feat(clan): add vps-relay + strip bbbot cloudflared 🚢

Stage 4.5: declare a Hetzner-hosted reverse-proxy VPS as a clan machine.

- nixos/hosts/vps-relay.nix: Debian→NixOS cx23 in hel1. Caddy at public
  80/443 reverse-proxies navidrome.dannydannydanny.me and
  bbbot.dannydannydanny.me over ZT to sunken-ship.
- nixos/disko-cloud.nix: simple GPT + ext4 root, no LUKS — cloud provider
  has physical disk anyway and there's no operator at boot.
- flake-modules/clan.nix: register vps-relay as an inventory machine,
  zerotier peer, internet networking target at its clan-generated ZT
  IPv6, and add vps-relay.clan to clanHostsModule /etc/hosts.
- sunken-ship fitness-bot: drop pkgs.cloudflared from PATH + set
  WEBAPP_URL=https://bbbot.dannydannydanny.me. Paired with the bbbot
  upstream patch (start.py honors env WEBAPP_URL and skips cloudflared
  when set) — once the 15-min fitness-bot-pull timer pulls that change,
  bbbot will stop churning trycloudflare.com URLs.

Vars (zerotier identity/ip + sops machine key) generated on sunken-ship
because clan's hermetic sandbox on macOS fails to run the zerotier
identity generator (same workaround as for data-mesher earlier).

VPS install flow: Hetzner-created Debian box, then `clan machines
install vps-relay --target-host root@<public-ipv4>` reinstalls to
NixOS; subsequent updates go over ZT.

DannyDannyDanny 2026-04-24 13:43:21 +02:00
parent b0c8664f5c
commit 47fc658523
11 changed files with 187 additions and 1 deletions

@ -0,0 +1,6 @@
[
{
"publickey": "age1mlljsdpqf054p4nav9s855rtd5szwyl9av8w2lvg86j59cdtugxqylcn6k",
"type": "age"
}
]
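
Review bot: the `publickey` entry says nothing about which machine or user it belongs to, and it is not the key the secret in this commit is encrypted to (that file's only recipient begins `age1g6y8`). If this is the vps-relay machine key that the commit message says was generated on sunken-ship, confirm the private half exists only in encrypted form and was not left in plaintext on sunken-ship after generation.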

@ -0,0 +1,14 @@
{
"data": "ENC[AES256_GCM,data:+Cd3Hxr5KzX6J/74M2IZ6VOE6KEDsK8NoVyTleSB7UdsDWWGAS+mgdNZTiVBJEIBx+cmMKMcNj2rNu6T4Z2OCvqH/o6GBAhKBmM=,iv:RllA6vH/qWsx08gTEi5Nl4VkvoeI00Bw56IwPp1TOLk=,tag:PdQJpm0oaYZUZvc1y9Cmcw==,type:str]",
"sops": {
"age": [
{
"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSmVLKzl3akVZNlE0QWJr\namc0T3NPb0pzM2hvR3VlSEo2TDJ6VDJOQmhBCnJOTkZaOVM2RXpTOEdYUEtWTUht\nS0ZmNDVoVDJzajYxRDVWVFVkTkJLbkUKLS0tICsrUGx0Q2FmZk04NHBVb2wvaU1p\nSktZNVl5bUtKZEJLWm1kYm9wSFl5ZXMKEb+0fq1idxA4mpJAxt3DUWX8kYp8HwYN\nwUQ7SFAlj3k611jfVFwRYdqJZQLYQ0iVbEwy5BfJw4tnqZFeaEBueA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-04-24T11:41:47Z",
"mac": "ENC[AES256_GCM,data:AjAgVpuV7QvCh1E4AvTSP+Oxg/M1at8X08s76C9OxmdCR0Evd67Hb5TaPkujhtX87Qs9IHoOK6yY+aQv2exLXWt6U4uRzapsVIpcofdyA7EUF2q0UaykrqtKLGYW3IY8fXL4XwMMFJ+wmThmwKnJVJO8hUug8AceA83/QVYNccM=,iv:JuxpYvmTROZPv7zawPQ/NpfbWAQqwRfBRp+zhNQnm5I=,tag:v6IMgQTbPP+XEeCSrpVTxg==,type:str]",
"version": "3.12.2"
}
}
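
Review bot: `sops.age` lists a single recipient, so losing that one age identity makes this secret unrecoverable and leaves no second key to fall back on during rotation. Consider adding a recovery recipient, or say in the commit message that a single admin key is intentional. The ciphertext also stays in history permanently, so a later compromise of that identity should be answered by rotating the underlying secret, not only by re-encrypting this file.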

@ -0,0 +1 @@
../../../users/danny
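
Review bot: the single line `../../../users/danny` looks like a relative symlink target, which only resolves when the repository is checked out with symlink support; with `core.symlinks=false` it becomes a plain text file. The file's own path is not visible here, so verify the target exists from the link's location, and if this link is what grants user danny access to the secret, check that danny's key is the recipient listed in the sops file.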