From 0f1f0dcc78aba9a36aceb476dc961d1804cf951d Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Wed, 1 Apr 2026 12:35:13 -0700
Subject: [PATCH] Adding straylight.

---
 flake.nix | 1 +
 hw/orion/default.nix | 25 +++++++++++++++++++++++--
 hw/straylight/default.nix | 20 ++++++++++++++++++++
 3 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 hw/straylight/default.nix

diff --git a/flake.nix b/flake.nix
index 492580d..bee9821 100644
--- a/flake.nix
+++ b/flake.nix
@@ -66,6 +66,7 @@
  "orion"
  "rift"
  "sk"
+ "straylight"
  "vade"
  ] (hostName: lib.nixosSystem {
  system = "x86_64-linux";
diff --git a/hw/orion/default.nix b/hw/orion/default.nix
index b7214f0..94481c4 100644
--- a/hw/orion/default.nix
+++ b/hw/orion/default.nix
@@ -2,11 +2,32 @@
 {
  imports = [
  ./hardware-configuration.nix
- ../../configs/desktop.nix
- ../../configs/qemu.nix
+ # orion started as a desktop with an interactive installer;
+ # the disk is already provisioned.
+ # ./disk-config.nix
  ../../configs/mcpkg.nix
+ ../../configs/mcp.nix
  ];
 
+ config = {
+ # FIDO2 LUKS unlock (matches vade setup)
+ boot.initrd.luks.devices."crypted".crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+
+ # Allow rootless containers (Podman) to bind port 53 for CoreDNS (MCNS precursor).
+ boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;
+
+ # Open ports: DNS (53), mc-proxy (443, 8443, 9443), exod (8080, 9090).
+ networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
+
+ # Route internal Metacircular zones to rift's own CoreDNS.
+ networking.nameservers = [ "192.168.88.181" ];
+ services.resolved.domains = [ "~mcp.metacircular.net" ];
+ };
+
  # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
  # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
  # while DHCP/Tailscale DNS handles everything else.
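Review bot: The new `config = { … };` wrapper in the orion hunk leaves the module in the mixed form the NixOS module system rejects: old lines 13–19 of hw/orion/default.nix, which lie past the end of this hunk and are unchanged (they are the same blob `b7214f0` that the straylight file below is created from), still define `networking.nameservers` and `services.resolved.domains` at the top level, and once a module has a top-level `config` attribute every other option must live inside it, so evaluation fails with an "unsupported attribute `networking`" error. Either drop the `config = {` and closing `};` lines and keep the new options at top level next to the existing ones, or move the trailing nameservers/resolved block inside the wrapper; note the in-wrapper `networking.nameservers = [ "192.168.88.181" ];` also omits the Tailscale address `100.95.252.120` that the top-level list carries, so pick the intended list rather than relying on list merging. Separately, `net.ipv4.ip_unprivileged_port_start = 53` is a host-wide sysctl: it lets any unprivileged local process bind every port from 53 up through 1023 (80, 443, 631, …), not only the Podman CoreDNS container, so the comment should say so, e.g. `# NOTE: host-wide; every port >= 53 becomes bindable by any unprivileged user`, or the grant should be scoped to the container (CAP_NET_BIND_SERVICE or a port mapping) instead.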
diff --git a/hw/straylight/default.nix b/hw/straylight/default.nix
new file mode 100644
index 0000000..b7214f0
--- /dev/null
+++ b/hw/straylight/default.nix
@@ -0,0 +1,20 @@
+{ inputs, pkgs, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../configs/desktop.nix
+ ../../configs/qemu.nix
+ ../../configs/mcpkg.nix
+ ];
+
+ # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
+ # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
+ # while DHCP/Tailscale DNS handles everything else.
+ networking.nameservers = [
+ "192.168.88.181"
+ "100.95.252.120"
+ ];
+ services.resolved.domains = [
+ "~mcp.metacircular.net"
+ ];
+}
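Review bot: The new module imports `./hardware-configuration.nix`, but the commit creates only `hw/straylight/default.nix` (the diffstat lists three files and one `create mode`), so unless `hw/straylight/hardware-configuration.nix` is already tracked, evaluating the `straylight` host added to flake.nix will fail because a flake only sees git-tracked paths. The file is otherwise a verbatim copy of orion's previous content (both file headers name blob `b7214f0`), so the `desktop.nix`/`qemu.nix` imports, the two nameservers and the `~mcp.metacircular.net` routing domain were inherited rather than chosen for this machine; a header comment such as `# Cloned from hw/orion before orion took the MCP role; revisit imports and nameservers for this host.` would record that for the next reader.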