feat(foreign-port): add WiFi-only laptop as clan machine ✨

Mirrors the distant-shore pattern: clan-managed (no standalone
flake-module), wired into zerotier/data-mesher/dm-pull-deploy with the
generated vars. WiFi via NetworkManager (PSK from /etc/secrets/nm.env);
locally-signed boot chain (shim chain-loads sbsign-signed systemd-boot
+ kernel, refreshed every nixos-rebuild). targetHost is the LAN IP for
the first push, switch to ZT IPv6 once on the mesh. buildHost =
sunken-ship to avoid self-SSH on the closure copy.

flake-modules/clan.nix

@@ -22,6 +22,7 @@ let
   phantomShipZTv6 = "fdd5:53a2:de33:d269:6499:936c:48a:bbdc";
   vpsRelayZTv6 = "fdd5:53a2:de33:d269:6499:9305:339f:2ed3";
   distantShoreZTv6 = "fdd5:53a2:de33:d269:6499:93b6:ef1a:c3b3";
+  foreignPortZTv6 = "fdd5:53a2:de33:d269:6499:9389:9b18:6c52";
 
   # Shared across both servers: /etc/hosts entries so data-mesher's
   # libp2p /dns/<machine>.clan/... bootstrap multiaddrs resolve over ZT.
@@ -31,6 +32,7 @@ let
       "${phantomShipZTv6}" = [ "phantom-ship.clan" ];
       "${vpsRelayZTv6}" = [ "vps-relay.clan" ];
       "${distantShoreZTv6}" = [ "distant-shore.clan" ];
+      "${foreignPortZTv6}" = [ "foreign-port.clan" ];
     };
   };
 in {
@@ -50,6 +52,7 @@ in {
     inventory.machines.phantom-ship = { };
     inventory.machines.vps-relay = { };
     inventory.machines.distant-shore = { };
+    inventory.machines.foreign-port = { };
 
     # ZeroTier mesh VPN. sunken-ship is the controller (manages network
     # membership); phantom-ship is a peer. The mac joins manually as an
@@ -62,6 +65,7 @@ in {
       roles.peer.machines.sunken-ship = { };
       roles.peer.machines.vps-relay = { };
       roles.peer.machines.distant-shore = { };
+      roles.peer.machines.foreign-port = { };
     };
 
     # data-mesher — signed-file gossip protocol over libp2p (port 7946).
@@ -75,6 +79,7 @@ in {
       roles.default.machines.sunken-ship = { };
       roles.default.machines.phantom-ship = { };
       roles.default.machines.distant-shore = { };
+      roles.default.machines.foreign-port = { };
       roles.bootstrap.machines.sunken-ship = { };
     };
 
@@ -93,6 +98,7 @@ in {
       roles.default.machines.sunken-ship.settings.action = "switch";
       roles.default.machines.phantom-ship.settings.action = "switch";
       roles.default.machines.distant-shore.settings.action = "switch";
+      roles.default.machines.foreign-port.settings.action = "switch";
     };
 
     # `clan machines update` connection target. Priority 2000 > ZT's 900
@@ -123,6 +129,12 @@ in {
         host = "192.168.1.182";
         user = "danny";
       };
+      # foreign-port: WiFi-only LAN IP for the first update; swap to its
+      # generated ZT IPv6 after it joins the mesh.
+      roles.default.machines.foreign-port.settings = {
+        host = "192.168.1.223";
+        user = "danny";
+      };
     };
 
     # Preserve current network / init stack (no systemd-networkd/resolved,
@@ -194,6 +206,30 @@ in {
       ];
     };
 
+    # foreign-port — WiFi-only laptop server, locally-signed boot chain
+    # (installed standalone, migrated into clan). targetHost is the LAN IP
+    # for the first `clan machines update`; switch to its ZT IPv6 once the
+    # mesh is up. buildHost = sunken-ship for the closure copy (avoids
+    # self-SSH).
+    machines.foreign-port = {
+      imports = [
+        {
+          clan.core.enableRecommendedDefaults = false;
+          clan.core.networking.targetHost = "danny@192.168.1.223";
+          clan.core.networking.buildHost = "danny@sunken-ship";
+        }
+        clanHostsModule
+        ../nixos/hosts/foreign-port.nix
+        config.flake.nixosModules.monitoring-node-exporter
+        inputs.home-manager.nixosModules.home-manager
+        (hmModule {
+          user = "danny";
+          homeDirectory = "/home/danny";
+          stateVersion = "25.11";
+        })
+      ];
+    };
+
     machines.phantom-ship = {
       imports = [
         {

