kyle/imladris
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
284 Commits 1 Branch 0 Tags
c394eec89f2ccc43c25b2177d2132c73233c9924
Commit Graph

284 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Kyle Isom
c394eec89f adding mc tooling 2026-03-26 22:59:09 -07:00
Kyle Isom
c0e0cefad3 Fix MCP flake URL: use git+https to match other inputs 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-26 22:53:06 -07:00
Kyle Isom
60ee30045b Update README. 2026-03-26 22:51:49 -07:00
Kyle Isom
baf09e8b1f Add MCP to Nix packages and wire agent to Nix-managed binary 
- Add mcp flake input (git+ssh://git@git.wntrmute.dev/mc/mcp.git)
- Add mcp CLI to mcpkg.nix system packages (installed on all machines)
- Update mcp.nix to use Nix-managed mcp-agent binary path instead of
  hardcoded /usr/local/bin/mcp-agent

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-26 22:48:40 -07:00
Kyle Isom
67ced96f4d update lector 2026-03-26 21:59:37 -07:00
Kyle Isom
a1c59deb0b Disable Tailscale DNS management on vade to fix DNS timeout 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-26 21:54:00 -07:00
Kyle Isom
c0d16c97e0 revert dns bugs 2026-03-26 21:38:05 -07:00
Kyle Isom
8c9d8f4ff5 Fix DNS: restore Tailscale catch-all removal service 
The previous commit removed the systemd service that stripped Tailscale's
~. DNS catch-all, breaking all DNS resolution — even when Tailscale is
disconnected. Restore it as fix-tailscale-dns, which restricts tailscale0
to only route ~scylla-hammerhead.ts.net queries.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-26 21:32:15 -07:00
Kyle Isom
0e54bd5fe7 Use /etc/hosts for internal Metacircular names (Tailscale DNS workaround) 2026-03-26 15:41:30 -07:00
Kyle Isom
ad3b6b949b Fix: add pkgs to vade module arguments 2026-03-26 15:37:53 -07:00
Kyle Isom
c8b271d6b9 Fix DNS routing: override Tailscale catch-all for mcp.metacircular.net 2026-03-26 15:35:47 -07:00
Kyle Isom
e7d244c606 Disable ProtectHome for mcp-agent (blocks /run/user for podman) 2026-03-26 14:40:54 -07:00
Kyle Isom
7f0a978e86 Relax mcp-agent sandbox for rootless podman compatibility 2026-03-26 14:34:50 -07:00
Kyle Isom
bac757c22e Allow mcp-agent access to /run/user for rootless podman 2026-03-26 14:31:33 -07:00
Kyle Isom
57cab0c88a Pin mcp UID, fix XDG_RUNTIME_DIR for podman access 2026-03-26 14:08:57 -07:00
Kyle Isom
71e6907a3c Add PATH to mcp-agent service for podman access 2026-03-26 14:04:52 -07:00
Kyle Isom
f0f15fccb0 Add mcp-agent systemd service to NixOS config 2026-03-26 13:30:06 -07:00
Kyle Isom
417870a85b Add mcp.nix: MCP agent system user with rootless podman 2026-03-26 13:02:25 -07:00
Kyle Isom
276cfc48a9 Add mcp system user for MCP agent 2026-03-26 13:01:33 -07:00
Kyle Isom
1914ee39fd Add plugdev group for FIDO2 device access. 
The u2f udev rules set GROUP=plugdev on hidraw devices, but the
group didn't exist. Create it and add kyle to it so FIDO2 keys
are accessible without relying on logind uaccess ACLs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-26 12:54:42 -07:00
Kyle Isom
184c237335 Use libfido2 udev rules for universal FIDO2 device access. 
Replace vendor-specific hidraw rule (3434) with libfido2 udev
package which covers all FIDO2 devices. Fixes FIDO2 key visibility
on orion.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-26 12:36:41 -07:00
Kyle Isom
28100fc74d switch to sgard-fido2 2026-03-26 12:19:46 -07:00
Kyle Isom
