port = "80,443";
          logpath = "/var/log/traefik/access.log";
          maxretry = 5;
          bantime = "1h";
        };
      };
      # HTTP scanning/attacks (Traefik)
      http-botsearch = {
        enabled = true;
        settings = {
          filter = "traefik-botsearch";
          port = "80,443";
          logpath = "/var/log/traefik/access.log";
          maxretry = 2;
          bantime = "2h";
        };
      };
    };
  };
  # Custom fail2ban filters for Traefik
  environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
    [Definition]
    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
    ignoreregex =
  '';
  environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
    [Definition]
    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
                ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
    ignoreregex =
  '';
  # SSH hardening
  services.openssh.settings = {
    PermitRootLogin = "no";
    MaxAuthTries = 3;
    MaxSessions = 20;
    LoginGraceTime = 30;
    ClientAliveInterval = 300;
    ClientAliveCountMax = 2;
    PermitEmptyPasswords = "no";
    ChallengeResponseAuthentication = "no";
    UsePAM = true;
    LogLevel = "VERBOSE";
    X11Forwarding = false;
    AllowTcpForwarding = "no";
    AllowAgentForwarding = "no";
    PermitTunnel = "no";
  };
  # Kernel network hardening
  boot.kernel.sysctl = {
    # IP Spoofing protection
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;
    # Ignore ICMP broadcasts
    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
    # Disable source routing
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    "net.ipv6.conf.all.accept_source_route" = 0;
    "net.ipv6.conf.default.accept_source_route" = 0;
    # Disable redirects
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    # SYN flood protection
    "net.ipv4.tcp_syncookies" = 1;
    "net.ipv4.tcp_max_syn_backlog" = 2048;
    "net.ipv4.tcp_synack_retries" = 2;
    "net.ipv4.tcp_syn_retries" = 5;
    # Log martian packets
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.conf.default.log_martians" = 1;
    # Ignore redirects
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    # Connection tuning
    "net.core.somaxconn" = 4096;
    "net.core.netdev_max_backlog" = 65536;
    "net.ipv4.tcp_max_orphans" = 65536;
    "net.ipv4.tcp_fin_timeout" = 15;
    "net.ipv4.tcp_keepalive_time" = 300;
    "net.ipv4.tcp_keepalive_probes" = 5;
    "net.ipv4.tcp_keepalive_intvl" = 15;
  };
  # Audit logging
  security.auditd.enable = true;
  # Fail2ban log directory
  systemd.tmpfiles.rules = [
    "d /var/log/fail2ban 0755 root root -"
    "d /var/log/traefik 0755 root root -"
  ];
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
--- a/hosts/uConsole/configuration.nix
+++ b/hosts/uConsole/configuration.nix
@@ -1,167 +0,0 @@
 { config, lib, pkgs, paths, self, ... }:
 {
  # Basic Host Info
  networking.hostName = "uConsole";
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";
  # System State
  system.stateVersion = "25.05";
  # Boot & Hardware (uconsole-cm5 module handles boot.loader)
  boot.kernelPackages = pkgs.linuxPackages_latest;
  # Networking
  networking.networkmanager.enable = true;
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "prohibit-password";
    settings.PasswordAuthentication = false;
  };
  # User
  users.users.gortium = {
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" "video" "dialout" "kismet" ];
    openssh.authorizedKeys.keys = [
      keys.users.gortium.main
      keys.users.gortium.gitea
    ];
  };
  security.sudo.extraRules = [
    {
      users = [ "gortium" ];
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
  # ============================================================
  # Package groups
  # ============================================================
  environment.systemPackages = with pkgs; [
    # ===== Base =====
    emacs-pgtk
    git
    ripgrep
    fd
    htop
    tmux
    neovim
    # ===== HAM Radio =====
    js8call
    wsjtx
    fldigi
    pat                        # Winlink client
    direwolf                   # AX.25 packet modem
    chirp                      # Radio programming tool
    hamlib                     # Ham radio control libraries
    trustedqsl                 # Logbook of the World (LoTW)
    # ===== SDR / RF =====
    sdrpp                      # SDR++ spectrum analyzer
    gqrx                       # SDR receiver GUI
    rtl-sdr                    # RTL-SDR drivers & utilities
    inspectrum                # Offline signal analysis
    soapysdr-with-plugins      # SoapySDR + hardware support plugins
    # ===== Mesh / LoRa =====
    meshtastic                 # Python CLI for Meshtastic devices
    reticulumStack             # Reticulum Network Stack (rnsd, rnsh, rncp, rnx, rnpath, etc.)
    lxmf                       # LXMF messaging protocol
    nomadnet                   # Nomad Network client
    # ===== Security =====
    nmap
    aircrack-ng
    kismet                     # Wi-Fi monitor / IDS
    bettercap                  # MITM/network attack framework
    wireshark                  # Packet analyzer
    hashcat                    # GPU password cracker
    john                       # John the Ripper
    sqlmap                     # SQL injection tool
    # ===== GPS / Maps =====
    foxtrotgps
    viking                     # GPS map editor
    gpsbabel                   # GPS data conversion
  ];
  # Packages noted but not in unstable nixpkgs:
  #   - metasploit: unfree; install manually via Git clone
  #   - burpsuite: unfree Java app (Community Edition available for download)
  #   - sidechannel: not a distinct PyPI package; functionality covered by
  #     the Reticulum stack. For LXMF GUI client, install Sideband manually
  #     from github.com/markqvist/Sideband
  # ============================================================
  # Reticulum Service (rnsd)
  # ============================================================
  systemd.services.rnsd = {
    description = "Reticulum Network Stack Daemon";
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "gortium";
      Group = "gortium";
      ExecStart = "${pkgs.reticulumStack}/bin/rnsd";
      Restart = "always";
      RestartSec = "10s";
      LimitNOFILE = 65536;
    };
  };
  # ============================================================
  # Kismet Service (Wi-Fi monitoring / mesh node)
  # ============================================================
  systemd.services.kismet = {
    description = "Kismet Wi-Fi Monitor & IDS";
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "gortium";
      Group = "kismet";
      ExecStart = "${pkgs.kismet}/bin/kismet -c wlan0 --log-base=/home/gortium/kismet_logs --no-nc-ui";
      Restart = "always";
      RestartSec = "10s";
    };
  };
  # ============================================================
  # Kernel modules for SDR and radio
  # ============================================================
  boot.kernelModules = [
    "88x2bu"          # Realtek 8812/8821BU USB WiFi (common adapter)
    "rtl8xxxu"        # RTL8188/8192/8723 USB WiFi
    "rtl2832_sdr"     # RTL-SDR kernel module
    "dvb_usb_rtl28xxu" # RTL-SDR DVB-T
  ];
  boot.blacklistedKernelModules = [ ];
  # ============================================================
  # Extra udev rules for SDR and HAM radio devices
  # ============================================================
  services.udev.packages = with pkgs; [ rtl-sdr ];
  # ============================================================
  # Enable IPv6 for Reticulum mesh
  # ============================================================
  networking.enableIPv6 = true;
  # ============================================================
  # Firewall: open ports for Reticulum (optional)
  # ============================================================
  networking.firewall.allowedTCPPorts = [ 22 ]; # SSH only
  networking.firewall.allowedUDPPorts = [ ];
