Sókrates Box NixOS Image

Summary

The Sókrates Box is the on-premises hardware appliance deployed to Icelandic SME customer sites. It runs a hardened, headless NixOS image designed for the CWWK 4-LAN N305 (Intel i3-N305, 8C/8T) that hosts the Sókrates service infrastructure—including the knowledge graph and agent runtimes—within a strictly controlled network environment.

Details

The Sókrates Box serves as the local execution environment for the project’s intelligence layer. The architecture is designed for zero-touch deployment, high reproducibility, and strict security boundaries: customer data stays on the premises, the only outbound traffic is the whitelisted API, heartbeat and encrypted-backup traffic described below, and the fleet can still be managed remotely.

Hardware and OS Layer

The target hardware is the CWWK 4-LAN N305 featuring the Intel i3-N305 processor (8 Cores, 8 Threads, up to 3.80GHz), a single DDR5 SODIMM slot supporting up to 32GB, 4x Intel i226-V 2.5GbE LAN ports with native Linux kernel support, and fanless passive cooling. The operating system is a headless NixOS configuration managed via Nix flakes. This ensures that every box in the fleet runs a bit-identical base OS, with atomic generations allowing for safe, pull-based updates and instant rollbacks in case of failure. See CWWK 4-LAN N305 (Sokrates Box) for full hardware specifications.

Containerized Service Topology

While the host is managed by Nix, the application services run within Docker containers alongside the Hermes Agent framework. The resource budget for a standard 16GB box (upgradeable to 32GB DDR5) is allocated as follows:

  • Hermes Agent: 4GB RAM. A Python-based agent runtime executing communication, agent logic, and proactive discovery via the nix-hermes NixOS module.
  • Eidos (Eidos API): 2GB RAM. A FastAPI service managing the knowledge graph and Voyage AI embeddings.
  • Neo4j: 2GB RAM. The graph database backend, utilizing APOC and tuned for the local hardware constraints.
  • Fleet Agent: 512MB RAM. A lightweight Python service responsible for system heartbeats, encrypted backup orchestration, and triggering container updates.
  • Host/Overhead: ~7.5GB remaining for system operations and Docker overhead.

Networking and Security

The networking model prioritizes “always-works” simplicity for Icelandic office environments. The four Intel i226-V 2.5GbE ports make per-port isolation with nftables possible, but the standard configuration uses a single NIC connected to the customer LAN.

Egress control is enforced by a strict nftables whitelist baked into the NixOS image. The policy is default-deny: the box may initiate connections only to:

  • Sókrates API endpoints (for inference proxies, fleet heartbeats, and backup shipping).
  • Microsoft 365 and Google Workspace API domains (required for MCP connectors).
  • Essential services: DNS and NTP.

Two maintenance points follow from this design. nftables matches addresses rather than hostnames, so the Microsoft 365 and Google Workspace entries have to be kept as address sets refreshed from the vendors' published ranges, and a stale set surfaces as connector failures rather than as a security event. And container traffic leaves through the kernel's forward hook, not the host's output hook, so the whitelist has to be applied to traffic from the Docker bridges as well; otherwise the services that generate most of the box's traffic would sit outside the policy. The remaining LAN ports are dormant by default but available for customers requiring physical network segmentation (e.g., dedicated ports for management, customer LAN, and WAN uplink). Remote access is limited to key-only SSH for specific Sókrates developer keys.
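The following NixOS fragment is an added illustration of the egress whitelist and SSH lockdown described above; it is not the Sókrates project's own module. It assumes a single LAN interface named enp2s0, placeholder address sets drawn from the RFC 5737 documentation ranges in place of the real Sókrates, Microsoft and Google addresses, an account named sokrates-ops and a placeholder authorized key. It goes one step beyond the text by applying the same whitelist chain to the forward hook, which is the path Docker container traffic actually takes, and by admitting DHCP so the "always-works" LAN attachment keeps working under a default-deny output policy.

```nix
# Added example, not the Sókrates project's own module. Placeholders: the LAN
# interface name, every address set (RFC 5737 ranges), the account name and the key.
{ config, lib, pkgs, ... }:

let
  lan = "enp2s0";   # assumption: the single NIC on the customer LAN
in
{
  virtualisation.docker.enable = true;

  # The NixOS firewall is disabled so that the ruleset below is the whole policy.
  networking.firewall.enable = false;
  networking.nftables.enable = true;
  networking.nftables.ruleset = ''
    table inet sokrates_egress {
      # nftables matches addresses, not names: saas_api has to be refreshed from
      # the Microsoft 365 / Google Workspace published ranges.
      set sokrates_api { type ipv4_addr; flags interval; elements = { 203.0.113.10, 203.0.113.11 }; }
      set saas_api     { type ipv4_addr; flags interval; elements = { 198.51.100.0/24 }; }
      set resolvers    { type ipv4_addr; elements = { 192.0.2.53 }; }
      set ntp_servers  { type ipv4_addr; elements = { 192.0.2.123 }; }

      # One whitelist for host-originated (output hook) and container-originated
      # (forward hook) traffic. Docker's own iptables-nft rules live in other
      # tables; a drop here is final even if Docker's chain accepted the packet.
      chain egress_policy {
        ct state established,related accept
        ct state invalid drop
        ip daddr @resolvers udp dport 53 accept
        ip daddr @resolvers tcp dport 53 accept
        ip daddr @ntp_servers udp dport 123 accept
        ip daddr @sokrates_api tcp dport 443 accept   # inference proxy, heartbeats, backups
        ip daddr @saas_api tcp dport 443 accept       # MCP connectors
        log prefix "sokrates-egress-drop: " drop
      }

      chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname "${lan}" udp sport 67 udp dport 68 accept   # DHCP offers/acks
        iifname "${lan}" tcp dport 22 accept                # SSH, key-only (below)
        iifname "${lan}" icmp type echo-request accept
        iifname "br-*" accept                               # compose bridges to host
      }

      chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "br-*" oifname "br-*" accept                # container to container
        iifname "br-*" oifname "${lan}" jump egress_policy  # container egress
      }

      chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "br-*" accept
        oifname "${lan}" udp sport 68 udp dport 67 accept   # DHCP requests
        jump egress_policy
      }
      # No IPv6 entries exist, so IPv6 egress is dropped by policy.
    }
  '';

  # Key-only SSH; port 22 is admitted by the input chain above, not by NixOS.
  services.openssh = {
    enable = true;
    openFirewall = false;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # One account whose only credentials are the developer keys; no drift from the image.
  users.mutableUsers = false;
  users.users.sokrates-ops = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 REPLACE_WITH_DEVELOPER_PUBLIC_KEY developer@sokrates"  # placeholder
    ];
  };
}
```

The dropped-packet log line gives the fleet a cheap check: any "sokrates-egress-drop" entry naming a destination outside the four sets is either a stale vendor range or a service trying to reach something it should not.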

Update and Maintenance Model

The system utilizes a two-channel update strategy:

  1. Host Channel (NixOS): Updates to the base OS, firewall rules, and systemd services are handled via NixOS generations. These are pull-based: the box polls the Sókrates infrastructure for new configurations, so the configuration source and any binary cache it needs must themselves be reachable through the egress whitelist. A generation that fails to activate is not a dead end; the previous generation remains bootable and is restored by a rollback.
  2. Service Channel (Docker): Frequent updates to the Hermes Agent or Eidos logic are handled via image pulls from the GitHub Container Registry (GHCR). The Fleet Agent compares the digests of the running images with the digests currently published for their tags and, when they differ, runs docker-compose pull && docker-compose up -d to update services without a full OS rebuild. Since a tag is mutable, the pull should be pinned to the digest the Fleet Agent observed, so that the image started is the one that was checked. Note that ghcr.io does not appear in the egress whitelist above; either it (and the hosts it redirects blob downloads to) must be added, or the images must be pulled through the Sókrates infrastructure.
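As an added example of the host channel (not the project's flake), the NixOS fragment below configures a pull-based auto-upgrade from a pinned flake reference and narrows the Nix substituter to a Sókrates-hosted binary cache, since the egress whitelist leaves cache.nixos.org unreachable. The flake URL, the cache URL and the cache public key are placeholders, and the boot loader is assumed to be systemd-boot.

```nix
# Added example, not the project's flake. Placeholders: the flake URL,
# the cache URL and the cache public key. Both hosts must be covered by the
# Sókrates entries of the egress whitelist.
{ config, lib, pkgs, ... }:
{
  # Host channel: pull the pinned configuration and switch generations.
  # The previous generation stays in the boot menu, and
  #   nixos-rebuild switch --rollback
  # returns to it without any network access.
  system.autoUpgrade = {
    enable = true;
    operation = "switch";
    flake = "git+https://git.sokrates.example/fleet/nixos-config?ref=stable";  # placeholder
    flags = [ "--refresh" ];       # re-check the ref instead of trusting the local flake cache
    dates = "04:15";
    randomizedDelaySec = "45min";  # spread the fleet's polls over the window
    allowReboot = false;           # a kernel change waits for a maintenance window
  };

  # Only the Sókrates cache is a substituter and only its key is trusted.
  # A missing store path then fails the upgrade cleanly instead of starting a
  # source build whose fetches the whitelist would block part-way through.
  nix.settings = {
    substituters = lib.mkForce [ "https://cache.sokrates.example" ];                    # placeholder
    trusted-public-keys = lib.mkForce [ "cache.sokrates.example-1:REPLACE_WITH_CACHE_KEY" ];
    fallback = false;
  };

  # Keep enough generations on the ESP for rollback (assumes systemd-boot).
  boot.loader.systemd-boot.configurationLimit = 10;
}
```

The fleet-side check that goes with this is simple: the Sókrates cache must publish every store path the pinned configuration closes over, or the nightly upgrade timer fails on the first box that has not seen that path before.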

Backups of the Eidos (Neo4j) graph are encrypted client-side on the box before being shipped to the Sókrates infrastructure over the whitelisted management channel.