DEFAULTS-POLICY: every boolean ships true; incompatibility gating moves to systemd Condition*

Project-wide invariant: every boolean feature flag in the profile
(`[quadlets.enable]`, `[ai] enable_*`, etc.) ships `true`. The system
never disables a component via static config; when a component is
incompatible with the host (wrong virtualization layer, missing
required path, missing hardware), systemd `Condition*` directives in
the underlying unit short-circuit it at boot/pre-boot and the unit
silently no-ops. Operators can still set a flag to `false` to
force-disable a component even when it would otherwise run.

Profile changes (usr/share/mios/profile.toml — vendor defaults):
- [ai] enable_ollama: false → true
- [quadlets.enable] mios-ceph, mios-k3s, crowdsec-dashboard, ollama,
  cloudws-guacamole, cloudws-pxe-hub, guacamole-postgres, guacd:
  false → true (mios-ai was already true).
- Inline policy comment added to the section so future edits don't
  silently revert.

Quadlet Condition gating (etc/containers/systemd/ + usr/share/containers/systemd/):
- mios-ai.container: ConditionPathIsDirectory=/etc/mios/ai
- mios-ceph.container: ConditionPathExists=/etc/ceph/ceph.conf,
  ConditionVirtualization=!container
- mios-k3s.container: ConditionVirtualization=!wsl + !container
- cloudws-guacamole.container: After=guacamole-postgres.service,
  ConditionVirtualization=!container
- cloudws-pxe-hub.container: ConditionVirtualization=!wsl + !container
- crowdsec-dashboard.container: After=crowdsec.service,
  ConditionPathExists=/etc/crowdsec/config.yaml
- guacamole-postgres.container, guacd.container:
  ConditionVirtualization=!container
- ollama.container: no condition (CPU fallback always works);
  documented inline that operators must opt out via profile.toml to
  disable.

Doc updates:
- INDEX.md §5 (new): Defaults policy section + active gating table
  listing every condition-gated unit and the deployment scenarios
  where it skips.
- CLAUDE.md: short policy summary cross-referencing INDEX.md §5.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: mios-dev

CLAUDE.md

@@ -143,6 +143,17 @@ behavior, not "a file to add". User-installer files (`/etc/mios/*`,
 `/etc/skel/.config/mios/*`, knowledge graphs) belong in
 `mios-bootstrap.git`, not here.
 
+## Defaults policy
+
+Every boolean feature flag in the profile (`[quadlets.enable]`, `[ai]`,
+`[network]`, `[bootstrap]`) ships **`true`**. The system does NOT
+disable a component via static config. When a component is incompatible
+with the host (wrong virtualization layer, missing required path,
+missing hardware), systemd `Condition*` directives in the corresponding
+Quadlet/service short-circuit it at boot/pre-boot and the unit silently
+no-ops. Operators can still set a flag to `false` to force-disable.
+See `INDEX.md` §5 for the gating table.
+
 ## Architectural laws (from INDEX.md / .cursorrules — non-negotiable)
 
 1. **USR-OVER-ETC** — static config goes in `/usr/lib/<component>.d/`.

INDEX.md

@@ -66,7 +66,32 @@ and at runtime by `mios` CLI clients):
 | `MIOS_USER` / `MIOS_HOSTNAME` | build | Default account/hostname baked into the image (`Containerfile:26-27`). |
 | `MIOS_FLATPAKS` | build | Comma-separated Flatpak refs (`Containerfile:28`). |
 
-## 5. Global pipeline phases
+## 5. Defaults policy
+
+Every boolean feature flag in `usr/share/mios/profile.toml` and
+`/etc/mios/profile.toml` ships **`true`**. The system never disables a
+component via static config — when a component is incompatible with the
+host (wrong virtualization layer, missing required path, missing
+hardware), systemd `Condition*` directives in the corresponding
+Quadlet/service unit short-circuit it at boot/pre-boot and the unit
+silently no-ops. Operators can still set any flag to `false` to
+force-disable a component even when it would otherwise run.
+
+Active gating (referenced in `etc/containers/systemd/` and
+`usr/share/containers/systemd/`):
+
+| Unit | Condition | Skips on |
+|---|---|---|
+| `mios-ai` | `ConditionPathIsDirectory=/etc/mios/ai` | bootstrap incomplete |
+| `mios-ceph` | `ConditionPathExists=/etc/ceph/ceph.conf`, `!container` | Ceph not configured, nested |
+| `mios-k3s` | `!wsl`, `!container` | WSL2, nested containers |
+| `crowdsec-dashboard` | `ConditionPathExists=/etc/crowdsec/config.yaml` | CrowdSec not configured |
+| `cloudws-guacamole`, `guacd`, `guacamole-postgres` | `!container` | nested containers |
+| `cloudws-pxe-hub` | `!wsl`, `!container` | virtualized hosts without routable LAN |
+| `mios-gpu-{nvidia,amd,intel,status}` | `ConditionPathExists=/dev/...`, `!container`, `!wsl` (Intel) | no matching GPU device |
+| `ollama` | none | always runs (CPU fallback) |
+
+## 6. Global pipeline phases
 
 The end-to-end bootstrap → install pipeline is partitioned into five phases
 shared across both repos:
@@ -83,7 +108,7 @@ The user profile card at `etc/mios/profile.toml` (host) and
 `~/.config/mios/profile.toml` (per-user) is read in Phase-0 to seed defaults
 and re-written/staged in Phase-3.
 
