chore(openclaw): golden config snapshot + RBAC manifest in git

- Add openclaw/golden/ with stable copies of openclaw.json, SOUL.md, TOOLS.md, HOMELAB.md, kubectl-ro - Fix HOMELAB.md model roles (qwen3-es:14b=primary, llama3.1-es:8b=fallback) - Add rbac-openclaw-agent.yaml (ClusterRole read-only + binding + SA) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 09:18:39 +00:00
parent 8592a09bc7
commit a5aac4dd83
6 changed files with 431 additions and 0 deletions
@@ -0,0 +1,62 @@
+# HOMELAB.md - Infraestructura del Homelab
+
+Lee este archivo al inicio de cada sesión. Contiene el contexto completo del homelab.
+
+## Cluster k3s
+
+- **chemavx-k8** (master/control-plane): 192.168.1.225, Ubuntu 22.04.5 LTS, k3s v1.34.6
+  - CPU: 16 cores · RAM: ~32 GB
+  - GPU: NVIDIA GeForce RTX 3060 12 GB (CUDA, Ampere gfx8.6) — usada por Ollama
+- **chemavx-n97** (worker): 192.168.1.238, Ubuntu 24.04.4 LTS, k3s v1.34.6
+  - CPU: 4 cores · RAM: ~12 GB
+- Ingress: Traefik (LoadBalancer 192.168.1.225 + 192.168.1.238) · TLS: cert-manager + letsencrypt-prod
+- Dominio: *.chemavx.xyz
+- Storage: local-path (hostPath) — datos en chemavx-k8 NO accesibles desde chemavx-n97
+
+## Servicios desplegados
+
+| Servicio        | Namespace       | URL                          | Notas |
+|-----------------|-----------------|------------------------------|-------|
+| OpenClaw        | openclaw        | openclaw.chemavx.xyz         | este agente, PVC /data |
+| Ollama          | ollama          | ollama.chemavx.xyz           | llama3.1-es:8b + qwen3-es:14b, RTX 3060 |
+| Open WebUI      | open-webui      | chat.chemavx.xyz             | interfaz web para Ollama |
+| ArgoCD          | argocd          | argocd.chemavx.xyz           | GitOps CD |
+| Authentik       | authentik       | auth.chemavx.xyz             | SSO, postgresql en chemavx-k8 |
+| Gitea           | gitea           | git.chemavx.xyz              | con Gitea Runner |
+| Grafana         | monitoring      | grafana.chemavx.xyz          | kube-prometheus-stack |
+| Prometheus      | monitoring      | prometheus.chemavx.xyz       | |
+| Uptime Kuma     | monitoring      | status.chemavx.xyz           | |
+| n8n             | n8n             | n8n.chemavx.xyz              | |
+| Vaultwarden     | vaultwarden     | vaultwarden.chemavx.xyz      | |
+| Homarr          | homarr          | home.chemavx.xyz             | dashboard |
+| Polymarket Bot  | polymarket-bot  | polymarket.chemavx.xyz       | api + bot + dashboard + postgres |
+| Portfolio       | portfolio       | chemavx.xyz                  | web personal |
+| Gitea           | gitea           | git.chemavx.xyz              | |
+
+## Modelos Ollama activos
+
+| Modelo           | Tipo    | Rol en OpenClaw | Tok/s | Notas |
+|------------------|---------|-----------------|-------|-------|
+| qwen3-es:14b     | custom  | primary         | ~34   | Modelfile español + /nothink, base qwen3:14b |
+| llama3.1-es:8b   | custom  | fallback        | ~50   | Modelfile español, base llama3.1:8b |
+| qwen3:14b        | base    | disponible      | 34.5  | RTX 3060 |
+| qwen2.5:14b      | base    | disponible      | -     | |
+| llama3.1:8b      | base    | disponible      | -     | |
+
+## Namespaces activos
+
+argocd · authentik · backup-system · cert-manager · cloudflare-ddns · gitea · gpu-operator · homarr · monitoring · n8n · ollama · open-webui · openclaw · polymarket-bot · portfolio · vaultwarden
+
+## Manifiestos
+
+Todos los manifiestos en: `/home/chemavx/k8s-manifests/<namespace>/`
+
+## RBAC OpenClaw
+
+ServiceAccount `openclaw-agent` con ClusterRole read-only:
+- Puede: get/list/watch — pods, logs, services, nodes, namespaces, events, deployments, replicasets, statefulsets, daemonsets, ingresses
+- NO puede: delete, patch, create, update — nada
+
+## Reglas de operación
+
+Ver SOUL.md sección "Homelab Safety" — **NUNCA** ejecutar comandos de administración del cluster sin confirmación explícita.