phantom-ship + vps-relay: add bananasimulator service + vhost

bananasimulator.service mirrors shelfish/scuttle (fastapi + uvicorn
+ httpx + python-telegram-bot). Port 8083. ENV BS_RIPE_MIN_PER_STAGE=2
in prod (30 min total banana lifetime); preview uses 0.5 for fast
testing.

vps-relay gets a fifth vhost (bananasimulator.dannydannydanny.me)
reverse-proxying to phantom-ship over ZeroTier. The shipyard manifest
has been pointing at this URL as a placeholder since day one — now
it's actually live.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

nixos/hosts/phantom-ship.nix

@@ -48,11 +48,11 @@ in
   };
   networking.firewall.trustedInterfaces = [ "enp0s31f6" ];
 
-  # Shelfish (:8081) and Scuttle (:8082) are reachable only over the
+  # Shelfish (:8081), Scuttle (:8082), Bananasimulator (:8083) are
-  # ZeroTier mesh — the vps-relay Caddy reverse-proxies into them. Same
+  # reachable only over the ZeroTier mesh — the vps-relay Caddy
-  # pattern as sunken-ship's bbbot. Not in global allowedTCPPorts, so
+  # reverse-proxies into them. Same pattern as sunken-ship's bbbot.
-  # the WAN side stays closed.
+  # Not in global allowedTCPPorts, so the WAN side stays closed.
-  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 8081 8082 ];
+  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 8081 8082 8083 ];
 
   hardware.enableRedistributableFirmware = true;  # iwlwifi (Intel 8260) + GPU + BT firmware
 
@@ -173,6 +173,7 @@ in
     "d /var/lib/openclaw/repos 0750 openclaw openclaw - -"
     "d /home/danny/.local/share/shelfish 0755 danny users - -"
     "d /home/danny/.local/share/scuttle 0755 danny users - -"
+    "d /home/danny/.local/share/bananasimulator 0755 danny users - -"
   ];
 
   # Hara Gmail MCP server (path 1: IMAP+SMTP). Replaced by an OAuth2
@@ -325,6 +326,36 @@ in
     };
   };
 
+  # Bananasimulator — the actual project at https://bananasimulator.dannydannydanny.me
+  # (was a placeholder in shipyard's apps.json for ages). You ARE a banana.
+  # Code rsync'd from ~/python-projects/26_bananasimulator/ to /home/danny/bananasimulator/
+  systemd.services.bananasimulator = let
+    pythonEnv = pkgs.python3.withPackages (ps: with ps; [
+      fastapi
+      uvicorn
+      httpx
+      python-telegram-bot
+    ]);
+  in {
+    description = "Bananasimulator FastAPI server";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    path = [ pythonEnv ];
+    environment = {
+      SHIPYARD_BOT_TOKEN_FILE = "/home/danny/.secrets/telegram-bot-token-shipyard";
+      BS_DB_PATH = "/home/danny/.local/share/bananasimulator/bananasimulator.db";
+      BS_RIPE_MIN_PER_STAGE = "2";   # 2 min/stage → 30 min to compost in production
+    };
+    serviceConfig = {
+      WorkingDirectory = "/home/danny/bananasimulator";
+      ExecStart = "${pythonEnv}/bin/python -m uvicorn server:app --host :: --port 8083";
+      Restart = "on-failure";
+      RestartSec = 10;
+      User = "danny";
+    };
+  };
+
   # Auto-rebuild service/timer + safe.directory provided by the
   # shared dotfiles-rebuild NixOS module (see nixos/modules/dotfiles-rebuild.nix).
 }

nixos/hosts/vps-relay.nix

@@ -110,6 +110,10 @@
       "scuttle.dannydannydanny.me".extraConfig = ''
         reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:8082
       '';
+      # Bananasimulator — same backend, port 8083.
+      "bananasimulator.dannydannydanny.me".extraConfig = ''
+        reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:8083
+      '';
     };
   };