penal-colony/nixos-vps
2
0
Fork 1
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

.

Browse source
This commit is contained in:
ashisgreat22 2026-03-21 20:23:32 +00:00
parent ad55793d41
commit 6b64254eab
11 changed files with 155 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

27
.claude/settings.local.json
View file

@ -9,7 +9,32 @@
"mcp__web-reader__webReader", "mcp__web-reader__webReader",
"Bash(python3 -c \"import json; json.load\\(open\\('modules/openclaw-config.json'\\)\\); print\\('JSON is valid'\\)\")", "Bash(python3 -c \"import json; json.load\\(open\\('modules/openclaw-config.json'\\)\\); print\\('JSON is valid'\\)\")",
"mcp__zread__search_doc", "mcp__zread__search_doc",
"mcp__zread__read_file" "mcp__zread__read_file",
"Bash(sudo podman:*)",
"Bash(curl:*)",
"Bash(sudo ls:*)",
"Bash(sudo systemctl:*)",
"Bash(sudo mkdir:*)",
"Bash(sudo chown:*)",
"Bash(sudo chmod:*)",
"Read(//var/lib/**)",
"Bash(sudo cat:*)",
"Bash(sudo journalctl:*)",
"Bash(sudo nginx:*)",
"Bash(systemctl status:*)",
"Bash(nix-instantiate:*)",
"Bash(sudo head:*)",
"Bash(ls:*)",
"Bash(systemctl show:*)",
"Bash(nix-store:*)",
"Read(//etc/**)",
"Bash(sudo iptables:*)",
"Bash(sudo find:*)",
"Bash(sudo grep:*)",
"Bash(find:*)",
"Bash(systemctl cat:*)",
"Bash(readlink:*)",
"Bash(nixos-option:*)"
] ]
} }
} }

15
custom/public/assets/img/favicon.svg Normal file
View file

@ -0,0 +1,15 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" fill="none">
<!-- The Harrow — Favicon -->
<!-- Central needle -->
<rect x="29" y="6" width="6" height="52" fill="#E63946"/>
<!-- Scratches — left -->
<line x1="29" y1="22" x2="12" y2="18" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
<line x1="29" y1="36" x2="8" y2="40" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
<line x1="29" y1="48" x2="18" y2="54" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
<!-- Scratches — right -->
<line x1="35" y1="26" x2="52" y2="20" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
<line x1="35" y1="40" x2="56" y2="44" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
<line x1="35" y1="52" x2="46" y2="58" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
<!-- Needle tip -->
<polygon points="29,58 35,58 32,64" fill="#E63946"/>
</svg>
Side by side

After

Width:  |  Height:  |  Size: 937 B

15
custom/public/assets/img/logo.svg Normal file
View file

@ -0,0 +1,15 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" fill="none">
<!-- The Harrow — Penal Colony Git Forge -->
<!-- Central needle -->
<rect x="244" y="40" width="24" height="432" fill="#E63946"/>
<!-- Etched scratches — left -->
<line x1="244" y1="180" x2="120" y2="160" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
<line x1="244" y1="260" x2="80" y2="280" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
<line x1="244" y1="340" x2="140" y2="380" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
<!-- Etched scratches — right -->
<line x1="268" y1="200" x2="392" y2="170" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
<line x1="268" y1="290" x2="430" y2="310" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
<line x1="268" y1="370" x2="370" y2="410" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
<!-- Needle tip — descending point -->
<polygon points="244,472 268,472 256,510" fill="#E63946"/>
</svg>
Side by side

After

Width:  |  Height:  |  Size: 1 KiB

8
modules/adguard.nix
View file

@ -185,12 +185,18 @@ in
iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true
''; '';
# Nginx reverse proxy for AdGuard Home Web UI and DoH # Nginx reverse proxy for AdGuard Home Web UI and DoH (Tailscale only)
myModules.nginx.domains."${cfg.domain}" = { myModules.nginx.domains."${cfg.domain}" = {
port = cfg.port; port = cfg.port;
internalOnly = true; # Restrict access to Tailscale network and localhost only
contentSecurityPolicy = null; # AdGuard Home handles its own CSP contentSecurityPolicy = null; # AdGuard Home handles its own CSP
}; };
# Allow direct Tailscale access to AdGuard Home dashboard
networking.firewall.extraCommands = lib.mkAfter ''
iptables -I ts-input 3 -p tcp --dport ${toString cfg.port} -s 100.64.0.0/10 -j ACCEPT
'';
# Ensure nginx user can access ACME certs # Ensure nginx user can access ACME certs
users.users.nginx.extraGroups = [ "acme" ]; users.users.nginx.extraGroups = [ "acme" ];
}; };

