
build(source-os): add mesh NixOS realization module #20

Merged
mdheller merged 6 commits into main from mesh-nixos-module-followup
Apr 17, 2026

Conversation

@mdheller
Member

Summary

Implement the first code-bearing follow-up after the merged mesh Linux estate kit.

This PR adds:

  • modules/nixos/mesh/default.nix as a real NixOS realization module for the merged mesh templates
  • profile wiring for linux-dev, linux-candidate, and linux-stable
  • tests/mesh-module-contract.nix as a flake-level contract check
  • a small flake update so the mesh module surface is part of the repo's checks and dev-shell guidance

What this does

The new module does not pretend the runtime daemons are fully packaged yet.
Instead it makes the merged Linux-facing templates Nix-realizable by:

  • generating a mesh manifest and scaffold under /etc/sourceos/mesh/
  • rendering networkd / NetworkManager templates with the configured interface, fwmarks, and route tables
  • optionally projecting those templates into active /etc manager locations when sourceos.mesh.activateTemplates = true
  • wiring explicit mesh roles into the existing dev / candidate / stable profiles

Why this shape

This is the honest next step after PR #13.
It moves the repo from static templates toward executable Linux realization without overclaiming packaged runtime readiness.

Follow-up still needed

Tracked in #15:

  • NixOS host-role wiring beyond profile defaults
  • package ownership for meshd, meshd-linkd, and meshd-exitd
  • SELinux / AppArmor confinement
  • support-matrix freeze
  • CI that evaluates or builds the NixOS module path directly
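As an added illustration of the module shape the description lists (staging under /etc/sourceos/mesh/, rendered networkd template driven by interface, fwmark and route table, projection into the live manager location gated by sourceos.mesh.activateTemplates, explicit role), here is a minimal NixOS module written for this note. It is not the PR's modules/nixos/mesh/default.nix and does not reproduce it; of the option names only `sourceos.mesh.activateTemplates` appears on the page, while `enable`, `role`, `interface`, `fwmark` and `routeTable` are assumed names chosen for the example.

```nix
# Added example, not the PR's module. Only `sourceos.mesh.activateTemplates`
# is named on the page; the other option names below are assumptions.
{ config, lib, ... }:

let
  cfg = config.sourceos.mesh;

  # Rendered systemd-networkd unit for the mesh interface. The policy rule
  # keys on the configured fwmark and steers matching traffic into the
  # configured route table.
  networkdTemplate = ''
    [Match]
    Name=${cfg.interface}

    [Network]
    Description=sourceos mesh (${cfg.role})

    [RoutingPolicyRule]
    FirewallMark=${toString cfg.fwmark}
    Table=${toString cfg.routeTable}
  '';

  # Machine-readable manifest describing what was realized on this host.
  manifest = builtins.toJSON {
    role = cfg.role;
    interface = cfg.interface;
    fwmark = cfg.fwmark;
    routeTable = cfg.routeTable;
    activated = cfg.activateTemplates;
  };
in
{
  options.sourceos.mesh = {
    enable = lib.mkEnableOption "sourceos mesh realization";

    role = lib.mkOption {
      type = lib.types.enum [ "dev" "candidate" "stable" ];
      default = "dev";
      description = "Explicit mesh role for this host (assumed option).";
    };

    interface = lib.mkOption {
      type = lib.types.str;
      default = "mesh0";
      description = "Mesh interface name (assumed option).";
    };

    fwmark = lib.mkOption {
      type = lib.types.ints.u32;
      default = 51820;
      description = "Firewall mark for mesh policy routing (assumed option).";
    };

    routeTable = lib.mkOption {
      type = lib.types.ints.u32;
      default = 100;
      description = "Route table id for mesh traffic (assumed option).";
    };

    activateTemplates = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        When false, rendered templates are only staged under /etc/sourceos/mesh/.
        When true, they are also projected into the active networkd location.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Always stage the manifest and the rendered template so operators can
    # inspect exactly what would be activated before opting in.
    environment.etc."sourceos/mesh/manifest.json".text = manifest;
    environment.etc."sourceos/mesh/templates/10-mesh.network".text = networkdTemplate;

    # Project into the live manager directory only on explicit opt-in.
    environment.etc."systemd/network/10-mesh.network" =
      lib.mkIf cfg.activateTemplates { text = networkdTemplate; };

    # Refuse a configuration that activates templates with no networkd to
    # consume them; the rendered file would otherwise sit unused.
    assertions = [{
      assertion = cfg.activateTemplates -> config.systemd.network.enable;
      message = "sourceos.mesh.activateTemplates requires systemd.network.enable = true.";
    }];
  };
}
```

Keeping `activateTemplates` defaulted to false makes the staged copy under /etc/sourceos/mesh/ the only artifact a plain profile produces, so enabling the module on a host is not the same act as changing its routing; the assertion turns a silent misconfiguration (templates projected with networkd disabled) into an evaluation-time failure.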

Member Author

Follow-up to #15.

This PR implements the first code-bearing realization step after the merged mesh estate kit:

  • adds modules/nixos/mesh/default.nix
  • wires mesh roles into the dev/candidate/stable profiles
  • adds a flake contract check for the mesh module surface

Still intentionally deferred:

  • packaged runtime daemons
  • SELinux/AppArmor confinement
  • support-matrix freeze
  • deeper CI that evaluates the module path directly

@mdheller mdheller merged commit 1af6b1b into main Apr 17, 2026
