BIOS boot with GRUB on /dev/xvda, MCP agent via systemd,
mc-proxy and MCNS as containers via MCP agent.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The LUKS device is named "luks-5c5e94fc-..." in hardware-configuration.nix
which already has the FIDO2 options. The "crypted" reference caused a build
error. Also fix duplicate attribute definitions and unnecessary config wrapper.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Use nixpkgs.hostPlatform module instead of deprecated system arg to lib.nixosSystem
- Rename services.logind.powerKey to services.logind.settings.Login.HandlePowerKey
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All nodes now list 1.1.1.1 and 8.8.8.8 as fallback nameservers after
MCNS. When MCNS is down, internal names (.svc.mcp.metacircular.net)
fail but external DNS (google.com, github.com, etc.) keeps working.
Lesson from 2026-04-03 incident: without fallbacks, MCNS failure
caused total DNS blackout including external services, forcing
Tailscale to be disabled to restore any DNS resolution.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The FIDO2 crypttab options are already on the correct UUID-named device
in hardware-configuration.nix; the "crypted" name only applies to
disko-provisioned hosts (rift).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The module used explicit `config = { ... }` but also had duplicate
networking.nameservers and services.resolved.domains at the top level,
causing a NixOS module evaluation error. Merged the Tailscale nameserver
into the config block and removed the duplicates.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace fragile environment.etc.crypttab.text with
boot.initrd.luks.devices for the second SSD, matching
the pattern used for the root drive.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The previous commit removed the systemd service that stripped Tailscale's
~. DNS catch-all, breaking all DNS resolution — even when Tailscale is
disconnected. Restore it as fix-tailscale-dns, which restricts tailscale0
to only route ~scylla-hammerhead.ts.net queries.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Install mciasctl, mciasgrpcctl, mcrctl, and mcproxyctl via new
configs/mcpkg.nix module. Adds flake inputs for mcias, mcr, and
mc-proxy from git.wntrmute.dev.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove implicit reliance on temp iptables rules. All externally
accessible ports are now declared in NixOS config.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Link-level DNS from DHCP and Tailscale takes priority over global
nameservers in systemd-resolved. Use domain routing (~mcp.metacircular.net)
so resolved sends only internal zone queries to rift's CoreDNS.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
rift: sysctl to allow rootless containers to bind port 53, open
firewall for DNS queries from LAN clients.
vade: point nameservers at rift (LAN + Tailscale) for internal
service resolution via CoreDNS (MCNS precursor). Falls back to
1.1.1.1/8.8.8.8 via systemd-resolved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
