yaro/metanix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
metanix/meta.nix
Yaro Kasear 31660782fa Testing fine so far.
2025-11-28 19:13:21 -06:00

527 lines
14 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# This is a WIP *example* meta.nix file for Metanix.
# It captures intent / semantics, not final implementation details.
# Expect this shape to evolve as Metanix grows teeth.
{
##############################
# Global / world-level config
##############################
domain = "kasear.net";
##############################
# Locations, subnets, hosts
#
# Shape:
# locations.<location> = {
# owner = "yaro"; # optional: default owner for this location
# admins = [ "ops" ]; # optional: location-wide admins
# users = [ "monitor" ]; # optional: location-relevant users
#
# <subnet> = {
# vlan = int; # optional (e.g. cloud may omit)
# dhcp = { start = 10; end = 250; }; # optional
#
# owner = "ops"; # optional: overrides location.owner
# admins = [ "sre" ]; # optional: adds/overrides admins
# users = [ "resident" ]; # optional: extra users relevant here
#
# hosts = {
# <hostname> = {
# role = "router" | "server" | "adminWorkstation" | "coreServer" | ...;
# hw-address = "aa:bb:cc:dd:ee:ff"; # optional
# aliases = [ "fqdn" ... ]; # optional
# interface = "eno2"; # optional
# dns = false; # optional, default true
# hostId = 42; # optional, for special cases
#
# # Identity hints in THIS CONTEXT ONLY:
# # These drive host-context privileges & network-plane semantics.
# # System-level privilege is resolved later across all hosts.
# owner = "yaro"; # this hosts admin owner
# admins = [ "ops" "sre" ]; # host-level admins
# users = [ "analytics" ]; # host-level plain users
# };
# };
# };
# };
##############################
locations = {
cloud = {
# cloud-level identity hints (example)
owner = "yaro";
admins = [ "ops" ];
users = [ "monitor" ];
dmz = {
hosts = {
eris = {
role = "router";
aliases = [ "frontend.kasear.net" ];
# Example: eris dmz-side is not an admin plane for anyone by default
users = [ "monitor" ];
};
deimos-cloud = {
role = "server";
interface = "wg0";
# Maybe this side is treated as non-admin ingress
users = [ "analytics" ];
};
};
};
infra = {
# infra is effectively the config plane type for this location
owner = "yaro";
admins = [ "ops" ];
hosts = {
metatron = {
role = "coreServer";
owner = "yaro"; # full admin plane for yaro here
admins = [ "ops" ];
};
loki-cloud = {
role = "adminWorkstation";
owner = "yaro"; # admin workstation for yaro in cloud
users = [ "analytics" ]; # non-admin local user still allowed
};
};
};
};
home = {
owner = "yaro";
admins = [ "ops" ];
dmz = {
vlan = 1;
hosts = {
io = {
role = "router";
aliases = [ "external.kasear.net" ];
};
europa-dmz = {
role = "router";
};
deimos = {
role = "server";
hw-address = "10:98:36:a0:2c:b2";
interface = "eno2";
aliases = [
"kasear.net"
"cloud.kasear.net"
"git.kasear.net"
