Compare commits
3 commits
671f7b5117
...
7f519f804b
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
7f519f804b | ||
|
|
19b9844881 | ||
|
|
26d4bcc857 |
5 changed files with 78 additions and 42 deletions
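--- /dev/null
+++ b/nixos/arion-openclaw/arion-compose.nix
@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+project.name = "openclaw";
+
+networks.openclaw.external = false;
+
+services = {
+app = {
+service = {
+image = "node:lts-alpine";
+container_name = "openclaw";
+restart = "unless-stopped";
+networks = [ "openclaw" ];
+volumes = [
+"/var/openclaw/app:/app"
+"/root/.openclaw:/root/.openclaw:ro"
+];
+ports = [ "127.0.0.1:4310:4310" ];
+environment = {
+PORT = "4310";
+OPENCLAW_HOME = "/root/.openclaw";
+};
+command = [
+"sh" "-c"
+''
+set -e
+apk add --no-cache git
+if [ ! -d /app/repo ]; then
+git clone https://github.com/TianyiDataScience/openclaw-control-center.git /app/repo
+fi
+cd /app/repo
+if [ ! -f .env ]; then
+cp .env.example .env
+sed -i "s|OPENCLAW_HOME=.*|OPENCLAW_HOME=/root/.openclaw|" .env
+sed -i "s|PORT=.*|PORT=4310|" .env
+fi
+npm install
+npm run build
+exec npm run dev:ui
+''
+];
+};
+};
+};
+}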
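Review bot: The start-up script clones the default branch of `openclaw-control-center` with no ref pinned and then runs `npm install`, so every container (re)start executes whatever code that GitHub repo and the npm registry serve at that moment, inside a container that has `/root/.openclaw` mounted and read-write access to `/var/openclaw/app`. Pin the checkout to a reviewed commit, e.g. `git clone https://github.com/TianyiDataScience/openclaw-control-center.git /app/repo && git -C /app/repo checkout <commit-sha>`, and replace `npm install` with `npm ci` so the committed lockfile's integrity hashes are enforced (assuming the repo ships a `package-lock.json` — worth confirming). `node:lts-alpine` is a floating tag and, as far as I know, the official node images run as root by default, so a digest-pinned image plus a `user` setting would make the runtime both reproducible and less privileged. Separately, `exec npm run dev:ui` reads like a development server; if it is, it should not be the process fronted by the public `claw.quineglobal.com` vhost added elsewhere in this compare.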
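--- /dev/null
+++ b/nixos/arion-openclaw/arion-pkgs.nix
@@ -0,0 +1,3 @@
+import <nixpkgs> {
+system = "x86_64-linux";
+}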
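Review bot: `import <nixpkgs>` resolves through `NIX_PATH` at evaluation time, so this file is not pinned to the nixpkgs the rest of the host uses (the main module reads `nixPkgs = specialArgs.nixPkgs`), and two runs or two machines can evaluate the openclaw compose against different package sets. If the file exists only for running the `arion` CLI by hand the stakes are low, but a comment saying so — `# Only used by the standalone arion CLI; the NixOS arion module passes its own pkgs.` — would stop anyone from relying on it, and pinning it to the flake's nixpkgs input would remove the drift entirely.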
|
|
@ -20,6 +20,5 @@
|
|||
networking.firewall.extraCommands = ''
|
||||
iptables -I nixos-fw -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept
|
||||
iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 53 -j nixos-fw-accept
|
||||
iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 5901 -j nixos-fw-accept
|
||||
'';
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,8 +18,6 @@
|
|||
nixPkgs = specialArgs.nixPkgs;
|
||||
ourRustVersion = pkgs.rust-bin.selectLatestNightlyWith (toolchain: toolchain.complete);
|
||||
|
||||
vncContext = builtins.path { path = ./vnc-desktop; name = "vnc-desktop-context"; };
|
||||
|
||||
ourRustPlatform = nixPkgs.makeRustPlatform {
|
||||
rustc = ourRustVersion;
|
||||
cargo = ourRustVersion;
|
||||
|
|
@ -114,8 +112,8 @@ in {
|
|||
}
|
||||
];
|
||||
|
||||
# KDE Plasma on the host — the noVNC container (vnc-desktop) is a thin WebSocket
|
||||
# proxy that connects to the VNC server started here.
|
||||
# KDE Plasma on the host — the novnc systemd service (websockify) proxies
|
||||
# WebSocket traffic from nginx to the VNC server started here.
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
desktopManager.plasma5.enable = true;
|
||||
|
|
@ -175,6 +173,7 @@ in {
|
|||
projects.riverside.settings = import ./arion-riverside/arion-compose.nix;
|
||||
projects.pluto.settings = import ./arion-pluto/arion-compose.nix;
|
||||
projects.paperless.settings = import ./arion-paperless/arion-compose.nix;
|
||||
#projects.openclaw.settings = import ./arion-openclaw/arion-compose.nix;
|
||||
};
|
||||
|
||||
# The arion NixOS module sets backend = "podman-socket" but doesn't inject
|
||||
|
|
@ -184,36 +183,20 @@ in {
|
|||
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
systemd.services.arion-pluto.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
systemd.services.arion-paperless.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
#systemd.services.arion-openclaw.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
|
||||
# Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed.
|
||||
# vncContext is a Nix store path that changes whenever any file under vnc-desktop/ changes,
|
||||
# which causes build-vnc-image to re-run and podman-vnc-desktop to restart on nixos-rebuild.
|
||||
systemd.services.build-vnc-image = {
|
||||
description = "Build VNC desktop container image from Dockerfile";
|
||||
wantedBy = [ "podman-vnc-desktop.service" ];
|
||||
before = [ "podman-vnc-desktop.service" ];
|
||||
systemd.services.novnc = {
|
||||
description = "noVNC WebSocket proxy for VNC desktop";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "vnc-kde.service" "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = pkgs.writeShellScript "build-vnc-image" ''
|
||||
STAMP=/var/lib/build-vnc-image/context-hash
|
||||
EXPECTED="${vncContext}"
|
||||
if [ -f "$STAMP" ] && [ "$(cat "$STAMP")" = "$EXPECTED" ]; then
|
||||
echo "VNC image is up to date, skipping build"
|
||||
exit 0
|
||||
fi
|
||||
echo "Building VNC desktop image..."
|
||||
${pkgs.podman}/bin/podman build \
|
||||
-t forge.quinefoundation.com/ironmagma/vnc-desktop:latest \
|
||||
${vncContext}
|
||||
mkdir -p "$(dirname "$STAMP")"
|
||||
echo "$EXPECTED" > "$STAMP"
|
||||
'';
|
||||
Type = "simple";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "3s";
|
||||
ExecStart = "${pkgs.python3Packages.websockify}/bin/websockify --web ${pkgs.novnc}/share/webapps/novnc 127.0.0.1:6080 localhost:5901";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.podman-vnc-desktop.restartTriggers = [ "${vncContext}" ];
|
||||
|
||||
services.gitea-actions-runner.instances."ubuntu" = {
|
||||
enable = true;
|
||||
name = "ubuntu";
|
||||
|
|
@ -259,6 +242,7 @@ in {
|
|||
"d /var/paperless/consume 0755 root root"
|
||||
"d /var/paperless/postgres 0755 root root"
|
||||
"d /var/paperless/redis 0755 root root"
|
||||
"d /var/openclaw/app 0755 root root"
|
||||
"d /var/riverside/files 0755 root root"
|
||||
"d /var/riverside/postgres 0755 root root"
|
||||
"d /var/lib/gitea-runner/ubuntu 0755 gitea-runner gitea-runner"
|
||||
|
|
@ -307,18 +291,6 @@ in {
|
|||
# ports = ["8081:80"];
|
||||
# };
|
||||
|
||||
"vnc-desktop" = {
|
||||
autoStart = true;
|
||||
image = "forge.quinefoundation.com/ironmagma/vnc-desktop:latest";
|
||||
environmentFiles = [ config.age.secrets.vnc-password.path ];
|
||||
volumes = [ "/root/.ssh:/root/host-ssh:ro" ];
|
||||
ports = [ "127.0.0.1:6080:6080" ];
|
||||
extraOptions = [
|
||||
"--add-host=hetzner-host:host-gateway"
|
||||
"--pids-limit=-1"
|
||||
];
|
||||
};
|
||||
|
||||
"navidrome" = {
|
||||
autoStart = true;
|
||||
environment = {
|
||||
|
|
@ -479,6 +451,7 @@ in {
|
|||
"acme-selfsigned-www.philippeterson.com.service"
|
||||
"acme-selfsigned-riverside.coldairnetworks.com.service"
|
||||
"acme-selfsigned-vnc.quinefoundation.com.service"
|
||||
"acme-selfsigned-claw.quineglobal.com.service"
|
||||
"acme-selfsigned-webdav.philippeterson.com.service"
|
||||
"acme-selfsigned-pluto.philippeterson.com.service"
|
||||
"acme-selfsigned-paperless.philippeterson.com.service"
|
||||
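Review bot: The new `systemd.services.novnc` unit runs websockify as root with no sandboxing — its `serviceConfig` sets only `Type`, `Restart`, `RestartSec` and `ExecStart` — although a WebSocket proxy bound to `127.0.0.1:6080` behind nginx only needs to read the nix store and bind an unprivileged port. `DynamicUser = true` plus the usual hardening directives should work without other changes; dropping the old container's `config.age.secrets.vnc-password.path` env file and `/root/.ssh` mount is already a good reduction, since the proxy needs neither. The `localhost:5901` target relies on the VNC server started by `vnc-kde.service` enforcing its own authentication; that unit is outside this compare, so I cannot confirm it. The enclosing `in { ... }` module body starts and ends outside the hunk.

```nix
systemd.services.novnc = {
  # … unchanged: description, wantedBy, after …
  serviceConfig = {
    # … unchanged: Type, Restart, RestartSec, ExecStart …
    # websockify needs neither root nor any capability: it reads the nix store
    # and binds 6080 on loopback, so run it as a transient unprivileged user.
    DynamicUser = true;
    NoNewPrivileges = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    PrivateTmp = true;
    PrivateDevices = true;
  };
};
```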
|
|
|
|||
|
|
@ -52,6 +52,22 @@
|
|||
};
|
||||
};
|
||||
|
||||
"claw.quineglobal.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:4310/";
|
||||
extraConfig = ''
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_read_timeout 86400;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
"hyper.quineglobal.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = false;
|
||||
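Review bot: The `claw.quineglobal.com` vhost publishes the openclaw control UI to the internet with no access control in front of it — the location block only proxies, and nothing in this compare shows the upstream enforcing authentication, while the `/root/.openclaw` state it is handed suggests an administrative surface. Until the app's own login is confirmed, gate it at nginx, e.g. `basicAuthFile = <path to an agenix-managed htpasswd>;` inside `locations."/"` (the same secret mechanism the removed vnc container used via `config.age.secrets`), or an `allow`/`deny` list in `extraConfig`. Note also that `projects.openclaw.settings` and its `DOCKER_HOST` line are commented out in the same compare, so until they are enabled this vhost will answer 502 for every request — harmless, but a `# TODO: enable projects.openclaw before relying on this vhost` comment on the block would record the intent. I believe `proxyWebsockets = true;` is the NixOS idiom that replaces the `proxy_http_version`/`Upgrade`/`Connection` lines in `extraConfig`, which would shorten the block.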
|
|
|
|||