Host-only 10.99.0.0/24 bridge with no uplink/NAT; firewall drops VM
traffic leaving the bridge so unikernel VMs can reach only the gateway
(mc-proxy). Implements Phase 2 mandatory-mediation networking.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Override the shared mcp.nix sandbox (PrivateDevices) on straylight so the
MCP agent can boot Nanos unikernel VMs under QEMU/KVM and manage TAP
devices for isolated networking.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add configs/mcp.nix (mcp user UID 850 + mcp-agent service) and open
firewall ports for DNS/mc-proxy/agent/master as straylight takes over
the master + MCIAS + MCNS core role from rift.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
BIOS boot with GRUB on /dev/xvda, MCP agent via systemd,
mc-proxy and MCNS as containers via MCP agent.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The LUKS device is named "luks-5c5e94fc-..." in hardware-configuration.nix
which already has the FIDO2 options. The "crypted" reference caused a build
error. Also fix duplicate attribute definitions and unnecessary config wrapper.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New root CA cert issued during Metacrypt vault rebuild. Same key
usage (Certificate Sign, CRL Sign), new validity period (2026-2046).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Same key, added CRL Sign to key usage extensions. Distributed to
all nodes and NixOS system trust store.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Use nixpkgs.hostPlatform module instead of deprecated system arg to lib.nixosSystem
- Rename services.logind.powerKey to services.logind.settings.Login.HandlePowerKey
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rootless podman deeply caches the UID in storage, subuid mappings,
and systemd sessions. Changing it destroys all container state.
Reference: log/2026-04-03-uid-incident.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All nodes now list 1.1.1.1 and 8.8.8.8 as fallback nameservers after
MCNS. When MCNS is down, internal names (.svc.mcp.metacircular.net)
fail but external DNS (google.com, github.com, etc.) keeps working.
Lesson from 2026-04-03 incident: without fallbacks, MCNS failure
caused total DNS blackout including external services, forcing
Tailscale to be disabled to restore any DNS resolution.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
UID 995 conflicted with sshd on orion. Pin to 850 (the 800-899 range
is unused on all nodes and well below NixOS auto-assign range).
Pin GID to 850 as well for consistency.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
UID 995 conflicted with sshd on orion. Let NixOS auto-assign the UID
for the mcp system user. Use systemd's %U specifier for XDG_RUNTIME_DIR
instead of the hardcoded UID.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The FIDO2 crypttab options are already on the correct UUID-named device
in hardware-configuration.nix; the "crypted" name only applies to
disko-provisioned hosts (rift).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The module used explicit `config = { ... }` but also had duplicate
networking.nameservers and services.resolved.domains at the top level,
causing a NixOS module evaluation error. Merged the Tailscale nameserver
into the config block and removed the duplicates.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The master runs as an MCP-managed container, deployed via
mcp deploy mcp-master --direct. The systemd unit was a temporary
bootstrap mechanism.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Runs the MCP v2 master as a systemd service on rift. Uses
ConditionPathExists so the unit is a no-op on worker nodes
(like orion) that import mcp.nix but don't have the binary.
Starts after mcp-agent.service. Security hardened like the agent
but with ProtectHome=true (master doesn't need /run/user).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace fragile environment.etc.crypttab.text with
boot.initrd.luks.devices for the second SSD, matching
the pattern used for the root drive.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
