Agentic SDLC. Bring your own app or create it from scratch.
Run Large Language Models locally with HashiCorp Vault, GPG-signed commits, and rootless Podman.
| Requirement | Value | Notes |
|---|---|---|
| Container Engine | Podman 4.9+ or Docker 24+ | Podman rootless recommended; Docker supported (required for Codespaces) |
| GPG | 2.2+ | All commits must be signed |
| CPU | 4 cores | 8+ cores recommended |
| RAM | 8 GB | 16+ GB for larger models |
| Disk | 32 GB | 128+ GB for multiple models |
| OS | Linux | Ubuntu 22.04+ tested |
Container Engine (choose one):
# Podman (recommended -- primary engine)
sudo apt-get update
sudo apt-get install -y podman podman-compose
# Docker (fallback -- optional)
sudo apt-get install -y docker.io docker-compose-v2Required tools:
sudo apt-get install -y git gnupg2 ghVerify:
podman --version # Should show 4.9+
gpg --version # Should show 2.2+
gh --version # Should show 2.x+Contributors only -- CI tools:
# yamllint (available via apt)
sudo apt-get install -y yamllint
# ShellCheck 0.11.0+ (apt package 0.9.0 is too old -- use GitHub releases)
curl -sSL https://github.com/koalaman/shellcheck/releases/download/v0.11.0/shellcheck-v0.11.0.linux.x86_64.tar.xz | tar -xJ -C /tmp
sudo cp /tmp/shellcheck-v0.11.0/shellcheck /usr/local/bin/shellcheck
# gitleaks 8.21.2+ -- secret scanning (runs in pre-commit and CI)
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz | tar -xz -C /tmp
sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
# git-cliff 2.x -- changelog generation (required for the release skill)
curl -sSL https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-unknown-linux-gnu.tar.gz | tar -xz -C /tmp
sudo mv /tmp/git-cliff-2.13.1-x86_64-unknown-linux-gnu/git-cliff /usr/local/bin/git-cliffVM users (QEMU/SLIRP networking): If image pulls fail mid-download, add the following to
/etc/docker/daemon.jsonto work around MTU limitations:{"dns": ["8.8.8.8", "8.8.4.4"], "mtu": 1400, "max-concurrent-downloads": 1}Then restart Docker:
sudo systemctl restart docker
GitHub Codespaces: Docker is the container engine on Codespaces (Podman is not available -- the stack detects this automatically). Skip the Podman install above; Docker is pre-installed. For CI tools, use pip3 instead of apt for yamllint, as the apt package is not reliably available on Codespace images:
pip3 install yamllintPorts (8080, 8200, 11434, etc.) are automatically forwarded by Codespaces and accessible via the Ports panel. GPG setup (Step 3) is still required -- generate a key inside the Codespace before running
stack start.
git clone https://github.com/xencon/aixcl.git
cd aixcl
./aixcl stack initstack init automatically:
- Detects and configures Podman (rootless) or Docker
- Adds
docker=podmanalias andDOCKER_HOSTto~/.bashrc - Creates
.envfromconfig/.env.example - Creates
opencode.jsonfromconfig/opencode.json.example - Initialises all external Docker/Podman volumes
- Prompts for admin username and email
After init, reload your shell:
source ~/.bashrcGPG is mandatory -- Vault encrypts its unseal keys and root token with your GPG key at first initialisation. Without a GPG key, stack start will fail.
./scripts/utils/setup-gpg.shThis script:
- Generates a 4096-bit RSA key if none exists
- Configures Git for automatic signed commits
- Sets
GPG_TTYin your shell profile so passphrase prompts work in the terminal
Verify before proceeding:
./scripts/utils/setup-gpg.sh --verifyExport your public key and add it to GitHub (Settings > SSH and GPG keys):
./scripts/utils/setup-gpg.sh --export./aixcl stack start --profile sysThis pulls images, starts all services, initialises Vault, and generates bootstrap credentials. Allow 3-5 minutes for full startup on first run.
Note: Use
--profile bldfor a monitoring-only stack (no WebUI). Use--profile sysfor the full stack with WebUI and pgAdmin.
