Better meta.nix.

Yaro Kasear 2025-11-28 19:35:18 -06:00
parent 31660782fa
commit e5326f0af6

348
meta.nix

@ -1,102 +1,36 @@
# This is a WIP *example* meta.nix file for Metanix.
# It captures intent / semantics, not final implementation details.
# Expect this shape to evolve as Metanix grows teeth.
{
##############################
# Global / world-level config
##############################
domain = "kasear.net";
##############################
# Locations, subnets, hosts
#
# Shape:
# locations.<location> = {
# owner = "yaro"; # optional: default owner for this location
# admins = [ "ops" ]; # optional: location-wide admins
# users = [ "monitor" ]; # optional: location-relevant users
#
# <subnet> = {
# vlan = int; # optional (e.g. cloud may omit)
# dhcp = { start = 10; end = 250; }; # optional
#
# owner = "ops"; # optional: overrides location.owner
# admins = [ "sre" ]; # optional: adds/overrides admins
# users = [ "resident" ]; # optional: extra users relevant here
#
# hosts = {
# <hostname> = {
# role = "router" | "server" | "adminWorkstation" | "coreServer" | ...;
# hw-address = "aa:bb:cc:dd:ee:ff"; # optional
# aliases = [ "fqdn" ... ]; # optional
# interface = "eno2"; # optional
# dns = false; # optional, default true
# hostId = 42; # optional, for special cases
#
# # Identity hints in THIS CONTEXT ONLY:
# # These drive host-context privileges & network-plane semantics.
# # System-level privilege is resolved later across all hosts.
# owner = "yaro"; # this hosts admin owner
# admins = [ "ops" "sre" ]; # host-level admins
# users = [ "analytics" ]; # host-level plain users
# };
# };
# };
# };
##############################
locations = {
cloud = {
# cloud-level identity hints (example)
owner = "yaro";
admins = [ "ops" ];
users = [ "monitor" ];
dmz = {
hosts = {
eris = {
role = "router";
aliases = [ "frontend.kasear.net" ];
# Example: eris dmz-side is not an admin plane for anyone by default
users = [ "monitor" ];
};
deimos-cloud = {
role = "server";
interface = "wg0";
# Maybe this side is treated as non-admin ingress
users = [ "analytics" ];
};
};
};
infra = {
# infra is effectively the config plane type for this location
owner = "yaro";
admins = [ "ops" ];
hosts = {
metatron = {
role = "coreServer";
owner = "yaro"; # full admin plane for yaro here
admins = [ "ops" ];
};
loki-cloud = {
role = "adminWorkstation";
owner = "yaro"; # admin workstation for yaro in cloud
users = [ "analytics" ]; # non-admin local user still allowed
};
};
};
};
home = {
owner = "yaro";
admins = [ "ops" ];
dmz = {
vlan = 1;
@ -113,7 +47,6 @@
deimos = {
role = "server";
hw-address = "10:98:36:a0:2c:b2";
interface = "eno2";
aliases = [
"kasear.net"
"cloud.kasear.net"
@ -129,8 +62,6 @@
"www.kasear.net"
"yaro.kasear.net"
];
owner = "yaro"; # home-dmz plane: yaro is owner
admins = [ "ops" ];
};
container-host = {
@ -152,7 +83,6 @@
main = {
vlan = 10;
dhcp = { start = 1; end = 250; };
hosts = {
europa = {
@ -164,8 +94,6 @@
role = "infraDevice";
hw-address = "48:a9:8a:2d:7f:34";
aliases = [ "core.kasear.net" ];
# terra as admin workstation-like infra endpoint
owner = "yaro";
};
artemis = {
@ -203,15 +131,40 @@
role = "phone";
hw-address = "80:5e:c0:de:3d:66";
};
home-main-dhcp-start = {
role = "pool";
hostId = 1;
dns = false;
};
home-main-dhcp-end = {
role = "pool";
hostId = 250;
dns = false;
};
};
};
guest = {
vlan = 20;
dhcp = { start = 1; end = 250; };
hosts = {
europa-guest = { role = "router"; };
europa-guest = {
role = "router";
};
home-guest-dhcp-start = {
role = "pool";
hostId = 1;
dns = false;
};
home-guest-dhcp-end = {
role = "pool";
hostId = 250;
dns = false;
};
};
};
@ -219,7 +172,9 @@
vlan = 30;
hosts = {
europa-iot = { role = "router"; };
europa-iot = {
role = "router";
};
phobos-iot = {
role = "server";
@ -267,15 +222,28 @@
storage = {
vlan = 40;
dhcp = { start = 1; end = 250; };
hosts = {
europa-storage = { role = "router"; };
europa-storage = {
role = "router";
};
ganymede = {
role = "nas";
aliases = [ "storage.kasear.net" ];
};
home-storage-dhcp-start = {
role = "pool";
hostId = 1;
dns = false;
};
home-storage-dhcp-end = {
role = "pool";
hostId = 250;
dns = false;
};
};
};
@ -302,226 +270,8 @@
};
};
##############################
# Systems
#
# systems.<systemName> = {
# tags = [
# "router" # role-like behavior
# "public" # exposed to public internet
# "upstream" # authoritative / config-plane provider (Kea/Knot/Unbound/WG server)
# "downstream" # router profile consuming upstream config-plane
# ];
#
# # Primary/default context for this system
# location = "home" | "cloud" | ...;
# subnet = "dmz" | "main" | ...;
#
# # Hosts that represent this system in different contexts.
# # Metanix will:
# # - compute per-host identity/privilege from locations
# # - then collapse them to system-level privileges using a
# # "highest privilege across hosts" rule when conflicts occur.
# hosts = [ "deimos" "deimos-cloud" ];
#
# # Optional: system-level identity hints (mostly additive)
# # owner = "yaro";
# # admins = [ "ops" ];
# # users = [ "monitor" ];
#
# services = {
# <serviceName> = {
# enable = true; # optional; presence may imply true
# tags = [ "upstream" ]; # service-specific semantics (optional)
# config = { }; # free-form options for the module
# };
# };
#
# resources = {
# <resourceName> = {
# # describes what this system provides (DNS, DHCP, WG, etc)
# # Metanix will map this to actual service configs.
# };
# };
#
# consumers = {
# <resourceName> = {
# provider = "phobos" | "frontend.kasear.net" | "1.1.1.1" | "metatron";
# };
# };
#
# configuration = ./systems/.../default.nix; # local NixOS config hook
# };
##############################
systems = {
eris = {
tags = [ "router" "public" /* "downstream" */ ];
location = "cloud";
subnet = "dmz";
hosts = [ "eris" ];
services = {
# Example: public-facing Unbound, could act as upstream resolver
unbound = {
enable = true;
tags = [ "upstream" ];
config = { };
};
wireguard = {
enable = true;
config = { };
};
};
resources = {
dns = { };
wireguard = { };
};
consumers = {
# Example: eris itself might delegate recursion to some other system
# or upstream; here we override the global default to "metatron".
dns = { provider = "metatron"; };
};
configuration = ./systems/x86_64-linux/eris/default.nix;
};
deimos = {
tags = [ "server" "public" ];
location = "home";
subnet = "dmz";
hosts = [ "deimos" "deimos-cloud" ];
services = {
# enable is optional; presence in this attrset implies enable = true by default.
headscale = { enable = true; config = { }; };
nginx-proxy = { enable = true; config = { }; };
nginx = { enable = true; config = { }; };
httpd = { enable = false; config = { }; }; # explicit disable
nextcloud = { enable = true; config = { }; };
jellyfin = { enable = true; config = { }; };
foregejo = { enable = true; config = { }; };
vaultwarden = { enable = true; config = { }; };
};
resources = {
# logical resources provided by this system
web = { };
media = { };
git = { };
auth = { };
};
consumers = {
dns = { provider = "eris"; }; # use eris as DNS
dhcp = { provider = "phobos"; }; # explicit, even if matches default
};
configuration = ./systems/x86_64-linux/deimos/default.nix;
};
};
##############################
# Global resource consumers
#
# Defaults that apply if systems.<name>.consumers.<res>.provider
# is not specified.
##############################
consumers = {
dhcp = {
provider = "phobos";
};
dns = {
provider = "1.1.1.1";
};
wireguard = {
provider = "frontend.kasear.net";
};
};
##############################
# Policy layer (identities, ACL, shared configs)
#
# Intended shape:
#
# policy = {
# users = {
# yaro = { uid = 10010; groups = [ "admins" ]; ... };
# ops = { uid = 10011; groups = [ "ops" ]; ... };
# };
#
# groups = {
# admins = { gid = 20010; members = [ "yaro" ]; };
# ops = { gid = 20011; members = [ "ops" ]; };
# };
#
# globals = {
# # Global identities that tend to exist everywhere.
# owner = [ "root-overlord" ]; # potential global owners
# admins = [ "sre" ]; # global admins
# users = [ "monitor" ]; # global plain users
# };
#
# configurations = {
# firefoxProfile = {
# targets = {
# users = [ "devs" ];
# groups = [ "desktopUsers" ];
# # systems / locations / subnets could also be targeted
# };
#
# module = ./policy/firefox.nix; # NixOS/home-manager module
# options = {
# extensions = [ "uBlockOrigin" "multi-account-containers" ];
# homepage = "https://intranet.kasear.net";
# };
# };
#
# extraHosts = {
# targets = {
# systems = [ "deimos" "metatron" ];
# };
#
# module = ./policy/extra-hosts.nix;
# options = {
# hosts = {
# "special.internal" = "203.0.113.7";
# };
# };
# };
# };
#
# acl = {
# "storage-access" = {
# principals = [ "admins" "mediaClients" ];
# resources = [ "ganymede" ];
# capabilities = [ "mount-nfs" "read-media" ];
# };
#
# "cloud-admin" = {
# principals = [ "yaro" "admins" ];
# resources = [ "location:cloud" ];
# capabilities = [ "ssh" "sudo" "manage-services" ];
# };
# };
# };
##############################
policy = {
users = { };
groups = { };
globals = {
owner = [ ];
admins = [ ];
users = [ ];
};
configurations = { };
acl = { };
};
# You can add these later if you want to match the bigger design:
# systems = { };
# consumers = { };
# policy = { };
}
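Review bot: The DHCP pool is now expressed twice in the `main`, `guest` and `storage` subnets — as `dhcp = { start = 1; end = 250; };` and again as the `home-*-dhcp-start` / `-end` pseudo-hosts with `hostId = 1` and `hostId = 250` — so the two copies can silently drift apart; the pool hosts are added by this commit, while the side of the `dhcp = …` lines cannot be recovered from this rendering. A comment on the first pool entry (`home-main-dhcp-start`) such as `# pool bounds: keep in sync with this subnet's dhcp.start / dhcp.end` would make the coupling visible, or one of the two forms should be dropped. Separately, a pool beginning at hostId 1 leaves no addresses outside the pool for `europa-guest` and `europa-storage`, which carry no `hostId`; if the router is expected at .1 (the schema comment's own example uses `start = 10`), a pool start above the router's address avoids a lease colliding with the gateway. The routers' addresses are not visible here, so this may already be handled elsewhere.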