  # Reticulum uses its own encryption and doesn't need open ports
  # for basic mesh operations (peer-to-peer discovery).
  # For TCP interfaces, open additional ports as needed.
 }
--- a/hosts/uConsole/hardware-configuration.nix
+++ b/hosts/uConsole/hardware-configuration.nix
@@ -1,26 +0,0 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sdhci_pci" "nvme" ];
  boot.initrd.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # uConsole CM5 uses NVMe or eMMC for boot storage
  # The uconsole-cm5 module sets up /boot/firmware and default /
  # Override device label here if using different storage
  fileSystems."/" = lib.mkDefault {
    device = "/dev/disk/by-label/NIXOS_UCM5";
    fsType = "ext4";
    options = [ "noatime" ];
  };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
  hardware.enableRedistributableFirmware = true;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/hosts/uconsole/configuration.nix
+++ b/hosts/uconsole/configuration.nix
@@ -0,0 +1,139 @@
 { config, lib, pkgs, paths, self, keys, inputs, ... }:
 {
  # --- CORE HARDWARE (CM5 / RPi5) ---
  imports = [
    inputs.nixos-uconsole.nixosModules.uconsole
    inputs.nixos-hardware.nixosModules.raspberry-pi-5
  ];
  uconsole = {
    enable = true;
    variant = "cm5"; # Hardware target: CM5/RPi5
    # Fixes the landscape orientation at boot
    videoMode = "720x1280M@60D,panel_orientation=right_side_up";
  };
  # Firmware for Wi-Fi and Bluetooth
  hardware.enableRedistributableFirmware = true;
  hardware.raspberry-pi."5".apply-overlays-dtmerge.enable = true;
  # Enable GPU acceleration (VideoCore VII)
  hardware.graphics.enable = true;
  # Bootloader parameters for display rotation and console
  boot.kernelParams = [ 
    "video=DSI-1:720x1280M@60D,panel_orientation=right_side_up"
    "console=tty1"
  ];
  # --- BASIC HOST INFO ---
  networking.hostName = "uConsole";
  networking.networkmanager.enable = true;
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";
  # --- GPS DAEMON ---
  services.gpsd = {
    enable = true;
    devices = [ "/dev/ttyAMA0" ]; # Default port for RPi5/CM5 GPS
    nowait = true;
  };
  # --- USER CONFIGURATION ---
  users.users.thierry = {
    isNormalUser = true;
    description = "Thierry";
    extraGroups = [ 
      "wheel"      # Sudo
      "dialout"    # Access to serial/HAM rigs
      "plugdev"    # Access to USB SDRs
      "wireshark"  # Packet capture without root
      "video"      # Hardware acceleration access
      "networkmanager"
    ];
    openssh.authorizedKeys.keys = [
      keys.users.gortium.main
      keys.users.gortium.gitea
    ];
  };
  # --- INTERFACE (WAYLAND/SWAY) ---
  # Sway is recommended for the uConsole's low resources
  programs.sway = {
    enable = true;
    extraOptions = [ "--unsupported-gpu" ]; # Often needed for RPi
  };
  # --- SOFTWARE TOOLKITS ---
  environment.systemPackages = with pkgs; [
    # Base Tools (for your Doom Emacs environment)
    emacs-pgtk      # Emacs with Wayland support
    git             # Required for Doom Emacs / Flakes
    ripgrep         # Fast searching for Emacs/CLI
    fd              # Better find for Emacs
    htop            # Resource monitor
    tmux            # Terminal multiplexer
    neovim          # Alternative editor
    # HAM RADIO (Digital Modes)
    js8call         # Weak-signal keyboard messaging
    wsjtx           # FT8, JT65, etc.
    fldigi          # Digital modem (PSK, RTTY)
    pat             # Winlink client (Use 'pat configure' after install)
    direwolf        # Software TNC for APRS
    chirp           # Radio programming
    hamlib          # Rig control (rigctl)
    trustedqsl      # LotW log signing
    # SDR + RF ANALYSIS
    sdrpp           # Modern SDR GUI (Best for uConsole)
    gqrx            # Classic SDR receiver
    rtl-sdr         # Drivers for RTL2832U
    inspectrum      # Offline signal analysis
    soapysdr-with-plugins # Hardware abstraction layer
    # LORA, MESH & RETICULUM
    meshtastic      # CLI tools for Meshtastic nodes
    reticulum-network-stack # The RNS stack (rnsd, rnsh)
    nomadnet        # Reticulum browser/messaging
    lxmf            # Lightweight Mesh Exchange Protocol
    sidechannel-rns # Visual UI for Reticulum communication
    # HACKING & SECURITY (Kali-like suite)
    nmap            # Port scanning
    metasploit      # Exploitation framework
    aircrack-ng     # Wi-Fi auditing
    kismet          # Wireless sniffer (Essential for your Pi Zero project)
    bettercap       # MITM and network attack tool
    wireshark       # Protocol analyzer
    burpsuite       # Web vulnerability scanner
    hashcat         # Password recovery
    john            # John the Ripper (password cracking)
    sqlmap          # Automated SQL injection
    # GPS & OFFLINE MAPPING
    foxtrotgps      # Lightweight map viewer (Perfect for small screens)
    viking          # GPS data editor and map viewer
    gpsbabel        # GPS data conversion
    marble          # KDE Virtual Globe (supports offline tiles)
  ];
  # Udev rules for SDR and Radio hardware access
  services.udev.packages = [ 
    pkgs.rtl-sdr 
    pkgs.librtlsdr 
  ];
  # Enable Wireshark privilege separation
  programs.wireshark.enable = true;
  # Enable OpenSSH
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "prohibit-password";
  };
  # System state version
  system.stateVersion = "23.11";
 }
--- a/hosts/uconsole/hardware-configuration.nix
+++ b/hosts/uconsole/hardware-configuration.nix
@@ -0,0 +1,30 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "sdhci_pci" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # uConsole CM5 specific filesystem (SD card boot)
  fileSystems."/" =
    { device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = [ "noatime" ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-label/FIRMWARE";
      fsType = "vfat";
    };
  swapDevices = [ ];
  # uConsole CM5 is ARM64
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
  hardware.enableRedistributableFirmware = true;
 }
--- a/lib/keys.nix
+++ b/lib/keys.nix
@@ -18,5 +18,9 @@
      gitea = "";
      bootstrap = "age1r796v2uldtspawyh863pks74sd2pwcan8j4e4pjzsvkmr3vjja9qpz5ste";
    };
    # uConsole CM5 - key to be generated on first boot
    uconsole = {
      main = "";
    };
  };
 }
--- a/modules/nixos/security/README-ai-worker.md
+++ b/modules/nixos/security/README-ai-worker.md
@@ -1,105 +0,0 @@
 # AI Worker Restricted Access
 This module provides SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host.
 ## Security Model
 The `ai-worker` user has:
 ### Filesystem Access
 - **Home directory**: `/home/ai-worker` (standard user home)
 - **No bind mounts**: Cannot access `/home/gortium/infra` or other host files
 - **Cannot access**: Any files outside standard system paths
 ### Sudo Access
 - **NONE**: ai-worker has no sudo privileges
 - Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
 ### Docker Access
 - Member of `docker` group - can run `docker` and `docker exec` commands
 - Primary use: `docker exec ollama ollama ...` for benchmarking
 - Can run `docker exec --privileged ollama rocm-smi ...` for VRAM monitoring
 ## Workflow: SSH + Docker Benchmarking
 The AI worker connects from the Hermes container to the host via SSH, runs ollama benchmarks, then returns to save results.
