From 546569caf7a124768c8f795206f07384f786b204 Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Sun, 22 Mar 2026 01:25:00 +0000
Subject: [PATCH] feat(kafka): complete kafka integration - service deployed and verified
---
 .claude/settings.local.json | 32 ++++++++++++++++-
 configuration.nix | 80 +++++++++++++++++++++++-------------
 flake.nix | 2 +-
 modules/forgejo.nix | 9 +++-
 modules/openclaw-config.json | 21 +++++++++-
 modules/openclaw-podman.nix | 14 ++++++-
 secrets/secrets.yaml | 5 ++-
 7 files changed, 127 insertions(+), 36 deletions(-)
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index 9041a2b..046f95f 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -34,7 +34,37 @@
 "Bash(find:*)",
 "Bash(systemctl cat:*)",
 "Bash(readlink:*)",
- "Bash(nixos-option:*)"
+ "Bash(nixos-option:*)",
+ "Bash(grep:*)",
+ "Bash(echo:*)",
+ "Bash(sudo systemd-tmpfiles:*)",
+ "Read(//var/run/**)",
+ "Bash(resolvectl status:*)",
+ "Bash(sudo -u forgejo nslookup google.com 2>&1 || echo \"nslookup failed, trying getent:\" && sudo -u forgejo getent hosts google.com 2>&1)",
+ "Bash(sudo -u gitea-runner podman run --rm --network bridge alpine:latest nslookup google.com 2>&1 || echo \"Test failed\")",
+ "Read(//nix/store/**)",
+ "Read(//home/ashie/.config/containers/**)",
+ "Bash(sudo -u gitea-runner -- cat ~/.config/containers/containers.conf 2>/dev/null || echo \"No user containers.conf\")",
+ "Bash(nix repl:*)",
+ "mcp__zread__get_repo_structure",
+ "Bash(git clone:*)",
+ "Bash(/nix/store/dcax4chmdjyqwvns9arqqg3kmf889kbq-forgejo-runner-12.7.2/bin/act_runner generate-config:*)",
+ "Bash(cat:*)",
+ "Bash(nix flake:*)",
+ "Bash(git commit:*)",
+ "Bash(git show:*)",
+ "Bash(systemctl list-units:*)",
+ "Bash(getent group:*)",
+ "Bash(man -P cat gitea-actions-runner)",
+ "Read(//run/current-system/sw/share/doc/man/**)",
+ "Bash(mcp__zread__get_repo_structure repo_name=\"penal-colony/gosearch\")",
+ "Bash(ssh:*)",
+ "Bash(nix eval:*)",
+ "Bash(sudo -u gitea-runner podman info 2>&1 | head -20)",
+ "Bash(forgejo:*)",
+ "Read(//home/ashie/.config/**)",
+ "Read(//run/secrets.d/150/rendered/**)",
+ "Bash(journalctl:*)"
 ]
 }
 }
diff --git a/configuration.nix b/configuration.nix
index 06d9b7c..5419532 100644
--- a/configuration.nix
+++ b/configuration.nix
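Review bot: `Read(//run/secrets.d/150/rendered/**)` grants the coding agent plaintext access to every rendered sops template, and `Bash(cat:*)` plus `Read(//nix/store/**)` widen that further, so any secret the agent inspects ends up in the model provider's context and in local session transcripts. If the goal was to debug the kafka-config permission problem, a metadata-only grant such as `Bash(stat:*)` or `Bash(ls -l:*)` answers that without exposing contents, and the `/150/` component looks like a per-activation generation directory that will go stale on the next rebuild anyway. `Bash(ssh:*)`, `Bash(git commit:*)`, `Bash(sudo systemd-tmpfiles:*)` and `Bash(forgejo:*)` are also standing grants that outlive the one-off debugging session; trimming this list now that the service is verified keeps the agent's blast radius proportional to its task.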
@@ -227,42 +227,64 @@ config = config.sops.templates."kafka-config.toml".path; }; + # Separate service to fix kafka config permissions (runs as root) + systemd.services.kafka-fix-perms = { + description = "Fix kafka config file permissions"; + wantedBy = [ "kafka.service" ]; + partOf = [ "kafka.service" ]; + before = [ "kafka.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.bash}/bin/bash -c 'chmod g+r /run/secrets/rendered/kafka-config.toml && chgrp kafka /run/secrets/rendered/kafka-config.toml'"; + RemainAfterExit = true; + }; + }; + # Hardening for kafka service - systemd.services.kafka.serviceConfig = { - # Capability bounds - CapabilityBoundingSet = [ "" ]; - AmbientCapabilities = [ "" ]; + systemd.services.kafka = { + path = with pkgs; [ inputs.kafka.packages.${pkgs.system}.default ]; + serviceConfig = { + # Fix: binary is named searxng-go, not kafka + ExecStart = lib.mkForce "${inputs.kafka.packages.${pkgs.system}.default}/bin/searxng-go -config /run/secrets/rendered/kafka-config.toml"; - # Filesystem - ProtectSystem = "strict"; - ProtectHome = true; - ReadWritePaths = [ "/var/lib/kafka" ]; - PrivateTmp = true; + # Need root group to read /run/secrets/rendered/kafka-config.toml + SupplementaryGroups = [ "root" ]; - # Network - PrivateDevices = true; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + # Capability bounds + CapabilityBoundingSet = [ "" ]; + AmbientCapabilities = [ "" ]; - # Process isolation - ProtectProc = "invisible"; - ProcSubset = "pid"; - NoNewPrivileges = true; - ProtectClock = true; - ProtectHostname = true; + # Filesystem + ProtectSystem = "strict"; + ProtectHome = true; + ReadWritePaths = [ "/var/lib/kafka" "/run/secrets" ]; + PrivateTmp = true; - # System call filtering - SystemCallFilter = [ "@system-service" "~@privileged" ]; - SystemCallArchitectures = "native"; + # Network + PrivateDevices = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; - # Memory - 
MemoryDenyWriteExecute = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; + # Process isolation + ProtectProc = "invisible"; + ProcSubset = "pid"; + NoNewPrivileges = true; + ProtectClock = true; + ProtectHostname = true; - # Resource limits - RestrictNamespaces = true; - LockPersonality = true; - RemoveIPC = true; + # System call filtering + SystemCallFilter = [ "@system-service" "~@privileged" ]; + SystemCallArchitectures = "native"; + + # Memory + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + + # Resource limits + RestrictNamespaces = true; + LockPersonality = true; + RemoveIPC = true; + }; }; # === Vaultwarden ===
diff --git a/flake.nix b/flake.nix
index f68258c..e01addd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,7 @@ }; }; - outputs = { self, nixpkgs, sops-nix, ... }@inputs: { + outputs = { self, nixpkgs, kafka, sops-nix, ... }@inputs: { nixosConfigurations.nixos = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs; };
diff --git a/modules/forgejo.nix b/modules/forgejo.nix
index f64e149..739456c 100644
--- a/modules/forgejo.nix
+++ b/modules/forgejo.nix
@@ -134,10 +134,17 @@
 labels = cfg.runner.labels;
 settings = {
 container = {
- network = "bridge";
+ network = "host";
 };
 };
 };
 };
+
+ # Fix: Bind mount Podman socket for gitea-runner
+ # With DynamicUser=true, SupplementaryGroups doesn't reliably work.
+ # BindPaths ensures the service can access the socket regardless of group membership.
+ systemd.services.gitea-runner-default = lib.mkIf cfg.runner.enable {
+ serviceConfig.BindPaths = [ "/run/podman/podman.sock" ];
+ };
 };
 }
diff --git a/modules/openclaw-config.json b/modules/openclaw-config.json
index 5b44538..f005f2a 100644
--- a/modules/openclaw-config.json
+++ b/modules/openclaw-config.json
@@ -24,7 +24,7 @@
 "agents": {
 "defaults": {
 "model": {
- "primary": "zai/glm-5"
+ "primary": "minimax/MiniMax-M2.7"
 }
 }
 },
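Review bot: `ReadWritePaths = [ "/var/lib/kafka" "/run/secrets" ]` gives the sandboxed service write access to every rendered secret, while `SupplementaryGroups = [ "root" ]` and the root-run `kafka-fix-perms` chmod/chgrp unit are two overlapping workarounds for the same read-permission problem, each widening privilege more than a config read needs. Reading the file needs none of them: `ProtectSystem = "strict"` only mounts the tree read-only, so reads still work, and sops-nix templates accept ownership options, so `sops.templates."kafka-config.toml".owner = "kafka";` (or `group = "kafka"; mode = "0440";`) on the template definition that begins above this hunk renders the file readable by the service user at render time. With that in place `kafka-fix-perms`, the `root` supplementary group and the `/run/secrets` write path can all be dropped and the line returns to `ReadWritePaths = [ "/var/lib/kafka" ];`. As written, the oneshot also runs only once per boot (`RemainAfterExit = true`), so a re-render by a later `nixos-rebuild switch` presumably resets the permissions until the next restart — another reason to fix ownership at render time rather than patching it afterwards.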
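Review bot: Bind-mounting `/run/podman/podman.sock` into `gitea-runner-default` lets any Actions workflow that reaches this runner drive the rootful Podman daemon, which is root on the host — a job can start a container with `--privileged` or `-v /:/host` regardless of the unit's own `DynamicUser` sandbox. Changing `network` from `bridge` to `host` compounds this, because job containers then share the host's network namespace and can reach loopback-bound services (Forgejo, Vaultwarden) and bypass any filtering on the podman bridge. If the runner must use Podman, a rootless socket owned by the runner's own user, or a socket proxy that restricts the API, keeps a compromised job from owning the host, and the DNS problem that apparently motivated `host` (the `nslookup` checks added to `settings.local.json` suggest one) is better fixed inside the bridge network. The comment's claim that `BindPaths` fixes access is also only half the story: a bind mount makes the path visible but does not change the socket's DAC permissions, so the unit's user must still be allowed to write it — worth confirming which mechanism actually grants that and saying so in the comment.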
@@ -52,6 +52,25 @@
 { "id": "glm-4.5-air", "name": "GLM 4.5 Air", "contextWindow": 128000, "maxTokens": 131072 },
 { "id": "glm-4.7-flash", "name": "GLM 4.7 Flash", "contextWindow": 128000, "maxTokens": 131072 }
 ]
+ },
+ "tng": {
+ "baseUrl": "https://api.tng-chimera.ai/v1/",
+ "apiKey": "${TNG_API_KEY}",
+ "api": "openai-completions",
+ "models": [
+ { "id": "tngtech/R1T2-Chimera-Speed", "name": "TNG Chimera Speed", "contextWindow": 65536, "maxTokens": 65536 }
+ ]
+ },
+ "minimax": {
+ "baseUrl": "https://api.minimax.io/anthropic",
+ "apiKey": "${MINIMAX_API_KEY}",
+ "api": "anthropic-messages",
+ "models": [
+ { "id": "MiniMax-M2.7", "name": "MiniMax M2.7", "contextWindow": 200000, "maxTokens": 32768, "reasoning": true },
+ { "id": "MiniMax-M2.5", "name": "MiniMax M2.5", "contextWindow": 200000, "maxTokens": 32768, "reasoning": true },
+ { "id": "MiniMax-M2.5-highspeed", "name": "MiniMax M2.5 Highspeed", "contextWindow": 200000, "maxTokens": 32768, "reasoning": true },
+ { "id": "MiniMax-VL-01", "name": "MiniMax VL 01", "contextWindow": 200000, "maxTokens": 32768 }
+ ]
 }
 }
 }
diff --git a/modules/openclaw-podman.nix b/modules/openclaw-podman.nix
index 1ea31a8..42f268e 100644
--- a/modules/openclaw-podman.nix
+++ b/modules/openclaw-podman.nix
@@ -89,7 +89,7 @@ in
 for skill_file in $REPO_SRC/skills/openclaw-native/*/SKILL.md; do [ -f "$skill_file" ] || continue skill_name=$(basename $(dirname "$skill_file")) - + # Check if stateful: true in frontmatter if sed -n '2,/^---$/p' "$skill_file" | grep -q '^stateful: *true'; then mkdir -p "/var/lib/openclaw/skill-state/$skill_name"
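Review bot: The `${MINIMAX_API_KEY}` and `${TNG_API_KEY}` placeholders only work if the container actually receives those environment variables, and this diff adds the `minimax_api_key` sops entry but shows no env or template wiring for it, so confirm the provider authenticates before relying on it rather than discovering a placeholder being sent literally as a bearer token. Making `minimax` the default `primary` model also routes every agent request — including whatever repository or skill-state content the agent reads — to a new third-party endpoint (`https://api.minimax.io/anthropic`); that may be intended, but it is a data-flow change the `feat(kafka)` commit message does not mention. Minor: the `tng` `baseUrl` carries a trailing slash while the others do not; worth checking that the client joins paths the same way for both.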
@@ -102,6 +102,18 @@ in
 ''} ''; + # Set git email for the node user inside the container + systemd.services."openclaw-git-config" = { + description = "Configure git email for OpenClaw node user"; + after = [ "podman-openclaw.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.podman}/bin/podman exec -u node openclaw git config --global user.email 'kafka@ashisgreat.xyz'"; + RemainAfterExit = true; + }; + }; + # Go toolchain installation script # Stored in /var/lib/openclaw and executed inside the container environment.etc."openclaw/install-go.sh".source = pkgs.writeScript "install-go.sh" ''
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 5138062..f8d3521 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -16,6 +16,7 @@ forgejo_user: ENC[AES256_GCM,data:Ralbwu6+6Htc2+I=,iv:dicPMRRriz6MVp0PtbezI6Ucxd
 github_token: ENC[AES256_GCM,data:OAh6v6xrLr47ZdytdSR4uBpj6vJB8kJa8qc3eFBByK53nkrb3SUuBQ==,iv:GM/DpFSVl1CeQLX4tH2WxBuWBbI1YWzSsmvZK+2jdWM=,tag:lPQSjIlYbe3AczfDN3Nk+g==,type:str]
 openwebui_secret_key: ENC[AES256_GCM,data:c1Mnc0juYBAmHap3f0G5vwRDUymYWb92nIk78Rw5ApkhhW4k4ifRccCsv0fU2TXNSwHCc7d6OeP60kJYEpr5ZA==,iv:wCqfwhn6WFv3A0asZnbPdBdmw24QdKbJE0BplWzq9CE=,tag:WU8Rlyf+CIL2uG8yWKHjcw==,type:str]
 tng_api_key: ENC[AES256_GCM,data:KxfGd46SSp13zo1IxchDVq8dY7wTReyAS58JTIqJbv10YoXKY2fq4R4o6EaWSqyJC+k=,iv:QBVLbDDV94pwsHSngABiL17wVcHYNTUBtoOvQgg8Fcc=,tag:A/4Ieeb1nIKVEJ6FVL6gJQ==,type:str]
+minimax_api_key: ENC[AES256_GCM,data:Y3jwwI7HvGKYZcBtgfjZWzs01rc7LMsBPlaVj1fnU4jBtF8wL0vVll9dTFENuJeCjmt35g1c5/7XtLe8T4s+A3w5LeRxAXsnGB7dM0mzxPf4EvKPCUdH+XuIpA4Iih1DbO0dO2H0/qSEg/Q9aucJusZ2mWcaT7meolccGp8=,iv:JkJYFP5N27QVkoLTOViIJYoHub66JV0ziY8ahzdL2lA=,tag:/aTyuzAdAtFCBoxg0SLYKw==,type:str]
 sops:
 age:
 - recipient: age1rz4eyzmmtmua6s9cny3pjjwv80n4fpvhkwc4jzdd8vpre8zc5vtqfjtuy0
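Review bot: `openclaw-git-config` only orders itself `after` `podman-openclaw.service` without `requires`/`partOf`, so it is started on boot even when the container is down and `podman exec` then fails the unit, and because `RemainAfterExit = true` keeps it active it never re-runs when the container is recreated — the `--global` setting lives in the node user's home inside the container and presumably vanishes on the next image update unless that home is a persistent volume, which this hunk does not show. Add `requires = [ "podman-openclaw.service" ];` and `partOf = [ "podman-openclaw.service" ];` so the unit follows the container's lifecycle, or avoid the post-start exec entirely by setting `GIT_AUTHOR_EMAIL`/`GIT_COMMITTER_EMAIL` in the container's environment. Note also that `after` only orders unit activation; if the container unit reports active before the process accepts `exec`, an `ExecStartPre` readiness check or a short retry loop would make this deterministic instead of timing-dependent.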
@@ -27,7 +28,7 @@ sops:
 SnI3Z3p6U0x1YzVUTHZ0RVh0cHBDSGMKbDXwp9MM9cL/9DgWPV/btH6iYgaVXmvw
 Gk4IsH7zEWbS1kxIEapzBpIINTSQKZ30aPqwuspVKdSa8lsfi1X1jA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-20T23:38:03Z"
- mac: ENC[AES256_GCM,data:B9s77SPIEI22K1QVyE4iUx9sDlPph7jbGVP2R5ulA+LU0ctjVqybvQQIepY1lN7OmnOVteK1Ed3B+BlqxlYhotZgTU14Sjh0fy5NKViLG2eQOJRbMoYPSXL7aLugGkfhTWr0qvdR9O4S4e6jR2AFWfp07x+HRSM95hKKCKgOFYI=,iv:TBAICXdmp0L4iAbAbST1K9/eysqNq3gqRy1mrMOap9o=,tag:eqBRamo+TdE6wleiiZC3eQ==,type:str]
+ lastmodified: "2026-03-21T23:33:40Z"
+ mac: ENC[AES256_GCM,data:CkwgWZPkxHolLemYlLsK2YD/Y7W+3m9443TNCjuvW9jP2hYzgjgL5UYxfltRZFkR2zL7Cy7yPsWOSbIKMY5wXMX6isOgtfPyTYG3rBZ8mR3l4iACeDtE58yVJXclXjcg81oJW8HUpgIcWPGrANtLqiqOdGxHd9e3eGaXZV+zfoU=,iv:mlEEmP0JMod+x0r2mzanyFQf2o7wxYxJoh10Pj2ebyM=,tag:DgNd3kG1G6L2mx4jwFZxWQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.1