dannydannydanny/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(nix): zerotier overlay via clan inventory + mac ZT client 🕸️

Browse source 
Stage 4b of the clan migration. Declares a clan.inventory.instances.zerotier
instance with sunken-ship as controller and phantom-ship as peer (controller
is also listed as a peer so it joins its own network). Generates the network
ID, controller identity, and per-peer identities via `clan vars generate`;
all secrets are SOPS-encrypted to the user's age key and the per-machine
age keys.

- nixos/sops/ — clan-managed SOPS state (user + per-machine age keys).
- nixos/vars/ — shared + per-machine zerotier vars; *-identity-secret
  files are SOPS-encrypted, *.value files are plain public data.
- clan.core.networking.{targetHost,buildHost} = "danny@<host>" on both
  servers so `clan machines update` knows where to push and build.
- mac gets `zerotier-one` installed as a homebrew cask; authorization
  on the controller happens manually by node-ID in a follow-up step.

Known rough edges (to chase in later stages):
- zerotier-inventory-autoaccept.service races zerotierone.service on
  first activation (connection refused against the local API). Retrying
  the unit succeeds; clan upstream bug.
- Deployment must go through `clan machines update`, not plain
  nixos-rebuild, or the per-host SOPS age key isn't uploaded and
  zerotier-one can't decrypt its identity.
This commit is contained in:
DannyDannyDanny 2026-04-19 14:43:29 +02:00
parent 29ff1c9be7
commit 9921a7f9f1
23 changed files with 151 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

14
nixos/sops/secrets/sunken-ship-age.key/secret Normal file
View file

@ -0,0 +1,14 @@
{
"data": "ENC[AES256_GCM,data:Mk4Vfs0PvKI4Ynwmz+8myrFtPW1swn9PdtQoeZw0xh9aCT+o6IWstAUypuCfwSgPYkj8PFPi2yq7ysTzglBkhrThV9Zto48U2dA=,iv:jL1WHTpN3mVNQJ/ltHBFd7zMtVtRmh9RIJAnh1SiGZc=,tag:zmRAQvcg6FW1+bEvZd8D6g==,type:str]",
"sops": {
"age": [
{
"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NzV5c2FDVndUSWRnZndR\ndXI2bEY2VGRiRndNbjZscHdjL0N0eHUrV1hZCmJMRllSdjNLWS8rcnlYLy94VUcy\ndDlXeUptaGdwb2ZsMW1UZHJoeW5CZzgKLS0tIDBkeUozUDd2YWpIRTFlK3M3K2RH\naW9CMnc1ZXRmM0x4MDYwVHVLZnVpR0UKZSowubfXrUemRSFNYo8hxSaeV6/egOi6\nmtmxPICosAV5VRbf8c5Hn3XGNGfOGVwwox+GmLjzqfpVsM9f2Qm9IQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-04-19T12:31:44Z",
"mac": "ENC[AES256_GCM,data:SaRWT7Q7joTgG7+LBL2icBQ4k2SJdFfDcPzV3IsBIMgVFC4kQNbkVr0BlTM4mgtfH+IxE8PBQu1v/JFo6kf43njnF3mD/Yzr/EsLxwVmD9U1DTpW+mr1EBUVLfiGqnVrTj2DhMdatKB1g8jRwAlpIcsmrlnsHIKjuSj5HKRIi7Q=,iv:YVV3BMhfh1ThIiYwW4uHUmUKqkHUtCy0i0owiAngKyg=,tag:f4UaL5ZjEp3Gkd6LGiq+uw==,type:str]",
"version": "3.12.2"
}
}