dannydannydanny/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(distant-shore): add X13 Gen 2 as clan machine w/ shim+MOK secure boot

Browse source 
ThinkPad X13 Gen 2, BIOS-locked + Secure Boot enforced. Boots NixOS via
Microsoft-signed shim chain-loading MOK-signed systemd-boot + kernel
(re-signed each rebuild). WiFi via NetworkManager. Migrated from the
standalone install module into clan (zerotier/data-mesher/dm-pull-deploy).
This commit is contained in:
DannyDannyDanny 2026-06-06 16:23:09 +02:00
parent 09f191d10b
commit bbe05c971d
1 changed files with 33 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

33
flake-modules/clan.nix
View file

@ -47,6 +47,7 @@ in {
inventory.machines.sunken-ship = { }; inventory.machines.sunken-ship = { };
inventory.machines.phantom-ship = { }; inventory.machines.phantom-ship = { };
inventory.machines.vps-relay = { }; inventory.machines.vps-relay = { };
inventory.machines.distant-shore = { };
# ZeroTier mesh VPN. sunken-ship is the controller (manages network # ZeroTier mesh VPN. sunken-ship is the controller (manages network
# membership); phantom-ship is a peer. The mac joins manually as an # membership); phantom-ship is a peer. The mac joins manually as an
@ -58,6 +59,7 @@ in {
roles.peer.machines.phantom-ship = { }; roles.peer.machines.phantom-ship = { };
roles.peer.machines.sunken-ship = { }; roles.peer.machines.sunken-ship = { };
roles.peer.machines.vps-relay = { }; roles.peer.machines.vps-relay = { };
roles.peer.machines.distant-shore = { };
}; };
# data-mesher — signed-file gossip protocol over libp2p (port 7946). # data-mesher — signed-file gossip protocol over libp2p (port 7946).
@ -70,6 +72,7 @@ in {
module.input = "clan-core"; module.input = "clan-core";
roles.default.machines.sunken-ship = { }; roles.default.machines.sunken-ship = { };
roles.default.machines.phantom-ship = { }; roles.default.machines.phantom-ship = { };
roles.default.machines.distant-shore = { };
roles.bootstrap.machines.sunken-ship = { }; roles.bootstrap.machines.sunken-ship = { };
}; };
@ -87,6 +90,7 @@ in {
}; };
roles.default.machines.sunken-ship.settings.action = "switch"; roles.default.machines.sunken-ship.settings.action = "switch";
roles.default.machines.phantom-ship.settings.action = "switch"; roles.default.machines.phantom-ship.settings.action = "switch";
roles.default.machines.distant-shore.settings.action = "switch";
}; };
# `clan machines update` connection target. Priority 2000 > ZT's 900 # `clan machines update` connection target. Priority 2000 > ZT's 900
@ -111,6 +115,12 @@ in {
host = "89.167.39.251"; host = "89.167.39.251";
user = "danny"; user = "danny";
}; };
# distant-shore: LAN IP for the first update (not yet on ZT). Swap to
# its generated ZT IPv6 after it joins the mesh, like the others.
roles.default.machines.distant-shore.settings = {
host = "192.168.1.182";
user = "danny";
};
}; };
# Preserve current network / init stack (no systemd-networkd/resolved, # Preserve current network / init stack (no systemd-networkd/resolved,
@ -157,6 +167,29 @@ in {
]; ];
}; };
# distant-shore — ThinkPad X13 Gen 2, WiFi, Secure Boot via shim+MOK
# (installed standalone, then migrated into clan). targetHost is the LAN
# IP for the first `clan machines update`; switch to its ZT IPv6 once the
# mesh is up. Builds on the box itself (it has nix + internet).
machines.distant-shore = {
imports = [
{
clan.core.enableRecommendedDefaults = false;
clan.core.networking.targetHost = "danny@192.168.1.182";
clan.core.networking.buildHost = "danny@192.168.1.182";
}
clanHostsModule
../nixos/hosts/distant-shore.nix
config.flake.nixosModules.monitoring-node-exporter
inputs.home-manager.nixosModules.home-manager
(hmModule {
user = "danny";
homeDirectory = "/home/danny";
stateVersion = "25.11";
})
];
};
machines.phantom-ship = { machines.phantom-ship = {
imports = [ imports = [
{ {