# This is a WIP *example* meta.nix file for Metanix.
# It captures intent / semantics, not final implementation details.
# Expect this shape to evolve as Metanix grows teeth.
{
  ##############################
  # Global / world-level config
  ##############################
  domain = "kasear.net";

  ##############################
  # Locations, subnets, hosts
  #
  # Shape (<location>, <subnet>, <host> are placeholders for attribute names):
  #   locations.<location> = {
  #     owner  = "yaro";        # optional: default owner for this location
  #     admins = [ "ops" ];     # optional: location-wide admins
  #     users  = [ "monitor" ]; # optional: location-relevant users
  #
  #     <subnet> = {
  #       vlan = int;                        # optional (e.g. cloud may omit)
  #       dhcp = { start = 10; end = 250; }; # optional
  #
  #       owner  = "ops";        # optional: overrides location.owner
  #       admins = [ "sre" ];    # optional: adds/overrides admins
  #       users  = [ "resident" ]; # optional: extra users relevant here
  #
  #       hosts = {
  #         <host> = {
  #           role = "router" | "server" | "adminWorkstation" | "coreServer" | ...;
  #           hw-address = "aa:bb:cc:dd:ee:ff"; # optional
  #           aliases    = [ "fqdn" ... ];      # optional
  #           interface  = "eno2";              # optional
  #           dns        = false;               # optional, default true
  #           hostId     = 42;                  # optional, for special cases
  #
  #           # Identity hints in THIS CONTEXT ONLY:
  #           # These drive host-context privileges & network-plane semantics.
  #           # System-level privilege is resolved later across all hosts.
  #           owner  = "yaro";          # this host's admin owner
  #           admins = [ "ops" "sre" ]; # host-level admins
  #           users  = [ "analytics" ]; # host-level plain users
  #         };
  #       };
  #     };
  #   };
  ##############################
  locations = {
    cloud = {
      # Location-wide identity hints (example); subnets and hosts below may
      # override them for their own context.
      owner = "yaro";
      admins = [ "ops" ];
      users = [ "monitor" ];

      dmz = {
        hosts = {
          eris = {
            role = "router";
            aliases = [ "frontend.kasear.net" ];
            # Example: the dmz side of eris is not an admin plane for anyone by
            # default; only a plain user is listed here.
            users = [ "monitor" ];
          };
          deimos-cloud = {
            role = "server";
            interface = "wg0";
            # Maybe this side is treated as non-admin ingress.
            users = [ "analytics" ];
          };
        };
      };

      infra = {
        # infra is effectively the config-plane subnet type for this location.
        owner = "yaro";
        admins = [ "ops" ];
        hosts = {
          metatron = {
            role = "coreServer";
            owner = "yaro"; # full admin plane for yaro here
            admins = [ "ops" ];
          };
          loki-cloud = {
            role = "adminWorkstation";
            owner = "yaro"; # admin workstation for yaro in cloud
            users = [ "analytics" ]; # non-admin local user still allowed
          };
        };
      };
    };

    home = {
      owner = "yaro";
      admins = [ "ops" ];

      dmz = {
        vlan = 1;
        hosts = {
          io = {
            role = "router";
            aliases = [ "external.kasear.net" ];
          };
          europa-dmz = {
            role = "router";
          };
          deimos = {
            role = "server";
            hw-address = "10:98:36:a0:2c:b2";
            interface = "eno2";
            # Every public-facing vhost below resolves to this one host.
            aliases = [
              "kasear.net"
              "cloud.kasear.net"
              "git.kasear.net"
              "majike.kasear.net"
              "media.kasear.net"
              "minecraft.kasear.net"
              "public.kasear.net"
              "test.kasear.net"
              "vault.kasear.net"
              "vikali.kasear.net"
              "vpn.kasear.net"
              "www.kasear.net"
              "yaro.kasear.net"
            ];
            owner = "yaro"; # home-dmz plane: yaro is owner
            admins = [ "ops" ];
          };
          # Containers on the dmz: `dns = false` per the schema above
          # (presumably no DNS record is generated for them -- confirm).
          container-host = {
            role = "containerHost";
            dns = false;
          };
          cloud-container = {
            role = "server";
            dns = false;
          };
          default-container = {
            role = "server";
            dns = false;
          };
          # NOTE(review): spelled "foregejo" here and in systems.deimos.services;
          # if this is meant to be Forgejo, rename both together.
          foregejo-container = {
            role = "server";
            dns = false;
          };
          majike-container = {
            role = "server";
            dns = false;
          };
          media-container = {
            role = "server";
            dns = false;
          };
          vault-container = {
            role = "server";
            dns = false;
          };
          vikali-container = {
            role = "server";
            dns = false;
          };
          vpn-container = {
            role = "server";
            dns = false;
          };
          yaro-container = {
            role = "server";
            dns = false;
          };
        };
      };