"majike.kasear.net"
"media.kasear.net"
"minecraft.kasear.net"
"public.kasear.net"
"test.kasear.net"
"vault.kasear.net"
"vikali.kasear.net"
"vpn.kasear.net"
"www.kasear.net"
"yaro.kasear.net"
];
owner = "yaro"; # home-dmz plane: yaro is owner
admins = [ "ops" ];
};
container-host = {
role = "containerHost";
dns = false;
};
cloud-container = { role = "server"; dns = false; };
default-container = { role = "server"; dns = false; };
foregejo-container = { role = "server"; dns = false; };
majike-container = { role = "server"; dns = false; };
media-container = { role = "server"; dns = false; };
vault-container = { role = "server"; dns = false; };
vikali-container = { role = "server"; dns = false; };
vpn-container = { role = "server"; dns = false; };
yaro-container = { role = "server"; dns = false; };
};
};
main = {
vlan = 10;
dhcp = { start = 1; end = 250; };
hosts = {
europa = {
role = "router";
aliases = [ "internal.kasear.net" ];
};
terra = {
role = "infraDevice";
hw-address = "48:a9:8a:2d:7f:34";
aliases = [ "core.kasear.net" ];
# terra as admin workstation-like infra endpoint
owner = "yaro";
};
artemis = {
role = "infraDevice";
hw-address = "54:af:97:02:2f:15";
};
luna = {
role = "infraDevice";
hw-address = "30:23:03:48:4c:75";
};
phobos = {
role = "server";
hw-address = "10:98:36:a9:4a:26";
aliases = [
"pbx.kasear.net"
"private.kasear.net"
];
};
printer = {
role = "printer";
hw-address = "84:25:19:60:de:1e";
aliases = [ "printer.kasear.net" ];
};
tv = {
role = "media";
hw-address = "00:18:dd:04:9b:a8";
aliases = [ "tv.kasear.net" ];
};
ip-phone = {
role = "phone";
hw-address = "80:5e:c0:de:3d:66";
};
};
};
guest = {
vlan = 20;
dhcp = { start = 1; end = 250; };
hosts = {
europa-guest = { role = "router"; };
};
};
iot = {
vlan = 30;
hosts = {
europa-iot = { role = "router"; };
phobos-iot = {
role = "server";
hw-address = "10:98:36:a9:4a:26";
};
kitchen-echo = {
role = "appliance";
hw-address = "50:dc:e7:80:91:55";
};
bedroom-echo = {
role = "appliance";
hw-address = "f8:54:b8:21:f6:83";
};
lab-echo = {
role = "appliance";
hw-address = "08:84:9d:74:4d:c6";
};
camera1 = {
role = "camera";
hw-address = "9c:8e:cd:38:95:1f";
aliases = [ "camera1.kasear.net" ];
};
camera2 = {
role = "camera";
hw-address = "9c:8e:cd:38:95:15";
aliases = [ "camera2.kasear.net" ];
};
camera2-wifi = {
role = "camera";
hw-address = "9c:8e:cd:38:9a:fd";
};
samsung-tv = {
role = "appliance";
hw-address = "04:e4:b6:23:81:fc";
};
};
};
storage = {
vlan = 40;
dhcp = { start = 1; end = 250; };
hosts = {
europa-storage = { role = "router"; };
ganymede = {
role = "nas";
aliases = [ "storage.kasear.net" ];
};
};
};
management = {
vlan = 70;
hosts = {
deimos-idrac = {
role = "oobMgmt";
hw-address = "10:98:36:a0:2c:b3";
};
phobos-idrac = {
role = "oobMgmt";
hw-address = "10:98:36:a9:4a:27";
};
ganymede-idrac = {
role = "oobMgmt";
hw-address = "14:18:77:51:4b:b5";
};
};
};
};
};
