From e5326f0af6f1279970d7416ec237cdf46dce7504 Mon Sep 17 00:00:00 2001 From: Yaro Kasear Date: Fri, 28 Nov 2025 19:35:18 -0600 Subject: [PATCH] Better meta.nix. --- meta.nix | 348 ++++++++----------------------------------------------- 1 file changed, 49 insertions(+), 299 deletions(-) diff --git a/meta.nix b/meta.nix index 745bec0..9957a74 100644 --- a/meta.nix +++ b/meta.nix 
@@ -1,102 +1,36 @@ -# This is a WIP *example* meta.nix file for Metanix. -# It captures intent / semantics, not final implementation details. -# Expect this shape to evolve as Metanix grows teeth. - { - ############################## - # Global / world-level config - ############################## - domain = "kasear.net"; - ############################## - # Locations, subnets, hosts - # - # Shape: - # locations. = { - # owner = "yaro"; # optional: default owner for this location - # admins = [ "ops" ]; # optional: location-wide admins - # users = [ "monitor" ]; # optional: location-relevant users - # - # = { - # vlan = int; # optional (e.g. cloud may omit) - # dhcp = { start = 10; end = 250; }; # optional - # - # owner = "ops"; # optional: overrides location.owner - # admins = [ "sre" ]; # optional: adds/overrides admins - # users = [ "resident" ]; # optional: extra users relevant here - # - # hosts = { - # = { - # role = "router" | "server" | "adminWorkstation" | "coreServer" | ...; - # hw-address = "aa:bb:cc:dd:ee:ff"; # optional - # aliases = [ "fqdn" ... ]; # optional - # interface = "eno2"; # optional - # dns = false; # optional, default true - # hostId = 42; # optional, for special cases - # - # # Identity hints in THIS CONTEXT ONLY: - # # These drive host-context privileges & network-plane semantics. - # # System-level privilege is resolved later across all hosts. 
- # owner = "yaro"; # this host’s admin owner - # admins = [ "ops" "sre" ]; # host-level admins - # users = [ "analytics" ]; # host-level plain users - # }; - # }; - # }; - # }; - ############################## - locations = { cloud = { - # cloud-level identity hints (example) owner = "yaro"; - admins = [ "ops" ]; - users = [ "monitor" ]; - dmz = { hosts = { eris = { role = "router"; aliases = [ "frontend.kasear.net" ]; - # Example: eris dmz-side is not an admin plane for anyone by default - users = [ "monitor" ]; }; deimos-cloud = { role = "server"; - interface = "wg0"; - # Maybe this side is treated as non-admin ingress - users = [ "analytics" ]; }; }; }; infra = { - # infra is effectively the config plane type for this location - owner = "yaro"; - admins = [ "ops" ]; - hosts = { metatron = { role = "coreServer"; - owner = "yaro"; # full admin plane for yaro here - admins = [ "ops" ]; }; loki-cloud = { role = "adminWorkstation"; - owner = "yaro"; # admin workstation for yaro in cloud - users = [ "analytics" ]; # non-admin local user still allowed }; }; }; }; home = { - owner = "yaro"; - admins = [ "ops" ]; - dmz = { vlan = 1; @@ -113,7 +47,6 @@ deimos = { role = "server"; hw-address = "10:98:36:a0:2c:b2"; - interface = "eno2"; aliases = [ "kasear.net" "cloud.kasear.net" @@ -129,8 +62,6 @@ "www.kasear.net" "yaro.kasear.net" ]; - owner = "yaro"; # home-dmz plane: yaro is owner - admins = [ "ops" ]; }; container-host = { @@ -152,7 +83,6 @@ main = { vlan = 10; - dhcp = { start = 1; end = 250; }; hosts = { europa = { @@ -164,8 +94,6 @@ role = "infraDevice"; hw-address = "48:a9:8a:2d:7f:34"; aliases = [ "core.kasear.net" ]; - # terra as admin workstation-like infra endpoint - owner = "yaro"; }; artemis = { 
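Review bot: `cloud` still carries `owner = "yaro";` on the new side of this hunk while every other identity hint is deleted — `owner`/`admins`/`users` on `home`, on the dmz/infra hosts here, on `deimos` in `@@ -129,8 +62,6 @@` and on `terra` in `@@ -164,8 +94,6 @@` — and the header comment that defined what `owner` meant is gone with them. If the field is no longer consumed it should go too for consistency; if it is still meaningful, the one survivor needs a comment saying what it controls, e.g. `# owner: default admin identity for every host in this location`. The header comment was also the only place the `role` values were enumerated; a one-line list above `locations` would keep that documented for readers of the trimmed file. The enclosing attrset continues past the end of this hunk.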
@@ -203,15 +131,40 @@ role = "phone"; hw-address = "80:5e:c0:de:3d:66"; }; + + home-main-dhcp-start = { + role = "pool"; + hostId = 1; + dns = false; + }; + + home-main-dhcp-end = { + role = "pool"; + hostId = 250; + dns = false; + }; }; }; guest = { vlan = 20; - dhcp = { start = 1; end = 250; }; hosts = { - europa-guest = { role = "router"; }; + europa-guest = { + role = "router"; + }; + + home-guest-dhcp-start = { + role = "pool"; + hostId = 1; + dns = false; + }; + + home-guest-dhcp-end = { + role = "pool"; + hostId = 250; + dns = false; + }; }; }; @@ -219,7 +172,9 @@ vlan = 30; hosts = { - europa-iot = { role = "router"; }; + europa-iot = { + role = "router"; + }; phobos-iot = { role = "server"; @@ -267,15 +222,28 @@ storage = { vlan = 40; - dhcp = { start = 1; end = 250; }; hosts = { - europa-storage = { role = "router"; }; + europa-storage = { + role = "router"; + }; ganymede = { role = "nas"; aliases = [ "storage.kasear.net" ]; }; + + home-storage-dhcp-start = { + role = "pool"; + hostId = 1; + dns = false; + }; + + home-storage-dhcp-end = { + role = "pool"; + hostId = 250; + dns = false; + }; }; }; 
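Review bot: The new pool sentinels `home-main-dhcp-start`/`home-main-dhcp-end` span `hostId = 1` to `hostId = 250`, i.e. essentially the whole usable range, and nothing in the hunk excludes the statically described hosts of the same subnet (`europa`, `terra`, `artemis`, … carry a `hw-address` but no `hostId`) or the router's own address from that range; whether the evaluator subtracts reservations from a `role = "pool"` range is not visible here. If the intent is a dynamic range alongside fixed addresses, starting the pool above the static block (`hostId = 100;`, say) or a comment stating that pool ranges exclude reservations would make the contract explicit. The same applies to the guest pool later in this hunk and the storage pool in `@@ -267,15 +222,28 @@`. Encoding location and subnet in the key (`home-main-`, `home-guest-`) duplicates the enclosing hierarchy; a plain `dhcp-start`/`dhcp-end` per subnet would read the same and cannot drift from its parent.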
@@ -302,226 +270,8 @@ }; }; - ############################## - # Systems - # - # systems. = { - # tags = [ - # "router" # role-like behavior - # "public" # exposed to public internet - # "upstream" # authoritative / config-plane provider (Kea/Knot/Unbound/WG server) - # "downstream" # router profile consuming upstream config-plane - # ]; - # - # # Primary/default context for this system - # location = "home" | "cloud" | ...; - # subnet = "dmz" | "main" | ...; - # - # # Hosts that represent this system in different contexts. - # # Metanix will: - # # - compute per-host identity/privilege from locations - # # - then collapse them to system-level privileges using a - # # "highest privilege across hosts" rule when conflicts occur. - # hosts = [ "deimos" "deimos-cloud" ]; - # - # # Optional: system-level identity hints (mostly additive) - # # owner = "yaro"; - # # admins = [ "ops" ]; - # # users = [ "monitor" ]; - # - # services = { - # = { - # enable = true; # optional; presence may imply true - # tags = [ "upstream" ]; # service-specific semantics (optional) - # config = { }; # free-form options for the module - # }; - # }; - # - # resources = { - # = { - # # describes what this system provides (DNS, DHCP, WG, etc) - # # Metanix will map this to actual service configs. 
- # }; - # }; - # - # consumers = { - # = { - # provider = "phobos" | "frontend.kasear.net" | "1.1.1.1" | "metatron"; - # }; - # }; - # - # configuration = ./systems/.../default.nix; # local NixOS config hook - # }; - ############################## - - systems = { - eris = { - tags = [ "router" "public" /* "downstream" */ ]; - location = "cloud"; - subnet = "dmz"; - hosts = [ "eris" ]; - - services = { - # Example: public-facing Unbound, could act as upstream resolver - unbound = { - enable = true; - tags = [ "upstream" ]; - config = { }; - }; - - wireguard = { - enable = true; - config = { }; - }; - }; - - resources = { - dns = { }; - wireguard = { }; - }; - - consumers = { - # Example: eris itself might delegate recursion to some other system - # or upstream; here we override the global default to "metatron". - dns = { provider = "metatron"; }; - }; - - configuration = ./systems/x86_64-linux/eris/default.nix; - }; - - deimos = { - tags = [ "server" "public" ]; - location = "home"; - subnet = "dmz"; - hosts = [ "deimos" "deimos-cloud" ]; - - services = { - # enable is optional; presence in this attrset implies enable = true by default. 
- headscale = { enable = true; config = { }; }; - nginx-proxy = { enable = true; config = { }; }; - nginx = { enable = true; config = { }; }; - httpd = { enable = false; config = { }; }; # explicit disable - nextcloud = { enable = true; config = { }; }; - jellyfin = { enable = true; config = { }; }; - foregejo = { enable = true; config = { }; }; - vaultwarden = { enable = true; config = { }; }; - }; - - resources = { - # logical resources provided by this system - web = { }; - media = { }; - git = { }; - auth = { }; - }; - - consumers = { - dns = { provider = "eris"; }; # use eris as DNS - dhcp = { provider = "phobos"; }; # explicit, even if matches default - }; - - configuration = ./systems/x86_64-linux/deimos/default.nix; - }; - }; - - ############################## - # Global resource consumers - # - # Defaults that apply if systems..consumers..provider - # is not specified. - ############################## - - consumers = { - dhcp = { - provider = "phobos"; - }; - - dns = { - provider = "1.1.1.1"; - }; - - wireguard = { - provider = "frontend.kasear.net"; - }; - }; - - ############################## - # Policy layer (identities, ACL, shared configs) - # - # Intended shape: - # - # policy = { - # users = { - # yaro = { uid = 10010; groups = [ "admins" ]; ... }; - # ops = { uid = 10011; groups = [ "ops" ]; ... }; - # }; - # - # groups = { - # admins = { gid = 20010; members = [ "yaro" ]; }; - # ops = { gid = 20011; members = [ "ops" ]; }; - # }; - # - # globals = { - # # Global identities that tend to exist everywhere. 
- # owner = [ "root-overlord" ]; # potential global owners - # admins = [ "sre" ]; # global admins - # users = [ "monitor" ]; # global plain users - # }; - # - # configurations = { - # firefoxProfile = { - # targets = { - # users = [ "devs" ]; - # groups = [ "desktopUsers" ]; - # # systems / locations / subnets could also be targeted - # }; - # - # module = ./policy/firefox.nix; # NixOS/home-manager module - # options = { - # extensions = [ "uBlockOrigin" "multi-account-containers" ]; - # homepage = "https://intranet.kasear.net"; - # }; - # }; - # - # extraHosts = { - # targets = { - # systems = [ "deimos" "metatron" ]; - # }; - # - # module = ./policy/extra-hosts.nix; - # options = { - # hosts = { - # "special.internal" = "203.0.113.7"; - # }; - # }; - # }; - # }; - # - # acl = { - # "storage-access" = { - # principals = [ "admins" "mediaClients" ]; - # resources = [ "ganymede" ]; - # capabilities = [ "mount-nfs" "read-media" ]; - # }; - # - # "cloud-admin" = { - # principals = [ "yaro" "admins" ]; - # resources = [ "location:cloud" ]; - # capabilities = [ "ssh" "sudo" "manage-services" ]; - # }; - # }; - # }; - ############################## - - policy = { - users = { }; - groups = { }; - globals = { - owner = [ ]; - admins = [ ]; - users = [ ]; - }; - configurations = { }; - acl = { }; - }; + # You can add these later if you want to match the bigger design: + # systems = { }; + # consumers = { }; + # policy = { }; }
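Review bot: The replacement comment `# You can add these later if you want to match the bigger design:` is now the only trace of the removed `systems`, `consumers` and `policy` layers, and it neither says what "the bigger design" is nor where it is written down. A reader of the trimmed file cannot tell that `consumers` used to hold the default DNS/DHCP providers or that `policy` held users, groups and ACLs. Replacing it with one line per placeholder, e.g. `# systems = { };    # per-system services, resources and provider overrides`, or a pointer to the design document, would keep that intent recoverable. The enclosing attrset opens before the start of this hunk.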