Reboot!

2025-11-28 15:52:15 -06:00 · 2025-11-28 15:52:15 -06:00 · 633a9c1856
commit 633a9c1856
parent ee31bfb7f6
12 changed files with 1308 additions and 1210 deletions
--- a/meta.nix
+++ b/meta.nix
@ -0,0 +1,528 @@
+# This is a WIP *example* meta.nix file for Metanix.
+# It captures intent / semantics, not final implementation details.
+# Expect this shape to evolve as Metanix grows teeth.
+
+{
+  ##############################
+  # Global / world-level config
+  ##############################
+
+  domain = "kasear.net";
+
+  ##############################
+  # Locations, subnets, hosts
+  #
+  # Shape:
+  # locations.<location> = {
+  #   owner  = "yaro";          # optional: default owner for this location
+  #   admins = [ "ops" ];       # optional: location-wide admins
+  #   users  = [ "monitor" ];   # optional: location-relevant users
+  #
+  #   <subnet> = {
+  #     vlan = int;              # optional (e.g. cloud may omit)
+  #     dhcp = { start = 10; end = 250; };  # optional
+  #
+  #     owner  = "ops";          # optional: overrides location.owner
+  #     admins = [ "sre" ];      # optional: adds/overrides admins
+  #     users  = [ "resident" ]; # optional: extra users relevant here
+  #
+  #     hosts = {
+  #       <hostname> = {
+  #         role = "router" | "server" | "adminWorkstation" | "coreServer" | ...;
+  #         hw-address = "aa:bb:cc:dd:ee:ff"; # optional
+  #         aliases = [ "fqdn" ... ];         # optional
+  #         interface = "eno2";               # optional
+  #         dns = false;                      # optional, default true
+  #         hostId = 42;                      # optional, for special cases
+  #
+  #         # Identity hints in THIS CONTEXT ONLY:
+  #         # These drive host-context privileges & network-plane semantics.
+  #         # System-level privilege is resolved later across all hosts.
+  #         owner  = "yaro";                  # this host’s admin owner
+  #         admins = [ "ops" "sre" ];         # host-level admins
+  #         users  = [ "analytics" ];         # host-level plain users
+  #       };
+  #     };
+  #   };
+  # };
+  ##############################
+
+  locations = {
+    cloud = {
+      # cloud-level identity hints (example)
+      owner = "yaro";
+      admins = [ "ops" ];
+      users = [ "monitor" ];
+
+      dmz = {
+        hosts = {
+          eris = {
+            role = "router";
+            aliases = [ "frontend.kasear.net" ];
+            # Example: eris dmz-side is not an admin plane for anyone by default
+            users = [ "monitor" ];
+          };
+
+          deimos-cloud = {
+            role = "server";
+            interface = "wg0";
+            # Maybe this side is treated as non-admin ingress
+            users = [ "analytics" ];
+          };
+        };
+      };
+
+      infra = {
+        # infra is effectively the config plane type for this location
+        owner = "yaro";
+        admins = [ "ops" ];
+
+        hosts = {
+          metatron = {
+            role = "coreServer";
+            owner = "yaro"; # full admin plane for yaro here
+            admins = [ "ops" ];
+          };
+
+          loki-cloud = {
+            role = "adminWorkstation";
+            owner = "yaro"; # admin workstation for yaro in cloud
+            users = [ "analytics" ]; # non-admin local user still allowed
+          };
+        };
+      };
+    };
+
+    home = {
+      owner = "yaro";
+      admins = [ "ops" ];
+
+      dmz = {
+        vlan = 1;
+
+        hosts = {
+          io = {
+            role = "router";
+            aliases = [ "external.kasear.net" ];
+          };
+
+          europa-dmz = {
+            role = "router";
+          };
+
+          deimos = {
+            role = "server";
+            hw-address = "10:98:36:a0:2c:b2";
+            interface = "eno2";
+            aliases = [
+              "kasear.net"
+              "cloud.kasear.net"
+              "git.kasear.net"
+              "majike.kasear.net"
+              "media.kasear.net"
+              "minecraft.kasear.net"
+              "public.kasear.net"
+              "test.kasear.net"
+              "vault.kasear.net"
+              "vikali.kasear.net"
+              "vpn.kasear.net"
+              "www.kasear.net"
+              "yaro.kasear.net"
+            ];
+            owner = "yaro"; # home-dmz plane: yaro is owner
+            admins = [ "ops" ];
+          };
+
+          container-host = {
+            role = "containerHost";
+            dns = false;
+          };
+
+          cloud-container = { role = "server"; dns = false; };
+          default-container = { role = "server"; dns = false; };
+          foregejo-container = { role = "server"; dns = false; };
+          majike-container = { role = "server"; dns = false; };
+          media-container = { role = "server"; dns = false; };
+          vault-container = { role = "server"; dns = false; };
+          vikali-container = { role = "server"; dns = false; };
+          vpn-container = { role = "server"; dns = false; };