1e1618e5bd update sgard 2026-03-26 12:00:44 -07:00
Kyle Isom
44afdeedd0 update sgard 2026-03-26 11:28:15 -07:00
Kyle Isom
a977a1dd1d update sgard 2026-03-26 11:15:49 -07:00
Kyle Isom
f9057084ff update sgard 2026-03-26 10:16:11 -07:00
Kyle Isom
170c4ab67d orion: route mcp.metacircular.net zone to rift via resolved 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-26 09:04:37 -07:00
Kyle Isom
0d1fe5536f Enable fido2 luks on orion/rift. 2026-03-26 08:56:02 -07:00
Kyle Isom
7be8a4c5e6 orion/rift -> systemd initrd 
Allows for FIDO2 LUKS unlock.
 2026-03-26 08:48:53 -07:00
Kyle Isom
45293e60ed update mcdeploy 2026-03-26 00:58:46 -07:00
Kyle Isom
fa0c7b1510 Add mcdeploy to flake inputs and system packages 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-26 00:33:36 -07:00
Kyle Isom
4b0067641d iw 2026-03-25 23:27:04 -07:00
Kyle Isom
56621710dd update rift dns resolver 2026-03-25 22:51:34 -07:00
Kyle Isom
4163d2525a flake updates 2026-03-25 22:04:53 -07:00
Kyle Isom
693875b10e compute 2026-03-25 21:59:30 -07:00
Kyle Isom
79c6fea4ae update sgard 2026-03-25 21:55:20 -07:00
Kyle Isom
112036889e nix flake update 2026-03-25 21:38:06 -07:00
Kyle Isom
796cde1d2f don't gc if rebuild fails 2026-03-25 21:36:34 -07:00
Kyle Isom
a53eb42316 protobuffing 2026-03-25 21:32:21 -07:00
Kyle Isom
146393e881 update sgard 2026-03-25 21:30:30 -07:00
Kyle Isom
f8a53f6f63 protoc 2026-03-25 21:27:15 -07:00
Kyle Isom
71702dfb06 Add metacircular control programs to rift, orion, and vade 
Install mciasctl, mciasgrpcctl, mcrctl, and mcproxyctl via new
configs/mcpkg.nix module. Adds flake inputs for mcias, mcr, and
mc-proxy from git.wntrmute.dev.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-25 21:11:25 -07:00
Kyle Isom
9680c31a7b adding cert flake 2026-03-25 20:22:59 -07:00
Kyle Isom
ea335dbe57 add cert 2026-03-25 20:21:24 -07:00
Kyle Isom
a09dd925ac rift: open firewall for mc-proxy (443, 8443, 9443) and exod (8080, 9090) 
Remove implicit reliance on temp iptables rules. All externally
accessible ports are now declared in NixOS config.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-25 19:51:38 -07:00
Kyle Isom
87be4e34d3 Add WNTRMUTE issuing CA to system trust store 
All NixOS machines now trust the Metacircular platform CA. This
allows curl, browsers, and Go services to verify TLS certificates
issued by Metacrypt without --insecure or custom CA flags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-25 19:30:24 -07:00
Kyle Isom
73be02eaae vade: route mcp.metacircular.net zone to rift via resolved 
Link-level DNS from DHCP and Tailscale takes priority over global
nameservers in systemd-resolved. Use domain routing (~mcp.metacircular.net)
so resolved sends only internal zone queries to rift's CoreDNS.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-25 19:22:35 -07:00
Kyle Isom
0268a0c721 Disable exo flake input (broken flake.nix upstream) 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-25 19:20:59 -07:00
Kyle Isom
eecb3973b1 rift: allow port 53 for CoreDNS, vade: use rift as DNS 
rift: sysctl to allow rootless containers to bind port 53, open
firewall for DNS queries from LAN clients.

vade: point nameservers at rift (LAN + Tailscale) for internal
service resolution via CoreDNS (MCNS precursor). Falls back to
1.1.1.1/8.8.8.8 via systemd-resolved.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-25 19:19:02 -07:00
Kyle Isom
b49b7ca2e3 let's get exo working 2026-03-25 17:07:09 -07:00