.

.claude/settings.local.json

@@ -9,7 +9,32 @@
       "mcp__web-reader__webReader",
       "Bash(python3 -c \"import json; json.load\\(open\\('modules/openclaw-config.json'\\)\\); print\\('JSON is valid'\\)\")",
       "mcp__zread__search_doc",
-      "mcp__zread__read_file"
+      "mcp__zread__read_file",
+      "Bash(sudo podman:*)",
+      "Bash(curl:*)",
+      "Bash(sudo ls:*)",
+      "Bash(sudo systemctl:*)",
+      "Bash(sudo mkdir:*)",
+      "Bash(sudo chown:*)",
+      "Bash(sudo chmod:*)",
+      "Read(//var/lib/**)",
+      "Bash(sudo cat:*)",
+      "Bash(sudo journalctl:*)",
+      "Bash(sudo nginx:*)",
+      "Bash(systemctl status:*)",
+      "Bash(nix-instantiate:*)",
+      "Bash(sudo head:*)",
+      "Bash(ls:*)",
+      "Bash(systemctl show:*)",
+      "Bash(nix-store:*)",
+      "Read(//etc/**)",
+      "Bash(sudo iptables:*)",
+      "Bash(sudo find:*)",
+      "Bash(sudo grep:*)",
+      "Bash(find:*)",
+      "Bash(systemctl cat:*)",
+      "Bash(readlink:*)",
+      "Bash(nixos-option:*)"
     ]
   }
 }

custom/public/assets/img/favicon.svg

@@ -0,0 +1,15 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" fill="none">
+  <!-- The Harrow — Favicon -->
+  <!-- Central needle -->
+  <rect x="29" y="6" width="6" height="52" fill="#E63946"/>
+  <!-- Scratches — left -->
+  <line x1="29" y1="22" x2="12" y2="18" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
+  <line x1="29" y1="36" x2="8" y2="40" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
+  <line x1="29" y1="48" x2="18" y2="54" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
+  <!-- Scratches — right -->
+  <line x1="35" y1="26" x2="52" y2="20" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
+  <line x1="35" y1="40" x2="56" y2="44" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
+  <line x1="35" y1="52" x2="46" y2="58" stroke="#E63946" stroke-width="4" stroke-linecap="square"/>
+  <!-- Needle tip -->
+  <polygon points="29,58 35,58 32,64" fill="#E63946"/>
+</svg>

custom/public/assets/img/logo.svg

@@ -0,0 +1,15 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" fill="none">
+  <!-- The Harrow — Penal Colony Git Forge -->
+  <!-- Central needle -->
+  <rect x="244" y="40" width="24" height="432" fill="#E63946"/>
+  <!-- Etched scratches — left -->
+  <line x1="244" y1="180" x2="120" y2="160" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
+  <line x1="244" y1="260" x2="80" y2="280" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
+  <line x1="244" y1="340" x2="140" y2="380" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
+  <!-- Etched scratches — right -->
+  <line x1="268" y1="200" x2="392" y2="170" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
+  <line x1="268" y1="290" x2="430" y2="310" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
+  <line x1="268" y1="370" x2="370" y2="410" stroke="#E63946" stroke-width="14" stroke-linecap="square"/>
+  <!-- Needle tip — descending point -->
+  <polygon points="244,472 268,472 256,510" fill="#E63946"/>
+</svg>

modules/adguard.nix

@@ -185,12 +185,18 @@ in
       iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true
     '';
 
-    # Nginx reverse proxy for AdGuard Home Web UI and DoH
+    # Nginx reverse proxy for AdGuard Home Web UI and DoH (Tailscale only)
     myModules.nginx.domains."${cfg.domain}" = {
       port = cfg.port;
+      internalOnly = true; # Restrict access to Tailscale network and localhost only
       contentSecurityPolicy = null; # AdGuard Home handles its own CSP
     };
 
+    # Allow direct Tailscale access to AdGuard Home dashboard
+    networking.firewall.extraCommands = lib.mkAfter ''
+      iptables -I ts-input 3 -p tcp --dport ${toString cfg.port} -s 100.64.0.0/10 -j ACCEPT
+    '';
+
     # Ensure nginx user can access ACME certs
     users.users.nginx.extraGroups = [ "acme" ];
   };

modules/forgejo.nix

@@ -67,7 +67,7 @@
         enable = true;
         database.type = "postgres";
 
