Initial commit: Nexus Mission Control Platform

- ASP.NET Core 10 Backend (JWT Auth, Agent config API)
- Vue 3 Frontend (Dashboard, Team, Agents, Config Editor)
- PostgreSQL Database
- Docker Compose setup
- Mission Control Dashboard redesign

ops/deploy.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# Nexus Deployment Script
+# Auf dem VPS-HOST ausführen, nicht im Container!
+set -e
+
+SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
+NEXUS_DIR="$(dirname "$SCRIPT_DIR")"
+
+echo "=== Nexus Deployment ==="
+echo "Verzeichnis: $NEXUS_DIR"
+
+cd "$NEXUS_DIR"
+
+echo ""
+echo "[1/3] Prüfe Konfiguration..."
+docker compose config --quiet && echo "  ✅ Konfiguration gültig"
+
+echo ""
+echo "[2/3] Starte Stack..."
+docker compose up -d
+
+echo ""
+echo "[3/3] Warte auf Services..."
+sleep 5
+docker compose ps
+
+echo ""
+echo "=== Fertig ==="
+echo "Nexus Web: http://nexus.noveria.net:18880"
+echo "Login:    vmbao62@hotmail.de"
+echo "Passwort: wird beim ersten Start im Container-Log ausgegeben"
+echo ""
+echo "Logs:     docker compose logs api | grep 'Initial owner'"
+echo "Status:   docker compose ps"
+# Patch für compose.yaml
+sed -i 's/${OWNER_PASSWORD:?Set OWNER_PASSWORD in .env}/${OWNER_PASSWORD:-}/' "$NEXUS_DIR/compose.yaml"

ops/install-ollama-host.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+MODEL="${OLLAMA_MODEL:-qwen3:4b}"
+BIND_ADDRESS="${OLLAMA_BIND_ADDRESS:-172.18.0.1:11434}"
+BACKUP_DIR="/root/security-backups/ollama-$(date -u +%Y%m%dT%H%M%SZ)"
+
+if [[ "${EUID}" -ne 0 ]]; then
+  echo "Run this script as root on the Ubuntu host." >&2
+  exit 1
+fi
+
+mkdir -p "${BACKUP_DIR}"
+if systemctl cat ollama.service >/dev/null 2>&1; then
+  systemctl cat ollama.service > "${BACKUP_DIR}/ollama.service.before.txt"
+fi
+if [[ -d /etc/systemd/system/ollama.service.d ]]; then
+  cp -a /etc/systemd/system/ollama.service.d "${BACKUP_DIR}/"
+fi
+
+if ! command -v ollama >/dev/null 2>&1; then
+  curl -fsSL https://ollama.com/install.sh -o /tmp/ollama-install.sh
+  sh /tmp/ollama-install.sh
+fi
+
+install -d -m 755 /etc/systemd/system/ollama.service.d
+cat > /etc/systemd/system/ollama.service.d/10-openclaw.conf <<OVERRIDE
+[Service]
+Environment="OLLAMA_HOST=${BIND_ADDRESS}"
+Environment="OLLAMA_KEEP_ALIVE=15m"
+OVERRIDE
+
+systemctl daemon-reload
+systemctl enable --now ollama
+systemctl restart ollama
+
+for attempt in {1..30}; do
+  if curl -fsS "http://${BIND_ADDRESS}/api/tags" >/dev/null; then
+    break
+  fi
+  if [[ "${attempt}" -eq 30 ]]; then
+    systemctl status ollama --no-pager
+    exit 1
+  fi
+  sleep 2
+done
+
+OLLAMA_HOST="http://${BIND_ADDRESS}" ollama pull "${MODEL}"
+OLLAMA_HOST="http://${BIND_ADDRESS}" ollama show "${MODEL}" >/dev/null
+curl -fsS "http://${BIND_ADDRESS}/api/tags"
+echo
+echo "Ollama ${MODEL} is ready on ${BIND_ADDRESS}. Backup: ${BACKUP_DIR}"