 ### Example Workflow
 ```bash
 # From Hermes container, SSH to host
 ssh -i /path/to/ssh/key ai-worker@host.docker.internal
 # On host, run ollama benchmarks via docker
 docker exec ollama ollama pull devstral-small-2:24b
 # Create test modelfile
 docker exec ollama bash -c 'cat <<EOF > /root/.ollama/test.modelfile
 FROM devstral-small-2:24b
 PARAMETER num_ctx 65536
 PARAMETER num_gpu 99
 PARAMETER flash_attn true
 EOF'
 # Create and test model
 docker exec ollama ollama create test-model -f /root/.ollama/test.modelfile
 docker exec ollama ollama run test-model "Write a Python async function"
 # Check VRAM usage
 docker exec --privileged ollama rocm-smi --showmeminfo vram
 # Cleanup
 docker exec ollama ollama rm test-model
 # Exit SSH, return to Hermes container
 exit
 # Save results in Hermes container
 # /opt/data/ai-optimizer/state.json
 # /opt/data/ai-optimizer/results.csv
 ```
 ## SSH Access
 Connect as:
 ```bash
 ssh ai-worker@lazyworkhorse
 ```
 The working directory will be `/home/ai-worker`. No infra repo access.
 ## Verification
 Check ai-worker permissions:
 ```bash
 # On the host, as root or gortium:
 sudo -u ai-worker sudo -l
 # Should show: no sudo access
 # Check docker group membership
 groups ai-worker
 # Should show: ai-worker docker
 ```
 ## Troubleshooting
 If ai-worker cannot run docker commands:
 ```bash
 # Check docker group membership
 groups ai-worker
 # Verify ollama container is running
 docker ps | grep ollama
 # Test docker access
 sudo -u ai-worker docker exec ollama ollama list
 ```
 If SSH connection fails:
 ```bash
 # Check SSH key is authorized
 cat /home/ai-worker/.ssh/authorized_keys
 # Check SSH service
 systemctl status sshd
 ```
--- a/modules/nixos/security/ai-worker-restricted.nix
+++ b/modules/nixos/security/ai-worker-restricted.nix
@@ -1,17 +0,0 @@
 { config, pkgs, lib, ... }:
 with lib;
 {
  options.services.aiWorkerAccess = mkOption {
    type = types.bool;
    default = false;
    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
  };
  config = mkIf config.services.aiWorkerAccess {
    # ai-worker is member of docker group - can run docker commands via SSH
    # No bind mounts, no sudo access - docker-only for ollama benchmarking
    users.groups.docker.members = [ "ai-worker" ];
  };
 }
--- a/modules/nixos/services/nixos-rollback.sh
+++ b/modules/nixos/services/nixos-rollback.sh
@@ -1,400 +0,0 @@
 #!/usr/bin/env bash
 # =============================================================================
 # nixos-rollback.sh — NixOS systemd-boot Rollback Script
 #
 # Detects a failed NixOS generation (critical services not starting) and sets
 # the previous generation as the default boot option for systemd-boot.
 # Logs all actions to syslog/journald and a local logfile. Fails safely when
 # no previous generation exists or required files are missing.
 #
 # Integration with the boot sentinel:
 #   sentinel-check.sh  →  detects Tier-1 service failures (sshd, docker,
 #                          traefik, authelia) after a boot
 #   nixos-rollback.sh  ←  called when sentinel exits nonzero; sets previous
 #                          generation as default for next boot
 #
 # Usage:
 #   nixos-rollback.sh                        # auto-detect & set previous gen
 #   nixos-rollback.sh --dry-run              # show what would be done
 #   nixos-rollback.sh --rollback-now         # also run nixos-rebuild switch
 #                                            #   --rollback for immediate fix
 #   nixos-rollback.sh --help                 # full help text
 #
 # Exit codes:
 #   0 — rollback applied (or dry-run would apply)
 #   1 — preflight failure (missing files, permissions)
 #   2 — no previous generation available
 #   3 — nixos-rebuild --rollback failed (only with --rollback-now)
 #
 # Installation on NixOS:
 #   Place in /usr/local/bin/nixos-rollback.sh and make executable.
 #   Add a systemd oneshot service to run it after sentinel-check detects
 #   failures, or invoke directly from a sentinel timer.
 # =============================================================================
 set -euo pipefail
 # ── Configuration ────────────────────────────────────────────────────────────
 # These can be overridden via environment variables for testing.
 LOADER_CONF="${NIXOS_ROLLBACK_LOADER_CONF:-/boot/loader/loader.conf}"
 ENTRIES_DIR="${NIXOS_ROLLBACK_ENTRIES_DIR:-/boot/loader/entries}"
 LOGFILE="${NIXOS_ROLLBACK_LOGFILE:-/var/log/nixos-rollback.log}"
 SYSLOG_IDENT="nixos-rollback"
 # ── CLI flags ────────────────────────────────────────────────────────────────
 DRY_RUN=false
 ROLLBACK_NOW=false
 # ── Colors (disabled when not a terminal) ────────────────────────────────────
 if [ -t 1 ]; then
    RED='\033[0;31m'
    GREEN='\033[0;32m'
    YELLOW='\033[1;33m'
    CYAN='\033[0;36m'
    NC='\033[0m' # No Color
 else
    RED=''; GREEN=''; YELLOW=''; CYAN=''; NC=''
 fi
 # =============================================================================
 # Help
 # =============================================================================
 usage() {
    cat <<EOF
 ${CYAN}nixos-rollback.sh${NC} — Set the previous NixOS generation as systemd-boot default
 ${CYAN}USAGE${NC}
    nixos-rollback.sh [OPTIONS]
 ${CYAN}OPTIONS${NC}
    --dry-run           Show what would be done without making changes
    --rollback-now      Also run 'nixos-rebuild switch --rollback' for
                        immediate fix of the running system (requires
                        nixos-rebuild on PATH)
    -h, --help          Show this help text
 ${CYAN}DESCRIPTION${NC}
    Reads the current default boot entry from ${LOADER_CONF},
    determines the previous generation number, and writes it as the
    new default.  The script only modifies systemd-boot config —
    it does NOT touch the Nix store or system profile unless
    --rollback-now is passed.
    Designed as the rollback half of a boot sentinel:
      1. System boots into generation N
      2. sentinel-check.sh detects Tier-1 service failures
      3. nixos-rollback.sh sets default to generation N-1
      4. Next reboot uses the working generation
 ${CYAN}EXIT CODES${NC}
    0   Rollback applied (or dry-run would apply)
    1   Preflight failure (missing files, permissions)
    2   No previous generation available (only one generation)
    3   nixos-rebuild --rollback failed (with --rollback-now)
 ${CYAN}FILES${NC}
    ${LOADER_CONF}      systemd-boot loader configuration
    ${ENTRIES_DIR}/     generation entry .conf files
    ${LOGFILE}          action log (append-only)
 EOF
 }
 # =============================================================================
 # Logging
 # =============================================================================
 log() {
    local level="$1"; shift
    local msg="$*"
    local timestamp
    timestamp="$(date '+%Y-%m-%d %H:%M:%S')"
    echo "${timestamp} [${level}] ${msg}" >> "${LOGFILE}"
    logger -t "${SYSLOG_IDENT}" -p "user.${level}" "${msg}"
    # Also print to stderr for ERROR/WARN, stdout for INFO
    case "${level}" in
        ERROR) echo >&2 "${RED}[ERROR]${NC} ${msg}" ;;
        WARN)  echo >&2 "${YELLOW}[WARN]${NC}  ${msg}" ;;
        INFO)  echo " ${GREEN}[INFO]${NC}  ${msg}" ;;
    esac
 }
 info()  { log "INFO" "$@"; }
 warn()  { log "WARN" "$@"; }
 error() { log "ERROR" "$@"; }
 # =============================================================================
 # Preflight checks
 # =============================================================================
 preflight() {
    # Must run as root (need to write to /boot), unless overridden for testing
    if [ -z "${NIXOS_ROLLBACK_SKIP_ROOT_CHECK:-}" ] && [ "$(id -u)" -ne 0 ]; then
        error "This script must be run as root (needs write access to /boot/loader)"
        error "Set NIXOS_ROLLBACK_SKIP_ROOT_CHECK=1 for testing against mock paths."
