@@ -1,15 +1,14 @@
<!--
Sync Impact Report
- Version change: template -> 1.0.0
- Version change: 1.0.0 -> 1.1.0
- Modified principles:
- Template Principle 1 -> I. Constitution Authority
- Template Principle 2 -> II. Module and Host Boundaries
- Template Principle 3 -> III. Host-Local Firewall Ownership
- III. Host-Local Firewall Ownership -> III. Host-Local Network Ownership
- Template Principle 4 -> IV. Nix Structure and Ordering
- Template Principle 5 -> V. Secure Host and Secrets Discipline
- Added sections:
- Repository Constraints
- Delivery Workflow
- None
- Removed sections:
- None
- Templates requiring updates:
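Review bot: the report records only the Principle III rename under Modified principles, yet this same patch also rewrites the Repository Constraints and Delivery Workflow bullets (every `hosts/<name>/firewall.nix` reference becomes `hosts/<name>/network.nix`) and implies that existing `firewall.nix` files must move; neither is noted. Suggest adding a line for the modified sections and a follow-up entry such as `- Follow-ups: migrate existing hosts/<name>/firewall.nix to hosts/<name>/network.nix` so a reader of the report knows which host files and planning artifacts fall out of compliance with 1.1.0.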
@@ -41,13 +40,14 @@ factory helpers belong under `modules/factories/`; repo-wide shared options
belong under `modules/modules.nix` or the relevant shared module. New behavior
MUST NOT be placed in an unrelated host or module file for convenience.
### III. Host-Local Firewall Ownership
Any host that contains firewall rules MUST keep firewall-related logic in
`hosts/<name>/firewall.nix`. Host `configuration.nix` files MAY import that
file, but MUST NOT become the long-term home for firewall rule definitions,
NAT rules, nftables tables, forward-port rules, or other firewall-specific
logic. Firewall changes in specs, plans, and task lists MUST reference the
host-local `firewall.nix` path explicitly.
### III. Host-Local Network Ownership
Any host that owns host-local networking behavior MUST keep that logic in
`hosts/<name>/network.nix`. Host `configuration.nix` files MAY import that
file, but MUST NOT become the long-term home for host-specific firewall rules,
NAT rules, nftables tables, forward-port rules, WireGuard interface
configuration, policy-routing services, or other host-local networking logic.
Networking changes in specs, plans, and task lists MUST reference the
host-local `network.nix` path explicitly.
### IV. Nix Structure and Ordering
Nix code MUST preserve grouped parents when they have multiple children and
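Review bot: the new trigger "Any host that owns host-local networking behavior" is much broader than the old "Any host that contains firewall rules" and, read literally, matches every host (each one at least sets a hostname and interface addressing), so it would force a `network.nix` onto hosts that have nothing beyond baseline networking. Suggest scoping the trigger to the enumerated items, e.g. "Any host that defines host-specific firewall rules, NAT rules, nftables tables, forward-port rules, WireGuard interfaces, or policy-routing services MUST keep that logic in `hosts/<name>/network.nix`", and keeping "other host-local networking logic" as the catch-all in the second sentence only. The hunk also drops `hosts/<name>/firewall.nix` as a permitted location without a transition rule; one sentence stating that existing `firewall.nix` files are renamed into `network.nix` would prevent two competing homes for the same rules during migration.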
@@ -67,24 +67,25 @@ gating, and host-local boundaries.
## Repository Constraints
- Host definitions live in `hosts/<name>/configuration.nix` with optional
imports such as `hosts/<name>/firewall.nix` and `hosts/<name>/toggles.nix`.
imports such as `hosts/<name>/network.nix` and `hosts/<name>/toggles.nix`.
- Module categories remain `apps`, `dev`, `scripts`, `servers`, `services`,
`shell`, `websites`, `network`, `users`, and `nix`, with feature directories
preferred over new flat modules.
- Service ports intrinsic to a server module SHOULD live with that module;
miscellaneous shared ports SHOULD live in `my.ports`.
- Firewall rules, NAT, nftables tables, and forward-port declarations for a
host MUST be reviewed as one unit inside that host's `firewall.nix`.
- Host-local firewall rules, NAT, nftables tables, WireGuard interfaces, and
policy-routing services MUST be reviewed as one unit inside that host's
`network.nix`.
## Delivery Workflow
- Every plan MUST include a constitution check that validates module ownership,
host ownership, secure-host impact, and whether firewall work belongs in
`hosts/<name>/firewall.nix`.
host ownership, secure-host impact, and whether networking work belongs in
`hosts/<name>/network.nix`.
- Every spec that changes networking or exposure MUST state which host owns the
change and which firewall file is affected.
- Every task list that includes firewall work MUST name the concrete
`hosts/<name>/firewall.nix` path.
change and which host-local network file is affected.
- Every task list that includes networking work MUST name the concrete
`hosts/<name>/network.nix` path.
- Runtime guidance docs that describe repository structure MUST be updated when
host boundary rules change.
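Review bot: the new final bullet makes updating runtime guidance docs mandatory whenever host boundary rules change, and this hunk is itself such a change (the constraints and workflow bullets move from `firewall.nix` to `network.nix`), so the corresponding doc updates should land in the same change or be listed under the report's "Templates requiring updates" rather than left implicit. On the expanded review-as-one-unit bullet: now that WireGuard interfaces are reviewed inside `network.nix`, consider stating that WireGuard private keys MUST be supplied through the secrets mechanism governed by Principle V rather than inlined in that file, since `network.nix` becomes the single place reviewers inspect for a host's exposure.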
@@ -98,4 +99,4 @@ principles or materially expanded rules, PATCH for clarifications that do not
change required behavior. Compliance review is mandatory for every plan, spec,
and tasks artifact that claims alignment with this constitution.
**Version**: 1.0.0 | **Ratified**: 2026-04-01 | **Last Amended**: 2026-04-01
**Version**: 1.1.0 | **Ratified**: 2026-04-01 | **Last Amended**: 2026-04-02