feat: opencode web at oc.commoninternet.net (one server, named sessions)
configuration.nix: - systemd.services.opencode-web: one shared opencode server on 127.0.0.1:4096, EnvironmentFile=/srv/cc-ci/.testenv (TINFOIL_API_KEY), ExecStartPre clears stale /tmp/opencode so restarts never fail on the EEXIST race. - services.nginx: reverse-proxy oc.commoninternet.net → localhost:4096, bound to tailscale IP 100.84.190.30 (tailnet-only, plain HTTP). DNS: A record oc.commoninternet.net → 100.84.190.30 (operator step). launch.sh + launch-upgrader.sh: - Drop per-session ports / OPENCODE_HOST; add OPENCODE_SERVER=http://127.0.0.1:4096. - opencode backend: agents use `opencode run --attach $OPENCODE_SERVER --title $session` so each shows up as a named session in the web UI. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ -25,6 +25,7 @@
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
# Port 80 open only on the tailscale interface (trusted) — nginx binds there for oc.commoninternet.net.
|
||||
allowedTCPPorts = [ 22 ];
|
||||
};
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
@ -117,6 +118,44 @@ SSHCFG
|
||||
'';
|
||||
};
|
||||
|
||||
# opencode web server — one shared instance; all agent sessions attach to it.
|
||||
# Serves the web UI at http://oc.commoninternet.net (via nginx below, tailscale-only).
|
||||
# TINFOIL_API_KEY and other creds are read from /srv/cc-ci/.testenv at startup.
|
||||
systemd.services.opencode-web = {
|
||||
description = "opencode web server for cc-ci agents (tinfoil/deepseek backend)";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network-online.target" "tailscaled.service" ];
|
||||
wants = [ "network-online.target" ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = "loops"; Group = "users";
|
||||
WorkingDirectory = "/srv/cc-ci";
|
||||
EnvironmentFile = "/srv/cc-ci/.testenv";
|
||||
ExecStartPre = "${pkgs.coreutils}/bin/rm -rf /tmp/opencode";
|
||||
ExecStart = "/home/loops/.local/bin/opencode serve --hostname 127.0.0.1 --port 4096";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "5s";
|
||||
};
|
||||
environment = { HOME = "/home/loops"; };
|
||||
path = [ pkgs.bash pkgs.coreutils ];
|
||||
};
|
||||
|
||||
# nginx — reverse-proxy oc.commoninternet.net → opencode web server.
|
||||
# Bound to the tailscale IP so it is only reachable on the tailnet.
|
||||
# DNS: add A record oc.commoninternet.net → 100.84.190.30 (operator step).
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts."oc.commoninternet.net" = {
|
||||
# Listen on the tailscale interface only — not the public IP.
|
||||
listen = [{ addr = "100.84.190.30"; port = 80; ssl = false; }];
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:4096";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# cc-ci-loops supervisor — workspace staged 2026-05-31, so ENABLED for reboot-resilience.
|
||||
systemd.services.cc-ci-loops = {
|
||||
description = "cc-ci Builder/Adversary loops + watchdog (launch.sh start)";
|
||||
|
||||
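Review bot: Nothing in the new `systemd.services.opencode-web` unit or the `virtualHosts."oc.commoninternet.net"` block sets up authentication, so access to the agent UI rests only on network position. `trustedInterfaces = [ "tailscale0" ]` admits every tailnet device, and any local process on the host can reach 127.0.0.1:4096 directly. Because the server runs as `loops` with the credentials from `/srv/cc-ci/.testenv` in its environment, I would add an auth layer at the proxy, for example `basicAuthFile = "/path/to/htpasswd";` (placeholder path) on the virtual host, or restrict port 80 to named users with a tailnet ACL. Separately, `ExecStartPre` deletes a fixed path under the shared /tmp, which another local account could pre-create to block startup; `PrivateTmp = true;` in `serviceConfig` would give the unit its own /tmp and make the cleanup unnecessary. That second change is only safe if nothing outside the unit needs to see /tmp/opencode, which should be confirmed against launch.sh (not shown here).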