        exit 1
    fi
    # Directories and files
    if [ ! -d "${ENTRIES_DIR}" ]; then
        error "Boot entries directory not found: ${ENTRIES_DIR}"
        exit 1
    fi
    if [ ! -f "${LOADER_CONF}" ]; then
        error "Loader config not found: ${LOADER_CONF}"
        exit 1
    fi
    if [ ! -r "${LOADER_CONF}" ]; then
        error "Cannot read loader config: ${LOADER_CONF}"
        exit 1
    fi
    # Check write access to /boot/loader (parent of loader.conf)
    local loader_dir
    loader_dir="$(dirname "${LOADER_CONF}")"
    if [ ! -w "${loader_dir}" ]; then
        error "Cannot write to ${loader_dir} (insufficient permissions)"
        exit 1
    fi
    # Logfile directory must exist
    local log_dir
    log_dir="$(dirname "${LOGFILE}")"
    if [ ! -d "${log_dir}" ]; then
        warn "Log directory ${log_dir} does not exist, creating it"
        mkdir -p "${log_dir}" 2>/dev/null || {
            error "Cannot create log directory ${log_dir}"
            exit 1
        }
    fi
    # Check --rollback-now dependencies
    if [ "${ROLLBACK_NOW}" = true ]; then
        if ! command -v nixos-rebuild &>/dev/null; then
            error "nixos-rebuild not found on PATH (required for --rollback-now)"
            exit 1
        fi
    fi
 }
 # =============================================================================
 # Generation helpers
 # =============================================================================
 # get_current_default: reads the current default entry from loader.conf
 # Returns: "nixos-generation-N.conf" or empty string
 get_current_default() {
    grep -E '^default\s+' "${LOADER_CONF}" 2>/dev/null \
        | awk '{print $2}' \
        || true
 }
 # extract_gen_number: extracts the numeric generation from a conf filename
 # Input:  "nixos-generation-367.conf"
 # Output: 367
 extract_gen_number() {
    echo "$1" | sed 's/nixos-generation-//;s/\.conf//'
 }
 # get_all_gen_numbers: returns sorted list of generation numbers from entries dir
 get_all_gen_numbers() {
    local -a gens=()
    local f n
    for f in "${ENTRIES_DIR}"/nixos-generation-*.conf; do
        [ -f "${f}" ] || continue
        n="$(basename "${f}" | sed 's/nixos-generation-//;s/\.conf//')"
        gens+=("${n}")
    done
    if [ "${#gens[@]}" -eq 0 ]; then
        return 1
    fi
    # Sort numerically and output
    printf '%s\n' "${gens[@]}" | sort -n
 }
 # get_previous_gen: given current generation number, find the previous one
 # from the list of all available generations
 get_previous_gen() {
    local current="$1"
    shift
    local -a gens=("$@")
    local prev=""
    local g
    for g in "${gens[@]}"; do
        if [ "${g}" -lt "${current}" ]; then
            prev="${g}"
        fi
    done
    if [ -z "${prev}" ]; then
        return 1
    fi
    echo "${prev}"
 }
 # =============================================================================
 # Main rollback logic
 # =============================================================================
 do_rollback() {
    # Step 1: Read current default
    local current_entry
    current_entry="$(get_current_default)"
    if [ -z "${current_entry}" ]; then
        error "No 'default' entry found in ${LOADER_CONF}"
        error "Cannot determine current generation — aborting"
        exit 1
    fi
    info "Current default boot entry: ${current_entry}"
    # Step 2: Build sorted list of all available generations
    local -a all_gens=()
    local line
    while IFS= read -r line; do
        all_gens+=("${line}")
    done < <(get_all_gen_numbers || true)
    if [ "${#all_gens[@]}" -eq 0 ]; then
        error "No NixOS generation .conf files found in ${ENTRIES_DIR}"
        exit 1
    fi
    info "Available generations: ${all_gens[*]}"
    # Step 3: Find current generation number
    local current_gen
    current_gen="$(extract_gen_number "${current_entry}")"
    # Verify current_gen is a valid number
    if ! [[ "${current_gen}" =~ ^[0-9]+$ ]]; then
        error "Could not parse generation number from '${current_entry}'"
        exit 1
    fi
    # Step 4: Find the previous generation
    local prev_gen
    prev_gen="$(get_previous_gen "${current_gen}" "${all_gens[@]}")" || {
        error "No previous generation found before generation ${current_gen}"
        error "This is the oldest available generation — cannot roll back further"
        exit 2
    }
    local prev_entry="nixos-generation-${prev_gen}.conf"
    local prev_conf_path="${ENTRIES_DIR}/${prev_entry}"
    if [ ! -f "${prev_conf_path}" ]; then
        error "Previous generation entry not found: ${prev_conf_path}"
        error "The .conf file for generation ${prev_gen} is missing — cannot roll back"
        exit 1
    fi
    info "Target rollback generation: ${prev_gen} → ${prev_entry}"
    # Step 5: Apply the rollback
    if [ "${DRY_RUN}" = true ]; then
        echo ""
        echo " ${CYAN}[DRY RUN]${NC} Would change ${LOADER_CONF}:"
        echo "   ${YELLOW}-${NC} default ${current_entry}"
        echo "   ${GREEN}+${NC} default ${prev_entry}"
        echo ""
        info "DRY RUN — no changes made"
        exit 0
    fi
    # Write new default
    # Use sed with a backup (.bak)
    sed -i.bak "s/^default\s\+${current_entry}/default ${prev_entry}/" "${LOADER_CONF}"
    # Verify the change was applied
    local new_default
    new_default="$(get_current_default)"
    if [ "${new_default}" != "${prev_entry}" ]; then
        error "Failed to set default boot entry to ${prev_entry}"
        error "Current default is still: ${new_default}"
        # Attempt to restore backup
        if [ -f "${LOADER_CONF}.bak" ]; then
            cp "${LOADER_CONF}.bak" "${LOADER_CONF}"
            info "Restored backup from ${LOADER_CONF}.bak"
        fi
        exit 1
    fi
    info "Successfully set default boot entry to ${prev_entry} (generation ${prev_gen})"
    info "Backup of previous config saved to ${LOADER_CONF}.bak"
    # Step 6: Optionally run nixos-rebuild switch --rollback
    if [ "${ROLLBACK_NOW}" = true ]; then
        echo ""
        info "Running nixos-rebuild switch --rollback for immediate effect..."
        if nixos-rebuild switch --rollback 2>&1 | while IFS= read -r line; do
            logger -t "${SYSLOG_IDENT}" "nixos-rebuild: ${line}"
            echo "    ${line}"
        done; then
            info "nixos-rebuild switch --rollback completed successfully"
        else
            local rc=$?
