From 417870a85b825bbcf9e1af55d969c9351687aa59 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Thu, 26 Mar 2026 13:02:25 -0700
Subject: [PATCH] Add mcp.nix: MCP agent system user with rootless podman

---
 configs/mcp.nix | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 configs/mcp.nix

diff --git a/configs/mcp.nix b/configs/mcp.nix
new file mode 100644
index 0000000..be2ad00
--- /dev/null
+++ b/configs/mcp.nix
@@ -0,0 +1,21 @@
+# MCP (Metacircular Control Plane) agent user and configuration.
+#
+# Creates a dedicated 'mcp' system user with rootless podman support.
+# The agent runs as this user and manages containers for all platform
+# services via /srv/.
+{ pkgs, ... }:
+
+{
+ users.users.mcp = {
+ isSystemUser = true;
+ group = "mcp";
+ home = "/srv/mcp";
+ shell = pkgs.shadow; # nologin equivalent
+ subUidRanges = [{ startUid = 100000; count = 65536; }];
+ subGidRanges = [{ startGid = 100000; count = 65536; }];
+ # Lingering enables user services (podman) to run without an active login session.
+ linger = true;
+ };
+
+ users.groups.mcp = {};
+}
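Review bot: `home = "/srv/mcp"` is declared but nothing in this hunk creates the directory (NixOS `createHome` defaults to false), so unless it is provisioned elsewhere the lingering user manager comes up with no writable `$HOME` and rootless podman, which keeps its storage and config under `$HOME/.local/share/containers` and `$HOME/.config/containers`, will fail; add `createHome = true; homeMode = "0750";` next to the `home` line. The hard-coded subordinate ranges at 100000 also deserve a comment: NixOS's `autoSubUidGidRange` hands out ranges from that same base, so if any other user on this host gets an automatic or equally hard-coded range, the ranges overlap and two users' containers map onto the same host UIDs/GIDs, which defeats the isolation rootless podman is meant to provide — either switch to `autoSubUidGidRange = true;` or add `# 100000-165535 is reserved for mcp; no other user may use autoSubUidGidRange or this range` above `subUidRanges`. `shell = pkgs.shadow` is already the NixOS default and evaluates to nologin via the package's `shellPath`, so the line is redundant but harmless and the existing comment states the intent. I cannot see from this hunk whether `virtualisation.podman.enable` is set in another module; `linger` alone only starts the user's systemd instance.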