amduat-api/ops/legacy/ASL-AUTH-HOST ISO + Overlay Directory Layout.md
Carl Niklas Rydberg 74efedf62c Rework ops specs
2026-01-17 09:21:47 +01:00


Perfect! Here's a concrete directory layout blueprint for your asl-auth-host ISO + overlay, ready to drop in binaries, certificates, and configuration. This integrates the concepts we discussed: domains, certificates, personal/common datasets, and the overlay structure.


ASL-AUTH-HOST ISO + Overlay Directory Layout

/iso_root/                  # Root of ISO filesystem (from debootstrap)
/bin/                       # Executables
    asl-auth-host            # Main host binary
    asl-rescue               # Rescue binary
    init-asl-host.sh         # Init script to bootstrap datasets & services
    helper-mount.sh          # Optional helper scripts
/etc/
    asl-auth-host/
        config.yaml          # Host config (domains, policies, SOPS paths)
        policy.hash          # Optional policy hash for offline validation
/var/lib/asl/               # ASL storage root
    common/                 # Courtesy/common domain data
        blocks/             # Encrypted blocks or artifacts
        index/              # Store index for common domain
        snapshots/          # Snapshots for deterministic reconstruction
        logs/               # Append-only log
    personal/               # Personal domain data
        blocks/             # Encrypted personal blocks
        index/
        snapshots/
        logs/
    pools/                  # Placeholder directories for ZFS datasets if used
/var/lib/asl/certs/         # Certificates and DAM bundles
    root-offline/           # Offline root certs
    domain-authority/       # Signed DAM bundles
    sops/                   # Optional SOPS bundles
/var/log/                   # Host logs
    asl-auth-host.log

Notes

  1. ISO Root (/iso_root)

    • Populated via debootstrap in a Debian container. The overlay merges your binaries and directory structure into it.
  2. Binaries (/bin)

    • Place asl-auth-host and asl-rescue here.
    • Init scripts can handle mounting ZFS datasets or preparing /var/lib/asl before starting the store.
  3. Host Configuration (/etc/asl-auth-host)

    • config.yaml contains domain IDs, policies, and SOPS bundle paths.
    • policy.hash allows offline verification of policies before admission.
  4. ASL Storage (/var/lib/asl)

    • Common: Courtesy domain with pre-seeded blocks/artifacts.
    • Personal: New private domain for rescued material.
    • Pools: Reserved for mounting ZFS pools when booted.
  5. Certificates (/var/lib/asl/certs)

    • Offline roots for verifying DAM signatures.
    • Domain authority DAM bundles received via SOPS.
  6. Logging (/var/log)

    • Minimal logs for host activity, index writes, and rescue operations.

Optional: Overlay Sub-structure for Development

/overlay/
    bin/
        asl-auth-host
        asl-rescue
        init-asl-host.sh
    etc/
        asl-auth-host/config.yaml
        asl-auth-host/policy.hash
    var/
        lib/
            asl/
                common/
                personal/
                pools/
                certs/
        log/

This overlay merges into /iso_root during ISO build.
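
A preflight check that can run on the overlay tree before it is merged into /iso_root, given here as an added example and not part of the original layout or the project's build scripts. The directory and file names come from the layout above; the function names and the rules themselves (no symlinks, nothing world-writable) are assumptions about what a hardened image should enforce.

```shell
#!/bin/sh
# Added example: validate an overlay tree before it is merged into the ISO root.
# Paths follow the layout on this page; policy.hash and helper-mount.sh are
# optional there, so they are not required here.
REQUIRED_DIRS="bin etc/asl-auth-host var/lib/asl/common var/lib/asl/personal var/lib/asl/pools var/lib/asl/certs var/log"
REQUIRED_BINS="asl-auth-host asl-rescue init-asl-host.sh"

# make_skeleton DIR: create the empty overlay tree with group/other write removed.
make_skeleton() {
    root=$1
    for d in $REQUIRED_DIRS; do
        mkdir -p "$root/$d" || return 1
    done
    chmod -R go-w "$root"
}

# check_overlay DIR: print one line per finding; return 0 if clean, 1 otherwise.
check_overlay() {
    root=$1
    rc=0
    for d in $REQUIRED_DIRS; do
        [ -d "$root/$d" ] || { echo "missing dir: $d"; rc=1; }
    done
    for b in $REQUIRED_BINS; do
        if [ ! -f "$root/bin/$b" ]; then
            echo "missing binary: bin/$b"; rc=1
        elif [ ! -x "$root/bin/$b" ]; then
            echo "not executable: bin/$b"; rc=1
        fi
    done
    [ -f "$root/etc/asl-auth-host/config.yaml" ] ||
        { echo "missing: etc/asl-auth-host/config.yaml"; rc=1; }
    # Assumption: the overlay holds only regular files and directories, so a
    # symlink (which could resolve differently inside the booted image) is flagged.
    if [ -n "$(find "$root" -type l 2>/dev/null)" ]; then
        echo "symlink present in overlay"; rc=1
    fi
    # A world-writable entry would be modifiable by any user on the booted host.
    if [ -n "$(find "$root" ! -type l -perm -0002 2>/dev/null)" ]; then
        echo "world-writable entry in overlay"; rc=1
    fi
    return $rc
}
```
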


This layout supports bootstrapping a personal domain from scratch, seeding the courtesy/common domain, and later integrating offline DAM bundles. It also keeps your binaries and helper scripts isolated in /bin and keeps the configuration under /etc clean.


I can also draft an example config.yaml for the host showing:

  • Domain IDs
  • Courtesy lease definitions
  • Default SOPS bundle paths
  • Snapshot/retention policies

…so your host is ready to pick up a new domain or rescued data.

Do you want me to draft that next?