9
modules/forgejo.nix
View file

@ -67,7 +67,7 @@
enable = true; enable = true;
database.type = "postgres"; database.type = "postgres";
customDir = toString (pkgs.copyPathToStore ../custom); customDir = "/var/lib/forgejo/custom";
settings = { settings = {
server = { server = {
DOMAIN = cfg.domain; DOMAIN = cfg.domain;
@ -116,6 +116,13 @@
config.services.forgejo.stateDir config.services.forgejo.stateDir
]; ];
# Copy branding assets to custom directory (Forgejo serves from /assets/img/)
systemd.tmpfiles.rules = [
"d /var/lib/forgejo/custom/public/assets/img 0755 forgejo forgejo -"
"C+ /var/lib/forgejo/custom/public/assets/img/logo.svg - - - - ${toString ../custom/public/assets/img/logo.svg}"
"C+ /var/lib/forgejo/custom/public/assets/img/favicon.svg - - - - ${toString ../custom/public/assets/img/favicon.svg}"
];
services.gitea-actions-runner = lib.mkIf cfg.runner.enable { services.gitea-actions-runner = lib.mkIf cfg.runner.enable {
package = pkgs.forgejo-runner; package = pkgs.forgejo-runner;
instances.default = { instances.default = {

2
modules/netdata.nix
View file

@ -56,7 +56,7 @@ in
# Allow direct Tailscale access to Netdata port # Allow direct Tailscale access to Netdata port
networking.firewall.extraCommands = lib.mkAfter '' networking.firewall.extraCommands = lib.mkAfter ''
iptables -I INPUT 1 -p tcp --dport ${toString cfg.port} -s 100.64.0.0/10 -j ACCEPT iptables -I ts-input 3 -p tcp --dport ${toString cfg.port} -s 100.64.0.0/10 -j ACCEPT
''; '';
}; };

18
modules/nginx.nix
View file

@ -89,6 +89,10 @@
}; };
}; };
websockets = {
enable = lib.mkEnableOption "WebSocket proxy support for this domain";
};
extraLocations = lib.mkOption { extraLocations = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule { type = lib.types.attrsOf (lib.types.submodule {
options = { options = {
@ -135,6 +139,12 @@
commonHttpConfig = lib.optionalString cfg.rateLimit.enable '' commonHttpConfig = lib.optionalString cfg.rateLimit.enable ''
limit_req_zone $binary_remote_addr zone=global:10m rate=${toString cfg.rateLimit.requests}r/s; limit_req_zone $binary_remote_addr zone=global:10m rate=${toString cfg.rateLimit.requests}r/s;
limit_conn_zone $binary_remote_addr zone=connlimit:10m; limit_conn_zone $binary_remote_addr zone=connlimit:10m;
''
+ ''
map $http_upgrade $connection_upgrade {
default upgrade;
''' close;
}
''; '';
virtualHosts = lib.mapAttrs' (domain: opts: { virtualHosts = lib.mapAttrs' (domain: opts: {
@ -161,7 +171,13 @@
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:${toString opts.port}"; proxyPass = "http://127.0.0.1:${toString opts.port}";
extraConfig = opts.extraConfig + lib.optionalString (if opts.rateLimit.enable != null then extraConfig = opts.extraConfig
+ lib.optionalString opts.websockets.enable ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
''
+ lib.optionalString (if opts.rateLimit.enable != null then
opts.rateLimit.enable else cfg.rateLimit.enable) '' opts.rateLimit.enable else cfg.rateLimit.enable) ''
limit_req zone=global burst=${toString (if opts.rateLimit.burst != null then opts.rateLimit.burst limit_req zone=global burst=${toString (if opts.rateLimit.burst != null then opts.rateLimit.burst
else cfg.rateLimit.burst)} nodelay; else cfg.rateLimit.burst)} nodelay;