            error "nixos-rebuild switch --rollback failed with exit code ${rc}"
            error "The boot default has been changed but the current system was NOT rolled back"
            error "Reboot to apply the rollback"
            exit 3
        fi
    fi
    info "Rollback complete. Next boot will use generation ${prev_gen}."
    if [ "${ROLLBACK_NOW}" = false ]; then
        echo ""
        echo " ${YELLOW}NOTE:${NC} The current running system is unchanged."
        echo "       Reboot to boot into generation ${prev_gen}."
        echo "       Or re-run with --rollback-now for immediate effect."
    fi
 }
 # =============================================================================
 # Main
 # =============================================================================
 main() {
    # Parse arguments
    while [ $# -gt 0 ]; do
        case "$1" in
            --dry-run)
                DRY_RUN=true
                shift
                ;;
            --rollback-now)
                ROLLBACK_NOW=true
                shift
                ;;
            -h|--help)
                usage
                exit 0
                ;;
            *)
                echo >&2 "Unknown option: $1"
                echo >&2 "Use --help for usage information."
                exit 1
                ;;
        esac
    done
    echo ""
    echo " ${CYAN}═══ NixOS systemd-boot Rollback ═══${NC}"
    echo ""
    preflight
    if [ "${DRY_RUN}" = true ]; then
        info "DRY RUN mode — no changes will be made"
    fi
    if [ "${ROLLBACK_NOW}" = true ]; then
        info "ROLLBACK NOW mode — will also run nixos-rebuild switch --rollback"
    fi
    echo ""
    do_rollback
 }
 main "$@"
--- a/modules/nixos/services/ollama_init_custom_models.nix
+++ b/modules/nixos/services/ollama_init_custom_models.nix
@@ -1,87 +1,45 @@
 { pkgs, ... }: {
  systemd.services.init-ollama-model = {
    description = "Initialize LLM models with extra context in Ollama Docker";
-    
+    after = [ "docker-ollama.service" ];
    # On s'assure que Docker tourne avant de lancer ce script
    after = [ "docker.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
-      # Fonction de création asynchrone pour ne pas bloquer le démarrage
+      # Wait for Ollama
-      (
+      while ! ${pkgs.curl}/bin/curl -s http://localhost:11434/api/tags > /dev/null; do
-        echo "Starting asynchronous Ollama initialization..."
+        sleep 2
-        
+      done
        # Attente d'Ollama (maximum 120 secondes pour éviter une boucle infinie)
        TIMEOUT=60
        COUNT=0
        while ! ${pkgs.curl}/bin/curl -s -f http://127.0.0.1:11434/api/tags > /dev/null; do
          if [ $COUNT -ge $TIMEOUT ]; then
            echo "Ollama did not become ready in time. Exiting."
            exit 1
          fi
          echo "Waiting for Ollama API to be reachable..."
          sleep 5
          COUNT=$((COUNT + 5))
        done
-        create_model_if_missing() {
+      create_model_if_missing() {
-          local model_name=$1
+        local model_name=$1
-          local base_model=$2
+        local base_model=$2
-          
+        if ! ${pkgs.docker}/bin/docker exec ollama ollama list | grep -q "$model_name"; then
-          # Vérification robuste via l'API HTTP d'Ollama plutôt que docker exec (évite les conflits de tty)
+          echo "$model_name not found, creating from $base_model..."
-          if ! ${pkgs.curl}/bin/curl -s http://127.0.0.1:11434/api/tags | ${pkgs.jq}/bin/jq -e ".models[] | select(.name == \"$model_name\")" > /dev/null; then
+          ${pkgs.docker}/bin/docker exec ollama sh -c "cat <<EOF > /root/.ollama/$model_name.modelfile
            echo "$model_name not found, creating from $base_model..."
            # Utilisation d'un fichier temporaire sur l'hôte pour l'injecter proprement dans Docker
            TMP_FILE=$(mktemp)
            cat <<EOF > "$TMP_FILE"
 FROM $base_model
 TEMPLATE """{{- if .System }}
 [SYSTEM_PROMPT]
 {{ .System }}
 [/SYSTEM_PROMPT]
 {{- end }}
 {{- range .Messages }}
 {{- if eq .Role "user" }}
 [INST]
 {{ .Content }}
 [/INST]
 {{- else if eq .Role "assistant" }}
 {{ .Content }}
 {{- end }}
 {{- end }}"""
 PARAMETER num_ctx 131072
 PARAMETER num_predict 4096
 PARAMETER num_keep 1024
 PARAMETER repeat_penalty 1.1
 PARAMETER top_k 40
-PARAMETER stop "[INST]"
+PARAMETER stop \"[INST]\"
-PARAMETER stop "[/INST]"
+PARAMETER stop \"[/INST]\"
-PARAMETER stop "</s>"
+PARAMETER stop \"</s>\"
-EOF
+EOF"
          ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f "/root/.ollama/$model_name.modelfile"
        else
          echo "$model_name already exists, skipping."
        fi
      }
-            # Copie et création dans le conteneur
+      # Create Nemotron
-            ${pkgs.docker}/bin/docker cp "$TMP_FILE" ollama:/tmp/model.modelfile
+      create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
-            ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f /tmp/model.modelfile
+      
-            ${pkgs.docker}/bin/docker exec ollama rm /tmp/model.modelfile
+      # Create Devstral
-            rm -f "$TMP_FILE"
+      create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
          else
            echo "$model_name already exists, skipping."
          fi
        }
        # Create Nemotron
        create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
        # Create Devstral
        create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
      ) &
    '';
    serviceConfig = {
-      Type = "forking"; # Permet à systemd de savoir que le script passe en arrière-plan via '&'
+      Type = "oneshot";
-      User = "root";
+      RemainAfterExit = true;
    };
  };
 }
--- a/modules/nixos/services/rollback-sentinel.nix
+++ b/modules/nixos/services/rollback-sentinel.nix
@@ -1,184 +0,0 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.rollbackSentinel;
  # ── Scripts ────────────────────────────────────────────────────────────────
  # Sentinel check — verifies Tier-1 services are active after boot.
  # Exits nonzero when any Tier-1 service is down, which triggers the rollback.
  sentinelCheck = pkgs.writeShellScriptBin "sentinel-check.sh" ''
    #!/usr/bin/env bash
    set -euo pipefail
    SYSLOG_IDENT="nixos-sentinel"
    LOGFILE="/var/log/nixos-sentinel.log"
    echo "=== NixOS Sentinel Check ==="
    echo "Tier-1 services: ${builtins.toString cfg.tier1Services}"
    echo "Tier-2 services: ${builtins.toString cfg.tier2Services}"
    FAILED=0
    # Check Tier-1 services — any failure means rollback
    for svc in ${builtins.toString cfg.tier1Services}; do
      if systemctl is-active --quiet "$svc" 2>/dev/null; then
        echo "  [OK]  Tier-1: $svc"
      else
        echo "  [FAIL] Tier-1: $svc is NOT active"
        logger -t "$SYSLOG_IDENT" -p user.err "Tier-1 FAILURE: $svc is not active"
        FAILED=1
      fi
    done
    # Check Tier-2 services — warn only
    for svc in ${builtins.toString cfg.tier2Services}; do
      if systemctl is-active --quiet "$svc" 2>/dev/null; then
        echo "  [OK]  Tier-2: $svc"
      else
        echo "  [WARN] Tier-2: $svc is NOT active"
        logger -t "$SYSLOG_IDENT" -p user.warn "Tier-2 WARNING: $svc is not active"
      fi
    done
    echo "=== Sentinel result: $([ "$FAILED" -eq 0 ] && echo 'PASS' || echo 'FAIL') ==="
    echo "$(date '+%Y-%m-%d %H:%M:%S') [INFO] sentinel $([ "$FAILED" -eq 0 ] && echo 'PASS' || echo 'FAIL')" >> "$LOGFILE"
    exit $FAILED
  '';
