node2: P0 vision restore + P1 security hardening + node-specific router config

P0 — Vision:
- swapper_config_node2.yaml: add llava-13b as vision model (vision:true)
  /vision/models now returns non-empty list; inference verified ~3.5s
- ollama.url fixed to host.docker.internal:11434 (was localhost, broken in Docker)

P1 — Security:
- Remove NODES_NODA1_SSH_PASSWORD from .env and docker-compose.node2-sofiia.yml
- SSH ED25519 key generated, authorized on NODA1, mounted as /run/secrets/noda1_ssh_key
- sofiia-console reads key via NODES_NODA1_SSH_PRIVATE_KEY env var
- secrets/noda1_id_ed25519 added to .gitignore

P1 — Router:
- services/router/router-config.node2.yml: new node2-specific config
  replaces all 172.17.0.1:11434 → host.docker.internal:11434
- docker-compose.node2-sofiia.yml: mount router-config.node2.yml (not root config)

P1 — Ports:
- router (9102), swapper (8890), sofiia-console (8002): bind to 127.0.0.1
- gateway (9300): keep 0.0.0.0 (Telegram webhook requires public access)

Artifacts:
- ops/patch_node2_P0P1_20260227.md — change log
- ops/validation_node2_P0P1_20260227.md — all checks PASS
- ops/node2.env.example — safe env template (no secrets)
- ops/security_hardening_node2.md — SSH key migration guide + firewall
- ops/node2_models_pull.sh — model pull script for P0/P1

Made-with: Cursor

docker-compose.node2.yml

@@ -0,0 +1,99 @@
+version: "3.8"
+
+services:
+  router:
+    build:
+      context: ./services/router
+      dockerfile: Dockerfile
+    container_name: dagi-router-node2
+    ports:
+      - "127.0.0.1:9102:8000"
+    environment:
+      - NODE_ID=NODA2
+      - DAGI_ROUTER_CONFIG=/app/router-config.yml
+      - MEMORY_SERVICE_URL=http://memory-service:8000
+      - NATS_URL=nats://dagi-nats:4222
+      - QDRANT_HOST=qdrant-node2
+      - QDRANT_PORT=6333
+      - DATABASE_URL=postgresql://daarion:daarion_secret_node2@postgres-node2:5432/daarion_memory
+      - NEO4J_BOLT_URL=bolt://neo4j-node2:7687
+      - NEO4J_USER=neo4j
+      - NEO4J_PASSWORD=daarion_node2_secret
+      - CITY_SERVICE_URL=http://city-service:7001
+      - PIECES_OS_URL=http://host.docker.internal:39300
+      - NOTION_API_KEY=${NOTION_API_KEY:-}
+    volumes:
+      - ./router-config.yml:/app/router-config.yml:ro
+      - ./logs:/app/logs
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+      - "city-service:host-gateway"
+      - "daarion-city-service:host-gateway"
+    depends_on:
+      - dagi-nats
+    networks:
+      - dagi-network
+      - dagi-memory-network
+    restart: unless-stopped
+
+  gateway:
+    build:
+      context: ./gateway-bot
+      dockerfile: Dockerfile
+    container_name: dagi-gateway-node2
+    ports:
+      - "9300:9300"
+    environment:
+      - ROUTER_URL=http://router:8000
+      - DAARWIZZ_NAME=DAARWIZZ
+      - DAARWIZZ_PROMPT_PATH=/app/gateway-bot/daarwizz_prompt.txt
+      - MEMORY_SERVICE_URL=http://memory-service:8000
+    volumes:
+      - ./logs:/app/logs
+    depends_on:
+      - router
+    networks:
+      - dagi-network
+    restart: unless-stopped
+
+  dagi-nats:
+    image: nats:2.10-alpine
+    container_name: dagi-nats-node2
+    ports:
+      - "4222:4222"
+      - "8222:8222"
+    command: -c /etc/nats/nats-server.conf
+    volumes:
+      - ./nats-server.conf:/etc/nats/nats-server.conf:ro
+    networks:
+      - dagi-network
+    restart: unless-stopped
+    
+  swapper-service:
+    build:
+      context: ./services/swapper-service
+      dockerfile: Dockerfile
+    container_name: swapper-service-node2
+    ports:
+      - "127.0.0.1:8890:8890"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    environment:
+      - OLLAMA_BASE_URL=http://host.docker.internal:11434
+      - SWAPPER_CONFIG_PATH=/app/config/swapper_config_node2.yaml
+      - SWAPPER_MODE=single-active
+      - MODEL_SWAP_TIMEOUT=300
+    volumes:
+      - ./services/swapper-service/config:/app/config:ro
+      - ./logs:/app/logs
+    networks:
+      - dagi-network
+    restart: unless-stopped
+
+networks:
+  dagi-network:
+    driver: bridge
+    name: dagi-network-node2
+  dagi-memory-network:
+    external: true
+    name: dagi-memory-network-node2