niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/ops/ASL-AUTH-HOST ISO + Overlay Directory Layout.md
Carl Niklas Rydberg 4cba1f45eb Move host/rescue docs to ops tier
2026-01-17 09:04:19 +01:00

113 lines
3.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Perfect! Heres a **concrete directory layout blueprint** for your `asl-auth-host` ISO + overlay, ready to drop in binaries, certificates, and configuration. This integrates the concepts we discussed: domains, certificates, personal/common datasets, and the overlay structure.
---
## ASL-AUTH-HOST ISO + Overlay Directory Layout
```
/iso_root/ # Root of ISO filesystem (from debootstrap)
/bin/ # Executables
asl-auth-host # Main host binary
asl-rescue # Rescue binary
init-asl-host.sh # Init script to bootstrap datasets & services
helper-mount.sh # Optional helper scripts
/etc/
asl-auth-host/
config.yaml # Host config (domains, policies, SOPS paths)
policy.hash # Optional policy hash for offline validation
/var/lib/asl/ # ASL storage root
common/ # Courtesy/common domain data
blocks/ # Encrypted blocks or artifacts
index/ # Store index for common domain
snapshots/ # Snapshots for deterministic reconstruction
logs/ # Append-only log
personal/ # Personal domain data
blocks/ # Encrypted personal blocks
index/
snapshots/
logs/
pools/ # Placeholder directories for ZFS datasets if used
/var/lib/asl/certs/ # Certificates and DAM bundles
root-offline/ # Offline root certs
domain-authority/ # Signed DAM bundles
sops/ # Optional SOPS bundles
/var/log/ # Host logs
asl-auth-host.log
```
---
### Notes
1. **ISO Root (`/iso_root`)**
* Populated via debootstrap in Debian container. Overlay merges your binaries and directory structure.
2. **Binaries (`/bin`)**
* Place `asl-auth-host` and `asl-rescue` here.
* Init scripts can handle mounting ZFS datasets or preparing `/var/lib/asl` before starting the store.
3. **Host Configuration (`/etc/asl-auth-host`)**
* `config.yaml` contains domain IDs, policies, and SOPS bundle paths.
* `policy.hash` allows offline verification of policies before admission.
4. **ASL Storage (`/var/lib/asl`)**
* **Common**: Courtesy domain with pre-seeded blocks/artifacts.
* **Personal**: New private domain for rescued material.
* **Pools**: Reserved for mounting ZFS pools when booted.
5. **Certificates (`/var/lib/asl/certs`)**
* Offline roots for verifying DAM signatures.
* Domain authority DAM bundles received via SOPS.
6. **Logging (`/var/log`)**
* Minimal logs for host activity, index writes, and rescue operations.
---
### Optional: Overlay Sub-structure for Development
```
/overlay/
bin/
asl-auth-host
asl-rescue
init-asl-host.sh
etc/
asl-auth-host/config.yaml
asl-auth-host/policy.hash
var/
lib/
asl/
common/
personal/
pools/
certs/
log/
```
*This overlay merges into `/iso_root` during ISO build.*
---
This layout **supports bootstrapping a personal domain from scratch**, seeding the courtesy/common domain, and later integrating offline DAM bundles. It also keeps your binaries and helper scripts isolated in `/bin` and `/etc` configs clean.
---
I can also **draft an example `config.yaml` for the host** showing:
* Domain IDs
* Courtesy lease definitions
* Default SOPS bundle paths
* Snapshot/retention policies
…so your host is ready to pick up a new domain or rescued data.
Do you want me to draft that next?
Reference in a new issue View git blame Copy permalink