Check status:
./aixcl stack statusImportant: Vault auto-seals whenever its container restarts (e.g. after ./aixcl stack stop or host reboot). If services fail to start, unseal Vault first:
# Unseal Vault after every stack restart
./aixcl vault unseal
# Wait 30 seconds for bootstrap agents, then verify
./aixcl stack status./aixcl vault credentials./aixcl models add qwen2.5-coder:0.5bTest via API:
curl http://localhost:11434/v1/chat/completions \
-H "Content-Type: application/json" \
-d '{"model": "qwen2.5-coder:0.5b", "messages": [{"role": "user", "content": "Hello, are you working?"}]}'| Service | URL | Login |
|---|---|---|
| Open WebUI | http://localhost:8080 | Username: admin, Password: ./aixcl vault credentials |
| pgAdmin | http://localhost:5050 | Email: admin@example.com, Password: ./aixcl vault credentials |
| Grafana | http://localhost:3000 | Username: admin, Password: ./aixcl vault credentials |
| Vault UI | http://localhost:8200 | Token: VAULT_DEV_TOKEN env var |
| Prometheus | http://localhost:9090 | No auth (localhost only) |
| Loki | http://localhost:3100 | API only -- use Grafana for log browsing |
| Alertmanager | http://localhost:9093 | No auth (localhost only) |
| Ollama API | http://localhost:11434 | No auth (localhost only) |
Get current service credentials:
./aixcl vault credentialsEvery commit must be GPG-signed:
# Configure Git (one-time)
git config --global commit.gpgsign true
# Commits are automatically signed
vim some-file.txt
git add some-file.txt
git commit -m "feat: add new feature" # Automatically signed
# Verify signature
git log --show-signature -1| Task | Command |
|---|---|
| Check status | ./aixcl stack status |
| View logs | ./aixcl stack logs |
| Stop stack | ./aixcl stack stop |
| Add model | ./aixcl models add <model> |
| Chat CLI | opencode |
| Vault credentials | ./aixcl vault credentials |
| Rotate credentials | ./aixcl vault rotate |
| Verify GPG | gpg --list-secret-keys --keyid-format LONG |
| Install bash completion | ./aixcl utils bash-completion |
| Full clean removal | ./aixcl utils prune --all |
The following are not optional and cannot be disabled:
- Podman rootless - No privileged containers
- GPG-signed commits - All commits to main must be signed (CODEOWNERS only)
- HashiCorp Vault - Dynamic secrets with automatic rotation
- PostgreSQL SSL - Encrypted database connections
- Host firewall - Network isolation at host level
See SECURITY.md for architecture details.
# Re-run setup
./scripts/utils/setup-gpg.sh
# Verify key exists
gpg --list-secret-keys --keyid-format LONG# Check user namespaces
sysctl kernel.unprivileged_userns_clone
# Should return 1, if not:
echo 'kernel.unprivileged_userns_clone=1' | sudo tee /etc/sysctl.d/99-userns.conf
sudo sysctl --systemIf ./scripts/utils/setup-podman-rootless.sh fails, check manually:
# Verify subordinate UIDs/GIDs are configured
grep "^$(whoami):" /etc/subuid
grep "^$(whoami):" /etc/subgid
# If missing, add them manually (requires sudo)
echo "$(whoami):100000:65536" | sudo tee -a /etc/subuid
echo "$(whoami):100000:65536" | sudo tee -a /etc/subgid
# Start the podman socket manually
systemctl --user start podman.socket
# Re-run the setup script
./scripts/utils/setup-podman-rootless.sh# Check Vault status
podman logs vault | tail -20
# Ensure Vault is healthy before init
./aixcl stack status# Check for port conflicts
sudo lsof -i :11434 # Ollama
sudo lsof -i :8080 # Open WebUI
sudo lsof -i :8200 # Vault
# Soft reset -- removes volumes and state, keeps images for fast restart
./aixcl utils prune
./aixcl stack init
./aixcl stack start --profile sys
# Full wipe -- removes everything including images (slow rebuild)
./aixcl utils prune --all
./aixcl stack init
./aixcl stack start --profile sysAIXCL supports bringing your own applications (BYO) via the app framework. Install from a Git URL, scaffold a new app, or manage existing apps:
# Install an app from a Git repository
./aixcl app install https://github.com/example/my-app.git
# Scaffold a new app skeleton
./aixcl app scaffold my-app
# List, start, stop, or remove apps
./aixcl app list
./aixcl app start my-app
./aixcl app stop my-app
./aixcl app remove my-appSee docs/user/apps.md for the complete app guide.
- Add more models:
./aixcl models add qwen2.5-coder:1.5b - Customize: Edit
.envfor your environment - Learn: See docs/ for detailed guides
- Contribute: Read CONTRIBUTING.md
Apache License 2.0