      main = {
        vlan = 10;
        dhcp = {
          start = 1;
          end = 250;
        };
        hosts = {
          europa = {
            role = "router";
            aliases = [ "internal.kasear.net" ];
          };
          terra = {
            role = "infraDevice";
            hw-address = "48:a9:8a:2d:7f:34";
            aliases = [ "core.kasear.net" ];
            # terra acts as an admin-workstation-like infra endpoint.
            owner = "yaro";
          };
          artemis = {
            role = "infraDevice";
            hw-address = "54:af:97:02:2f:15";
          };
          luna = {
            role = "infraDevice";
            hw-address = "30:23:03:48:4c:75";
          };
          phobos = {
            role = "server";
            hw-address = "10:98:36:a9:4a:26";
            aliases = [ "pbx.kasear.net" "private.kasear.net" ];
          };
          printer = {
            role = "printer";
            hw-address = "84:25:19:60:de:1e";
            aliases = [ "printer.kasear.net" ];
          };
          tv = {
            role = "media";
            hw-address = "00:18:dd:04:9b:a8";
            aliases = [ "tv.kasear.net" ];
          };
          ip-phone = {
            role = "phone";
            hw-address = "80:5e:c0:de:3d:66";
          };
        };
      };

      guest = {
        vlan = 20;
        dhcp = {
          start = 1;
          end = 250;
        };
        hosts = {
          europa-guest = {
            role = "router";
          };
        };
      };

      iot = {
        vlan = 30;
        hosts = {
          europa-iot = {
            role = "router";
          };
          # NOTE(review): same hw-address as home.main.hosts.phobos -- presumably
          # one NIC present on both VLANs. Confirm the DHCP backend keys
          # reservations per subnet so the two entries do not collide.
          phobos-iot = {
            role = "server";
            hw-address = "10:98:36:a9:4a:26";
          };
          kitchen-echo = {
            role = "appliance";
            hw-address = "50:dc:e7:80:91:55";
          };
          bedroom-echo = {
            role = "appliance";
            hw-address = "f8:54:b8:21:f6:83";
          };
          lab-echo = {
            role = "appliance";
            hw-address = "08:84:9d:74:4d:c6";
          };
          camera1 = {
            role = "camera";
            hw-address = "9c:8e:cd:38:95:1f";
            aliases = [ "camera1.kasear.net" ];
          };
          camera2 = {
            role = "camera";
            hw-address = "9c:8e:cd:38:95:15";
            aliases = [ "camera2.kasear.net" ];
          };
          camera2-wifi = {
            role = "camera";
            hw-address = "9c:8e:cd:38:9a:fd";
          };
          samsung-tv = {
            role = "appliance";
            hw-address = "04:e4:b6:23:81:fc";
          };
        };
      };

      storage = {
        vlan = 40;
        dhcp = {
          start = 1;
          end = 250;
        };
        hosts = {
          europa-storage = {
            role = "router";
          };
          ganymede = {
            role = "nas";
            aliases = [ "storage.kasear.net" ];
          };
        };
      };

      # Out-of-band management: no dhcp range is declared here, unlike
      # main/guest/storage -- presumably statically addressed; confirm.
      management = {
        vlan = 70;
        hosts = {
          deimos-idrac = {
            role = "oobMgmt";
            hw-address = "10:98:36:a0:2c:b3";
          };
          phobos-idrac = {
            role = "oobMgmt";
            hw-address = "10:98:36:a9:4a:27";
          };
          ganymede-idrac = {
            role = "oobMgmt";
            hw-address = "14:18:77:51:4b:b5";
          };
        };
      };
    };
  };

  ##############################
  # Systems
  #
  # Shape (<system>, <service>, <resource>, <consumer> are placeholders):
  #   systems.<system> = {
  #     tags = [
  #       "router"     # role-like behavior
  #       "public"     # exposed to public internet
  #       "upstream"   # authoritative / config-plane provider (Kea/Knot/Unbound/WG server)
  #       "downstream" # router profile consuming upstream config-plane
  #     ];
  #
  #     # Primary/default context for this system
  #     location = "home" | "cloud" | ...;
  #     subnet   = "dmz" | "main" | ...;
  #
  #     # Hosts that represent this system in different contexts.
  #     # Metanix will:
  #     #   - compute per-host identity/privilege from locations
  #     #   - then collapse them to system-level privileges using a
  #     #     "highest privilege across hosts" rule when conflicts occur.
  #     hosts = [ "deimos" "deimos-cloud" ];
  #
  #     # Optional: system-level identity hints (mostly additive)
  #     # owner  = "yaro";
  #     # admins = [ "ops" ];
  #     # users  = [ "monitor" ];
  #
  #     services = {
  #       <service> = {
  #         enable = true;         # optional; presence may imply true
  #         tags   = [ "upstream" ]; # service-specific semantics (optional)
  #         config = { };          # free-form options for the module
  #       };
  #     };
  #
  #     resources = {
  #       <resource> = {
  #         # describes what this system provides (DNS, DHCP, WG, etc)
  #         # Metanix will map this to actual service configs.
  #       };
  #     };
  #
  #     consumers = {
  #       <consumer> = {
  #         provider = "phobos" | "frontend.kasear.net" | "1.1.1.1" | "metatron";
  #       };
  #     };
  #
  #     configuration = ./systems/.../default.nix; # local NixOS config hook
  #   };
  ##############################
  systems = {
    eris = {
      tags = [ "router" "public" /* "downstream" */ ];
      location = "cloud";
      subnet = "dmz";
      hosts = [ "eris" ];
      services = {
        # Example: public-facing Unbound, could act as upstream resolver.
        unbound = {
          enable = true;
          tags = [ "upstream" ];
          config = { };
        };
        wireguard = {
          enable = true;
          config = { };
        };
      };
      resources = {
        dns = { };
        wireguard = { };
      };
      consumers = {
        # Example: eris itself might delegate recursion to some other system
        # or upstream; here the global default is overridden to "metatron".
        dns = {
          provider = "metatron";
        };
      };
      configuration = ./systems/x86_64-linux/eris/default.nix;
    };