+          yaro-container = { role = "server"; dns = false; };
+        };
+      };
+
+      main = {
+        vlan = 10;
+        dhcp = { start = 1; end = 250; };
+
+        hosts = {
+          europa = {
+            role = "router";
+            aliases = [ "internal.kasear.net" ];
+          };
+
+          terra = {
+            role = "infraDevice";
+            hw-address = "48:a9:8a:2d:7f:34";
+            aliases = [ "core.kasear.net" ];
+            # terra as admin workstation-like infra endpoint
+            role = "adminWorkstation";
+            owner = "yaro";
+          };
+
+          artemis = {
+            role = "infraDevice";
+            hw-address = "54:af:97:02:2f:15";
+          };
+
+          luna = {
+            role = "infraDevice";
+            hw-address = "30:23:03:48:4c:75";
+          };
+
+          phobos = {
+            role = "server";
+            hw-address = "10:98:36:a9:4a:26";
+            aliases = [
+              "pbx.kasear.net"
+              "private.kasear.net"
+            ];
+          };
+
+          printer = {
+            role = "printer";
+            hw-address = "84:25:19:60:de:1e";
+            aliases = [ "printer.kasear.net" ];
+          };
+
+          tv = {
+            role = "media";
+            hw-address = "00:18:dd:04:9b:a8";
+            aliases = [ "tv.kasear.net" ];
+          };
+
+          ip-phone = {
+            role = "phone";
+            hw-address = "80:5e:c0:de:3d:66";
+          };
+        };
+      };
+
+      guest = {
+        vlan = 20;
+        dhcp = { start = 1; end = 250; };
+
+        hosts = {
+          europa-guest = { role = "router"; };
+        };
+      };
+
+      iot = {
+        vlan = 30;
+
+        hosts = {
+          europa-iot = { role = "router"; };
+
+          phobos-iot = {
+            role = "server";
+            hw-address = "10:98:36:a9:4a:26";
+          };
+
+          kitchen-echo = {
+            role = "appliance";
+            hw-address = "50:dc:e7:80:91:55";
+          };
+
+          bedroom-echo = {
+            role = "appliance";
+            hw-address = "f8:54:b8:21:f6:83";
+          };
+
+          lab-echo = {
+            role = "appliance";
+            hw-address = "08:84:9d:74:4d:c6";
+          };
+
+          camera1 = {
+            role = "camera";
+            hw-address = "9c:8e:cd:38:95:1f";
+            aliases = [ "camera1.kasear.net" ];
+          };
+
+          camera2 = {
+            role = "camera";
+            hw-address = "9c:8e:cd:38:95:15";
+            aliases = [ "camera2.kasear.net" ];
+          };
+
+          camera2-wifi = {
+            role = "camera";
+            hw-address = "9c:8e:cd:38:9a:fd";
+          };
+
+          samsung-tv = {
+            role = "appliance";
+            hw-address = "04:e4:b6:23:81:fc";
+          };
+        };
+      };
+
+      storage = {
+        vlan = 40;
+        dhcp = { start = 1; end = 250; };
+
+        hosts = {
+          europa-storage = { role = "router"; };
+
+          ganymede = {
+            role = "nas";
+            aliases = [ "storage.kasear.net" ];
+          };
+        };
+      };
+
+      management = {
+        vlan = 70;
+
+        hosts = {
+          deimos-idrac = {
+            role = "oobMgmt";
+            hw-address = "10:98:36:a0:2c:b3";
+          };
+
+          phobos-idrac = {
+            role = "oobMgmt";
+            hw-address = "10:98:36:a9:4a:27";
+          };
+
+          ganymede-idrac = {
+            role = "oobMgmt";
+            hw-address = "14:18:77:51:4b:b5";
+          };
+        };
+      };
+    };
+  };
+
+  ##############################
+  # Systems
+  #
+  # systems.<systemName> = {
+  #   tags = [
+  #     "router"      # role-like behavior
+  #     "public"      # exposed to public internet
+  #     "upstream"    # authoritative / config-plane provider (Kea/Knot/Unbound/WG server)
+  #     "downstream"  # router profile consuming upstream config-plane
+  #   ];
+  #
+  #   # Primary/default context for this system
+  #   location = "home" | "cloud" | ...;
+  #   subnet   = "dmz" | "main" | ...;
+  #
+  #   # Hosts that represent this system in different contexts.
+  #   # Metanix will:
+  #   #   - compute per-host identity/privilege from locations
+  #   #   - then collapse them to system-level privileges using a
+  #   #     "highest privilege across hosts" rule when conflicts occur.
+  #   hosts    = [ "deimos" "deimos-cloud" ];
+  #
+  #   # Optional: system-level identity hints (mostly additive)
+  #   # owner  = "yaro";
+  #   # admins = [ "ops" ];
+  #   # users  = [ "monitor" ];
+  #
+  #   services = {
+  #     <serviceName> = {
+  #       enable = true;           # optional; presence may imply true
+  #       tags   = [ "upstream" ]; # service-specific semantics (optional)
+  #       config = { };            # free-form options for the module
+  #     };
+  #   };
+  #
+  #   resources = {
+  #     <resourceName> = {
+  #       # describes what this system provides (DNS, DHCP, WG, etc)
+  #       # Metanix will map this to actual service configs.
