declared network.nix
@@ -1,15 +1,14 @@
<!--
Sync Impact Report
- Version change: template -> 1.0.0
- Version change: 1.0.0 -> 1.1.0
- Modified principles:
- Template Principle 1 -> I. Constitution Authority
- Template Principle 2 -> II. Module and Host Boundaries
- Template Principle 3 -> III. Host-Local Firewall Ownership
- III. Host-Local Firewall Ownership -> III. Host-Local Network Ownership
- Template Principle 4 -> IV. Nix Structure and Ordering
- Template Principle 5 -> V. Secure Host and Secrets Discipline
- Added sections:
- Repository Constraints
- Delivery Workflow
- None
- Removed sections:
- None
- Templates requiring updates:
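Review bot: the `Templates requiring updates:` entry that closes this hunk has no items under it, although the same report records the rename of principle III and the Delivery Workflow section of this document requires every plan, spec and task list to name the host-local path explicitly. Any plan, spec or tasks template that still names `hosts/<name>/firewall.nix` must now say `hosts/<name>/network.nix`, so list those templates here (or write `- None` with a one-line reason); otherwise the next constitution check will accept artifacts that cite a file the constitution no longer recognises.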
@@ -41,13 +40,14 @@ factory helpers belong under `modules/factories/`; repo-wide shared options
belong under `modules/modules.nix` or the relevant shared module. New behavior
MUST NOT be placed in an unrelated host or module file for convenience.
### III. Host-Local Firewall Ownership
Any host that contains firewall rules MUST keep firewall-related logic in
`hosts/<name>/firewall.nix`. Host `configuration.nix` files MAY import that
file, but MUST NOT become the long-term home for firewall rule definitions,
NAT rules, nftables tables, forward-port rules, or other firewall-specific
logic. Firewall changes in specs, plans, and task lists MUST reference the
host-local `firewall.nix` path explicitly.
### III. Host-Local Network Ownership
Any host that owns host-local networking behavior MUST keep that logic in
`hosts/<name>/network.nix`. Host `configuration.nix` files MAY import that
file, but MUST NOT become the long-term home for host-specific firewall rules,
NAT rules, nftables tables, forward-port rules, WireGuard interface
configuration, policy-routing services, or other host-local networking logic.
Networking changes in specs, plans, and task lists MUST reference the
host-local `network.nix` path explicitly.
### IV. Nix Structure and Ordering
Nix code MUST preserve grouped parents when they have multiple children and
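Review bot: widening principle III from firewall rules to `WireGuard interface configuration` and `policy-routing services` moves key-bearing interface definitions into the host-local file, but the new text says nothing about how that key material is handled. Add one sentence that ties it to principle V (Secure Host and Secrets Discipline), along the lines of `WireGuard private keys MUST be referenced by path from secrets-managed storage and MUST NOT be written inline in network.nix`; a key string written inline in a NixOS module is copied into the world-readable Nix store and into git history. Separately, the section replaces `firewall.nix` with `network.nix` as the required location but does not say what happens to existing `hosts/<name>/firewall.nix` files; state whether they are renamed or kept as imports of `network.nix` during the transition so reviewers know which path is authoritative.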
@@ -67,24 +67,25 @@ gating, and host-local boundaries.
## Repository Constraints
- Host definitions live in `hosts/<name>/configuration.nix` with optional
imports such as `hosts/<name>/firewall.nix` and `hosts/<name>/toggles.nix`.
imports such as `hosts/<name>/network.nix` and `hosts/<name>/toggles.nix`.
- Module categories remain `apps`, `dev`, `scripts`, `servers`, `services`,
`shell`, `websites`, `network`, `users`, and `nix`, with feature directories
preferred over new flat modules.
- Service ports intrinsic to a server module SHOULD live with that module;
miscellaneous shared ports SHOULD live in `my.ports`.
- Firewall rules, NAT, nftables tables, and forward-port declarations for a
host MUST be reviewed as one unit inside that host's `firewall.nix`.
- Host-local firewall rules, NAT, nftables tables, WireGuard interfaces, and
policy-routing services MUST be reviewed as one unit inside that host's
`network.nix`.
## Delivery Workflow
- Every plan MUST include a constitution check that validates module ownership,
host ownership, secure-host impact, and whether firewall work belongs in
`hosts/<name>/firewall.nix`.
host ownership, secure-host impact, and whether networking work belongs in
`hosts/<name>/network.nix`.
- Every spec that changes networking or exposure MUST state which host owns the
change and which firewall file is affected.
- Every task list that includes firewall work MUST name the concrete
`hosts/<name>/firewall.nix` path.
change and which host-local network file is affected.
- Every task list that includes networking work MUST name the concrete
`hosts/<name>/network.nix` path.
- Runtime guidance docs that describe repository structure MUST be updated when
host boundary rules change.
|
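Review bot: the last bullet of this hunk, `Runtime guidance docs that describe repository structure MUST be updated when host boundary rules change`, is triggered by this very amendment (the host-local file moves from `firewall.nix` to `network.nix`), yet only the constitution appears in this diff; either include the guidance-doc updates in the same change or record in the Sync Impact Report which docs still need them. Also, the Repository Constraints bullet `Service ports intrinsic to a server module SHOULD live with that module` is unchanged while the new `network.nix` bullet bundles forward-port declarations with WireGuard interfaces and policy routing for single-unit review; the Delivery Workflow line `which host owns the change and which host-local network file is affected` should therefore also require the spec to name the module-owned ports that the host-local file exposes or forwards, so that one review actually sees the whole exposure change.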
@@ -98,4 +99,4 @@ principles or materially expanded rules, PATCH for clarifications that do not
change required behavior. Compliance review is mandatory for every plan, spec,
and tasks artifact that claims alignment with this constitution.
**Version**: 1.0.0 | **Ratified**: 2026-04-01 | **Last Amended**: 2026-04-01
**Version**: 1.1.0 | **Ratified**: 2026-04-01 | **Last Amended**: 2026-04-02
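Review bot: the footer bump to `1.1.0` with `Last Amended: 2026-04-02` fits the context rule that MINOR covers materially expanded rules, since principle III now covers WireGuard and policy routing as well as firewalling. The same amendment, however, renames a principle and moves a required path from `firewall.nix` to `network.nix`, which makes every existing plan, spec and tasks artifact that cites `hosts/<name>/firewall.nix` non-compliant under the mandatory compliance review stated two lines above; the MAJOR criterion is not visible in this hunk, so confirm that a change which invalidates previously compliant artifacts does not qualify as MAJOR, and note in the Sync Impact Report which existing artifacts were re-checked against 1.1.0.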