From 9921a7f9f108f2c793641b2315e8b164dcb80612 Mon Sep 17 00:00:00 2001 
From: DannyDannyDanny
Date: Sun, 19 Apr 2026 14:43:29 +0200
Subject: [PATCH] feat(nix): zerotier overlay via clan inventory + mac ZT client 🕸️
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Stage 4b of the clan migration. Declares a clan.inventory.instances.zerotier instance with sunken-ship as controller and phantom-ship as peer (controller is also listed as a peer so it joins its own network). Generates the network ID, controller identity, and per-peer identities via `clan vars generate`; all secrets are SOPS-encrypted to the user's age key and the per-machine age keys.

- nixos/sops/ — clan-managed SOPS state (user + per-machine age keys).
- nixos/vars/ — shared + per-machine zerotier vars; *-identity-secret files are SOPS-encrypted, *.value files are plain public data.
- clan.core.networking.{targetHost,buildHost} = "danny@" on both servers so `clan machines update` knows where to push and build.
- mac gets `zerotier-one` installed as a homebrew cask; authorization on the controller happens manually by node-ID in a follow-up step.

Known rough edges (to chase in later stages):

- zerotier-inventory-autoaccept.service races zerotierone.service on first activation (connection refused against the local API). Retrying the unit succeeds; clan upstream bug.
- Deployment must go through `clan machines update`, not plain nixos-rebuild, or the per-host SOPS age key isn't uploaded and zerotier-one can't decrypt its identity.
--- CLAUDE.md | 15 ++++++++++ nixos/flake-modules/clan.nix | 29 +++++++++++++++++-- nixos/hosts/daniel-macbook-air.nix | 1 + nixos/sops/machines/phantom-ship/key.json | 6 ++++ nixos/sops/machines/sunken-ship/key.json | 6 ++++ .../sops/secrets/phantom-ship-age.key/secret | 14 +++++++++ .../secrets/phantom-ship-age.key/users/danny | 1 + nixos/sops/secrets/sunken-ship-age.key/secret | 14 +++++++++ .../secrets/sunken-ship-age.key/users/danny | 1 + nixos/sops/users/danny/key.json | 6 ++++ .../machines/phantom-ship | 1 + .../zerotier/zerotier-identity-secret/secret | 18 ++++++++++++ .../zerotier-identity-secret/users/danny | 1 + .../phantom-ship/zerotier/zerotier-ip/value | 1 + .../machines/sunken-ship | 1 + .../zerotier/zerotier-identity-secret/secret | 18 ++++++++++++ .../zerotier-identity-secret/users/danny | 1 + .../sunken-ship/zerotier/zerotier-ip/value | 1 + .../zerotier/zerotier-network-id/value | 1 + .../zerotier-identity-secret/secret | 14 +++++++++ .../zerotier-identity-secret/users/danny | 1 + .../zerotier-controller/zerotier-ip/value | 1 + .../zerotier-network-id/value | 1 + 23 files changed, 151 insertions(+), 2 deletions(-) create mode 100755 nixos/sops/machines/phantom-ship/key.json create mode 100755 nixos/sops/machines/sunken-ship/key.json create mode 100644 nixos/sops/secrets/phantom-ship-age.key/secret create mode 120000 nixos/sops/secrets/phantom-ship-age.key/users/danny create mode 100644 nixos/sops/secrets/sunken-ship-age.key/secret create mode 120000 nixos/sops/secrets/sunken-ship-age.key/users/danny create mode 100755 nixos/sops/users/danny/key.json create mode 120000 nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/machines/phantom-ship create mode 100644 nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/secret create mode 120000 nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/users/danny create mode 100644 nixos/vars/per-machine/phantom-ship/zerotier/zerotier-ip/value create mode 
120000 nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/machines/sunken-ship create mode 100644 nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/secret create mode 120000 nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/users/danny create mode 100644 nixos/vars/per-machine/sunken-ship/zerotier/zerotier-ip/value create mode 100644 nixos/vars/per-machine/sunken-ship/zerotier/zerotier-network-id/value create mode 100644 nixos/vars/shared/zerotier-controller/zerotier-identity-secret/secret create mode 120000 nixos/vars/shared/zerotier-controller/zerotier-identity-secret/users/danny create mode 100644 nixos/vars/shared/zerotier-controller/zerotier-ip/value create mode 100644 nixos/vars/shared/zerotier-controller/zerotier-network-id/value diff --git a/CLAUDE.md b/CLAUDE.md index 43d0038..43ff508 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -67,6 +67,21 @@ Custom nix-darwin module at `nixos/ollama.nix` (upstream PR not yet merged). Ena Terminal colors follow **System Settings → Appearance**: `programs.alacritty` imports `~/.config/alacritty/active-colors.toml`; `scripts/alacritty-sync-system-theme.sh` copies Catppuccin latte/mocha there when the OS mode changes. **nix-darwin** `launchd.user.agents.alacritty-system-theme` polls every 30s; **fish** runs the same script on interactive startup. After changing Nix, one `darwin-rebuild switch`. Details: `assets/alacritty/README.md`. +## clan.lol + +**CLI invocation:** clan-cli is not installed globally. Run ad-hoc via: + +```bash +nix run git+https://git.clan.lol/clan/clan-core#clan-cli -- machines list \ + --flake 'path:/Users/danny/dotfiles/nixos' +``` + +**Flake path quirk:** `--flake .` and `--flake git+…` both fail from a git worktree when the flake lives in a subdir (`nixos/`). Use `--flake 'path:…/nixos'` explicitly. May not be needed from the main checkout — retest. + +**`enableRecommendedDefaults = false`:** we opted out fleet-wide because clan's defaults flip to `systemd-networkd` + `systemd-resolved` + `boot.initrd.systemd`, which breaks dnsmasq (NAT DNS on phantom-ship) and navidrome's resolv.conf bind-mount on sunken-ship. Revisit per-service in a later pass — the defaults also include handy extras (tcpdump, htop, curl, jq, nixos-facter). Option defined in `nixosModules/clanCore/defaults.nix` + `nixosModules/clanCore/networking.nix` inside the `clan-core` flake. + +**Deployment:** `dotfiles-rebuild` timer (every 15 min pull) is still the source of truth. `clan machines update` works as a push escape hatch; dm-pull-deploy replaces the timer in a later stage. + ## Shell Fish is the default shell. Bash auto-execs fish unless the parent process is already fish. Vi keybindings with fzf integration. Zoxide aliased to `cd`. diff --git a/nixos/flake-modules/clan.nix b/nixos/flake-modules/clan.nix index 4a2dd3d..56defc6 100644 
--- a/nixos/flake-modules/clan.nix +++ b/nixos/flake-modules/clan.nix @@ -20,12 +20,33 @@ in { clan = { meta.name = "homelab"; + # Inventory machines — required for `inventory.instances` role bindings + # to resolve. Host-specific NixOS config lives under `machines.` + # below. + inventory.machines.sunken-ship = { }; + inventory.machines.phantom-ship = { }; + + # ZeroTier mesh VPN. sunken-ship is the controller (manages network + # membership); phantom-ship is a peer. The mac joins manually as an + # external ZT client and is authorized on the controller by node ID. + inventory.instances.zerotier = { + module.name = "zerotier"; + module.input = "clan-core"; + roles.controller.machines.sunken-ship = { }; + roles.peer.machines.phantom-ship = { }; + roles.peer.machines.sunken-ship = { }; + }; + # Preserve current network / init stack (no systemd-networkd/resolved, # no boot.initrd.systemd, no extra debug packages). Revisit per-service # in later stages rather than flipping this fleet-wide. machines.sunken-ship = { imports = [ - { clan.core.enableRecommendedDefaults = false; } + { + clan.core.enableRecommendedDefaults = false; + clan.core.networking.targetHost = "danny@sunken-ship"; + clan.core.networking.buildHost = "danny@sunken-ship"; + } ../hosts/sunken-ship.nix config.flake.nixosModules.dotfiles-rebuild inputs.home-manager.nixosModules.home-manager @@ -39,7 +60,11 @@ in { machines.phantom-ship = { imports = [ - { clan.core.enableRecommendedDefaults = false; } + { + clan.core.enableRecommendedDefaults = false; + clan.core.networking.targetHost = "danny@phantom-ship"; + clan.core.networking.buildHost = "danny@phantom-ship"; + } inputs.nix-openclaw.nixosModules.openclaw-gateway ../hosts/phantom-ship.nix config.flake.nixosModules.dotfiles-rebuild diff --git a/nixos/hosts/daniel-macbook-air.nix b/nixos/hosts/daniel-macbook-air.nix index a05ff6a..97f02c4 100644 --- a/nixos/hosts/daniel-macbook-air.nix +++ b/nixos/hosts/daniel-macbook-air.nix 
@@ -40,6 +40,7 @@ in { "google-chrome" "disk-inventory-x" # Apple Silicon uses Homebrew; nixpkgs package is x86_64-darwin only. "qflipper" # Flipper Zero firmware updater GUI + "zerotier-one" # Clan homelab overlay — authorize on sunken-ship controller # "uhk-agent" # Ultimate Hacking Keyboard configuration — removed, nixpkgs marks x86_64-linux only TODO ]; onActivation.cleanup = "zap"; diff --git a/nixos/sops/machines/phantom-ship/key.json b/nixos/sops/machines/phantom-ship/key.json new file mode 100755 index 0000000..1f3c1f0 --- /dev/null +++ b/nixos/sops/machines/phantom-ship/key.json @@ -0,0 +1,6 @@ +[ + { + "publickey": "age18gtjh28qxeltg2r2tzxwl096crkqkqk8tjhersyf7mzdsddady7qs34x0m", + "type": "age" + } +] \ No newline at end of file diff --git a/nixos/sops/machines/sunken-ship/key.json b/nixos/sops/machines/sunken-ship/key.json new file mode 100755 index 0000000..95be23b --- /dev/null +++ b/nixos/sops/machines/sunken-ship/key.json @@ -0,0 +1,6 @@ +[ + { + "publickey": "age1zy3q73pujauyajgfqwu0pnyy8732lzwvw87tu7p2xg3xuzaujc2qh6ql77", + "type": "age" + } +] \ No newline at end of file diff --git a/nixos/sops/secrets/phantom-ship-age.key/secret b/nixos/sops/secrets/phantom-ship-age.key/secret new file mode 100644 index 0000000..eab510b --- /dev/null +++ b/nixos/sops/secrets/phantom-ship-age.key/secret 
@@ -0,0 +1,14 @@ +{ + "data": "ENC[AES256_GCM,data:43IKkW3YpbpEtECD3kXV4zWF6hB39knoWwqy5BGCqvYWSPccKIwwLD3ctCy3SeH806AatvE8Bl2dvHFvP++xtvFtw5PaHdnenn8=,iv:j7ODs5O0rbwD0LWkkv9BEk6O9ySl+uhCiEVa+GkRE3k=,tag:Bk/PkQjOvul8pP7hoh2cwQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaVlVQ3pvRmpLaVB3WWtl\nYjBIdDBJK0VKeS90eE5YeFhFRnBPak5YckFZCkl5RkVMV3JxL0pSVkM4cjhRaUE3\nK24vSWM0YnFWeXNjc3ZSWDRBb1ZDeWsKLS0tIENabmsxVUl0UGZzN1pncWswTVdM\nWDBVTVMrYzJHUklKSVVjYXBBM2RuajgKCvrGjfjujmqq2lsbNAb8d1xUhv+es2uX\nydcfnqbFRF4pjrku41iRaOolWrZHDvl+PnMslk8bclZG23UKYbSkbA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-04-19T12:31:43Z", + "mac": "ENC[AES256_GCM,data:7/Z1Up1DZUgNMCuuBh2pnfTH3Ih6824yJqD1+w9clqgkSrFtKL6v5oo5EV4TF2FDJcrYQtbbAWQoEgJXfCKXfIYOPBIChfoQEG5N5XxNe57bklkipOMWJBm7448qBhLgy3yJQqAVFkQw6uHTuDrcngRFW5D3xHkCSilHC/xau9U=,iv:WL98Dcuxojg6BQ5tLOuhXYCfFHVXqpIBr680uriPXz0=,tag:FCl6wkBiLJUyMu1RnOqeIw==,type:str]", + "version": "3.12.2" + } +} diff --git a/nixos/sops/secrets/phantom-ship-age.key/users/danny b/nixos/sops/secrets/phantom-ship-age.key/users/danny new file mode 120000 index 0000000..215639b --- /dev/null +++ b/nixos/sops/secrets/phantom-ship-age.key/users/danny @@ -0,0 +1 @@ +../../../users/danny \ No newline at end of file diff --git a/nixos/sops/secrets/sunken-ship-age.key/secret b/nixos/sops/secrets/sunken-ship-age.key/secret new file mode 100644 index 0000000..bd9cc49 --- /dev/null +++ b/nixos/sops/secrets/sunken-ship-age.key/secret 
@@ -0,0 +1,14 @@ +{ + "data": "ENC[AES256_GCM,data:Mk4Vfs0PvKI4Ynwmz+8myrFtPW1swn9PdtQoeZw0xh9aCT+o6IWstAUypuCfwSgPYkj8PFPi2yq7ysTzglBkhrThV9Zto48U2dA=,iv:jL1WHTpN3mVNQJ/ltHBFd7zMtVtRmh9RIJAnh1SiGZc=,tag:zmRAQvcg6FW1+bEvZd8D6g==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NzV5c2FDVndUSWRnZndR\ndXI2bEY2VGRiRndNbjZscHdjL0N0eHUrV1hZCmJMRllSdjNLWS8rcnlYLy94VUcy\ndDlXeUptaGdwb2ZsMW1UZHJoeW5CZzgKLS0tIDBkeUozUDd2YWpIRTFlK3M3K2RH\naW9CMnc1ZXRmM0x4MDYwVHVLZnVpR0UKZSowubfXrUemRSFNYo8hxSaeV6/egOi6\nmtmxPICosAV5VRbf8c5Hn3XGNGfOGVwwox+GmLjzqfpVsM9f2Qm9IQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-04-19T12:31:44Z", + "mac": "ENC[AES256_GCM,data:SaRWT7Q7joTgG7+LBL2icBQ4k2SJdFfDcPzV3IsBIMgVFC4kQNbkVr0BlTM4mgtfH+IxE8PBQu1v/JFo6kf43njnF3mD/Yzr/EsLxwVmD9U1DTpW+mr1EBUVLfiGqnVrTj2DhMdatKB1g8jRwAlpIcsmrlnsHIKjuSj5HKRIi7Q=,iv:YVV3BMhfh1ThIiYwW4uHUmUKqkHUtCy0i0owiAngKyg=,tag:f4UaL5ZjEp3Gkd6LGiq+uw==,type:str]", + "version": "3.12.2" + } +} diff --git a/nixos/sops/secrets/sunken-ship-age.key/users/danny b/nixos/sops/secrets/sunken-ship-age.key/users/danny new file mode 120000 index 0000000..215639b --- /dev/null +++ b/nixos/sops/secrets/sunken-ship-age.key/users/danny @@ -0,0 +1 @@ +../../../users/danny \ No newline at end of file diff --git a/nixos/sops/users/danny/key.json b/nixos/sops/users/danny/key.json new file mode 100755 index 0000000..dad414d --- /dev/null +++ b/nixos/sops/users/danny/key.json @@ -0,0 +1,6 @@ +[ + { + "publickey": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28", + "type": "age" + } +] \ No newline at end of file diff --git a/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/machines/phantom-ship b/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/machines/phantom-ship new file mode 120000 index 0000000..18e1a3f 
--- /dev/null +++ b/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/machines/phantom-ship @@ -0,0 +1 @@ +../../../../../../sops/machines/phantom-ship \ No newline at end of file diff --git a/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/secret b/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/secret new file mode 100644 index 0000000..f0b0b9c --- /dev/null +++ b/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/secret 
@@ -0,0 +1,18 @@ +{ + "data": "ENC[AES256_GCM,data:g6eYxa672pfIHJ6jaTAf63ubXIJMPg08GJU2vwnF3hsCK73s5zkbFTd2GiLOZxlk641SK0bIfedABmsybG63qzFW2BOMIaUree0dlDv/u0oaRGdKCrrrrboxi6YbBncKgJLJpiAsmHZ9dsTz4bpicmj0JOBJ6f5HsD95qfy62yMOTSGZD7vdH43cXfbXxg49mKE7Ku2TL8a8awDiFc+Dqk+8QmMxr1XmF/IhYna+Amc+3OtmGGNEfoR8z7yHz13YA0CjJOe0QT2/GgRSUn5B43OkKhpR3e8mwtq6TAFRlBExt5Ccb4P09INcCA2oeAnyi0SEtwHg7KyPIDRJpEYVQ7jWAEFbNtOseBEbnibs,iv:QGNEvG0eLzVFw4lEqDYaSoUK318TRap61rqLD5Djzb0=,tag:vm73BNMMcF+0fiIkugqwxg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age18gtjh28qxeltg2r2tzxwl096crkqkqk8tjhersyf7mzdsddady7qs34x0m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUEJqQXNHcitJNnBEZDZW\nbFdieDFOaDFEazk4cUY5aXYrMjJabnVmWndVCjU0WmRpemNsWUMxN1N0R2dpSTla\nNzliTFFOU1o4VlBwSTJLN1krSEZ0TWMKLS0tIElyd3ovRno0Y3pGd1FFTE5VN0tM\ndTU2c25WcWN4YW15cGErSUJvYmFuRXcKKjBQln8jyOSBa1X1EJJSUg528waFL/8F\nkCpket2TGmNCvMDSai+5Iqe6X222J86uzoXsrLPl2PZaOCXD4t+gRw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSFNPWW92QkFFYURROGJG\nbTZoS0hFQk52RVNSTWJsclBYRWxIS3c3RTFZCldhQ0QvUmhlRzg5Q3lHUnBnTUtN\nWEZqbWpFOUZhMStzNldCRXdyQzlyWnMKLS0tIGV6anNjVktWamkvbkF3OUxVS1Ji\nUGMzc2FxeE5YTmdMVTRtUDNuMlFaTlkKoJcPcmoMgxVRvcLv7ejws4IJnQd+Yt7s\njqWi0q4iwGLZSLUPb8NUZpWEn0Jbji2edSpATzf67uws1TFHGAMmuA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-04-19T12:31:44Z", + "mac": "ENC[AES256_GCM,data:hjIn5hcpgQkrWFTsQ3BdmQFPKeubs90opSl06z2Dh7mzTcSqCSF3cQ/l8fj+GD2GuptEMbPczOIoiJfKNxoLDp5L4iHIou7XwFXVhhdjm8fqIMHusnZc/eQBI/H6J2fHWzJ1gxgsKlkazsY3cbWxLfqdz7vAV06SflW5/B5Hbto=,iv:BeB417C5r4uVHSKs9UzwJI+A4F9NrrpoTRn+X14sMtA=,tag:PcaaJrMXO0h6EzdKpVl9xg==,type:str]", + "version": "3.12.2" + } +} 
diff --git a/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/users/danny b/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/users/danny new file mode 120000 index 0000000..48e5c60 --- /dev/null +++ b/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/users/danny @@ -0,0 +1 @@ +../../../../../../sops/users/danny \ No newline at end of file diff --git a/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-ip/value b/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-ip/value new file mode 100644 index 0000000..a8786e8 --- /dev/null +++ b/nixos/vars/per-machine/phantom-ship/zerotier/zerotier-ip/value @@ -0,0 +1 @@ +fdd5:53a2:de33:d269:6499:936c:48a:bbdc \ No newline at end of file diff --git a/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/machines/sunken-ship b/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/machines/sunken-ship new file mode 120000 index 0000000..94c85c7 --- /dev/null +++ b/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/machines/sunken-ship @@ -0,0 +1 @@ +../../../../../../sops/machines/sunken-ship \ No newline at end of file diff --git a/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/secret b/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/secret new file mode 100644 index 0000000..c76e315 --- /dev/null +++ b/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/secret 
@@ -0,0 +1,18 @@ +{ + "data": "ENC[AES256_GCM,data:6WHKA76dLKWJnGpNp45EAwf4gvHnoccXbGz1bCH5EYN/7o0zcl8KziabKjG+hY4BlG7CsNPCOVr2bWAVkWBjTQVoYNwaBNsQ2DF15E0/qxqCYUXKUNoZ5xkWvrcNbVCyEdDAZX9abpAyLenlOMRLFNaWlOsKVr44uG9j75KyMc8NNl4UvCjuBEdAvNLOhEOWuQaRJc73IJAet7pWxP7HkwkihR4+GVIft1UygNYmcThPr2A1+DdNf+IsCNJTR+FL2l3OupCIBawSR6/L/cjyBt1YvIu6fCSYs82r63+W2RKlIzpvoyupEH2vteSgiaLNQ8/j114f4MCZjSgJ3y8SKloZAQTPpsobsnHhYNUS,iv:oji4lQxeXdrvoERb/EtXJEC0LNqn4qBewxM2/rD1FfY=,tag:XQBCSwHw2MFiI4qRdX4klw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZmhNdTVjSG91RGpyMnlv\nY2x0azE3YTZhTDlzTGZOUXdvbEJhTmNqbzFZCmZPWWtOZG52V1NLVFRlODA2N1dB\neCtsWXg5Q3I3MTJKWlJkeTBwOG00aUUKLS0tIDBnRFRrcXJ5SnZEUTN3REs5VTZH\nNlN3MTJ6aWdpMHVkTDJ5MVRuUTVEak0Kw8VPmgp0XiIVlADbjQjHqxdK31kAAAf0\nN/VCLirEK+DOzXJIkMguL7K9Xe7HyIOvtkJGBE2et1mia1pXkxClqA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zy3q73pujauyajgfqwu0pnyy8732lzwvw87tu7p2xg3xuzaujc2qh6ql77", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQL1NLbFlWdk5TQXNUSUFF\nNTFqQk01RzI0WUJrdklBSlBGbkJYU0N2Qnl3CnRDakRiamtMREJLQkhTN1VPWEtz\neFlWVTlmU2NPWTVxdGtHVzROS1ZmV3MKLS0tIEJsVTRZMy9pWTNTK2k1aklXeGY3\nODZGMy9TQytYOG9kbExnMVg1bEFOYUkKwa9MG/IXjaXjB/wxR5xBYN9CtpQHP7pj\nyDBTqa68JQHcUkFgtxBojjumWWADkHO+LmExPSP8Q7Jk+raR2JawXw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-04-19T12:31:44Z", + "mac": "ENC[AES256_GCM,data:/GMdb0AGXxWFr9nBFwyRD9iiqXloZu4zTsrDINpfdvGVzp4bQgny2KqHeCtUj2yaPrtEq9dXlLKdgMMlfiXx9b6I1A9AUM/DGle6ZCWyY07598/kNsFL4+2Fr/Xp3wcwVpxDpo2590jb1yT+8FSXzyy6oKjLOCBKixKq70U9bwo=,iv:OyShn5yuTDOhSSSF1AfVOFktFdk6vVVsemMOg2XhjrY=,tag:F7bTHCyhrMG6VyVcYNAVHA==,type:str]", + "version": "3.12.2" + } +} 
diff --git a/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/users/danny b/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/users/danny new file mode 120000 index 0000000..48e5c60 --- /dev/null +++ b/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/users/danny @@ -0,0 +1 @@ +../../../../../../sops/users/danny \ No newline at end of file diff --git a/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-ip/value b/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-ip/value new file mode 100644 index 0000000..ba105d8 --- /dev/null +++ b/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-ip/value @@ -0,0 +1 @@ +fdd5:53a2:de33:d269:6499:93d5:53a2:de33 \ No newline at end of file diff --git a/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-network-id/value b/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-network-id/value new file mode 100644 index 0000000..874c577 --- /dev/null +++ b/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-network-id/value @@ -0,0 +1 @@ +d553a2de33d26964 \ No newline at end of file diff --git a/nixos/vars/shared/zerotier-controller/zerotier-identity-secret/secret b/nixos/vars/shared/zerotier-controller/zerotier-identity-secret/secret new file mode 100644 index 0000000..5b55168 --- /dev/null +++ b/nixos/vars/shared/zerotier-controller/zerotier-identity-secret/secret 
@@ -0,0 +1,14 @@ +{ + "data": "ENC[AES256_GCM,data:NO63/4R06iLMuhWl5r6bWnVs9lt3i+yJlzWGV4ZiTqdxLHZdK/RO1cfdrfFr/YsYIrBzIYv1GghzmAjqg3InJsW5hEyYxddPdwxgowmHw44c8jOlCEvcMNuLw+Dh1njX6+mPcO6yPnSFeF3O72l/S4PYuesWUAnVSi4KcvDBsYSAITJkSEbNi8+63QVLPbumCVK/ZmGFWy59fepUe+0hA+IlCQBxKEFpku1bIpDfOlkOkaG9kyH0X3TNuvT5R785q5SBaIr9kez1GpcYtGlY4Mio1zemt9oYxzq7f6i1Ca4i5COUFq0TKtjU87T1fg6fEQ3cA28i57IWu7PMxPoV2Mpnwldg3BiCqGvbNMb3,iv:EcOrTwgJSuuP9suOzA+ZHwOHkX4fqYh77gTtV/W9DAQ=,tag:MSpfI+z5/rM0+cxUfEAAKg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZ2xTdFlaU2JJVFdhM3Rq\nNmFQMEd4NWdwd3RKQUI4dXAxNk0rWnZkRWhnCmFFRXNrUGlRbWpUOXFuU3Z0QndV\nS2NUV2NPVldpWGFPS0NPRm1NNFVSWlUKLS0tIEFhNHE1YndxUXVJbUVDSWU2Qkt5\najI4ajNPN0F3Qmt4Tzhkd3hKY0xpSkEKgaguLuJhrnbPWqeTMFeJD8UET0be46sV\nZNQLyYcINE3mnAQNMGzWFnZ986IrPBI/L/Nsqxni6El764nN6A7hig==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-04-19T12:31:43Z", + "mac": "ENC[AES256_GCM,data:5vmwAXCxmSWh9HZWZGZfFglyDRdrRKiZOnPQrYCzMBYP5hMD9t8sW3xpnmD/2pz5eqP0rIZTE8SCXK4OIJNJ9YJdoRUPDNyTQ5LDIMLbHEcAQrAk3jYN7HnXCa9AUe2nPRQi0KsI0VbxTwIDthqwZSrQAQMZ8m4FYFoBV5tZVpA=,iv:UomaST+33fy6txRq2DpPs+6YUZsvpjC5nwHMfc3ik60=,tag:mQOig05Un2S7UV9nNPKEeQ==,type:str]", + "version": "3.12.2" + } +} diff --git a/nixos/vars/shared/zerotier-controller/zerotier-identity-secret/users/danny b/nixos/vars/shared/zerotier-controller/zerotier-identity-secret/users/danny new file mode 120000 index 0000000..dcece98 --- /dev/null +++ b/nixos/vars/shared/zerotier-controller/zerotier-identity-secret/users/danny @@ -0,0 +1 @@ +../../../../../sops/users/danny \ No newline at end of file diff --git a/nixos/vars/shared/zerotier-controller/zerotier-ip/value b/nixos/vars/shared/zerotier-controller/zerotier-ip/value new file mode 100644 index 0000000..ba105d8 --- /dev/null 
+++ b/nixos/vars/shared/zerotier-controller/zerotier-ip/value @@ -0,0 +1 @@ +fdd5:53a2:de33:d269:6499:93d5:53a2:de33 \ No newline at end of file diff --git a/nixos/vars/shared/zerotier-controller/zerotier-network-id/value b/nixos/vars/shared/zerotier-controller/zerotier-network-id/value new file mode 100644 index 0000000..874c577 --- /dev/null +++ b/nixos/vars/shared/zerotier-controller/zerotier-network-id/value @@ -0,0 +1 @@ +d553a2de33d26964 \ No newline at end of file
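Review bot: in the CLAUDE.md hunk (`@@ -67,6 +67,21 @@`), the ad-hoc invocation `nix run git+https://git.clan.lol/clan/clan-core#clan-cli` is unpinned, so the CLI that generates vars and pushes deployments can be a different revision from the `clan-core` flake input that `module.input = "clan-core"` binds the inventory to. Pin it to the locked input (`git+https://git.clan.lol/clan/clan-core?rev=<rev from flake.lock>`) so the CLI and the modules it drives come from the same commit, and say so in the doc line. The **Deployment** paragraph should also carry the constraint stated in the commit message, that `clan machines update` is currently the only path that uploads the per-host age key; a reader of CLAUDE.md alone will otherwise reach for `nixos-rebuild` and hit the undecryptable-identity failure.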
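Review bot: in the first clan.nix hunk (`@@ -20,12 +20,33 @@`), `clan.core.networking.buildHost = "danny@sunken-ship"` set equal to `targetHost` means every `clan machines update` evaluates and builds the closure on the server itself, so the server needs outbound access to fetch all flake inputs and the CPU and disk for the build; if that is intended it deserves the same one-line comment the `enableRecommendedDefaults` block has, otherwise drop `buildHost` and let the deploying machine build. The comment above `inventory.instances.zerotier` says the mac "is authorized on the controller by node ID", but nothing in the change records where that happens. For the first-activation race the commit message describes (`zerotier-inventory-autoaccept.service` hitting connection refused because `zerotierone.service` is not yet listening), a local override on sunken-ship such as `systemd.services.zerotier-inventory-autoaccept.serviceConfig.Restart = "on-failure"` with a short `RestartSec` would let the unit converge without the manual retry until the upstream fix lands.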
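Review bot: in the second clan.nix hunk (`@@ -39,7 +60,11 @@`), the inline module `{ clan.core.enableRecommendedDefaults = false; clan.core.networking.targetHost = "danny@phantom-ship"; clan.core.networking.buildHost = "danny@phantom-ship"; }` is a copy of the sunken-ship block with only the host name changed. Factor it into the `let` block, e.g. `mkClanHost = name: { clan.core.enableRecommendedDefaults = false; clan.core.networking = { targetHost = "danny@${name}"; buildHost = "danny@${name}"; }; };`, and import `(mkClanHost "phantom-ship")`, so the defaults opt-out and the deploy target cannot drift between the two machines when the per-service revisit mentioned in the comment happens.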
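Review bot: in the daniel-macbook-air.nix hunk (`@@ -40,6 +40,7 @@`), the `"zerotier-one"` cask comment points at a manual authorization on the controller, but the mac's node ID is not recorded anywhere in the change, so the step can neither be repeated nor audited from the repo. Record the node ID (a public value, the same kind of data the `zerotier-ip` files commit for the servers) next to the cask entry or in the CLAUDE.md clan.lol section, and note there that the authorization is controller state living outside the Nix configuration, so it has to be redone if the controller's state directory is ever rebuilt.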
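Review bot: in the key.json hunks, `new file mode 100755` on `nixos/sops/machines/phantom-ship/key.json`, `nixos/sops/machines/sunken-ship/key.json` and `nixos/sops/users/danny/key.json` sets the executable bit on JSON data files; commit them as `100644` (`chmod -x`) unless the clan tooling requires the mode, and give them a terminating newline, since every one of them ends with `\ No newline at end of file`. The contents are age public keys only, so committing them in the clear is correct.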
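Review bot: in the `nixos/sops/secrets/phantom-ship-age.key/secret` and `nixos/sops/secrets/sunken-ship-age.key/secret` hunks, the machines' age private keys are each encrypted to exactly one recipient, `age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28` (danny's key), so that one user key is now both the sole recovery path for every machine secret and a single point of compromise for the whole fleet. Document where the user key is backed up and how it would be rotated (which means re-encrypting both escrowed machine keys and every `zerotier-identity-secret`), and confirm that the `clan machines update` path uploads the decrypted machine key only to its target host over SSH and does not leave a plaintext copy in a temporary directory on the machine running the deploy.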
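Review bot: in the identity-secret hunks, the per-machine `zerotier-identity-secret` files are encrypted to the user key plus the owning machine's key (`age18gtjh28…` for phantom-ship, `age1zy3q73p…` for sunken-ship), but `nixos/vars/shared/zerotier-controller/zerotier-identity-secret/secret` has only the user recipient `age1g6y8gvc…`. sunken-ship is the controller, so confirm it never needs that shared identity at runtime; if it does, the "zerotier-one can't decrypt its identity" failure from the commit message will reproduce even when deploying through `clan machines update`, and the fix is to add the sunken-ship recipient by regenerating or re-encrypting through the clan tooling rather than hand-editing the sops JSON (hand edits invalidate the `mac` field).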
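Review bot: in the `value` hunks, `zerotier-ip/value` and `zerotier-network-id/value` under `nixos/vars/per-machine/sunken-ship/zerotier/` have the same contents as the files under `nixos/vars/shared/zerotier-controller/` (`fdd5:53a2:de33:d269:6499:93d5:53a2:de33` and `d553a2de33d26964`, same blob ids `ba105d8` and `874c577`), so the controller's address and network ID now live in two places that only stay equal while the generator is re-run for both. If clan writes both copies itself, a one-line comment in `clan.nix` saying so will save the next reader the check; otherwise keep the shared copy as the source of truth. These are public values and belong in plain `value` files: the network ID is the controller's node ID (`d553a2de33`) followed by a 24-bit network number, and the RFC 4193 style addresses are `fd` + network ID + `9993` + node ID, which is why both servers' addresses share the `fdd5:53a2:de33:d269:6499:93` prefix.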