feat(nix): zerotier overlay via clan inventory + mac ZT client 🕸️
Stage 4b of the clan migration. Declares a clan.inventory.instances.zerotier
instance with sunken-ship as controller and phantom-ship as peer (controller
is also listed as a peer so it joins its own network). Generates the network
ID, controller identity, and per-peer identities via `clan vars generate`;
all secrets are SOPS-encrypted to the user's age key and the per-machine
age keys.
- nixos/sops/ — clan-managed SOPS state (user + per-machine age keys).
- nixos/vars/ — shared + per-machine zerotier vars; *-identity-secret
files are SOPS-encrypted, *.value files are plain public data.
- clan.core.networking.{targetHost,buildHost} = "danny@<host>" on both
servers so `clan machines update` knows where to push and build.
- mac gets `zerotier-one` installed as a homebrew cask; authorization
on the controller happens manually by node-ID in a follow-up step.
Known rough edges (to chase in later stages):
- zerotier-inventory-autoaccept.service races zerotierone.service on
first activation (connection refused against the local API). Retrying
the unit succeeds; clan upstream bug.
- Deployment must go through `clan machines update`, not plain
nixos-rebuild, or the per-host SOPS age key isn't uploaded and
zerotier-one can't decrypt its identity.
This commit is contained in:
DannyDannyDanny
parent
29ff1c9be7
commit
9921a7f9f1
23 changed files with 151 additions and 2 deletions
6
nixos/sops/machines/sunken-ship/key.json
Executable file
6
nixos/sops/machines/sunken-ship/key.json
Executable file
|
|
@ -0,0 +1,6 @@
|
|||
[
|
||||
{
|
||||
"publickey": "age1zy3q73pujauyajgfqwu0pnyy8732lzwvw87tu7p2xg3xuzaujc2qh6ql77",
|
||||
"type": "age"
|
||||
}
|
||||
]
|
||||
Loading…
Add table
Add a link
Reference in a new issue