From bbe05c971d7a2e094ec9be6952d999b9e31c34d3 Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Sat, 6 Jun 2026 16:23:09 +0200
Subject: [PATCH] =?UTF-8?q?feat(distant-shore):=20add=20X13=20Gen=202=20as?=
 =?UTF-8?q?=20clan=20machine=20w/=20shim+MOK=20secure=20boot=20=E2=9C=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ThinkPad X13 Gen 2, BIOS-locked + Secure Boot enforced. Boots NixOS via Microsoft-signed shim chain-loading MOK-signed systemd-boot + kernel (re-signed each rebuild). WiFi via NetworkManager. Migrated from the standalone install module into clan (zerotier/data-mesher/dm-pull-deploy).
---
 flake-modules/clan.nix | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/flake-modules/clan.nix b/flake-modules/clan.nix
index 30fe4c9..3b9b45c 100644
--- a/flake-modules/clan.nix
+++ b/flake-modules/clan.nix
@@ -47,6 +47,7 @@ in {
 inventory.machines.sunken-ship = { };
 inventory.machines.phantom-ship = { };
 inventory.machines.vps-relay = { };
+ inventory.machines.distant-shore = { };
 
 # ZeroTier mesh VPN. sunken-ship is the controller (manages network
 # membership); phantom-ship is a peer. The mac joins manually as an
@@ -58,6 +59,7 @@ in {
 roles.peer.machines.phantom-ship = { };
 roles.peer.machines.sunken-ship = { };
 roles.peer.machines.vps-relay = { };
+ roles.peer.machines.distant-shore = { };
 };
 
 # data-mesher — signed-file gossip protocol over libp2p (port 7946).
@@ -70,6 +72,7 @@ in {
 module.input = "clan-core";
 roles.default.machines.sunken-ship = { };
 roles.default.machines.phantom-ship = { };
+ roles.default.machines.distant-shore = { };
 roles.bootstrap.machines.sunken-ship = { };
 };
 
@@ -87,6 +90,7 @@ in {
 };
 roles.default.machines.sunken-ship.settings.action = "switch";
 roles.default.machines.phantom-ship.settings.action = "switch";
+ roles.default.machines.distant-shore.settings.action = "switch";
 };
 
 # `clan machines update` connection target. Priority 2000 > ZT's 900
@@ -111,6 +115,12 @@ in {
 host = "89.167.39.251";
 user = "danny";
 };
+ # distant-shore: LAN IP for the first update (not yet on ZT). Swap to
+ # its generated ZT IPv6 after it joins the mesh, like the others.
+ roles.default.machines.distant-shore.settings = {
+ host = "192.168.1.182";
+ user = "danny";
+ };
 };
 
 # Preserve current network / init stack (no systemd-networkd/resolved,
@@ -157,6 +167,29 @@ in {
 ];
 };
 
+ # distant-shore — ThinkPad X13 Gen 2, WiFi, Secure Boot via shim+MOK
+ # (installed standalone, then migrated into clan). targetHost is the LAN
+ # IP for the first `clan machines update`; switch to its ZT IPv6 once the
+ # mesh is up. Builds on the box itself (it has nix + internet).
+ machines.distant-shore = {
+ imports = [
+ {
+ clan.core.enableRecommendedDefaults = false;
+ clan.core.networking.targetHost = "danny@192.168.1.182";
+ clan.core.networking.buildHost = "danny@192.168.1.182";
+ }
+ clanHostsModule
+ ../nixos/hosts/distant-shore.nix
+ config.flake.nixosModules.monitoring-node-exporter
+ inputs.home-manager.nixosModules.home-manager
+ (hmModule {
+ user = "danny";
+ homeDirectory = "/home/danny";
+ stateVersion = "25.11";
+ })
+ ];
+ };
+
 machines.phantom-ship = {
 imports = [
 {
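Review bot: The temporary LAN address `192.168.1.182`, which the new comment says must be swapped for the ZeroTier IPv6 once the machine joins the mesh, is written three times in this patch — in `host` here and again as `targetHost` and `buildHost` in the `machines.distant-shore` hunk that follows — so the planned swap has to be repeated in three places and a missed copy leaves a stale deploy target for `clan machines update`. A single binding in the `let` block above (the hunk headers show only `in {`, so that block is outside both hunks) would keep them in step, e.g. `distantShoreHost = "192.168.1.182";` with `host = distantShoreHost;` here and `clan.core.networking.targetHost = "danny@${distantShoreHost}";` in the machines entry. If the LAN address is a DHCP lease rather than a reservation it may also change before the swap happens, which is worth saying in the comment. The instance attribute set this hunk edits opens and closes outside the hunk.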