feat: fw add moltbot

2026-01-30 08:59:52 +01:00 · 2026-01-30 08:59:52 +01:00 · 1ca4a59fe5
commit 1ca4a59fe5
parent 190c2ee5c5
5 changed files with 138 additions and 50 deletions
--- a/hosts/fw/modules/dnsmasq.nix
+++ b/hosts/fw/modules/dnsmasq.nix
@ -139,6 +139,7 @@
        "/dl.cloonar.com/${config.networkPrefix}.97.5"
        "/jellyfin.cloonar.com/${config.networkPrefix}.97.5"
        "/audiobooks.cloonar.com/${config.networkPrefix}.97.5"
+        "/moltbot.cloonar.com/${config.networkPrefix}.97.5"

        "/deconz.cloonar.multimedia/${config.networkPrefix}.97.22"

--- a/hosts/fw/modules/moltbot.nix
+++ b/hosts/fw/modules/moltbot.nix
@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+{
+  # Moltbot - AI assistant with WebChat
+  # Container with browser support for web automation
+
+  virtualisation.oci-containers.backend = "podman";
+
+  # Secret for gateway authentication token
+  sops.secrets.moltbot-gateway-token = {
+    key = "moltbot-gateway-token";
+  };
+
+  # Persistent directories on host for backup
+  # UID 1000 is the 'node' user inside the container
+  systemd.tmpfiles.rules = [
+    "d /var/lib/moltbot 0755 1000 1000 - -"
+    "d /var/lib/moltbot/home 0755 1000 1000 - -"
+    "d /var/lib/moltbot/extensions 0755 1000 1000 - -"
+    "d /run/moltbot 0700 root root - -"
+  ];
+
+  virtualisation.oci-containers.containers.moltbot = {
+    image = "ghcr.io/moltbot/moltbot:main";
+
+    # Run gateway mode, bind to all interfaces in container
+    cmd = [ "dist/index.js" "gateway" "--bind" "lan" "--port" "18789" "--allow-unconfigured" ];
+
+    ports = [
+      "${config.networkPrefix}.97.1:18789:18789" # Gateway/WebChat
+      "${config.networkPrefix}.97.1:18790:18790" # Bridge
+    ];
+
+    volumes = [
+      "/var/lib/moltbot/home:/home/node:rw"
+      "/var/lib/moltbot/extensions:/app/extensions:rw"
+    ];
+
+    environment = {
+      HOME = "/home/node";
+      TERM = "xterm-256color";
+      MOLTBOT_STATE_DIR = "/home/node/.moltbot";
+      CLAWDBOT_STATE_DIR = "/home/node/.moltbot";
+      PUPPETEER_SKIP_CHROMIUM_DOWNLOAD = "false";
+    };
+
+    extraOptions = [
+      "--pull=newer"
+      "--network=server"
+      "--ip=${config.networkPrefix}.97.60"
+      "--init"
+      # Chrome sandbox capabilities
+      "--cap-add=SYS_ADMIN"
+      "--security-opt=seccomp=unconfined"
+    ];
+  };
+}
--- a/hosts/fw/modules/web/proxies.nix
+++ b/hosts/fw/modules/web/proxies.nix
@ -103,4 +103,31 @@
      '';
    };
  };
+
+  services.nginx.virtualHosts."moltbot.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+
+    # Restrict to internal networks only (LAN + VPN)
+    extraConfig = ''
+      allow ${config.networkPrefix}.96.0/24;
+      allow ${config.networkPrefix}.97.0/24;
+      allow ${config.networkPrefix}.98.0/24;
+      deny all;
+    '';
+
+    locations."/" = {
+      proxyPass = "http://${config.networkPrefix}.97.60:18789";
+      extraConfig = ''
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+      '';
+    };
+  };
 }