The module used explicit `config = { ... }` but also had duplicate
networking.nameservers and services.resolved.domains at the top level,
causing a NixOS module evaluation error. Merged the Tailscale nameserver
into the config block and removed the duplicates.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
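The module-shape rule behind this commit, as an added example (not the repository's own module): a NixOS module is either a plain attribute set of option definitions, or an attribute set with explicit `options` / `config` / `imports` keys; the module system rejects a file that does both. The option name `my.tailscaleDns.enable`, the `~.` search domain, and the public fallback resolver are placeholders; `100.100.100.100` is Tailscale's MagicDNS resolver address.

```nix
# Added example, not the page's own nix file. Option name and values are placeholders.
{ config, lib, ... }:

# Pre-fix shape (reconstructed): top-level definitions next to an explicit
# `config` attribute. The module system refuses it with an "unsupported
# attribute" error naming the stray top-level keys (here `networking` and
# `services`), because once `config` is explicit, everything must live in it.
#
#   {
#     networking.nameservers   = [ "100.100.100.100" ];   # top level ...
#     services.resolved.domains = [ "~." ];
#     config = {
#       networking.nameservers = [ "1.1.1.1" ];           # ... and in config
#       services.resolved.enable = true;
#     };
#   }
#
# Fixed shape: the only top-level keys are `options` and `config`; the
# Tailscale resolver is merged into the single nameserver definition.
{
  options.my.tailscaleDns.enable =
    lib.mkEnableOption "put Tailscale MagicDNS first in the resolver list";

  config = {
    services.resolved.enable = true;
    # Placeholder: route every lookup through resolved's configured servers.
    services.resolved.domains = [ "~." ];

    # lib.optional yields [ x ] or [ ] so the list stays a list either way;
    # the page's own nameserver values are not known, "1.1.1.1" is a stand-in.
    networking.nameservers =
      (lib.optional config.my.tailscaleDns.enable "100.100.100.100")
      ++ [ "1.1.1.1" ];
  };
}
```

`nixos-rebuild dry-build --flake .#<host>` evaluates the module set without building or switching, so the error surfaces before anything touches the running system.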
The master runs as an MCP-managed container, deployed via
mcp deploy mcp-master --direct. The systemd unit was a temporary
bootstrap mechanism.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Runs the MCP v2 master as a systemd service on rift. Uses
ConditionPathExists so the unit is a no-op on worker nodes
(like orion) that import mcp.nix but don't have the binary.
Starts after mcp-agent.service. Security hardened like the agent
but with ProtectHome=true (master doesn't need /run/user).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace fragile environment.etc.crypttab.text with
boot.initrd.luks.devices for the second SSD, matching
the pattern used for the root drive.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
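The two declarations side by side, as an added example that is not the page's own configuration: the `cryptroot` entry stands in for the existing root-drive pattern the commit refers to, and `cryptdata` is the second SSD expressed the same way. Both UUIDs and the `/srv` mount point are placeholders.

```nix
# Added example, not the repository's hardware module. UUIDs and mount point are placeholders.
{ ... }:
{
  # Before (reconstructed from the commit text): a hand-written /etc/crypttab,
  # which the initrd never sees and which has to be kept in step with the
  # fileSystems entry by hand.
  #
  #   environment.etc.crypttab.text = ''
  #     cryptdata UUID=2222bbbb-0000-4000-8000-000000000002 none luks,discard
  #   '';

  # Root drive, unlocked in the initrd (the pattern the second disk now follows).
  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/1111aaaa-0000-4000-8000-000000000001";
    allowDiscards = true;   # TRIM through dm-crypt; a deliberate trade-off
  };

  # Second SSD: same mechanism, so the initrd unlocks it alongside root
  # and the mapper device exists before fileSystems are mounted.
  boot.initrd.luks.devices."cryptdata" = {
    device = "/dev/disk/by-uuid/2222bbbb-0000-4000-8000-000000000002";
    allowDiscards = true;
    # Without a keyFile this prompts for a second passphrase at boot.
  };

  fileSystems."/srv" = {
    device = "/dev/mapper/cryptdata";
    fsType = "ext4";
  };
}
```

The UUID to use is the one reported by `blkid` for the raw partition (the LUKS container), not the one for the filesystem inside `/dev/mapper/cryptdata`.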
The agent binary is now managed by the operator (scp + install to
/srv/mcp/mcp-agent), not by the Nix flake. This allows agent upgrades
without a full NixOS rebuild.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
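One `mcp.nix` shape that matches both the systemd-unit commit (ConditionPathExists, ordering after `mcp-agent.service`, master with `ProtectHome=true`) and the operator-managed-binary commit (ExecStart pointing at `/srv/mcp/...` rather than a store path). This is an added example, not the repository's module: the `/srv/mcp/mcp-master` path, the `StateDirectory` names and the exact hardening set are assumptions, and the agent's `ProtectHome = "read-only"` is an inference from the remark that only the master can do without `/run/user`.

```nix
# Added example, not the repository's mcp.nix. Paths and hardening set are assumptions.
{ lib, ... }:
let
  # Operator-managed binaries outside the Nix store (scp + install), so an
  # upgrade does not need a rebuild. Master path is assumed by analogy.
  agentBin  = "/srv/mcp/mcp-agent";
  masterBin = "/srv/mcp/mcp-master";

  # Hardening shared by both units; all directives are standard systemd ones.
  hardening = {
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectSystem = "strict";          # whole tree read-only except state dirs
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectControlGroups = true;
    RestrictSUIDSGID = true;
    RestrictRealtime = true;
    LockPersonality = true;
    RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
    SystemCallArchitectures = "native";
    Restart = "on-failure";
  };
in
{
  systemd.services.mcp-agent = {
    description = "MCP v2 agent";
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    # Skip cleanly on hosts that import this module but have no binary.
    unitConfig.ConditionPathExists = agentBin;
    serviceConfig = hardening // {
      ExecStart = agentBin;
      StateDirectory = "mcp-agent";     # /var/lib/mcp-agent stays writable
      # Agent still needs /run/user (inference from the commit), so only
      # /home and /root are hidden rather than the full ProtectHome=true.
      ProtectHome = "read-only";
    };
  };

  systemd.services.mcp-master = {
    description = "MCP v2 master";
    wantedBy = [ "multi-user.target" ];
    after = [ "mcp-agent.service" ];
    # No-op on worker nodes (orion) that lack the master binary.
    unitConfig.ConditionPathExists = masterBin;
    serviceConfig = hardening // {
      ExecStart = masterBin;
      StateDirectory = "mcp-master";
      ProtectHome = true;               # master does not touch /run/user
    };
  };
}
```

On a worker, `systemctl status mcp-master.service` reports the condition check as failed and the unit as skipped rather than failed, which is the intended no-op. `systemd-analyze security mcp-master.service` scores the resulting sandbox and lists each directive still left open; because the binaries live under `/srv`, `ProtectSystem=strict` makes them read-only to the service itself, which is what you want for an operator-installed executable.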
Podman/skopeo don't use the system CA bundle for registry TLS — they
use /etc/containers/certs.d/<host:port>/ca.crt. Add the WNTRMUTE CA
there so podman push/pull to MCR works without --tls-verify=false.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
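The NixOS form of that fix, as an added example rather than the repository's configuration: `environment.etc` drops the CA into the per-registry directory that Podman and skopeo (via containers/image) consult, keyed by `host:port` exactly as the registry is named on the command line. The registry hostname and port and the certificate path are placeholders; adding the CA to `security.pki.certificateFiles` is optional and only covers tools that use the system bundle.

```nix
# Added example, not the repository's nix file. Registry host:port and CA path are placeholders.
{ ... }:
let
  # Must match the registry reference used in `podman push <mcrHost>/image:tag`,
  # including the port when one is given.
  mcrHost    = "mcr.wntrmute.internal:5000";
  wntrmuteCa = ./certs/wntrmute-ca.pem;   # PEM-encoded CA certificate
in
{
  virtualisation.podman.enable = true;

  # containers/image reads /etc/containers/certs.d/<host:port>/ and treats
  # files ending in .crt as CA certificates (.cert/.key would be a client
  # certificate pair). The system bundle is not consulted for registry TLS.
  environment.etc."containers/certs.d/${mcrHost}/ca.crt".source = wntrmuteCa;

  # Optional: the same CA for curl, git and anything else using the system
  # bundle. Not required by podman or skopeo.
  security.pki.certificateFiles = [ wntrmuteCa ];
}
```

A quick check after `nixos-rebuild switch` is `skopeo inspect docker://mcr.wntrmute.internal:5000/some/image:tag` with no `--tls-verify=false`: a chain error there means the directory name and the registry reference do not match, or the file is not PEM.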