9
modules/open-webui.nix
View file

@ -50,6 +50,7 @@ in
environment = { environment = {
OLLAMA_API_BASE_URL = cfg.ollamaUrl; OLLAMA_API_BASE_URL = cfg.ollamaUrl;
WEBUI_URL = "https://${cfg.domain}"; WEBUI_URL = "https://${cfg.domain}";
OPENAI_API_BASE_URL = "https://api.tng-chimera.ai/v1/";
}; };
environmentFile = config.sops.templates."openwebui.env".path; environmentFile = config.sops.templates."openwebui.env".path;
}; };
@ -58,10 +59,12 @@ in
sops.templates."openwebui.env" = { sops.templates."openwebui.env" = {
content = '' content = ''
WEBUI_SECRET_KEY=${config.sops.placeholder.openwebui_secret_key} WEBUI_SECRET_KEY=${config.sops.placeholder.openwebui_secret_key}
OPENAI_API_KEY=${config.sops.placeholder.tng_api_key}
''; '';
}; };
sops.secrets.openwebui_secret_key = { }; sops.secrets.openwebui_secret_key = { };
sops.secrets.tng_api_key = { };
# Nginx configuration # Nginx configuration
myModules.nginx.domains.${cfg.domain} = { myModules.nginx.domains.${cfg.domain} = {
@ -69,8 +72,12 @@ in
extraConfig = '' extraConfig = ''
client_max_body_size 100M; client_max_body_size 100M;
''; '';
# Disable rate limiting for OpenWebUI (loads many assets at once)
rateLimit.enable = false;
# Enable WebSocket support for Socket.IO
websockets.enable = true;
# Relaxed CSP for OpenWeb UI — needs unsafe-eval for some JS, WebSockets, external images # Relaxed CSP for OpenWeb UI — needs unsafe-eval for some JS, WebSockets, external images
contentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss: https:; frame-ancestors 'self'"; contentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss: https: ws:; frame-ancestors 'self'";
}; };
}; };
} }