    deimos = {
      tags = [ "server" "public" ];
      location = "home";
      subnet = "dmz";
      hosts = [ "deimos" "deimos-cloud" ];
      services = {
        # enable is optional; presence in this attrset implies enable = true by default.
        headscale = {
          enable = true;
          config = { };
        };
        nginx-proxy = {
          enable = true;
          config = { };
        };
        nginx = {
          enable = true;
          config = { };
        };
        httpd = {
          enable = false; # explicit disable
          config = { };
        };
        nextcloud = {
          enable = true;
          config = { };
        };
        jellyfin = {
          enable = true;
          config = { };
        };
        foregejo = {
          enable = true;
          config = { };
        };
        vaultwarden = {
          enable = true;
          config = { };
        };
      };
      resources = {
        # Logical resources provided by this system.
        web = { };
        media = { };
        git = { };
        auth = { };
      };
      consumers = {
        dns = {
          provider = "eris"; # use eris as DNS
        };
        dhcp = {
          provider = "phobos"; # explicit, even if it matches the global default
        };
      };
      configuration = ./systems/x86_64-linux/deimos/default.nix;
    };
  };

  ##############################
  # Global resource consumers
  #
  # Defaults that apply if systems.<system>.consumers.<consumer>.provider
  # is not specified. Note that the dns default is an external resolver;
  # any system that does not override it resolves through it.
  ##############################
  consumers = {
    dhcp = {
      provider = "phobos";
    };
    dns = {
      provider = "1.1.1.1";
    };
    wireguard = {
      provider = "frontend.kasear.net";
    };
  };

  ##############################
  # Policy layer (identities, ACL, shared configs)
  #
  # Intended shape:
  #
  #   policy = {
  #     users = {
  #       yaro = { uid = 10010; groups = [ "admins" ]; ... };
  #       ops  = { uid = 10011; groups = [ "ops" ]; ... };
  #     };
  #
  #     groups = {
  #       admins = { gid = 20010; members = [ "yaro" ]; };
  #       ops    = { gid = 20011; members = [ "ops" ]; };
  #     };
  #
  #     globals = {
  #       # Global identities that tend to exist everywhere.
  #       owner  = [ "root-overlord" ]; # potential global owners
  #       admins = [ "sre" ];           # global admins
  #       users  = [ "monitor" ];       # global plain users
  #     };
  #
  #     configurations = {
  #       firefoxProfile = {
  #         targets = {
  #           users  = [ "devs" ];
  #           groups = [ "desktopUsers" ];
  #           # systems / locations / subnets could also be targeted
  #         };
  #
  #         module = ./policy/firefox.nix; # NixOS/home-manager module
  #         options = {
  #           extensions = [ "uBlockOrigin" "multi-account-containers" ];
  #           homepage = "https://intranet.kasear.net";
  #         };
  #       };
  #
  #       extraHosts = {
  #         targets = {
  #           systems = [ "deimos" "metatron" ];
  #         };
  #
  #         module = ./policy/extra-hosts.nix;
  #         options = {
  #           hosts = {
  #             "special.internal" = "203.0.113.7";
  #           };
  #         };
  #       };
  #     };
  #
  #     acl = {
  #       "storage-access" = {
  #         principals   = [ "admins" "mediaClients" ];
  #         resources    = [ "ganymede" ];
  #         capabilities = [ "mount-nfs" "read-media" ];
  #       };
  #
  #       "cloud-admin" = {
  #         principals   = [ "yaro" "admins" ];
  #         resources    = [ "location:cloud" ];
  #         capabilities = [ "ssh" "sudo" "manage-services" ];
  #       };
  #     };
  #   };
  ##############################
  policy = {
    users = { };
    groups = { };
    # Empty globals: nobody is granted owner/admin/user status everywhere by
    # default; privileges come only from the per-host hints above.
    globals = {
      owner = [ ];
      admins = [ ];
      users = [ ];
    };
    configurations = { };
    acl = { };
  };
}