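# =============================================================================
# Agent Zero AI Stack — NUC Deployment (RKE2 Bare-Metal)
# =============================================================================
# Deploys: AgentZero (agent UI) on RKE2 cluster
# Ollama:  edge1 Pi 5 at 10.0.57.15:11434 (qwen2.5-coder:7b, CPU)
# Target:  RKE2 bare-metal cluster, namespace: agent-zero
#
# Differences from LOCAL (WSL K3s):
#   - Uses Longhorn StorageClass (not local-path)
#   - Connects to edge1 Pi 5 Ollama (not workstation R9700)
#   - NO Anthropic API key (free/local models only)
#   - NO Piper TTS or Kiwix (edge1 handles TTS, no Wikipedia needed)
#   - NO hostPath volumes (no access to Windows filesystem)
#   - Traefik IngressRoute for LAN access at agent-zero.iamworkin.lan
#   - Knowledge base mounted from the agent-zero-knowledge PVC (not hostPath);
#     any ConfigMap-based loading happens outside this file
#
# Available Ollama models on edge1:
#   - qwen2.5-coder:7b  ~4.7 GB  Code generation (CPU, Q4_K_M)
#
# Security review notes (details are inline at each resource):
#   - The agent's ServiceAccount is bound to cluster-admin.
#   - The image uses the mutable ':latest' tag.
#   - The IngressRoute has no authentication middleware.
#   - The NetworkPolicy allows egress to all public IPs on all ports.
#
# Apply: KUBECONFIG=~/.kube/rke2.yaml kubectl apply -f agent-zero-nuc.yaml
# =============================================================================
---
apiVersion: v1
kind: Namespace
metadata:
  name: agent-zero
  labels:
    app.kubernetes.io/part-of: agent-zero-stack

# =============================================================================
# Persistent Volume Claims (Longhorn)
# =============================================================================
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: agent-zero-data
  namespace: agent-zero
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: longhorn
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: agent-zero-knowledge
  namespace: agent-zero
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: longhorn
  resources:
    requests:
      storage: 1Gi

# =============================================================================
# RBAC — Give Agent Zero kubectl access to the cluster
# =============================================================================
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-zero
  namespace: agent-zero
---
# NOTE(review): this binds the agent's ServiceAccount to cluster-admin, i.e.
# unrestricted access to every resource in every namespace (Secrets, RBAC,
# workloads on all nodes). The pod runs an LLM-driven agent that is reachable
# through the IngressRoute below and has internet egress, so whatever can
# influence the agent's tool calls inherits these rights. Prefer a namespaced
# Role, or a ClusterRole limited to the verbs and resources the agent really
# needs (for example read-only get/list/watch), and keep cluster-admin for a
# human kubeconfig. Left unchanged here because narrowing it changes what the
# agent is able to do.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: agent-zero-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: agent-zero
    namespace: agent-zero

# =============================================================================
# Agent Zero — AI Agent Web UI (NUC Edition)
# =============================================================================
# Connects to edge1 Pi 5 Ollama (free, local models only)
# No paid API keys — uses qwen2.5-coder:7b for everything
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: agent-zero
  namespace: agent-zero
  labels:
    app: agent-zero
  annotations:
    agent-zero/deployment: "nuc"
    agent-zero/ollama: "edge1 Pi 5 (10.0.57.15:11434)"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: agent-zero
  # Recreate: the data PVCs are ReadWriteOnce, so the old pod must stop
  # before the new one starts.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: agent-zero
    spec:
      # The ServiceAccount token mounted here carries the cluster-admin
      # binding defined above.
      serviceAccountName: agent-zero
      # NOTE(review): no securityContext is set on the pod or container, so
      # it runs with the image's default user and capabilities.
      containers:
        - name: agent-zero
          # NOTE(review): ':latest' is a mutable tag, so a restart can pull
          # different code into a pod that holds cluster-admin. Pin a release
          # tag or a digest (agent0ai/agent-zero@sha256:<digest>).
          image: agent0ai/agent-zero:latest
          command: ["/bin/bash", "-c"]
          args:
            - |
              # Install kubectl if not cached.
              # The cached copy lives on the writable workspace PVC and is
              # not re-verified on reuse.
              if [ -f /a0/work/kubectl ]; then
                cp /a0/work/kubectl /usr/local/bin/kubectl
              else
                # -f makes curl fail on an HTTP error instead of saving the
                # error page as the binary; the published .sha256 file is
                # checked before the binary is installed or cached.
                curl -fsSLO "https://dl.k8s.io/release/v1.32.0/bin/linux/amd64/kubectl" && \
                curl -fsSLO "https://dl.k8s.io/release/v1.32.0/bin/linux/amd64/kubectl.sha256" && \
                echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check && \
                chmod +x kubectl && mv kubectl /usr/local/bin/kubectl && \
                cp /usr/local/bin/kubectl /a0/work/kubectl
                # Drop the checksum file and any binary that failed a step.
                rm -f kubectl kubectl.sha256
              fi
              # Run the original entrypoint
              exec /exe/initialize.sh $BRANCH
          ports:
            - containerPort: 80
          env:
            # Agent identity
            - name: AGENT_NAME
              value: "Blue Jay (NUC)"
            # Chat model — qwen2.5-coder:7b on edge1 Pi 5
            - name: A0_SET_chat_model_provider
              value: "ollama"
            - name: A0_SET_chat_model_name
              value: "qwen2.5-coder:7b"
            - name: A0_SET_chat_model_api_base
              value: "http://10.0.57.15:11434"
            - name: A0_SET_chat_model_ctx_length
              value: "32768"
            - name: A0_SET_chat_model_kwargs
              value: '{"temperature": 0, "num_ctx": 32768}'
            # Utility model — same as chat (only one model available)
            - name: A0_SET_util_model_provider
              value: "ollama"
            - name: A0_SET_util_model_name
              value: "qwen2.5-coder:7b"
            - name: A0_SET_util_model_api_base
              value: "http://10.0.57.15:11434"
            - name: A0_SET_util_model_kwargs
              value: '{"num_ctx": 8192}'
            # Embedding model — nomic-embed-text on edge1.
            # NOTE(review): this model is not in the header's list of models
            # available on edge1, and the "fallback to none" behaviour when
            # it is missing is not visible in this manifest — confirm.
            - name: A0_SET_embed_model_provider
              value: "ollama"
            - name: A0_SET_embed_model_name
              value: "nomic-embed-text"
            - name: A0_SET_embed_model_api_base
              value: "http://10.0.57.15:11434"
            # Browser model — vision disabled (no vision model on Pi); the
            # text model is still configured.
            - name: A0_SET_browser_model_provider
              value: "ollama"
            - name: A0_SET_browser_model_name
              value: "qwen2.5-coder:7b"
            - name: A0_SET_browser_model_api_base
              value: "http://10.0.57.15:11434"
            - name: A0_SET_browser_model_vision
              value: "false"
            # Agent profile
            - name: A0_SET_agent_profile
              value: "default"
            # Memory settings
            - name: A0_SET_memory_memorize_enabled
              value: "true"
            - name: A0_SET_memory_memorize_consolidation
              value: "true"
            - name: A0_SET_memory_memorize_replace_threshold
              value: "0.85"
            - name: A0_SET_memory_recall_enabled
              value: "true"
            # Speech-to-text — smallest model size (no GPU for Whisper).
            # NOTE(review): this selects a size; nothing here visibly
            # disables STT.
            - name: A0_SET_stt_model_size
              value: "tiny"
            # Kubernetes
            # NOTE(review): Kubernetes already injects these two variables;
            # the explicit entries replace the injected ClusterIP with the
            # service DNS name, so API access from the pod also depends on
            # the DNS egress rule in the NetworkPolicy below.
            - name: KUBERNETES_SERVICE_HOST
              value: "kubernetes.default.svc"
            - name: KUBERNETES_SERVICE_PORT
              value: "443"
          volumeMounts:
            - name: workspace
              mountPath: /a0/work
            - name: knowledge
              mountPath: /a0/knowledge/custom/main
          resources:
            requests:
              memory: "2Gi"
              cpu: "1000m"
            limits:
              memory: "3Gi"
              cpu: "2000m"
      volumes:
        - name: workspace
          persistentVolumeClaim:
            claimName: agent-zero-data
        - name: knowledge
          persistentVolumeClaim:
            claimName: agent-zero-knowledge
---
apiVersion: v1
kind: Service
metadata:
  name: agent-zero
  namespace: agent-zero
spec:
  type: ClusterIP
  selector:
    app: agent-zero
  ports:
    - port: 80
      targetPort: 80

# =============================================================================
# Traefik IngressRoute — LAN access at agent-zero.iamworkin.lan
# =============================================================================
# NOTE(review): the route terminates TLS but attaches no middleware, and no
# authentication setting is visible on the container, so any client that can
# reach the websecure entry point can drive an agent that holds cluster-admin.
# Put an authentication middleware (or an IP allow-list) on this route.
# The agent-zero-tls Secret is not created by this file and must already
# exist in the namespace.
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: agent-zero
  namespace: agent-zero
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`agent-zero.iamworkin.lan`)
      kind: Rule
      services:
        - name: agent-zero
          port: 80
  tls:
    secretName: agent-zero-tls

# =============================================================================
# NetworkPolicy — Restrict traffic
# =============================================================================
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agent-zero-netpol
  namespace: agent-zero
spec:
  podSelector:
    matchLabels:
      app: agent-zero
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow from Traefik
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
      ports:
        - port: 80
  egress:
    # DNS
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Ollama on edge1
    - to:
        - ipBlock:
            cidr: 10.0.57.15/32
      ports:
        - port: 11434
    # K8s API
    # NOTE(review): presumably the API server / control-plane node address —
    # confirm. The pod dials kubernetes.default.svc:443 (a ClusterIP);
    # whether that is matched against this post-DNAT endpoint rule depends
    # on the CNI.
    - to:
        - ipBlock:
            cidr: 10.0.56.11/32
      ports:
        - port: 6443
    # Allow internet egress (startup kubectl download from dl.k8s.io, etc).
    # Image pulls are done by the node's container runtime and are not
    # governed by this pod-level policy.
    # NOTE(review): no ports are listed, so every port and protocol to any
    # public address is allowed; together with cluster-admin this gives a
    # misdirected agent an unrestricted outbound path. Consider limiting this
    # rule to TCP 443, or routing it through an egress proxy with an
    # allow-list.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16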