-## 6. Cross-references
+## 7. Cross-references
 
 - Build pipeline architecture: `CLAUDE.md`, `automation/build.sh`.
 - Filesystem and hardware layout: `ARCHITECTURE.md`.

etc/containers/systemd/mios-ai.container

@@ -1,10 +1,15 @@
 # /etc/containers/systemd/mios-ai.container
 # OpenAI-compatible inference backend.
+#
+# Defaults policy: enabled by default. ConditionPathExists guards the
+# config dir; if /etc/mios/ai/ doesn't exist (incomplete bootstrap),
+# the unit no-ops at pre-boot rather than crash-looping.
 
 [Unit]
 Description=MiOS AI inference backend (OpenAI-compatible)
 After=network-online.target
 Wants=network-online.target
+ConditionPathIsDirectory=/etc/mios/ai
 
 [Container]
 Image=docker.io/localai/localai:v2.20.0

etc/containers/systemd/mios-ceph.container

@@ -10,6 +10,12 @@
 Description=MiOS Ceph Monitor (Podman-native)
 After=network-online.target
 Wants=network-online.target
+# Defaults policy: enabled by default; auto-skips on hosts that aren't
+# Ceph-configured. Ceph requires a configured cluster; without
+# /etc/ceph/ceph.conf the monitor cannot bootstrap, so skip cleanly at
+# pre-boot. Nested containers cannot run a Ceph mon.
+ConditionPathExists=/etc/ceph/ceph.conf
+ConditionVirtualization=!container
 
 [Container]
 Image=quay.io/ceph/ceph:v18

etc/containers/systemd/mios-k3s.container

@@ -17,6 +17,11 @@
 Description=MiOS K3s Service (Podman-native)
 After=network-online.target
 Wants=network-online.target
+# Defaults policy: enabled by default; auto-skips on incompatible hosts.
+# K3s needs cgroup v2, eBPF, and full kernel namespaces — none of which
+# work reliably under WSL2 or in nested containers.
+ConditionVirtualization=!wsl
+ConditionVirtualization=!container
 
 [Container]
 Image=docker.io/rancher/k3s:v1.32.1-k3s1

usr/share/containers/systemd/cloudws-guacamole.container

@@ -1,7 +1,11 @@
 [Unit]
 Description=MiOS Apache Guacamole Web
-After=network-online.target
+After=network-online.target guacamole-postgres.service
 Wants=network-online.target
+# Defaults policy: enabled by default; auto-skips when nested in another
+# container (no working network namespacing for the bridge backend).
+# guacamole-postgres must be reachable, hence After= on the DB unit.
+ConditionVirtualization=!container
 
 [Container]
 Image=docker.io/guacamole/guacamole:latest

usr/share/containers/systemd/cloudws-pxe-hub.container

@@ -2,6 +2,10 @@
 Description=MiOS PXE Boot Hub
 After=network-online.target
 Wants=network-online.target
+# Defaults policy: enabled by default; auto-skips on virtualized hosts
+# without a routable LAN (PXE requires raw DHCP/TFTP on the host network).
+ConditionVirtualization=!wsl
+ConditionVirtualization=!container
 
 [Container]
 Image=quay.io/poseidon/matchbox:latest

usr/share/containers/systemd/crowdsec-dashboard.container

@@ -1,7 +1,10 @@
 [Unit]
 Description=MiOS CrowdSec Dashboard
-After=network-online.target
+After=network-online.target crowdsec.service
 Wants=network-online.target
+# Defaults policy: enabled by default; auto-skips when CrowdSec isn't
+# configured (no /etc/crowdsec/config.yaml = no LAPI to scrape).
+ConditionPathExists=/etc/crowdsec/config.yaml
 
 [Container]
 Image=docker.io/crowdsecurity/crowdsec:latest

usr/share/containers/systemd/guacamole-postgres.container

@@ -2,6 +2,9 @@
 Description=MiOS Guacamole PostgreSQL
 After=network-online.target
 Wants=network-online.target
+# Defaults policy: enabled by default; auto-skips inside another
+# container (postgres datadir on overlayfs-on-overlayfs is unreliable).
+ConditionVirtualization=!container
 
 [Container]
 Image=docker.io/library/postgres:16

usr/share/containers/systemd/guacd.container

@@ -2,6 +2,9 @@
 Description=MiOS Apache Guacamole Daemon
 After=network-online.target
 Wants=network-online.target
+# Defaults policy: enabled by default; auto-skips inside nested
+# containers (guacd needs raw VNC/RDP socket access).
+ConditionVirtualization=!container
 
 [Container]
 Image=docker.io/guacamole/guacd:latest