  # Rollback script — package the companion shell script from this directory.
  # Uses builtins.readFile to embed the content at evaluation time.
  rollbackScript = pkgs.writeShellScriptBin "nixos-rollback.sh" (builtins.readFile ./nixos-rollback.sh);
  # Resolve rollback flags from config
  rollbackFlags =
    if cfg.rollbackMode == "dry-run" then "--dry-run"
    else if cfg.rollbackMode == "rollback-now" then "--rollback-now"
    else "";
 in {
  options.services.rollbackSentinel = {
    enable = mkEnableOption "NixOS Rollback Sentinel — auto-rollback on critical service failure";
    tier1Services = mkOption {
      type = types.listOf types.str;
      default = [ "sshd" "docker" "traefik" "authelia" ];
      description = ''
        Tier-1 services whose failure triggers an automatic systemd-boot rollback.
        On boot, the sentinel waits ${cfg.bootDelay} seconds, then checks each
        service. If ANY service in this list is inactive, it runs the rollback
        script which sets the previous NixOS generation as the default boot entry.
      '';
    };
    tier2Services = mkOption {
      type = types.listOf types.str;
      default = [
        "gitea" "hermes" "ollama" "synapse" "nextcloud"
        "vaultwarden" "wireguard" "homeassistant" "fail2ban"
      ];
      description = ''
        Tier-2 services whose failure is logged as a warning but does NOT trigger
        an automatic rollback. Useful for detecting non-critical service issues.
      '';
    };
    tier3InfoServices = mkOption {
      type = types.listOf types.str;
      default = [
        "act_runner" "syncthing" "restic" "fava"
        "homer" "cups" "fstrim"
      ];
      description = ''
        Tier-3 informational checks (log-only, no warning). These are services
        that the sentinel will note the status of for diagnostics.
      '';
    };
    bootDelay = mkOption {
      type = types.str;
      default = "120";
      description = ''
        Seconds to wait after multi-user.target before running the boot-time
        sentinel check. This gives Tier-1 services time to start before
        the sentinel decides they've failed.
      '';
    };
    rollbackMode = mkOption {
      type = types.enum [ "set-default" "rollback-now" "dry-run" ];
      default = "set-default";
      description = ''
        Rollback strategy when Tier-1 failures are detected:
        - set-default: Write the previous generation to loader.conf (next reboot).
        - rollback-now: Also run nixos-rebuild switch --rollback for immediate fix.
        - dry-run: Log what would happen but take no action (testing).
      '';
    };
    enablePostRebuild = mkOption {
      type = types.bool;
      default = true;
      description = ''
        When enabled, the sentinel check runs after every nixos-rebuild switch
        activation. If a newly deployed generation has Tier-1 failures, it
        triggers rollback immediately.
      '';
    };
  };
  config = mkIf cfg.enable {
    # ── Deploy scripts to PATH ───────────────────────────────────────────────
    environment.systemPackages = [ sentinelCheck rollbackScript ];
    # Ensure log directory exists
    systemd.tmpfiles.rules = [
      "d /var/log/nixos-sentinel 0755 root root -"
    ];
    # ── Boot-time sentinel service ───────────────────────────────────────────
    # Runs after multi-user.target with a configurable delay, checks Tier-1
    # services, and triggers rollback if any are down.
    systemd.services.nixos-sentinel = {
      description = "NixOS Boot Sentinel — check critical services, roll back on failure";
      after = [ "network.target" "multi-user.target" ];
      wants = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ coreutils gawk gnused systemd ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStartPre = "${pkgs.coreutils}/bin/sleep ${cfg.bootDelay}";
        ExecStart = "${sentinelCheck}/bin/sentinel-check.sh";
        ExecStartPost = "${rollbackScript}/bin/nixos-rollback.sh ${rollbackFlags}";
      };
    };
    # ── Post-rebuild sentinel service (triggered by activation script) ──────
    systemd.services.nixos-sentinel-rebuild = mkIf cfg.enablePostRebuild {
      description = "NixOS Post-Rebuild Sentinel — check services after nixos-rebuild";
      after = [ "network.target" ];
      path = with pkgs; [ coreutils gawk gnused systemd ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${sentinelCheck}/bin/sentinel-check.sh";
        ExecStartPost = "${rollbackScript}/bin/nixos-rollback.sh ${rollbackFlags}";
      };
    };
    # Activation script — fires after every nixos-rebuild switch
    system.activationScripts.rollback-sentinel = mkIf cfg.enablePostRebuild ''
      # Start the post-rebuild sentinel in the background.
      # This runs on every activation (boot + nixos-rebuild). On boot the
      # boot-time service handles it, so this is primarily for nixos-rebuild,
      # but running twice is safe (idempotent rollback).
      systemctl start nixos-sentinel-rebuild.service --no-block 2>/dev/null || true
    '';
  };
 }
--- a/overlays/reticulum.nix
+++ b/overlays/reticulum.nix