53
modules/openclaw-podman.nix
View file

@ -52,6 +52,7 @@ in
# Create directory for OpenClaw data # Create directory for OpenClaw data
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/lib/openclaw 0755 1000 1000 -" # Assuming node user is uid 1000 "d /var/lib/openclaw 0755 1000 1000 -" # Assuming node user is uid 1000
"d /var/lib/openclaw/local 0755 1000 1000 -" # For Go toolchain
]; ];
# OpenClaw container (bridge network — isolated from host services) # OpenClaw container (bridge network — isolated from host services)
@ -63,6 +64,7 @@ in
]; ];
volumes = [ volumes = [
"/var/lib/openclaw:/home/node/.openclaw" "/var/lib/openclaw:/home/node/.openclaw"
"/var/lib/openclaw/local:/home/node/.local"
] ++ lib.optionals cfg.superpowers.enable [ ] ++ lib.optionals cfg.superpowers.enable [
"${cfg.superpowers.src}:/home/node/superpowers-src:ro" "${cfg.superpowers.src}:/home/node/superpowers-src:ro"
]; ];
@ -71,7 +73,7 @@ in
# Copy the declarative config before starting the container # Copy the declarative config before starting the container
# This allows OpenClaw to safely write/rename the file at runtime without EBUSY errors # This allows OpenClaw to safely write/rename the file at runtime without EBUSY errors
systemd.services."podman-openclaw".preStart = lib.mkBefore '' systemd.services."podman-openclaw".preStart = lib.mkBefore ''
mkdir -p /var/lib/openclaw mkdir -p /var/lib/openclaw/local
cp -f ${./openclaw-config.json} /var/lib/openclaw/openclaw.json cp -f ${./openclaw-config.json} /var/lib/openclaw/openclaw.json
chown -R 1000:1000 /var/lib/openclaw chown -R 1000:1000 /var/lib/openclaw
chmod -R u+rwX /var/lib/openclaw chmod -R u+rwX /var/lib/openclaw
@ -100,13 +102,56 @@ in
''} ''}
''; '';
# Go toolchain installation script
# Stored in /var/lib/openclaw and executed inside the container
environment.etc."openclaw/install-go.sh".source = pkgs.writeScript "install-go.sh" ''
#!/bin/bash
set -e
GO_URL="https://go.dev/dl/go1.24.1.linux-amd64.tar.gz"
GO_DIR="/home/node/.local/go"
if [ -d "$GO_DIR" ]; then
echo "Go already installed at $GO_DIR"
exit 0
fi
echo "Installing Go toolchain"
mkdir -p /home/node/.local
if command -v curl &> /dev/null; then
curl -fsSL "$GO_URL" | tar -C /home/node/.local -xzf -
elif command -v wget &> /dev/null; then
wget -qO- "$GO_URL" | tar -C /home/node/.local -xzf -
else
echo "ERROR - Neither curl nor wget available"
exit 1
fi
echo "Go installed successfully"
"$GO_DIR/bin/go" version
'';
# Go toolchain installation
# Downloads Go to a persistent volume for use inside the container
systemd.services."openclaw-go-setup" = {
description = "Install Go toolchain for OpenClaw";
after = [ "podman-openclaw.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
# Copy script to container-accessible location, then execute
ExecStart = "${pkgs.bash}/bin/bash -c 'cp /etc/openclaw/install-go.sh /var/lib/openclaw/ && chmod +x /var/lib/openclaw/install-go.sh && ${pkgs.podman}/bin/podman exec -u node openclaw /home/node/.openclaw/install-go.sh'";
RemainAfterExit = true;
};
};
# Optional: Install PyYAML inside the container on startup # Optional: Install PyYAML inside the container on startup
# We do this as a postStart or a simple background loop if needed, # We do this as a postStart or a simple background loop if needed,
# but a better way is to ensure the image has it. # but a better way is to ensure the image has it.
# Since we can't easily change the image here, we'll try to run a one-time pip install. # Since we can't easily change the image here, we'll try to run a one-time pip install.
systemd.services."openclaw-superpowers-setup" = lib.mkIf cfg.superpowers.enable { systemd.services."openclaw-superpowers-setup" = lib.mkIf cfg.superpowers.enable {
description = "One-time setup for OpenClaw superpowers (PyYAML and Cron)"; description = "One-time setup for OpenClaw superpowers (PyYAML and Cron)";
after = [ "podman-openclaw.service" ]; after = [ "podman-openclaw.service" "openclaw-go-setup.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";

6
modules/podman.nix
View file

@ -28,5 +28,11 @@ in
# Give main user access to podman # Give main user access to podman
users.users.${mainUser}.extraGroups = [ "podman" ]; users.users.${mainUser}.extraGroups = [ "podman" ];
# Enable IP forwarding for container networking
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
}; };
} }