ops/nginx-nexus.conf

@@ -0,0 +1,49 @@
+# /etc/nginx/sites-available/nexus.noveria.net
+# Symlink: ln -s /etc/nginx/sites-available/nexus.noveria.net /etc/nginx/sites-enabled/
+
+server {
+    listen 80;
+    server_name nexus.noveria.net;
+
+    # Let's Encrypt challenge
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name nexus.noveria.net;
+
+    # SSL wird per certbot automatisch befüllt
+    ssl_certificate     /etc/letsencrypt/live/nexus.noveria.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/nexus.noveria.net/privkey.pem;
+
+    # Security-Header
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+
+    client_max_body_size 16m;
+
+    location / {
+        proxy_pass http://127.0.0.1:18880;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # API-Direktzugriff falls nötig
+    location /api/ {
+        proxy_pass http://127.0.0.1:18880;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

ops/setup-https.sh

@@ -0,0 +1,107 @@
+#!/bin/bash
+# HTTPS-Setup für nexus.noveria.net
+# Auf dem VPS-HOST ausführen!
+
+set -e
+
+echo "=== HTTPS Setup für nexus.noveria.net ==="
+
+SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
+
+# 1. Zuerst nur HTTP-Config ausrollen (keine SSL-Referenz!)
+echo "[1/5] Installiere HTTP-only Nginx-Config..."
+sudo tee /etc/nginx/sites-available/nexus.noveria.net > /dev/null << 'NGINXEOF'
+server {
+    listen 80;
+    server_name nexus.noveria.net;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:18880;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+NGINXEOF
+
+sudo ln -sf /etc/nginx/sites-available/nexus.noveria.net /etc/nginx/sites-enabled/
+sudo nginx -t && sudo systemctl reload nginx
+echo "  ✅ HTTP-Config aktiv"
+
+# 2. Firewall
+echo "[2/5] Firewall..."
+if command -v ufw &>/dev/null; then
+    sudo ufw allow 80/tcp 2>/dev/null || true
+    sudo ufw allow 443/tcp 2>/dev/null || true
+    echo "  ✅ ufw: 80+443 offen"
+else
+    echo "  ⏭ ufw nicht installiert"
+fi
+
+# 3. HTTP-Test
+echo "[3/5] Teste HTTP..."
+sleep 1
+STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://nexus.noveria.net)
+echo "  HTTP-Status: $STATUS"
+
+# 4. Zertifikat holen
+echo "[4/5] Fordere Let's-Encrypt-Zertifikat an..."
+sudo certbot certonly --webroot -w /var/www/html -d nexus.noveria.net --non-interactive --agree-tos --email vmbao62@hotmail.de 2>&1 || {
+    echo "  ⚠️  certbot fehlgeschlagen – manuell nachholen:"
+    echo "     sudo certbot --nginx -d nexus.noveria.net"
+    exit 1
+}
+echo "  ✅ Zertifikat erhalten"
+
+# 5. HTTPS-Config ausrollen
+echo "[5/5] Aktiviere HTTPS-Config..."
+sudo tee /etc/nginx/sites-available/nexus.noveria.net > /dev/null << 'NGINXSSL'
+server {
+    listen 80;
+    server_name nexus.noveria.net;
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name nexus.noveria.net;
+
+    ssl_certificate     /etc/letsencrypt/live/nexus.noveria.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/nexus.noveria.net/privkey.pem;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+
+    client_max_body_size 16m;
+
+    location / {
+        proxy_pass http://127.0.0.1:18880;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+NGINXSSL
+
+sudo nginx -t && sudo systemctl reload nginx
+echo "  ✅ HTTPS aktiv"
+
+# Test
+echo ""
+sleep 2
+curl -s -o /dev/null -w "HTTPS-Status: %{http_code}\n" https://nexus.noveria.net
+echo ""
+echo "=== Fertig ==="
+echo "Nexus: https://nexus.noveria.net"