@@ -1,77 +0,0 @@
 final: prev: let
  python3 = final.python3;
  pyPkgs = python3.pkgs;
 in {
  reticulumStack = python3.pkgs.buildPythonApplication rec {
    pname = "reticulum";
    version = "1.2.9";
    src = pyPkgs.fetchPypi {
      pname = "rns";
      inherit version;
      sha256 = "554814231c237b9caacf8df669312e57dd7d3f84b6d4810125087d1a79a75d75";
    };
    propagatedBuildInputs = with pyPkgs; [ cryptography pyserial ];
    doCheck = false;
    pythonImportsCheck = [ "RNS" ];
    meta = with final.lib; {
      description = "Self-configuring, encrypted and resilient mesh networking stack";
      homepage = "https://reticulum.network/";
      license = licenses.mit;
      platforms = platforms.linux;
    };
  };
  lxmf = python3.pkgs.buildPythonApplication rec {
    pname = "lxmf";
    version = "0.9.8";
    src = pyPkgs.fetchPypi {
      inherit pname version;
      sha256 = "30f39f3a975a049c12ee2cfceb3261d24cb5adec881c6821f7354464b3f3650c";
    };
    propagatedBuildInputs = [ final.reticulumStack ];
    doCheck = false;
    pythonImportsCheck = [ "LXMF" ];
    meta = with final.lib; {
      description = "Lightweight Extensible Message Format for Reticulum";
      homepage = "https://github.com/markqvist/lxmf";
      license = licenses.mit;
      platforms = platforms.linux;
    };
  };
  nomadnet = python3.pkgs.buildPythonApplication rec {
    pname = "nomadnet";
    version = "1.1.1";
    src = pyPkgs.fetchPypi {
      inherit pname version;
      sha256 = "fa13b64a10e75b705a58024815ab72451700aa726af96d415ba99dec28dfc40a";
    };
    propagatedBuildInputs = with pyPkgs; [ final.reticulumStack final.lxmf urwid qrcode ];
    doCheck = false;
    pythonImportsCheck = [ "nomadnet" ];
    meta = with final.lib; {
      description = "Nomad Network — resilient mesh communications platform";
      homepage = "https://github.com/markqvist/NomadNet";
      license = licenses.mit;
      platforms = platforms.linux;
    };
  };
  rnsh = python3.pkgs.buildPythonApplication rec {
    pname = "rnsh";
    version = "0.1.7";
    src = pyPkgs.fetchPypi {
      inherit pname version;
      sha256 = "9cb72f25abb1c6d300f8014b264184ff78f592fe88e36094938012990b797c93";
    };
    propagatedBuildInputs = [ final.reticulumStack ];
    doCheck = false;
    pythonImportsCheck = [ "rnsh" ];
    meta = with final.lib; {
      description = "Remote shell over Reticulum";
      homepage = "https://github.com/acehoss/rnsh";
      license = licenses.mit;
      platforms = platforms.linux;
    };
  };
 }
--- a/secrets/containers.env.age
+++ b/secrets/containers.env.age
@@ -1,36 +1,34 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBWNEpt
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBOL29w
-cGFNeVBBaDRqb3pLSEZGQW0wb3VmVnBoZCswUFkzbnBLUnJ0QTNrClRqVkk4RUVO
+eGk1N2xxTHJtaUEvWWZmbkh1bk11Tjk3anNnMDB1cCtPYUMzdTNJCkdhQ08vblNG
-d29KYjd5YUcwankvaTFmVHUxQVpDT2ZYWHRaY3JXTUtQMU0KLT4gKXBtQ3UsXi1n
+UlV1K2xVTGZVTzFWYXAzcjZaMWs0RTFWdStKSmlSTURvK1EKLT4gLC1zKU8zVkgt
-cmVhc2UgNnwxYCBXVyA/KCQmIHt9NAo3OTZVUHR2UXkvaEFwY0ZBdEJsaFpsbHJ0
+Z3JlYXNlIFUiXFcpS302IHByVn5jOy0gRDMKQjV3SHpDWUIybGFyQUg3ZlR0R2hV
-cklKcDVHcEdWMEdPSkpnN0FiRU43RW5hUWFMdjR3WFRRSFBLSGlmClM3cTNJWlNM
+eWM3SFlCVW5mdlpBVUF3a0xpNlZCeGNUd1oxTTlkc1RkTXdZS0lFTmN3Ci0tLSA3
-TExkdHdXUHJISkNIaE1TTUxUc1NUWkV1a09HeFU3bVZwQXMKLS0tIGhOcXFTUElS
+VlBqM1VLWllZc0JnOTMvUFRjMU13OTdzMmhsdGJubkk5eGpERVVLYUk4Cnzh5UbU
-azJJNnEreUhMWTJBaVZGSTJPRUFqQkVYS01KRENUVVpZSDgK8+8onFejroBo7MeO
+FlgqpM8jkJ6XlsaIDCw/G3D6uJ/GRJW4gIekuhAUxpZJrc8eOA8ZuHfGrBbH3acV
-dW+so4lOsq4zJKn3f0cxmCFg1f0X8zt6h4Uc3A5Cvr1uU+6yw1FWmJ7xa3jJz3lO
+tVafX5F0Kr2oOblqZ6gduZOUS52KmWH8stiBJM+e5ZZ7zRQVE4PJUKUPCzi+WdcH
-EEaKQJXYC+xIIKGcA7qILa0SFp4a/4OuYjcg27HrlPhg7u5wDhQrd0LdVEe1Xngp
+zr295T//FOdicrYHdsjfziKEHzBtUCFiATW05+O2zMjYjO6cPzePcCzPWinwiID6
-ZivX7P7HwIna3X8C+TL+K2v/AG2N/z86cdKfRvxyMKNbHhYw+CfHEnWgh8tJ++4h
+V+f6ngfkkQaj3wBGkzaieQJzRcdSwky21aVhGCCX/bvqx61iW2d5QAKxGbtQ2RcG
-G9evNniuNqte6cQaRe7jODfPNW4FuY/Sb7barlJ/M9iAQdYAdyLAzU1LABeHeUfD
+X1okr+xunAM94nzDMv46vyN97KxY7cZd4pAaOxoICc2Tfhtw6F+iS6QkQh1odJzO
-wtHjxy9DUZ55Vg8bB8M2JJU9MkoRT4ewiVd9LeC1GWeVmKsm93wsmrov714i7U2j
+7ZH+sSQCvndG+8z9shXGiHalASF5tdguM+JlEvAGljcaiAUtsQWxr9CoWiEkC6c6
-wHtDkjqEF2MmzuQc18sjNaAHiwz8j6o5xU2L/Q4+Q707yISWG7RGZYh389Cr1rnw
+NCaECSYO8Il+SXBQnSZSGJSNDhuPYCYrsjXGSAONFixuyeslAkq9x2WUaUS4H063
-siUq/Vunqw2wk13+J/4vu9nqt5mMktBaCtp+QiWIurjwB5LUAyChrSm+dg5lb0Mt
+1QvRF7XO2tBPtgCLsSjdiGp0h+ImUaGdu6fDR7zrDsGsaAFCSFeH/rGNNXRQ2vP2
-UhSc0lq1+E3vxAXM2Hmk+vP86VD+6WJvAU82VFApF1s6zG2FU1/AcOVVf54nan/q
+CSfPfDDCqpUSCn0WuA30BtaPLxGmZT6OjFevKzYMNDmdeq9ia/q8K0hmjLUBdN3k
-f+rgSFfASHQCYSblUJHyEtwLNsWEmTGmOEn1buUKD/H0zatPQnc0rYpjlx2V0Sjd
+tdYWbwoaf4gYbUWxSleD768b0Jgxss9Vod+sFQ+NYRksdGIeyND+aQIc312XehfA
-6yB5+wPrZ0AkN1pjcsPKOv8Kaog2DzqIjib+SaSTaRxWHQEb9uzvaReAcYI5HOpE
+qHFBS8nlj7eUF5bdvCYQ64z741mH4cNlGxyjPBH1x8FHnEOocJXYt1l2AZSRJmJA
-gkC040HN33BItATbo4+hz70Im8Ni/VXD+g6yzM6Hj1hJL+PinTKeg5keQRFIZjMx
+c3z0QGXyuCbsrLBXWK1EKa/Juo4PGGsEVoLRhwJAQy9+i1JN0yrfRvSPyzvD4px6
-grzievB2wVBBgLgN3qMdTFmpplaL7iL702JjXZUTTK9Izp+9wiCsV1fTa53FWDht
+wRPzlZ80MQdb2lv84WS/zcOEZmZzlLntszTRRdIfAsuaavP2Rquh4rEXABYeTZwp
