The FIDO2 crypttab options are already on the correct UUID-named device
in hardware-configuration.nix; the "crypted" name only applies to
disko-provisioned hosts (rift).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The module used explicit `config = { ... }` but also had duplicate
networking.nameservers and services.resolved.domains at the top level,
causing a NixOS module evaluation error. Merged the Tailscale nameserver
into the config block and removed the duplicates.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace fragile environment.etc.crypttab.text with
boot.initrd.luks.devices for the second SSD, matching
the pattern used for the root drive.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The previous commit removed the systemd service that stripped Tailscale's
~. DNS catch-all, breaking all DNS resolution — even when Tailscale is
disconnected. Restore it as fix-tailscale-dns, which restricts tailscale0
to only route ~scylla-hammerhead.ts.net queries.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Install mciasctl, mciasgrpcctl, mcrctl, and mcproxyctl via new
configs/mcpkg.nix module. Adds flake inputs for mcias, mcr, and
mc-proxy from git.wntrmute.dev.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove implicit reliance on temp iptables rules. All externally
accessible ports are now declared in NixOS config.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Link-level DNS from DHCP and Tailscale takes priority over global
nameservers in systemd-resolved. Use domain routing (~mcp.metacircular.net)
so resolved sends only internal zone queries to rift's CoreDNS.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
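Added example, not code from these commits: a small audit that parses the text `resolvectl status` prints and reports any link still carrying the `~.` catch-all routing domain that the fix-tailscale-dns commit strips, so the domain-routing setup above can be verified on a host. The sample output is constructed; it assumes the `Link N (name)` headers and `DNS Domain:` rows resolvectl prints, and the link and domain names come from the commits.

```python
import re

# Constructed sample of `resolvectl status` output: the tailscale0 link still
# carries the "~." catch-all that the fix-tailscale-dns service strips.
SAMPLE_STATUS = """\
Global
     DNS Servers: 1.1.1.1 8.8.8.8
      DNS Domain: ~mcp.metacircular.net

Link 2 (eth0)
       DNS Servers: 192.168.1.1
        DNS Domain: lan

Link 3 (tailscale0)
       DNS Servers: 100.100.100.100
        DNS Domain: scylla-hammerhead.ts.net ~.
"""
LINK_RE = re.compile(r"^Link \d+ \((?P<name>[^)]+)\)")

def parse_link_domains(status_text):
    """Map section name ("global" or a link name) to its DNS Domain list.

    Domains prefixed with "~" are routing-only; "~." is the catch-all that
    makes resolved send every otherwise-unmatched query to that link.
    Wrapped continuation lines (indented, no colon) are folded in.
    """
    domains, current, in_domains = {}, None, False
    for line in status_text.splitlines():
        m = LINK_RE.match(line)
        if line.startswith("Global") or m:
            current = m.group("name") if m else "global"
            domains[current], in_domains = [], False
            continue
        key, sep, value = line.partition(":")
        if sep:  # a new "Key: value" row; only DNS Domain rows interest us
            in_domains = key.strip() == "DNS Domain"
            if in_domains and current is not None:
                domains[current].extend(value.split())
        elif in_domains and current is not None:
            domains[current].extend(line.split())  # continuation of the row
    return domains

def catch_all_links(status_text, allowed=()):
    """Sorted names of links routing "~." that are not explicitly allowed."""
    return sorted(name for name, doms in parse_link_domains(status_text).items()
                  if name != "global" and "~." in doms and name not in allowed)

if __name__ == "__main__":
    for name in catch_all_links(SAMPLE_STATUS):
        print(f"{name}: routes the ~. DNS catch-all")
```

On a live host, feed `catch_all_links` the stdout of `resolvectl status` instead of the constructed sample.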
rift: sysctl to allow rootless containers to bind port 53, open
firewall for DNS queries from LAN clients.
vade: point nameservers at rift (LAN + Tailscale) for internal
service resolution via CoreDNS (MCNS precursor). Falls back to
1.1.1.1/8.8.8.8 via systemd-resolved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>