feat(clan): data-mesher + dm-pull-deploy wiring 🌊

Stage 4e-a of the clan migration. Set up signed-file gossip (data-mesher, experimental, clan-core) and pull-based NixOS deploy (dm-pull-deploy, experimental, clan-community) across both servers. - sunken-ship is the data-mesher bootstrap node + dm-pull-deploy push role; phantom-ship joins via /dns/sunken-ship.clan/tcp/7946/... — the hostname resolves via /etc/hosts (clanHostsModule) to sunken-ship's ZT IPv6 since we don't run a DNS server for the clan domain. - Both machines run the dm-pull-deploy default role with action="switch": they watch /var/lib/data-mesher/files/home/ dm_pull_deploy/target and nixos-rebuild switch against the pushed git+…?rev=…&narHash=… flake ref on each change. - Signing keys (shared + per-host status) generated via clan vars generate, ran on sunken-ship because data-mesher isn't packaged for aarch64-darwin. The legacy dotfiles-rebuild timer stays installed as a fallback until dm-pull-deploy is proven; a smart push timer on sunken-ship (calls dm-send-deploy only when origin/main moves) comes next.
2026-04-20 11:38:01 +02:00 · 2026-04-20 11:38:01 +02:00 · 6846faa5f1
commit 6846faa5f1
parent 41b3d217f8
34 changed files with 334 additions and 20 deletions
--- a/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.cert/machines/sunken-ship
+++ b/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.cert/machines/sunken-ship
@ -0,0 +1 @@
+../../../../../../sops/machines/sunken-ship
--- a/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.cert/secret
+++ b/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.cert/secret
@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:HUvMiGEnMxlfYnnxX5RgZlw7SdETT/4BCkU7J1LhCeXH/BBN9PcT0jqhepyQ+3ybksk2zOTbxb0uiIodeaoSUKJM+jO1OKRElwtJObAVFPYw65x4TpH2n3j8JTWyIj9OdHFh7sXYGFK92GUsSGDWoZBV++AfzKa/KHw//8Zzy4ol3dgx6JPPQjvTvKIPoTaCre43RcB013UUdO2VRdh8x27KgybtlT8HXb6lAIRpuUS2cXCfbPW4E3ayinyKjVJ2iLUsmaSGSl8SltTk5GdGAYLEVTITH0Y1GNliZ04ENNuGdHVF5VlCIpuLcon9,iv:I2NUjIU5lUe8xpPMc1bYF0sHQ1pwlOO4Gz9ox/KCnrs=,tag:iqzJpTXMUdqUyp98hM/blw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBU2ZyRjRURkNjSjcyaENQ\ncVZ5d2tKTlJVemdRaFZZUURzbEZGVFNGRlFFClY5Y29pRCtSelhlY3VlV0x6eXJx\nNmF1T1YwVjdjL3ZSaGZUK0I3cHQzc0EKLS0tIGkzVE9mcldIbWpicU5YeEZjbHVG\nQ0dJQXd1cENLeFNtaUxHM3EzTDRHSFkKeXjt+AnbcQqWTpOw3TWJTbIH+Mu0q/Du\noE3Lv8b3LcVFPb/OQz3tNvd7FftjEbH6yArcLJfKz8YcKSG6/X+H9w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zy3q73pujauyajgfqwu0pnyy8732lzwvw87tu7p2xg3xuzaujc2qh6ql77",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHeThUamlhRGVnb0pHUUQ3\nTWtwV3QvZXF6ZmRyVkRrNXg4dVgwZk96MWlNClAxMWhua29JRkpCeUNXdE14ODNv\ndk9DVVVsaTJiQ29IL1BHdERHWUhVSDAKLS0tIEg1bTRSRklaTFBhN2FLd3NIek1i\na1ZEQ1FxYzhzUmhMQmVlQjJYZ2M4MWMKhUBYaEA09xLoc0GAShctrGPFUE4YUGGk\nYW86mPh4uudivrxs6CAhH0GVB7qwVtc9EGEw8bVA2STdNnCzr0JmMg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-04-20T09:37:04Z",