-        customDir = toString (pkgs.copyPathToStore ../custom);
+        customDir = "/var/lib/forgejo/custom";
         settings = {
           server = {
             DOMAIN = cfg.domain;
@@ -116,6 +116,13 @@
         config.services.forgejo.stateDir
       ];
 
+      # Copy branding assets to custom directory (Forgejo serves from /assets/img/)
+      systemd.tmpfiles.rules = [
+        "d /var/lib/forgejo/custom/public/assets/img 0755 forgejo forgejo -"
+        "C+ /var/lib/forgejo/custom/public/assets/img/logo.svg - - - - ${toString ../custom/public/assets/img/logo.svg}"
+        "C+ /var/lib/forgejo/custom/public/assets/img/favicon.svg - - - - ${toString ../custom/public/assets/img/favicon.svg}"
+      ];
+
       services.gitea-actions-runner = lib.mkIf cfg.runner.enable {
         package = pkgs.forgejo-runner;
         instances.default = {

modules/netdata.nix

@@ -56,7 +56,7 @@ in
 
     # Allow direct Tailscale access to Netdata port
     networking.firewall.extraCommands = lib.mkAfter ''
-      iptables -I INPUT 1 -p tcp --dport ${toString cfg.port} -s 100.64.0.0/10 -j ACCEPT
+      iptables -I ts-input 3 -p tcp --dport ${toString cfg.port} -s 100.64.0.0/10 -j ACCEPT
     '';
   };
 

modules/nginx.nix

@@ -89,6 +89,10 @@
               };
             };
 
+            websockets = {
+              enable = lib.mkEnableOption "WebSocket proxy support for this domain";
+            };
+
             extraLocations = lib.mkOption {
               type = lib.types.attrsOf (lib.types.submodule {
                 options = {
@@ -135,6 +139,12 @@
         commonHttpConfig = lib.optionalString cfg.rateLimit.enable ''
           limit_req_zone $binary_remote_addr zone=global:10m rate=${toString cfg.rateLimit.requests}r/s;
           limit_conn_zone $binary_remote_addr zone=connlimit:10m;
+        ''
+        + ''
+          map $http_upgrade $connection_upgrade {
+            default upgrade;
+            ''' close;
+          }
         '';
 
         virtualHosts = lib.mapAttrs' (domain: opts: {
@@ -161,7 +171,13 @@
             locations = {
               "/" = {
                 proxyPass = "http://127.0.0.1:${toString opts.port}";
-                extraConfig = opts.extraConfig + lib.optionalString (if opts.rateLimit.enable != null then
+                extraConfig = opts.extraConfig
+                  + lib.optionalString opts.websockets.enable ''
+                    proxy_http_version 1.1;
+                    proxy_set_header Upgrade $http_upgrade;
+                    proxy_set_header Connection $connection_upgrade;
+                  ''
+                  + lib.optionalString (if opts.rateLimit.enable != null then
   opts.rateLimit.enable else cfg.rateLimit.enable) ''
                   limit_req zone=global burst=${toString (if opts.rateLimit.burst != null then opts.rateLimit.burst
   else cfg.rateLimit.burst)} nodelay;

modules/open-webui.nix

@@ -50,6 +50,7 @@ in
       environment = {
         OLLAMA_API_BASE_URL = cfg.ollamaUrl;
         WEBUI_URL = "https://${cfg.domain}";
+        OPENAI_API_BASE_URL = "https://api.tng-chimera.ai/v1/";
       };
       environmentFile = config.sops.templates."openwebui.env".path;
     };
@@ -58,10 +59,12 @@ in
     sops.templates."openwebui.env" = {
       content = ''
         WEBUI_SECRET_KEY=${config.sops.placeholder.openwebui_secret_key}
+        OPENAI_API_KEY=${config.sops.placeholder.tng_api_key}
       '';
     };
 
     sops.secrets.openwebui_secret_key = { };
+    sops.secrets.tng_api_key = { };
 
