Perfect! Here’s an example `config.yaml` for your `asl-auth-host`. This integrates domains, courtesy leases, snapshots, and SOPS bundle paths in a way that your host can start in “ready-for-pickup” mode or perform a rescue.

---

## `/etc/asl-auth-host/config.yaml`

```yaml
# ASL-AUTH-HOST Configuration
# Defines domains, policies, and SOPS bundles for bootstrap or rescue

host:
  name: "asl-auth-host-01"
  version: "0.1"
  mode: "rescue"  # modes: "rescue" | "admission" | "normal"

domains:
  common:
    id: "00000000-0000-0000-0000-000000000001"  # Courtesy/common domain
    type: "courtesy"
    description: "Shared courtesy domain for new users or bootstrapped material"
    path: "/var/lib/asl/common"
    snapshot_retention: 30d
    allowed_operations:
      - read
      - write
      - append
    courtesy_lease: 7d  # Default grace period for newcomers
  personal:
    id: "00000000-0000-0000-0000-000000000002"  # Personal private domain
    type: "private"
    description: "Private domain for rescued material or user-owned data"
    path: "/var/lib/asl/personal"
    snapshot_retention: 90d
    allowed_operations:
      - read
      - write
      - append
      - seal
      - gc

certificates:
  root_offline_path: "/var/lib/asl/certs/root-offline"
  domain_authority_path: "/var/lib/asl/certs/domain-authority"
  sops_bundle_path: "/var/lib/asl/certs/sops"

policy:
  hash_file: "/etc/asl-auth-host/policy.hash"
  description: "Offline policy hash used to verify compliance before admission or rescue"

logging:
  path: "/var/log/asl-auth-host.log"
  level: "INFO"

store:
  type: "zfs"  # or "posix"
  pools:
    - name: "common_pool"
      mount_point: "/var/lib/asl/common"
    - name: "personal_pool"
      mount_point: "/var/lib/asl/personal"
  enable_snapshotting: true
  snapshot_prefix: "asl_snap"

# Optional hooks for init scripts
hooks:
  pre_start: "/bin/init-asl-host.sh"
  post_start: "/bin/helper-mount.sh"
```

---

### Notes:

1. **`host.mode`**:

   * `"rescue"` → SystemRescue boot with ready-for-pickup for old material.
   * `"admission"` → Host expects to receive a DAM and SOPS bundle for new personal domain.
   * `"normal"` → Standard operation with personal domain active.

2. **Domains**:

   * **Common**: Courtesy domain, short-term leases for newcomers.
   * **Personal**: Private domain, snapshots and sealing enabled.

3. **Certificates**:

   * Paths to offline root certs, DAM bundles, and SOPS bundles.

4. **Policy hash**:

   * Offline verification ensures host doesn’t act on incompatible policies.

5. **Store config**:

   * Can be POSIX or ZFS-based.
   * Supports snapshotting for deterministic recovery.

6. **Hooks**:

   * Allows you to initialize ZFS pools, mount overlays, or start ASL binaries.

---

This config gives you a **bootable, ready-for-pickup SystemRescue node** that can handle:

* Receiving old data
* Creating your personal domain
* Storing material safely in courtesy/common domain
* Verifying offline DAM bundles before admission

---

I can also **draft the accompanying init script (`init-asl-host.sh`)** that reads this config, sets up domains, mounts pools, and prepares the store for immediate rescue or admission.

Do you want me to do that next?
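Added example, not part of the reply above and not ASL project code: a fail-closed pre-start check over the config's `host.mode`, `store` and `domains` keys. The `validate` function, the rule that every domain path must match a pool mount point, the `..` rejection and the closed set of operation names are assumptions made for illustration; the sample dict is constructed to mirror what a YAML loader would return for the file above.

```python
import re

# Allowed values as listed in the config comments and notes above.
MODES = {"rescue", "admission", "normal"}
STORE_TYPES = {"zfs", "posix"}
# Assumption: the operation names in the sample config are the complete set.
KNOWN_OPS = {"read", "write", "append", "seal", "gc"}
DURATION = re.compile(r"^[1-9]\d*d$")  # day counts such as "7d" or "30d"

def validate(cfg):
    """Return a list of problems; an empty list means the config passed."""
    errs = []
    if cfg.get("host", {}).get("mode") not in MODES:
        errs.append("host.mode must be one of rescue|admission|normal")
    store = cfg.get("store", {})
    if store.get("type") not in STORE_TYPES:
        errs.append("store.type must be zfs or posix")
    mounts = {p.get("mount_point") for p in store.get("pools", [])}
    for name, dom in cfg.get("domains", {}).items():
        path = str(dom.get("path", ""))
        if not path.startswith("/") or ".." in path.split("/"):
            errs.append(f"domains.{name}.path must be absolute without '..'")
        elif path not in mounts:  # assumed rule: each domain lives on a pool
            errs.append(f"domains.{name}.path has no matching store pool")
        for key in ("snapshot_retention", "courtesy_lease"):
            if key in dom and not DURATION.match(str(dom[key])):
                errs.append(f"domains.{name}.{key} is not a day count like 30d")
        extra = set(dom.get("allowed_operations", [])) - KNOWN_OPS
        if extra:
            errs.append(f"domains.{name} has unknown operations: {sorted(extra)}")
    return errs

# Constructed sample mirroring the relevant keys of the config above.
SAMPLE = {
    "host": {"name": "asl-auth-host-01", "mode": "rescue"},
    "domains": {
        "common": {"path": "/var/lib/asl/common", "snapshot_retention": "30d",
                   "courtesy_lease": "7d",
                   "allowed_operations": ["read", "write", "append"]},
        "personal": {"path": "/var/lib/asl/personal", "snapshot_retention": "90d",
                     "allowed_operations": ["read", "write", "append", "seal", "gc"]},
    },
    "store": {"type": "zfs", "pools": [
        {"name": "common_pool", "mount_point": "/var/lib/asl/common"},
        {"name": "personal_pool", "mount_point": "/var/lib/asl/personal"}]},
}

if __name__ == "__main__":
    for problem in validate(SAMPLE) or ["config OK"]:
        print(problem)
```

A pre-start hook could refuse to continue whenever the returned list is non-empty.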