id: T024 name: NixOS Packaging + Flake goal: Package all 8 platform components for NixOS deployment with reproducible builds status: pending priority: P0 owner: peerA (strategy) + peerB (implementation) created: 2025-12-09 depends_on: [T023] context: | MVP-Beta achieved: E2E tenant path validated. Next milestone: Deployment packaging for production use. Components to package: - chainfire (cluster KVS) - flaredb (DBaaS) - iam (authentication/authorization) - plasmavmc (VM infrastructure) - novanet (overlay networking) - flashdns (DNS) - fiberlb (load balancer) - lightningstor (object storage) NixOS provides: - Reproducible builds - Declarative configuration - Atomic upgrades/rollbacks - systemd service management acceptance: - All 8 components build via Nix flake - NixOS modules for each service - systemd unit files with proper dependencies - Configuration options exposed via NixOS module system - Development shell with all build dependencies - CI/CD integration (GitHub Actions with Nix) - Basic bare-metal bootstrap guide steps: - step: S1 name: Flake Foundation done: flake.nix with Rust toolchain, all 8 packages buildable status: complete owner: peerB priority: P0 outputs: - path: flake.nix note: Nix flake (278L) with devShell + all 8 packages notes: | Implemented: 1. flake.nix at repo root (278 lines) 2. Rust toolchain via oxalica/rust-overlay (stable.latest) 3. All 8 cargo workspaces buildable via rustPlatform 4. devShell drop-in replacement for shell.nix 5. Apps output for `nix run .#` Key dependencies included: - protobuf (PROTOC env var) - openssl + pkg-config - clang/libclang (LIBCLANG_PATH env var) - rocksdb (ROCKSDB_LIB_DIR env var) - rustToolchain with rust-src + rust-analyzer Packages defined: - chainfire-server, flaredb-server, iam-server, plasmavmc-server - novanet-server, flashdns-server, fiberlb-server, lightningstor-server - default: all 8 servers combined Usage: - `nix develop` (devShell) - `nix build .#` (build specific server) - `nix run .#` (run server directly) - step: S2 name: Service Packages done: Individual Nix packages for each service binary status: complete owner: peerB priority: P0 outputs: - path: flake.nix note: Enhanced buildRustWorkspace with doCheck, meta blocks notes: | Implemented: 1. Enhanced buildRustWorkspace helper function with: - doCheck = true (enables cargo test during build) - cargoTestFlags for per-crate testing - meta blocks with description, homepage, license, maintainers, platforms 2. Added descriptions for all 8 packages: - chainfire-server: "Distributed key-value store with Raft consensus and gossip protocol" - flaredb-server: "Distributed time-series database with Raft consensus for metrics and events" - iam-server: "Identity and access management service with RBAC and multi-tenant support" - plasmavmc-server: "Virtual machine control plane for managing compute instances" - novanet-server: "Software-defined networking controller with OVN integration" - flashdns-server: "High-performance DNS server with pattern-based reverse DNS" - fiberlb-server: "Layer 4/7 load balancer for distributing traffic across services" - lightningstor-server: "Distributed block storage service for persistent volumes" 3. Runtime dependencies verified (rocksdb, openssl in buildInputs) 4. Build-time dependencies complete (protobuf, pkg-config, clang in nativeBuildInputs) Each package now: - Builds from workspace via rustPlatform.buildRustPackage - Includes all runtime dependencies (rocksdb, openssl) - Runs cargo test in check phase (doCheck = true) - Has proper metadata (description, license Apache-2.0, platforms linux) - Supports per-crate testing via cargoTestFlags - step: S3 name: NixOS Modules done: NixOS modules for each service with options status: complete owner: peerB priority: P0 outputs: - path: nix/modules/ note: 8 NixOS modules (646L total) + aggregator - path: flake.nix note: Updated to export nixosModules + overlay (302L) notes: | Implemented: 1. 8 NixOS modules in nix/modules/: chainfire (87L), flaredb (82L), iam (76L), plasmavmc (76L), novanet (76L), flashdns (85L), fiberlb (76L), lightningstor (76L) 2. default.nix aggregator (12L) importing all modules 3. flake.nix exports: nixosModules.default + nixosModules.plasmacloud 4. overlays.default for package injection into nixpkgs Each module includes: - services..enable - services..port (+ raftPort/gossipPort for chainfire/flaredb, dnsPort for flashdns) - services..dataDir - services..settings (freeform) - services..package (overrideable) - systemd service with proper ordering (after + requires) - User/group creation - StateDirectory management (0750 permissions) - Security hardening (NoNewPrivileges, PrivateTmp, ProtectSystem, ProtectHome) Service dependencies implemented: - chainfire: no deps - flaredb: requires chainfire.service - iam: requires flaredb.service - plasmavmc, novanet, flashdns, fiberlb, lightningstor: require iam.service + flaredb.service Usage: ```nix { inputs.plasmacloud.url = "github:yourorg/plasmacloud"; nixpkgs.overlays = [ inputs.plasmacloud.overlays.default ]; imports = [ inputs.plasmacloud.nixosModules.default ]; services.chainfire.enable = true; services.flaredb.enable = true; services.iam.enable = true; } ``` - step: S4 name: Configuration Templates done: Example NixOS configurations for common deployments status: pending owner: peerB priority: P1 notes: | Example configurations: 1. Single-node development (all services on one machine) 2. 3-node cluster (HA chainfire + services) 3. Minimal (just iam + flaredb for testing) Each includes: - imports for all required modules - Networking (firewall rules) - Storage paths - Inter-service configuration - step: S5 name: CI/CD Integration done: GitHub Actions workflow using Nix status: pending owner: peerB priority: P1 notes: | GitHub Actions with Nix: 1. nix flake check (all packages build) 2. nix flake test (all tests pass) 3. Cache via cachix or GitHub cache 4. Matrix: x86_64-linux, aarch64-linux (if feasible) Replaces/augments existing cargo-based CI. - step: S6 name: Bare-Metal Bootstrap Guide done: Documentation for deploying to bare metal status: complete owner: peerB priority: P1 outputs: - path: docs/deployment/bare-metal.md note: Comprehensive deployment guide (480L) notes: | Implemented: 1. Complete NixOS installation guide with disk partitioning 2. Repository setup and flake verification 3. Single-node configuration for all 8 services 4. Deployment via nixos-rebuild switch 5. Health checks for all services with expected responses 6. Troubleshooting section (dependencies, permissions, ports, firewall) 7. Multi-node scaling patterns (Core+Workers, Service Separation) 8. Example configs for 3-node HA and worker nodes 9. Load balancing and monitoring hints Guide structure: - Prerequisites (hardware, network requirements) - NixOS installation (bootable USB, partitioning, base config) - Repository setup (clone, verify flake) - Configuration (single-node with all services) - Deployment (test, apply, monitor) - Verification (systemctl status, health checks, logs) - Troubleshooting (common issues and solutions) - Multi-Node Scaling (architecture patterns, examples) - Next steps (HA, monitoring, backup) Target achieved: User can deploy from zero to running platform following step-by-step guide. blockers: [] evidence: [] notes: | Priority within T024: - P0: S1 (Flake), S2 (Packages), S3 (Modules) — Core packaging - P1: S4 (Templates), S5 (CI/CD), S6 (Bootstrap) — Production readiness This unlocks production deployment capability. Success = platform deployable via `nixos-rebuild switch`. Post-T024: T025 K8s hosting or T023 S3/S4/S5 full stack.