##############################
# Systems
#
# systems.<systemName> = {
# tags = [
# "router" # role-like behavior
# "public" # exposed to public internet
# "upstream" # authoritative / config-plane provider (Kea/Knot/Unbound/WG server)
# "downstream" # router profile consuming upstream config-plane
# ];
#
# # Primary/default context for this system
# location = "home" | "cloud" | ...;
# subnet = "dmz" | "main" | ...;
#
# # Hosts that represent this system in different contexts.
# # Metanix will:
# # - compute per-host identity/privilege from locations
# # - then collapse them to system-level privileges using a
# # "highest privilege across hosts" rule when conflicts occur.
# hosts = [ "deimos" "deimos-cloud" ];
#
# # Optional: system-level identity hints (mostly additive)
# # owner = "yaro";
# # admins = [ "ops" ];
# # users = [ "monitor" ];
#
# services = {
# <serviceName> = {
# enable = true; # optional; presence may imply true
# tags = [ "upstream" ]; # service-specific semantics (optional)
# config = { }; # free-form options for the module
# };
# };
#
# resources = {
# <resourceName> = {
# # describes what this system provides (DNS, DHCP, WG, etc)
# # Metanix will map this to actual service configs.
# };
# };
#
# consumers = {
# <resourceName> = {
# provider = "phobos" | "frontend.kasear.net" | "1.1.1.1" | "metatron";
# };
# };
#
# configuration = ./systems/.../default.nix; # local NixOS config hook
# };
##############################
systems = {
eris = {
tags = [ "router" "public" /* "downstream" */ ];
location = "cloud";
subnet = "dmz";
hosts = [ "eris" ];
services = {
# Example: public-facing Unbound, could act as upstream resolver
unbound = {
enable = true;
tags = [ "upstream" ];
config = { };
};
wireguard = {
enable = true;
config = { };
};
};
resources = {
dns = { };
wireguard = { };
};
consumers = {
# Example: eris itself might delegate recursion to some other system
# or upstream; here we override the global default to "metatron".
dns = { provider = "metatron"; };
};
configuration = ./systems/x86_64-linux/eris/default.nix;
};
deimos = {
tags = [ "server" "public" ];
location = "home";
subnet = "dmz";
hosts = [ "deimos" "deimos-cloud" ];
services = {
# enable is optional; presence in this attrset implies enable = true by default.
headscale = { enable = true; config = { }; };
nginx-proxy = { enable = true; config = { }; };
nginx = { enable = true; config = { }; };
httpd = { enable = false; config = { }; }; # explicit disable
nextcloud = { enable = true; config = { }; };
jellyfin = { enable = true; config = { }; };
foregejo = { enable = true; config = { }; };
vaultwarden = { enable = true; config = { }; };
};
resources = {
# logical resources provided by this system
web = { };
media = { };
git = { };
auth = { };
};
consumers = {
dns = { provider = "eris"; }; # use eris as DNS
dhcp = { provider = "phobos"; }; # explicit, even if matches default
};
configuration = ./systems/x86_64-linux/deimos/default.nix;
};
};
##############################
# Global resource consumers
#
# Defaults that apply if systems.<name>.consumers.<res>.provider
# is not specified.
##############################
consumers = {
dhcp = {
provider = "phobos";
};
dns = {
provider = "1.1.1.1";
};
wireguard = {
provider = "frontend.kasear.net";
};
};
##############################
# Policy layer (identities, ACL, shared configs)
#
# Intended shape:
#
# policy = {
# users = {
# yaro = { uid = 10010; groups = [ "admins" ]; ... };
# ops = { uid = 10011; groups = [ "ops" ]; ... };
# };
#
# groups = {
# admins = { gid = 20010; members = [ "yaro" ]; };
# ops = { gid = 20011; members = [ "ops" ]; };
# };
#
# globals = {
# # Global identities that tend to exist everywhere.
# owner = [ "root-overlord" ]; # potential global owners
# admins = [ "sre" ]; # global admins
# users = [ "monitor" ]; # global plain users
# };
#
# configurations = {
# firefoxProfile = {
# targets = {
# users = [ "devs" ];
# groups = [ "desktopUsers" ];
# # systems / locations / subnets could also be targeted
# };
#
# module = ./policy/firefox.nix; # NixOS/home-manager module
# options = {
# extensions = [ "uBlockOrigin" "multi-account-containers" ];
# homepage = "https://intranet.kasear.net";
# };
# };
#
# extraHosts = {
# targets = {
# systems = [ "deimos" "metatron" ];
# };
#
# module = ./policy/extra-hosts.nix;
# options = {
# hosts = {
# "special.internal" = "203.0.113.7";
# };
# };
# };
# };
#
# acl = {
# "storage-access" = {
# principals = [ "admins" "mediaClients" ];
# resources = [ "ganymede" ];
# capabilities = [ "mount-nfs" "read-media" ];
# };
#
# "cloud-admin" = {
# principals = [ "yaro" "admins" ];
# resources = [ "location:cloud" ];
# capabilities = [ "ssh" "sudo" "manage-services" ];
# };
# };
# };
##############################
policy = {
users = { };
groups = { };
globals = {
owner = [ ];
admins = [ ];
users = [ ];
};
configurations = { };
acl = { };
};
}
Reference in a new issue View git blame Copy permalink