-ylFL5SWElqXjK+QBXxAe+Jk6VQov5HI21YDXL67S554ABeRok23wxrQ31TCI4xq9
+5dem79s8bdW2nFsGMNz1OQKQwocyjYu1jJMHu6Gp7Ngdl1xyW7xfg0dezE1c0cIh
-PQV7VtNRjyVud7S29m3OwpWOsgTZhn+JclHj2v4bNJzJkJnZRTmcvGPktzRI5+R4
+xt1aLER9YJp4n5to5cOH16l3mjDHnAvABx38xE9loNL3399J/evw7LxpTYQ4v2Xv
-e5vxVhGnJDzI71txaHl8+xS1lu9VzCQUrxX6TXyTRV4KjIOz0g06JOBgmBRBvJca
+x8xnDHcqJ+deFSwyuUnMS5DkUeYuHmUl0Q2WYcfY+ibCmcgCb2ObTtuN1/ZxNYrL
-7MZbC65xpisl/gyLRbgkVga3t94dPV+dpZsn8eq6427IyRbKslJefatggR9//c6I
+OKrnmfuSvBgyuIOj5e6uWW0+Zs8dHKXu2TgV8WignxOhl5zQgCpCBlqVfO0t+NCu
-5N5fl0fR3gJQMB+HRbipBH2YsdbdWJyb4Nn6STZxIfrqoG/xC6C1raF0xK7hUx6i
+Gi26hU/fhGWQ/1oQa3VkpGsypZbJpgQvfWxfcGHP/MMhnl01zzlP8/aexSY3pAxf
-4DUDSPohM8fOIswQPfE+FH3eygfzu/Ln5+ghsgHTEhgFvmgMvyxaAt6kHIzIUhMX
+fz9v0IVh6xxtu3zbiiVzUsXbfG7t+xY98jMphf4AS2mWva3GWVmhhu0lS3J3P+go
-M3dASr4VPDpIXuXsRWwYLEifhzxsuvwVxfwtsnCaR6XKijsYECWGDdYOWHdleeqx
+YEEP4rOFHeU0Y1/6kLydTXvz4jMH0H92XQIzshd7vzQnEJPUPAzqRmw3LKYGgCI+
-wDPhxEesfFVhKxhrKY9Ir8k9/FFBKQU/3GjW4+SMAg5Al1YEzxshP9vKuVcsei7W
+wZEnxJ6ckqTkGBFnxTpy9LLllwmnz2Ky87nY3XAmqxlhb2Ap1XFAlfgszmGjc+Il
-JDwAwotNXaCm6NBckiyZJE53ou6+gckPY7V9cOfnuH74Z9ywkFzB3HW3ZlonaGyM
+KkIgoWQHTUm6QM9ta++oUTIDneOvxGd0zZsqoEhiC/7E01BNNZ6E58TeJU3fDlA3
-oGmLGcccavFtyhg5s/As4i6X8ARIpDiwe59Pn3GNXMctySqIrrr2ogUoXgrfFCie
+mX6n05XjwPRpgXZfayPoAgBlZc2H4KeiynxwNZ/dWu7qz7L6Ppk6Nvtly8giTbFx
-6GOTdeMW7GeOSdJUxCofghlspS/nq01Og77VI/beWYrIwLubSka6Zaltww9zgObk
+CA+tto7vq+D+CAEJ4bgyq4BCH4GL4APrhPcWp98Mko1WCiRTIKgkZxQCYvlg/LZq
-/FGEMgFkEpq7iyCvYSPA8F46pJKvnMP3S84AWCPmcTcHeg4lwGPvs6btexXBGdoz
+LNhMacP9T1qTvNC+yR1NEMiegE3APzk6CkDpVaO9+5f/sqifNPINCMothenI9ePw
-nkCyq7wdH5Nngm7jUbl88LtaLZPAQkuqXphBVTnrF9Ofbnb4iRZ2Op4xpx9rGyvx
+zjQLI3Mo1m73bkomytUZ7i1VstP5sEZ5LF72Sq7BpR3oQ3Gp0CAN9w==
 mO6UEhL6V1i2YZFNkNMg/W8aoMiUgBdqbkxaxblT9L0aNdlFU9+LbWYolURVEadd
 Qjv0Z1gMA+tsuBbVszwsMfneZ5+B9Q==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/wireguard_preshared_key.age
+++ b/secrets/wireguard_preshared_key.age
@@ -1,9 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA3VG9Z
 MVFPVFc2VVJ3d0h0dmtBUnI3WHl2SzUxTkRZbjFCaGloWmV3dnd3ClcxdnVPeGd6
 SU4zR0Q0K1dtVjRRVHd0VW5XSFI0dVFpTjZnYk1DNjRxTVEKLT4gQzlgRy1ncmVh
 c2UKeUozOWgyUytSTVF0NjY2STBEb2VadwotLS0gblI3bmJCUWxxU3QrYTEyVFBI
 Snc4NC9rTkh0NnZYbUtxUE9hRWRkelpmMAq58fmH6cK13GeD7wGLxKmx10hmJeW4
 b7KqnCD1ZP7uG85s32xzVRwRG8RrG4xZo5nR9Mrtg1CoTSFfUGeFnf5xveN+Ej0X
 wDVB1LwC+Q==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/wireguard_private_key.age
+++ b/secrets/wireguard_private_key.age
@@ -1,11 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA5dzVG
 WUNvT3NlRmcrWS81bzJqSWlTekVYaDFFTE10SkI2dEgzaGpxcUI4Cmk5Y0FGYTRZ
 K0NGYzY3VUp4aS9ZZGRmWTgybDJFUURva2pZNmVOS3QxdEUKLT4gPnVRTCtldGMt
 Z3JlYXNlCk04OTJZeFRNeDI5aGpMVTk1ZTE0Y2FMMnFEMjlJalJpMHRlaTE4ZWIx
 d2lCRGQ5RHVjcktOMGJCb1VERlNWcTYKaSt0L1Z6dVJ0QWIyZkhsYzFEVjZSQWUr
 ZWpwVlo1TmhoUFJZdkEvR0gxNlVhcXF2ZTRnCi0tLSBLcmM2MThNVkdWclpHUXRr
 VTF6QVk2WUZlTXpZMVNLMlpBOFc3M1o5WjZzCs9xbPlIX+u5vRSQ/z9utu+I9S2c
 02DOsIb1kzxzb1OK91b8Kh4JucQSq3qkyEvRucsNn5QW8hIHDnRuND6EbPyN7p4S
 YB/F0dxSqgnq
 -----END AGE ENCRYPTED FILE-----
--- a/users/ai-worker.nix
+++ b/users/ai-worker.nix
@@ -9,85 +9,6 @@
    openssh.authorizedKeys.keys = [
      keys.users.ai-worker.main
    ];
    # No password login - SSH key only
    hashedPassword = "!";
  };
  users.groups.ai-worker = {};
  # Enable restricted AI worker SSH access for ollama benchmarking
  # SECURITY: ai-worker can only:
  #   - SSH into host from Hermes container
  #   - Run docker commands (docker exec ollama ...) via docker group
  #   - Run specific security audit commands
  #   - NO access to infra repo (no bind mount)
  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
  services.aiWorkerAccess = true;
  # Restricted sudo for ai-worker - security checks only
  security.sudo.extraRules = [
    {
      users = [ "ai-worker" ];
      commands = [
        # Firewall checks
        {
          command = "/run/wrappers/bin/sudo iptables -L -n -v";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/wrappers/bin/sudo iptables -S";
          options = [ "NOPASSWD" ];
        }
        # Fail2ban status
        {
          command = "/run/current-system/sw/bin/fail2ban-client status";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/fail2ban-client status *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/fail2ban-client get * banned";
          options = [ "NOPASSWD" ];
        }
        # Log inspection
        {
          command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
          options = [ "NOPASSWD" ];
        }
        # SSH config verification
        {
          command = "/run/current-system/sw/bin/sshd -T";
          options = [ "NOPASSWD" ];
        }
        # Docker service checks
        {
          command = "/run/current-system/sw/bin/docker ps";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker inspect *";
          options = [ "NOPASSWD" ];
        }
        # Network diagnostics
        {
          command = "/run/current-system/sw/bin/ss -tlnp";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/cat /proc/net/tcp";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
 }