Compare commits


No commits in common. "7f519f804bb80c3bdf5ac913d579ba49b1d8d4ac" and "671f7b511719403b78156f5be8bcadb232bbea6d" have entirely different histories.

5 changed files with 42 additions and 78 deletions


@ -1,45 +0,0 @@
{ pkgs, ... }:
{
project.name = "openclaw";
networks.openclaw.external = false;
services = {
app = {
service = {
image = "node:lts-alpine";
container_name = "openclaw";
restart = "unless-stopped";
networks = [ "openclaw" ];
volumes = [
"/var/openclaw/app:/app"
"/root/.openclaw:/root/.openclaw:ro"
];
ports = [ "127.0.0.1:4310:4310" ];
environment = {
PORT = "4310";
OPENCLAW_HOME = "/root/.openclaw";
};
command = [
"sh" "-c"
''
set -e
apk add --no-cache git
if [ ! -d /app/repo ]; then
git clone https://github.com/TianyiDataScience/openclaw-control-center.git /app/repo
fi
cd /app/repo
if [ ! -f .env ]; then
cp .env.example .env
sed -i "s|OPENCLAW_HOME=.*|OPENCLAW_HOME=/root/.openclaw|" .env
sed -i "s|PORT=.*|PORT=4310|" .env
fi
npm install
npm run build
exec npm run dev:ui
''
];
};
};
};
}


@ -1,3 +0,0 @@
import <nixpkgs> {
system = "x86_64-linux";
}


@ -20,5 +20,6 @@
networking.firewall.extraCommands = '' networking.firewall.extraCommands = ''
iptables -I nixos-fw -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept iptables -I nixos-fw -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept
iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 53 -j nixos-fw-accept iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 53 -j nixos-fw-accept
iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 5901 -j nixos-fw-accept
''; '';
} }
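Review bot: The added iptables line opens the host VNC server port 5901 to the whole 10.89.0.0/16 range, i.e. to every container on the podman network rather than only the vnc-desktop container that needs it, and `-I` places the rule ahead of any existing nixos-fw rules. The wide source is presumably needed because the container reaches the host through host-gateway, but nothing in the hunk records that, so a comment such as `# vnc-desktop container reaches the host VNC server (5901) via host-gateway; limited to the podman network` would help the next reader. If the container network's subnet is narrower than the /16, restricting `-s` to that subnet would reduce what a compromised neighbouring container could reach; access then still depends on the VNC server's own authentication.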


@ -18,6 +18,8 @@
nixPkgs = specialArgs.nixPkgs; nixPkgs = specialArgs.nixPkgs;
ourRustVersion = pkgs.rust-bin.selectLatestNightlyWith (toolchain: toolchain.complete); ourRustVersion = pkgs.rust-bin.selectLatestNightlyWith (toolchain: toolchain.complete);
vncContext = builtins.path { path = ./vnc-desktop; name = "vnc-desktop-context"; };
ourRustPlatform = nixPkgs.makeRustPlatform { ourRustPlatform = nixPkgs.makeRustPlatform {
rustc = ourRustVersion; rustc = ourRustVersion;
cargo = ourRustVersion; cargo = ourRustVersion;
@ -112,8 +114,8 @@ in {
} }
]; ];
# KDE Plasma on the host — the novnc systemd service (websockify) proxies # KDE Plasma on the host — the noVNC container (vnc-desktop) is a thin WebSocket
# WebSocket traffic from nginx to the VNC server started here. # proxy that connects to the VNC server started here.
services.xserver = { services.xserver = {
enable = true; enable = true;
desktopManager.plasma5.enable = true; desktopManager.plasma5.enable = true;
@ -173,7 +175,6 @@ in {
projects.riverside.settings = import ./arion-riverside/arion-compose.nix; projects.riverside.settings = import ./arion-riverside/arion-compose.nix;
projects.pluto.settings = import ./arion-pluto/arion-compose.nix; projects.pluto.settings = import ./arion-pluto/arion-compose.nix;
projects.paperless.settings = import ./arion-paperless/arion-compose.nix; projects.paperless.settings = import ./arion-paperless/arion-compose.nix;
#projects.openclaw.settings = import ./arion-openclaw/arion-compose.nix;
}; };
# The arion NixOS module sets backend = "podman-socket" but doesn't inject # The arion NixOS module sets backend = "podman-socket" but doesn't inject
@ -183,20 +184,36 @@ in {
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-pluto.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-pluto.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-paperless.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-paperless.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
#systemd.services.arion-openclaw.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.novnc = { # Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed.
description = "noVNC WebSocket proxy for VNC desktop"; # vncContext is a Nix store path that changes whenever any file under vnc-desktop/ changes,
wantedBy = [ "multi-user.target" ]; # which causes build-vnc-image to re-run and podman-vnc-desktop to restart on nixos-rebuild.
after = [ "vnc-kde.service" "network.target" ]; systemd.services.build-vnc-image = {
description = "Build VNC desktop container image from Dockerfile";
wantedBy = [ "podman-vnc-desktop.service" ];
before = [ "podman-vnc-desktop.service" ];
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "oneshot";
Restart = "on-failure"; RemainAfterExit = true;
RestartSec = "3s"; ExecStart = pkgs.writeShellScript "build-vnc-image" ''
ExecStart = "${pkgs.python3Packages.websockify}/bin/websockify --web ${pkgs.novnc}/share/webapps/novnc 127.0.0.1:6080 localhost:5901"; STAMP=/var/lib/build-vnc-image/context-hash
EXPECTED="${vncContext}"
if [ -f "$STAMP" ] && [ "$(cat "$STAMP")" = "$EXPECTED" ]; then
echo "VNC image is up to date, skipping build"
exit 0
fi
echo "Building VNC desktop image..."
${pkgs.podman}/bin/podman build \
-t forge.quinefoundation.com/ironmagma/vnc-desktop:latest \
${vncContext}
mkdir -p "$(dirname "$STAMP")"
echo "$EXPECTED" > "$STAMP"
'';
}; };
}; };
systemd.services.podman-vnc-desktop.restartTriggers = [ "${vncContext}" ];
services.gitea-actions-runner.instances."ubuntu" = { services.gitea-actions-runner.instances."ubuntu" = {
enable = true; enable = true;
name = "ubuntu"; name = "ubuntu";
@ -242,7 +259,6 @@ in {
"d /var/paperless/consume 0755 root root" "d /var/paperless/consume 0755 root root"
"d /var/paperless/postgres 0755 root root" "d /var/paperless/postgres 0755 root root"
"d /var/paperless/redis 0755 root root" "d /var/paperless/redis 0755 root root"
"d /var/openclaw/app 0755 root root"
"d /var/riverside/files 0755 root root" "d /var/riverside/files 0755 root root"
"d /var/riverside/postgres 0755 root root" "d /var/riverside/postgres 0755 root root"
"d /var/lib/gitea-runner/ubuntu 0755 gitea-runner gitea-runner" "d /var/lib/gitea-runner/ubuntu 0755 gitea-runner gitea-runner"
@ -291,6 +307,18 @@ in {
# ports = ["8081:80"]; # ports = ["8081:80"];
# }; # };
"vnc-desktop" = {
autoStart = true;
image = "forge.quinefoundation.com/ironmagma/vnc-desktop:latest";
environmentFiles = [ config.age.secrets.vnc-password.path ];
volumes = [ "/root/.ssh:/root/host-ssh:ro" ];
ports = [ "127.0.0.1:6080:6080" ];
extraOptions = [
"--add-host=hetzner-host:host-gateway"
"--pids-limit=-1"
];
};
"navidrome" = { "navidrome" = {
autoStart = true; autoStart = true;
environment = { environment = {
@ -451,7 +479,6 @@ in {
"acme-selfsigned-www.philippeterson.com.service" "acme-selfsigned-www.philippeterson.com.service"
"acme-selfsigned-riverside.coldairnetworks.com.service" "acme-selfsigned-riverside.coldairnetworks.com.service"
"acme-selfsigned-vnc.quinefoundation.com.service" "acme-selfsigned-vnc.quinefoundation.com.service"
"acme-selfsigned-claw.quineglobal.com.service"
"acme-selfsigned-webdav.philippeterson.com.service" "acme-selfsigned-webdav.philippeterson.com.service"
"acme-selfsigned-pluto.philippeterson.com.service" "acme-selfsigned-pluto.philippeterson.com.service"
"acme-selfsigned-paperless.philippeterson.com.service" "acme-selfsigned-paperless.philippeterson.com.service"
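Review bot: In the build-vnc-image script (hunk @ -183,20 +184,36) the stamp file is written unconditionally after `podman build`, and `pkgs.writeShellScript` does not enable `set -e` on its own, so a failed build still records the context hash, the oneshot unit exits 0, and every later nixos-rebuild skips the build until vnc-desktop/ changes again. Making `set -euo pipefail` the first line of the script lets a failed build fail the unit and leave the stamp untouched. Since build-vnc-image is tied to podman-vnc-desktop only through wantedBy/before, a failed or absent build does not stop the container from starting, and with the registry-qualified tag forge.quinefoundation.com/ironmagma/vnc-desktop:latest podman would then try to pull that name from the registry, which contradicts the "no registry push/pull needed" comment. Adding `"--pull=never"` to the container's extraOptions in the @ -291,6 +307,18 hunk and `systemd.services.podman-vnc-desktop.requires = [ "build-vnc-image.service" ];` (with a matching `after`) next to the restartTriggers line would pin the container to the locally built image.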


@ -52,22 +52,6 @@
}; };
}; };
"claw.quineglobal.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:4310/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_read_timeout 86400;
'';
};
};
"hyper.quineglobal.com" = { "hyper.quineglobal.com" = {
enableACME = true; enableACME = true;
forceSSL = false; forceSSL = false;