Adding straylight.

hw/orion/default.nix

@@ -2,11 +2,32 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ../../configs/desktop.nix
-    ../../configs/qemu.nix
+    # orion started as a desktop with an interactive installer;
+    # the disk is already provisioned.
+    # ./disk-config.nix
     ../../configs/mcpkg.nix
+    ../../configs/mcp.nix
   ];
 
+  config = {
+    # FIDO2 LUKS unlock (matches vade setup)
+    boot.initrd.luks.devices."crypted".crypttabExtraOpts = [
+      "fido2-device=auto"
+      "token-timeout=10"
+    ];
+
+    # Allow rootless containers (Podman) to bind port 53 for CoreDNS (MCNS precursor).
+    boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;
+
+    # Open ports: DNS (53), mc-proxy (443, 8443, 9443), exod (8080, 9090).
+    networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ];
+    networking.firewall.allowedUDPPorts = [ 53 ];
+
+    # Route internal Metacircular zones to rift's own CoreDNS.
+    networking.nameservers = [ "192.168.88.181" ];
+    services.resolved.domains = [ "~mcp.metacircular.net" ];
+  };
+
   # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
   # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
   # while DHCP/Tailscale DNS handles everything else.

hw/straylight/default.nix

@@ -0,0 +1,20 @@
+{ inputs, pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../configs/desktop.nix
+    ../../configs/qemu.nix
+    ../../configs/mcpkg.nix
+  ];
+
+  # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
+  # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
+  # while DHCP/Tailscale DNS handles everything else.
+  networking.nameservers = [
+    "192.168.88.181"
+    "100.95.252.120"
+  ];
+  services.resolved.domains = [
+    "~mcp.metacircular.net"
+  ];
+}