     # Nginx configuration
     myModules.nginx.domains.${cfg.domain} = {
@@ -69,8 +72,12 @@ in
       extraConfig = ''
         client_max_body_size 100M;
       '';
+      # Disable rate limiting for OpenWebUI (loads many assets at once)
+      rateLimit.enable = false;
+      # Enable WebSocket support for Socket.IO
+      websockets.enable = true;
       # Relaxed CSP for OpenWeb UI — needs unsafe-eval for some JS, WebSockets, external images
-      contentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss: https:; frame-ancestors 'self'";
+      contentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss: https: ws:; frame-ancestors 'self'";
     };
   };
 }

modules/openclaw-podman.nix

@@ -52,6 +52,7 @@ in
     # Create directory for OpenClaw data
     systemd.tmpfiles.rules = [
       "d /var/lib/openclaw 0755 1000 1000 -" # Assuming node user is uid 1000
+      "d /var/lib/openclaw/local 0755 1000 1000 -" # For Go toolchain
     ];
 
     # OpenClaw container (bridge network — isolated from host services)
@@ -63,6 +64,7 @@ in
       ];
       volumes = [
         "/var/lib/openclaw:/home/node/.openclaw"
+        "/var/lib/openclaw/local:/home/node/.local"
       ] ++ lib.optionals cfg.superpowers.enable [
         "${cfg.superpowers.src}:/home/node/superpowers-src:ro"
       ];
@@ -71,7 +73,7 @@ in
     # Copy the declarative config before starting the container
     # This allows OpenClaw to safely write/rename the file at runtime without EBUSY errors
     systemd.services."podman-openclaw".preStart = lib.mkBefore ''
-      mkdir -p /var/lib/openclaw
+      mkdir -p /var/lib/openclaw/local
       cp -f ${./openclaw-config.json} /var/lib/openclaw/openclaw.json
       chown -R 1000:1000 /var/lib/openclaw
       chmod -R u+rwX /var/lib/openclaw
@@ -100,13 +102,56 @@ in
       ''}
     '';
 
+    # Go toolchain installation script
+    # Stored in /var/lib/openclaw and executed inside the container
+    environment.etc."openclaw/install-go.sh".source = pkgs.writeScript "install-go.sh" ''
+      #!/bin/bash
+      set -e
+      GO_URL="https://go.dev/dl/go1.24.1.linux-amd64.tar.gz"
+      GO_DIR="/home/node/.local/go"
+
+      if [ -d "$GO_DIR" ]; then
+        echo "Go already installed at $GO_DIR"
+        exit 0
+      fi
+
+      echo "Installing Go toolchain"
+      mkdir -p /home/node/.local
+
+      if command -v curl &> /dev/null; then
+        curl -fsSL "$GO_URL" | tar -C /home/node/.local -xzf -
+      elif command -v wget &> /dev/null; then
+        wget -qO- "$GO_URL" | tar -C /home/node/.local -xzf -
+      else
+        echo "ERROR - Neither curl nor wget available"
+        exit 1
+      fi
+
+      echo "Go installed successfully"
+      "$GO_DIR/bin/go" version
+    '';
+
+    # Go toolchain installation
+    # Downloads Go to a persistent volume for use inside the container
+    systemd.services."openclaw-go-setup" = {
+      description = "Install Go toolchain for OpenClaw";
+      after = [ "podman-openclaw.service" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        # Copy script to container-accessible location, then execute
+        ExecStart = "${pkgs.bash}/bin/bash -c 'cp /etc/openclaw/install-go.sh /var/lib/openclaw/ && chmod +x /var/lib/openclaw/install-go.sh && ${pkgs.podman}/bin/podman exec -u node openclaw /home/node/.openclaw/install-go.sh'";
+        RemainAfterExit = true;
+      };
+    };
+
     # Optional: Install PyYAML inside the container on startup
-    # We do this as a postStart or a simple background loop if needed, 
-    # but a better way is to ensure the image has it. 
+    # We do this as a postStart or a simple background loop if needed,
+    # but a better way is to ensure the image has it.
     # Since we can't easily change the image here, we'll try to run a one-time pip install.
     systemd.services."openclaw-superpowers-setup" = lib.mkIf cfg.superpowers.enable {
       description = "One-time setup for OpenClaw superpowers (PyYAML and Cron)";
-      after = [ "podman-openclaw.service" ];
+      after = [ "podman-openclaw.service" "openclaw-go-setup.service" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         Type = "oneshot";

