dannydannydanny/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(clan): data-mesher + dm-pull-deploy wiring 🌊

Browse source 
Stage 4e-a of the clan migration. Set up signed-file gossip
(data-mesher, experimental, clan-core) and pull-based NixOS deploy
(dm-pull-deploy, experimental, clan-community) across both servers.

- sunken-ship is the data-mesher bootstrap node + dm-pull-deploy push
  role; phantom-ship joins via /dns/sunken-ship.clan/tcp/7946/... — the
  hostname resolves via /etc/hosts (clanHostsModule) to sunken-ship's
  ZT IPv6 since we don't run a DNS server for the clan domain.
- Both machines run the dm-pull-deploy default role with
  action="switch": they watch /var/lib/data-mesher/files/home/
  dm_pull_deploy/target and nixos-rebuild switch against the pushed
  git+…?rev=…&narHash=… flake ref on each change.
- Signing keys (shared + per-host status) generated via clan vars
  generate, ran on sunken-ship because data-mesher isn't packaged for
  aarch64-darwin.

The legacy dotfiles-rebuild timer stays installed as a fallback until
dm-pull-deploy is proven; a smart push timer on sunken-ship (calls
dm-send-deploy only when origin/main moves) comes next.
This commit is contained in:
DannyDannyDanny 2026-04-20 11:38:01 +02:00
parent 41b3d217f8
commit 6846faa5f1
34 changed files with 334 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

1
vars/per-machine/phantom-ship/dm-pull-deploy-status-key/signing.key/machines/phantom-ship Symbolic link
View file

@ -0,0 +1 @@
../../../../../../sops/machines/phantom-ship

18
vars/per-machine/phantom-ship/dm-pull-deploy-status-key/signing.key/secret Normal file
View file

@ -0,0 +1,18 @@
{
"data": "ENC[AES256_GCM,data:NoDGZvrn0A4hniARvQW53R+yI0CsvuUsrcHHe9iUIhtKp4JKiRjxEds+gsn8s2diVtgy7F6RPnm8KBTtXzRSs3EQPDDrZXdSC/4a+5va1mC98GVN1UqWRsH3dpF53eOHOQfWudFMQ1HKVp7eDoAZYmskjKmM71A=,iv:jeVDsZIKjqQx3+uzcZ5fF4cUinC2AHcz0tntp7CB5CY=,tag:kMwkWj2DhopOd127Q6ukWg==,type:str]",
"sops": {
"age": [
{
"recipient": "age18gtjh28qxeltg2r2tzxwl096crkqkqk8tjhersyf7mzdsddady7qs34x0m",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhWXFDRVZWQmRtNXkvZWxT\ndVdsZG1Bay9DdnlEK2hYZEVVNDc3a1BjSVU0Cm9rUjh4czRFZmNyRk9lcHFqSG5I\nQzdtdzROODA2dlBUSG5tODlqUFZsdE0KLS0tIE1ZQVFQTGNaTGVXRldPRmQwMUNL\nR1QzWEZyZk0rNDM0NjdJakowRXU1cTgKrwsFYYz/MVt9RNs/ck+md6/OKFjudvHp\nvEmOMkLRYvZL/Mi9mkwOebDj/kyi+aOW8d9C50OoDpNGy3x32UtQ3g==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwN3hTbjNscUdzTlJiR2xU\ncW9RWEFucktjSFZWdlRDeVVUUlQ0NDJWckdNCmc1YWw1dUFqQzM4eFlFVzJWbWxO\neGlTVlRCY1JtVXVhbyswYkxJd3ZCL2cKLS0tIGFzSXJ2THdpWm9UNElHWXNSeWhV\ndmlFYm44bGtEMG5sSUtwYUpqajlEZTgKR3cpnBggPo8/vwalbI76VUIa9QsNvdQV\nli2iEcP6ClbYFPYh3/EJ5gV0GBfFMO44gaynSVApR5hdDo/ev0ErDg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-04-20T09:37:03Z",
"mac": "ENC[AES256_GCM,data:jH2O5iyuTsy/ankCXKx2aEDfT/uwbPrcGZbjj1gGxL2cxxKdaMKKlFUfKY4Zgn5On4sQHSuPtV//XYiGqNh0v0G+6DGPAb7g6WiRYsuM4DSARZYRwhAQMOx9TWDURuOi0REx6htvc/Jl9lA+1pP/9MqoO1zsWC4WCnMxG3mxfD0=,iv:264mkPVu4f9hSY11Ab8MnueSq7LnF9rpBwrWOLlwLM4=,tag:PaxqOpw4qYSiSDk1c1Jt4A==,type:str]",
"version": "3.12.2"
}
}

1
vars/per-machine/phantom-ship/dm-pull-deploy-status-key/signing.key/users/danny Symbolic link
View file

@ -0,0 +1 @@
../../../../../../sops/users/danny

3
vars/per-machine/phantom-ship/dm-pull-deploy-status-key/signing.pub/value Normal file
View file

@ -0,0 +1,3 @@
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAfA9rDsTSGAz7dDC3pOFMA+LPj08SjxMIc5BU4q5/in0=
-----END PUBLIC KEY-----