fix(network): unify mios-ai + mios-cockpit-link onto mios.network (KISS)

Kabuki94 · claude · Kabuki94 · commit 7bec206d31e9 · 2026-05-04T20:51:35.000-04:00
Audit caught two stragglers:
  * mios-ai.container         -- was on the default podman bridge
  * mios-cockpit-link.container -- was on the default podman bridge

Every other Quadlet was already on `mios.network` (10.89.0.0/24
bridge defined in etc/containers/systemd/mios.network). Adding
`Network=mios.network` to these two completes the unification:

  * One bridge, one subnet, one gateway -- no segmentation, no
    inter-network NAT hops, no DNS-resolver gymnastics.
  * netavark + aardvark-dns give container-name DNS for free, so
    sibling Quadlets reach each other at e.g. http://mios-ai:8080/v1
    or http://mios-forge:3000 without bouncing through host loopback.
  * PublishPort directives still map to the host so external clients
    (browser, podman-desktop, the operator's bash shell) keep the
    same access surface they had before.

Network compute overhead: one bridge interface + one veth pair per
container, exactly what we had already. Adding two more containers
to the same bridge costs nothing measurable.

mios-aichat (Distrobox) intentionally stays on host netns
(unshare_netns=false in distrobox.ini) -- different surface, by
design, so it can reach host services at localhost:* without going
through this bridge.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/etc/containers/systemd/mios-ai.container b/etc/containers/systemd/mios-ai.container
@@ -14,6 +14,12 @@ ConditionPathIsDirectory=/etc/mios/ai
 [Container]
 Image=docker.io/localai/localai:latest
 ContainerName=mios-ai
+# Single MiOS internal network so sibling Quadlets (mios-forge,
+# mios-aichat, mios-mcp, ollama, etc.) reach LocalAI by container name
+# at http://mios-ai:8080/v1 without going through host loopback. Keeps
+# the network surface KISS: one bridge, all services on it. PublishPort
+# below still maps to the host so external clients can reach :8080.
+Network=mios.network
 PublishPort=8080:8080
 # LocalAI v4 layout: /build/models is canonical (matches MODELS_PATH /
 # upstream Containerfile WORKDIR), but /data/{outputs,collections} is
diff --git a/etc/containers/systemd/mios-cockpit-link.container b/etc/containers/systemd/mios-cockpit-link.container
@@ -43,6 +43,12 @@ ConditionVirtualization=!container
 [Container]
 Image=docker.io/alpine/socat:latest
 ContainerName=mios-cockpit-link
+# Single MiOS internal network -- KISS, every Quadlet on the same
+# bridge so sibling lookups by container name work without host-
+# loopback gymnastics. The host.containers.internal hop below is
+# still needed because cockpit-ws runs as a HOST service, not a
+# Quadlet -- it doesn't have a sibling-name on this bridge.
+Network=mios.network
 # Forward 19090 (container, bound 0.0.0.0) -> host:9090 (cockpit).
 # host.containers.internal is Podman's documented loopback-to-host
 # alias (mirrors Docker's host.docker.internal); falls back to the
