feat(clan): add vps-relay + strip bbbot cloudflared 🚢
Stage 4.5: declare a Hetzner-hosted reverse-proxy VPS as a clan machine.

- nixos/hosts/vps-relay.nix: Debian→NixOS cx23 in hel1. Caddy at public 80/443 reverse-proxies navidrome.dannydannydanny.me and bbbot.dannydannydanny.me over ZT to sunken-ship.
- nixos/disko-cloud.nix: simple GPT + ext4 root, no LUKS — cloud provider has physical disk anyway and there's no operator at boot.
- flake-modules/clan.nix: register vps-relay as an inventory machine, zerotier peer, internet networking target at its clan-generated ZT IPv6, and add vps-relay.clan to clanHostsModule /etc/hosts.
- sunken-ship fitness-bot: drop pkgs.cloudflared from PATH + set WEBAPP_URL=https://bbbot.dannydannydanny.me. Paired with the bbbot upstream patch (start.py honors env WEBAPP_URL and skips cloudflared when set) — once the 15-min fitness-bot-pull timer pulls that change, bbbot will stop churning trycloudflare.com URLs.

Vars (zerotier identity/ip + sops machine key) generated on sunken-ship because clan's hermetic sandbox on macOS fails to run the zerotier identity generator (same workaround as for data-mesher earlier).

VPS install flow: Hetzner-created Debian box, then `clan machines install vps-relay --target-host root@<public-ipv4>` reinstalls to NixOS; subsequent updates go over ZT.
parent b0c8664f5c
commit 47fc658523
11 changed files with 187 additions and 1 deletions
|
|
@ -0,0 +1,18 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:pKvAwWARYI+t2dx3E90ime8VWT1LlTaHtkfCbwPzus7GNpOPKDXzhh3aVICSy0FOlonKBuKB35DLialWGb6rLI9T5ITIh+DJj6ijoxjSWJrWmZg2Du7xq89ZtV23HpNfuJnhnF4Wo3/WNDS+vnIynJSS9lx9NXe64Nd52NGSEufHM2HHkWIIgGR7Vgs0EoGxmxrDcxQ21MA2uOMKAYwCWmDJsRO6iXy+t01tTwFjUDg8203GtQjQaR99lY0GLrJybraaowa2bn0gyJvpnFt/zQ7kHNV6jPbdNj4wo4OwZ5JHA3zO5Ep6ePUQm7g8cjVD83eV8HZ/1Hb7LF4S4628CYwydaxHmHJsdbvVz7I1,iv:ydc0gUdniYXGeW4WkQypkWz8C0yZ0GcA2srYWgV165U=,tag:Q06ScyNT7zatscjJqje+lQ==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBESE1Nd000SEovTFJQQlhH\ndFBPTmJsK3ZObG9NR0ppWUxqbkhrVmk1eFRNCnlXTUNTejFPZEdmVEROSGZSNmh2\ncEM0NG92Q01MODNZSDFOdE9MMlpmak0KLS0tIHFneDMyMFhMZm1GNDdRYmFmZU5n\nOTRuZTFhaEJxREZ3UkpVSUZqazJ5MUUK4hKiYzkoNhsxYqK0fDP7zweQLFet4WMD\nnQVUYpQIGjxK1fQEImGMybIwGRjIxfsYI51GI7qTkwUAPaLxXUjs+Q==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1mlljsdpqf054p4nav9s855rtd5szwyl9av8w2lvg86j59cdtugxqylcn6k",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVVJGN3NjQUN3aXRQaVlr\nd1Biei9mV3ZiTWRYRUxyRnhhcHlINjd1RDI0ClZETXJ0V1l6NGViVk43Y3NxSUYz\nZ3JtcDAzcXNZMnNXanl5cEVYaHRLVDAKLS0tIDVIZ2tiblNpVTlnVGJtbloyd3I1\nalZETWRvSVRRM3o2WnBmbGpFalNEQlEK3FkoqpSRrlce/4wFOdF26tUCeY8g1RD2\npYvz/giE8ULnWxYfG2HOTMQkUyUjYFiY0JPJT7oGyhQs4QmkVwhBWg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2026-04-24T11:41:47Z",
|
||||
"mac": "ENC[AES256_GCM,data:RlbV4iY8ekGfe4I53Zn8nGaAou8D+jUYW4DXi8EfwdDTiSM3+szyMe8YNMbetM0jiPe2sAVqxTMgkLe99G5lZwZBY6pOrlBljiMPtvHb0NseRr9cnMUySfX9QAhEyD62bWCQyp33jCK7bJjAtmEATnIslYePQCJhmf0OEMO95NI=,iv:XK939qjL9wwZqrJaywnfBziuY6LFI+fAH3d4rNIbdRs=,tag:uhDWeOkpyHom3/5wtEaHrw==,type:str]",
|
||||
"version": "3.12.2"
|
||||
}
|
||||
}
|
||||
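Review bot: The `sops.age` array in this new secret carries two `recipient` entries, and neither the hunk nor the commit message says which key belongs to which holder. Every listed recipient can unwrap the data key and so decrypt `data`, so please state in the commit message or the repo docs which entry is the vps-relay machine key and which is the admin key, and confirm that generating the vars on sunken-ship (the workaround the message describes) did not add a recipient beyond the intended ones.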