+  #     };
+  #   };
+  #
+  #   consumers = {
+  #     <resourceName> = {
+  #       provider = "phobos" | "frontend.kasear.net" | "1.1.1.1" | "metatron";
+  #     };
+  #   };
+  #
+  #   configuration = ./systems/.../default.nix;  # local NixOS config hook
+  # };
+  ##############################
+
+  systems = {
+    eris = {
+      tags = [ "router" "public" /* "downstream" */ ];
+      location = "cloud";
+      subnet = "dmz";
+      hosts = [ "eris" ];
+
+      services = {
+        # Example: public-facing Unbound, could act as upstream resolver
+        unbound = {
+          enable = true;
+          tags = [ "upstream" ];
+          config = { };
+        };
+
+        wireguard = {
+          enable = true;
+          config = { };
+        };
+      };
+
+      resources = {
+        dns = { };
+        wireguard = { };
+      };
+
+      consumers = {
+        # Example: eris itself might delegate recursion to some other system
+        # or upstream; here we override the global default to "metatron".
+        dns = { provider = "metatron"; };
+      };
+
+      configuration = ./systems/x86_64-linux/eris/default.nix;
+    };
+
+    deimos = {
+      tags = [ "server" "public" ];
+      location = "home";
+      subnet = "dmz";
+      hosts = [ "deimos" "deimos-cloud" ];
+
+      services = {
+        # enable is optional; presence in this attrset implies enable = true by default.
+        headscale = { enable = true; config = { }; };
+        nginx-proxy = { enable = true; config = { }; };
+        nginx = { enable = true; config = { }; };
+        httpd = { enable = false; config = { }; }; # explicit disable
+        nextcloud = { enable = true; config = { }; };
+        jellyfin = { enable = true; config = { }; };
+        foregejo = { enable = true; config = { }; };
+        vaultwarden = { enable = true; config = { }; };
+      };
+
+      resources = {
+        # logical resources provided by this system
+        web = { };
+        media = { };
+        git = { };
+        auth = { };
+      };
+
+      consumers = {
+        dns = { provider = "eris"; }; # use eris as DNS
+        dhcp = { provider = "phobos"; }; # explicit, even if matches default
+      };
+
+      configuration = ./systems/x86_64-linux/deimos/default.nix;
+    };
+  };
+
+  ##############################
+  # Global resource consumers
+  #
+  # Defaults that apply if systems.<name>.consumers.<res>.provider
+  # is not specified.
+  ##############################
+
+  consumers = {
+    dhcp = {
+      provider = "phobos";
+    };
+
+    dns = {
+      provider = "1.1.1.1";
+    };
+
+    wireguard = {
+      provider = "frontend.kasear.net";
+    };
+  };
+
+  ##############################
+  # Policy layer (identities, ACL, shared configs)
+  #
+  # Intended shape:
+  #
+  # policy = {
+  #   users = {
+  #     yaro = { uid = 10010; groups = [ "admins" ]; ... };
+  #     ops  = { uid = 10011; groups = [ "ops" ];    ... };
+  #   };
+  #
+  #   groups = {
+  #     admins = { gid = 20010; members = [ "yaro" ]; };
+  #     ops    = { gid = 20011; members = [ "ops" ];  };
+  #   };
+  #
+  #   globals = {
+  #     # Global identities that tend to exist everywhere.
+  #     owner  = [ "root-overlord" ];  # potential global owners
+  #     admins = [ "sre" ];            # global admins
+  #     users  = [ "monitor" ];        # global plain users
+  #   };
+  #
+  #   configurations = {
+  #     firefoxProfile = {
+  #       targets = {
+  #         users  = [ "devs" ];
+  #         groups = [ "desktopUsers" ];
+  #         # systems / locations / subnets could also be targeted
+  #       };
+  #
+  #       module = ./policy/firefox.nix;    # NixOS/home-manager module
+  #       options = {
+  #         extensions = [ "uBlockOrigin" "multi-account-containers" ];
+  #         homepage   = "https://intranet.kasear.net";
+  #       };
+  #     };
+  #
+  #     extraHosts = {
+  #       targets = {
+  #         systems = [ "deimos" "metatron" ];
+  #       };
+  #
+  #       module = ./policy/extra-hosts.nix;
+  #       options = {
+  #         hosts = {
+  #           "special.internal" = "203.0.113.7";
+  #         };
+  #       };
+  #     };
+  #   };
+  #
+  #   acl = {
+  #     "storage-access" = {
+  #       principals = [ "admins" "mediaClients" ];
+  #       resources  = [ "ganymede" ];
+  #       capabilities = [ "mount-nfs" "read-media" ];
+  #     };
+  #
+  #     "cloud-admin" = {
+  #       principals = [ "yaro" "admins" ];
+  #       resources  = [ "location:cloud" ];
+  #       capabilities = [ "ssh" "sudo" "manage-services" ];
+  #     };
+  #   };
+  # };
+  ##############################
+
+  policy = {
+    users = { };
+    groups = { };
+    globals = {
+      owner = [ ];
+      admins = [ ];
+      users = [ ];
+    };
+    configurations = { };
+    acl = { };
+  };
+}