feat(clan): data-mesher + dm-pull-deploy wiring 🌊

Stage 4e-a of the clan migration. Set up signed-file gossip (data-mesher, experimental, clan-core) and pull-based NixOS deploy (dm-pull-deploy, experimental, clan-community) across both servers. - sunken-ship is the data-mesher bootstrap node + dm-pull-deploy push role; phantom-ship joins via /dns/sunken-ship.clan/tcp/7946/... — the hostname resolves via /etc/hosts (clanHostsModule) to sunken-ship's ZT IPv6 since we don't run a DNS server for the clan domain. - Both machines run the dm-pull-deploy default role with action="switch": they watch /var/lib/data-mesher/files/home/ dm_pull_deploy/target and nixos-rebuild switch against the pushed git+…?rev=…&narHash=… flake ref on each change. - Signing keys (shared + per-host status) generated via clan vars generate, ran on sunken-ship because data-mesher isn't packaged for aarch64-darwin. The legacy dotfiles-rebuild timer stays installed as a fallback until dm-pull-deploy is proven; a smart push timer on sunken-ship (calls dm-send-deploy only when origin/main moves) comes next.
2026-04-20 11:38:01 +02:00 · 2026-04-20 11:38:01 +02:00 · 6846faa5f1
commit 6846faa5f1
parent 41b3d217f8
34 changed files with 334 additions and 20 deletions
--- a/vars/per-machine/phantom-ship/data-mesher-node-identity/identity.key/machines/phantom-ship
+++ b/vars/per-machine/phantom-ship/data-mesher-node-identity/identity.key/machines/phantom-ship
@ -0,0 +1 @@
+../../../../../../sops/machines/phantom-ship
--- a/vars/per-machine/phantom-ship/data-mesher-node-identity/identity.key/secret
+++ b/vars/per-machine/phantom-ship/data-mesher-node-identity/identity.key/secret
@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:Ow1yORsXj8qjXIs/ZXMVQDAQtz2Kfy5lBanVJDm6Ucs/S5ka3Gw6N1DYt+mDQ8Luh3i1uwMs0WcYH6pMZYG/01WhtywsiHbyoCZe9LlpHxHTzpCJgeCkMolMjIOHA6R/axyReEZomGQsPiF16MOwmvDhh2UbMns=,iv:mmAUWG9VxYMpsaFKWO6+BE3VxcV8qGeBJjNJtaHqHAQ=,tag:LIIYmL+nhea0tKa96k0VDw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age18gtjh28qxeltg2r2tzxwl096crkqkqk8tjhersyf7mzdsddady7qs34x0m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1TG4xcWlvWGpvWk1ZUm1O\nZkRpcy9RWmlSUGR2UUZxeTJEdUxOSmczMW1VCi9FZHNHQU5aWEtkUGM2TnVZZ1pN\nU1lmL3hBbGpFa2d6SkZHMEtIa0lhWWsKLS0tIDdIMXI5V0dwUVVpMnhoSWp4dklG\nOEpzTldzODU1MEprcmhvSE5VbXpCZVkK4G0YIl+gST/RLXrYZGM6j4x4h0hJrOzy\nAvqSHDhxyGIdUCka0NxIe/soNLgzf1CrF0eYGQLP+LX742ml2TQqbQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bCtFbGh5UkNUQTQ1MGpT\nbjIrM0xVRXB5NjUxMmtlTnplOUlVRjdXNVZJCnppNzVpZFJndllhZDY0NFB1S3JB\nZU5ReUc5OGpUTGxpcndiYStobUZrS2sKLS0tIGV1azFRQWI0OVZhS3pFUmlqOWVR\nOHM4eEsyQmJsa0x3MVUzVllBSXNvb00K4MklrqgKvLwmaEQ4LU7Q6nJGA504s9dY\n6Db1Hgqd1Tx4lHhlxCcTnA9MKC330r/9yPjvYuvPtDaVFOQK+cZaOQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-04-20T09:37:04Z",
+		"mac": "ENC[AES256_GCM,data:qhFvYR+paGi8CE8cSGHOVHRThvhcC5KD13p2W8x6lmQpXepeI++FzJAX6s8sSc+XCOBMcH4fr4CmgH0+9cowj0H6qRzhuRDt/nt7VJil8UhTZCXk/ATPqugOLYUTTKzcxeJJ+A5MdRkfCO7pX89DtF/Ktb82zhSL7JrGOmpgVgc=,iv:BI06oxGHGJkGXoV8WItRHFOCFtp14WzBfjl9SvXlmy0=,tag:H2wt1ySmLgMIkxaz5FMJgw==,type:str]",
+		"version": "3.12.2"
+	}
+}
--- a/vars/per-machine/phantom-ship/data-mesher-node-identity/identity.key/users/danny
+++ b/vars/per-machine/phantom-ship/data-mesher-node-identity/identity.key/users/danny
@ -0,0 +1 @@
+../../../../../../sops/users/danny
				`@ -0,0 +1 @@`
				`../../../../../../sops/machines/phantom-ship`