Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Container-first infrastructure (flakes-qbvb)
StatusTodo
TypeEpic
Prioritynormal
SubtasksMigrate container IPs to new scheme (flakes-cjao)
Drop nixos-unified, use raw flake-parts (flakes-dght)
Declarative incus fleet management (flakes-ihxf)
Fix CA cert injection to be declarative (flakes-krtw)
Containerize OneCLI (flakes-t9u2)
Setup SearXNG search for agents (flakes-woco)
Container-to-host network isolation (flakes-x821)

Migrate services to containers, isolate host, restructure Nix config.

IP Scheme

10.100.0.1       host (bridge)
10.100.0.2+      infra containers
  .002           onecli
  .003           searxng
10.100.0.100+    agent containers
  .100           yolo
  .101           spacebot
  .102           hermes
10.100.0.200+    scratch
  .200           ubuntu

Architecture

  • Host becomes thin bridge: Caddy ingress, dnsmasq, SOPS secrets, onecli-seeder
  • OneCLI moves to its own container
  • SearXNG in its own container
  • Container→host traffic blocked (except DHCP/DNS) via nftables
  • Container↔container unrestricted on bridge
  • Secret flow: Host SOPS → seeder calls OneCLI API at .002 → pushes proxy-auth/CA to agent containers
  • CA cert injection made declarative via security.pki.certificateFiles
  • Drop nixos-unified for raw flake-parts (separate host/container config namespaces)