5
secrets/secrets.yaml
View file

@ -15,6 +15,7 @@ forgejo_token: ENC[AES256_GCM,data:/ugEQr0bqai0QPbW9FqdqQEBrF8bSqTtGtCswRP7BYfMR
forgejo_user: ENC[AES256_GCM,data:Ralbwu6+6Htc2+I=,iv:dicPMRRriz6MVp0PtbezI6UcxdCmszp9PnTsJaHAzKk=,tag:g2mUMYmnDJZ42F+KVsvHhg==,type:str] forgejo_user: ENC[AES256_GCM,data:Ralbwu6+6Htc2+I=,iv:dicPMRRriz6MVp0PtbezI6UcxdCmszp9PnTsJaHAzKk=,tag:g2mUMYmnDJZ42F+KVsvHhg==,type:str]
github_token: ENC[AES256_GCM,data:OAh6v6xrLr47ZdytdSR4uBpj6vJB8kJa8qc3eFBByK53nkrb3SUuBQ==,iv:GM/DpFSVl1CeQLX4tH2WxBuWBbI1YWzSsmvZK+2jdWM=,tag:lPQSjIlYbe3AczfDN3Nk+g==,type:str] github_token: ENC[AES256_GCM,data:OAh6v6xrLr47ZdytdSR4uBpj6vJB8kJa8qc3eFBByK53nkrb3SUuBQ==,iv:GM/DpFSVl1CeQLX4tH2WxBuWBbI1YWzSsmvZK+2jdWM=,tag:lPQSjIlYbe3AczfDN3Nk+g==,type:str]
openwebui_secret_key: ENC[AES256_GCM,data:c1Mnc0juYBAmHap3f0G5vwRDUymYWb92nIk78Rw5ApkhhW4k4ifRccCsv0fU2TXNSwHCc7d6OeP60kJYEpr5ZA==,iv:wCqfwhn6WFv3A0asZnbPdBdmw24QdKbJE0BplWzq9CE=,tag:WU8Rlyf+CIL2uG8yWKHjcw==,type:str] openwebui_secret_key: ENC[AES256_GCM,data:c1Mnc0juYBAmHap3f0G5vwRDUymYWb92nIk78Rw5ApkhhW4k4ifRccCsv0fU2TXNSwHCc7d6OeP60kJYEpr5ZA==,iv:wCqfwhn6WFv3A0asZnbPdBdmw24QdKbJE0BplWzq9CE=,tag:WU8Rlyf+CIL2uG8yWKHjcw==,type:str]
tng_api_key: ENC[AES256_GCM,data:KxfGd46SSp13zo1IxchDVq8dY7wTReyAS58JTIqJbv10YoXKY2fq4R4o6EaWSqyJC+k=,iv:QBVLbDDV94pwsHSngABiL17wVcHYNTUBtoOvQgg8Fcc=,tag:A/4Ieeb1nIKVEJ6FVL6gJQ==,type:str]
sops: sops:
age: age:
- recipient: age1rz4eyzmmtmua6s9cny3pjjwv80n4fpvhkwc4jzdd8vpre8zc5vtqfjtuy0 - recipient: age1rz4eyzmmtmua6s9cny3pjjwv80n4fpvhkwc4jzdd8vpre8zc5vtqfjtuy0
@ -26,7 +27,7 @@ sops:
SnI3Z3p6U0x1YzVUTHZ0RVh0cHBDSGMKbDXwp9MM9cL/9DgWPV/btH6iYgaVXmvw SnI3Z3p6U0x1YzVUTHZ0RVh0cHBDSGMKbDXwp9MM9cL/9DgWPV/btH6iYgaVXmvw
Gk4IsH7zEWbS1kxIEapzBpIINTSQKZ30aPqwuspVKdSa8lsfi1X1jA== Gk4IsH7zEWbS1kxIEapzBpIINTSQKZ30aPqwuspVKdSa8lsfi1X1jA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-20T21:46:27Z" lastmodified: "2026-03-20T23:38:03Z"
mac: ENC[AES256_GCM,data:EnwV1ghvueIVy0zSfBiJYITz79/WgtABjY+UC8l7IdUUppymWMpU1AotqxZmBwGuVmheffGNxjmeJGyq4vjBssz8AKagtqNO7l3MAkqDfcFBJbBip5zR7b6kh2izhWUfokB73Fvp7nwnYFsaGKDVPMzsCZ2hWSxhTzdzn4/iv9w=,iv:kZSS5F3l1nId8gcZmHbLKIIyquwbnUrdjHVWDnwV+yI=,tag:yTbpzExgwmGQKELbriyzPw==,type:str] mac: ENC[AES256_GCM,data:B9s77SPIEI22K1QVyE4iUx9sDlPph7jbGVP2R5ulA+LU0ctjVqybvQQIepY1lN7OmnOVteK1Ed3B+BlqxlYhotZgTU14Sjh0fy5NKViLG2eQOJRbMoYPSXL7aLugGkfhTWr0qvdR9O4S4e6jR2AFWfp07x+HRSM95hKKCKgOFYI=,iv:TBAICXdmp0L4iAbAbST1K9/eysqNq3gqRy1mrMOap9o=,tag:eqBRamo+TdE6wleiiZC3eQ==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.1 version: 3.12.1