Override the shared mcp.nix sandbox (PrivateDevices) on straylight so the
MCP agent can boot Nanos unikernel VMs under QEMU/KVM and manage TAP
devices for isolated networking.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add configs/mcp.nix (mcp user UID 850 + mcp-agent service) and open
firewall ports for DNS/mc-proxy/agent/master as straylight takes over
the master + MCIAS + MCNS core role from rift.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
All nodes now list 1.1.1.1 and 8.8.8.8 as fallback nameservers after
MCNS. When MCNS is down, internal names (.svc.mcp.metacircular.net)
fail but external DNS (google.com, github.com, etc.) keeps working.
Lesson from 2026-04-03 incident: without fallbacks, MCNS failure
caused total DNS blackout including external services, forcing
Tailscale to be disabled to restore any DNS resolution.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace fragile environment.etc.crypttab.text with
boot.initrd.luks.devices for the second SSD, matching
the pattern used for the root drive.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