modules/podman.nix

@@ -28,5 +28,11 @@ in
 
     # Give main user access to podman
     users.users.${mainUser}.extraGroups = [ "podman" ];
+
+    # Enable IP forwarding for container networking
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+    };
   };
 }

secrets/secrets.yaml

@@ -15,6 +15,7 @@ forgejo_token: ENC[AES256_GCM,data:/ugEQr0bqai0QPbW9FqdqQEBrF8bSqTtGtCswRP7BYfMR
 forgejo_user: ENC[AES256_GCM,data:Ralbwu6+6Htc2+I=,iv:dicPMRRriz6MVp0PtbezI6UcxdCmszp9PnTsJaHAzKk=,tag:g2mUMYmnDJZ42F+KVsvHhg==,type:str]
 github_token: ENC[AES256_GCM,data:OAh6v6xrLr47ZdytdSR4uBpj6vJB8kJa8qc3eFBByK53nkrb3SUuBQ==,iv:GM/DpFSVl1CeQLX4tH2WxBuWBbI1YWzSsmvZK+2jdWM=,tag:lPQSjIlYbe3AczfDN3Nk+g==,type:str]
 openwebui_secret_key: ENC[AES256_GCM,data:c1Mnc0juYBAmHap3f0G5vwRDUymYWb92nIk78Rw5ApkhhW4k4ifRccCsv0fU2TXNSwHCc7d6OeP60kJYEpr5ZA==,iv:wCqfwhn6WFv3A0asZnbPdBdmw24QdKbJE0BplWzq9CE=,tag:WU8Rlyf+CIL2uG8yWKHjcw==,type:str]
+tng_api_key: ENC[AES256_GCM,data:KxfGd46SSp13zo1IxchDVq8dY7wTReyAS58JTIqJbv10YoXKY2fq4R4o6EaWSqyJC+k=,iv:QBVLbDDV94pwsHSngABiL17wVcHYNTUBtoOvQgg8Fcc=,tag:A/4Ieeb1nIKVEJ6FVL6gJQ==,type:str]
 sops:
     age:
         - recipient: age1rz4eyzmmtmua6s9cny3pjjwv80n4fpvhkwc4jzdd8vpre8zc5vtqfjtuy0
@@ -26,7 +27,7 @@ sops:
             SnI3Z3p6U0x1YzVUTHZ0RVh0cHBDSGMKbDXwp9MM9cL/9DgWPV/btH6iYgaVXmvw
             Gk4IsH7zEWbS1kxIEapzBpIINTSQKZ30aPqwuspVKdSa8lsfi1X1jA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-20T21:46:27Z"
-    mac: ENC[AES256_GCM,data:EnwV1ghvueIVy0zSfBiJYITz79/WgtABjY+UC8l7IdUUppymWMpU1AotqxZmBwGuVmheffGNxjmeJGyq4vjBssz8AKagtqNO7l3MAkqDfcFBJbBip5zR7b6kh2izhWUfokB73Fvp7nwnYFsaGKDVPMzsCZ2hWSxhTzdzn4/iv9w=,iv:kZSS5F3l1nId8gcZmHbLKIIyquwbnUrdjHVWDnwV+yI=,tag:yTbpzExgwmGQKELbriyzPw==,type:str]
+    lastmodified: "2026-03-20T23:38:03Z"
+    mac: ENC[AES256_GCM,data:B9s77SPIEI22K1QVyE4iUx9sDlPph7jbGVP2R5ulA+LU0ctjVqybvQQIepY1lN7OmnOVteK1Ed3B+BlqxlYhotZgTU14Sjh0fy5NKViLG2eQOJRbMoYPSXL7aLugGkfhTWr0qvdR9O4S4e6jR2AFWfp07x+HRSM95hKKCKgOFYI=,iv:TBAICXdmp0L4iAbAbST1K9/eysqNq3gqRy1mrMOap9o=,tag:eqBRamo+TdE6wleiiZC3eQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1