+		"mac": "ENC[AES256_GCM,data:yvwDLQ1unefwvtlad7/QBqKnWIsU3hALVB3ia6vYl5wnaRZgycE1IHrDLrHVV20ANAAs1gRKcZYUAAKLYKo4SqduBJgVSf3Hjk9t5VRjcBvRRFizwFbBa4rtWZMBrJS0cV99me6FoLioFLA+zGonRmmkiCEbWbBvSZdf1J04ixw=,iv:mD42aLv2IY8Dvt9qfTBQKH2ZHeI4537tRMlA8AXdyVk=,tag:Up/RwgH+fsJIpwPFzM6B9g==,type:str]",
+		"version": "3.12.2"
+	}
+}
--- a/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.cert/users/danny
+++ b/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.cert/users/danny
@ -0,0 +1 @@
+../../../../../../sops/users/danny
--- a/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.key/machines/sunken-ship
+++ b/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.key/machines/sunken-ship
@ -0,0 +1 @@
+../../../../../../sops/machines/sunken-ship
--- a/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.key/secret
+++ b/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.key/secret
@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:AlD+xw5DFrH8VwsNXqRgX/bdU2+bD1BbMSNMl+h6MloEFgMWGBt0kypqpq3LXj/p9Vtqr7rCy9N4wNAazWpQHGpA3Dv3Oka0S9xK6ghWJJWqDy1NiKkQR6a459jO7GiOzF5EGAfSp5fa4EDk/0LkIE/jkhg1ckg=,iv:+1Nsq644xQaXRIFMGfa6hv/T68YaVdNG7Aj/clKJy/o=,tag:YPpAcKkoxc6PRYxCJDcm/Q==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVE15YnlYcFdQSnlxYWpi\nNmtHQ3JlZmltOHBRaC9iRlpUVDRiY0NHUGxzCjhrVU9jT29vRlFmeWJTNCt3VjR0\nVHFLNUVRS0k4eExrSHRPYmlZRHZkWncKLS0tIEFQSnUwWUxzbzY0TFREaWlPdUti\nVW1GTWpoVUxwdE9VT0h1Mm8wQ2JhaFEKkfS+cJVZ3aKJi+N4N76yilDJqutMLBKZ\nfaSHFyGwOkk9kS6pf53g6GHKmakJJa9KMVGF+d2FFLgnX0XX0H9qig==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zy3q73pujauyajgfqwu0pnyy8732lzwvw87tu7p2xg3xuzaujc2qh6ql77",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQVlkR080UmhuVHg0RlFP\nQ3phcisvY00zNTJZUFdLWUJ0ekZWRXFVRkNFCjdUc0U5ZEx3aU5ET2pIdkJzK050\nTEMzMlF4Zm9KNWR1RWY5TXBVZi9saWcKLS0tIDBHZWJWQUxoUU5BRkYvL1l0elV4\ndi90SWdkRDc1akV3ZGdiOHBhc3ppTXcKKs7RUx4WTNdEOL0J0aMZiiUD4xpnJQFC\n+Vj/6GQJmeenB1znvWZbgMUKDRhufzzg1gd8oDbjfaI1H6UP1MilNw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-04-20T09:37:04Z",
+		"mac": "ENC[AES256_GCM,data:44xy2P1es6SKe4s2aUo1MpwSlRH262TEp+TTRpOyB0ANAunJI5ViN0Db2aHaqq0aPSiYkquIvKeqzzX9pHYqZX9Dmr37PEvoCILP5wbarO5XRCc2N53vuarEfH6xyNQCoGNw2aujpqm5ero1jJbDkYlMu2dmrAtm7y4mazcjM7s=,iv:iGzaXP7DrsEXoyntt0e/f8/M998QG9hN1Vx4C92cshU=,tag:SDm2jnXPy/gN5woNWMRcPA==,type:str]",
+		"version": "3.12.2"
+	}
+}
--- a/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.key/users/danny
+++ b/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.key/users/danny
@ -0,0 +1 @@
+../../../../../../sops/users/danny
--- a/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.pub/value
+++ b/vars/per-machine/sunken-ship/data-mesher-node-identity/identity.pub/value
@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAzYp9wRD7TpiZHYECCoYgMBdaYJWV31zbhN9u0xmRJIQ=
+-----END PUBLIC KEY-----
--- a/vars/per-machine/sunken-ship/data-mesher-node-identity/peer.id/value
+++ b/vars/per-machine/sunken-ship/data-mesher-node-identity/peer.id/value
@ -0,0 +1 @@
+12D3KooWPeiEFGKFd58Q6CTbVyCmD5RMXJk7RtcuZfpsshYDxpmy
				`@ -0,0 +1 @@`
				`12D3KooWPeiEFGKFd58Q6CTbVyCmD5RMXJk7RtcuZfpsshYDxpmy`