nixos/disko-foreign-port.nix

@@ -0,0 +1,36 @@
+# Declarative disk layout for distant-shore. UEFI/systemd-boot, no
+# encryption: it's a headless, WiFi-only server that must reboot
+# unattended (clan dm-pull-deploy), so a LUKS passphrase prompt at boot
+# would hang it. Mirrors sunken-ship's plain-ext4 choice. Device is wiped
+# + repartitioned at install time by clan/nixos-anywhere.
+{
+  disko.devices = {
+    disk.main = {
+      type = "disk";
+      device = "/dev/nvme0n1";
+      content = {
+        type = "gpt";
+        partitions = {
+          ESP = {
+            size = "512M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [ "fmask=0022" "dmask=0022" ];
+            };
+          };
+          root = {
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

nixos/hosts/foreign-port-hardware.nix

@@ -0,0 +1,18 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nixos/hosts/foreign-port.nix

@@ -0,0 +1,111 @@
+# NixOS laptop server. WiFi-only, headless, unattended auto-rebuild via
+# clan dm-pull-deploy. No LUKS (mirrors sunken-ship) so reboots don't
+# block on a passphrase.
+#
+# Blank-slate server for now — no application services. Give it a purpose
+# later (just add services here and let dm-pull-deploy roll it out).
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./foreign-port-hardware.nix
+    ../disko-foreign-port.nix
+  ];
+
+  boot.loader.systemd-boot.enable = true;
+  # Firmware-locked Secure Boot: we can't enrol our own keys into the
+  # firmware key DB, so a vendor-signed shim is the firmware-booted binary
+  # and chain-loads a locally-signed systemd-boot + kernel. The NVRAM
+  # entry points at shim; bootctl is kept away from EFI variables so
+  # rebuilds don't clobber the entry.
+  boot.loader.efi.canTouchEfiVariables = false;
+  boot.loader.efi.efiSysMountPoint = "/boot";  # matches disko ESP mountpoint
+
+  # --- Locally-signed boot chain --------------------------------------------
+  # On every bootloader install: re-sign systemd-boot and every kernel
+  # image, refresh the shim binary on the ESP, and place the helper binary
+  # beside it. Re-runs on each nixos-rebuild so auto-deployed generations
+  # stay bootable. Signing material lives in /etc/secrets, never the repo.
+  boot.loader.systemd-boot.extraInstallCommands = ''
+    # NixOS's bootloader-install systemd unit runs with a minimal PATH that
+    # doesn't include coreutils, so use absolute paths for cp/mv.
+    KEY=/etc/secrets/MOK.key
+    CRT=/etc/secrets/MOK.crt
+    sb() { ${pkgs.sbsigntool}/bin/sbsign --key "$KEY" --cert "$CRT" --output "$2" "$1"; }
+    # systemd-boot -> shim's chain-load target
+    sb /boot/EFI/systemd/systemd-bootx64.efi /boot/EFI/BOOT/grubx64.efi
+    # shim is the firmware-booted binary; helper binary sits beside it
+    ${pkgs.coreutils}/bin/cp -f /etc/secrets/shimx64.efi /boot/EFI/BOOT/BOOTX64.EFI
+    ${pkgs.coreutils}/bin/cp -f /etc/secrets/mmx64.efi  /boot/EFI/BOOT/mmx64.efi
+    # sign each kernel (skip if already signed; leave initrds untouched)
+    for k in /boot/EFI/nixos/*bzImage.efi; do
+      [ -e "$k" ] || continue
+      if ! ${pkgs.sbsigntool}/bin/sbverify --cert "$CRT" "$k" >/dev/null 2>&1; then
+        ${pkgs.sbsigntool}/bin/sbsign --key "$KEY" --cert "$CRT" --output "$k.tmp" "$k" \
+          && ${pkgs.coreutils}/bin/mv -f "$k.tmp" "$k"
+      fi
+    done
+  '';
+
+  networking.hostName = "foreign-port";
+  # WiFi via NetworkManager. The wpa_supplicant stack hit two issues on this
+  # box: (1) it strips CAP_CHOWN so wpa couldn't create its ctrl_interface,
+  # and (2) dhcpcd didn't grab a lease after the (late) association at boot,
+  # needing a manual restart — fatal for an unattended headless server. NM
+  # handles association + DHCP atomically and connected first-try here.
+  # The PSK stays out of the repo: it's substituted from /etc/secrets/nm.env
+  # ($PSK_INTENO) into the declared profile at activation.
+  networking.networkmanager.enable = true;
+  networking.networkmanager.ensureProfiles.environmentFiles = [ "/etc/secrets/nm.env" ];
+  networking.networkmanager.ensureProfiles.profiles."Inteno-89FE-5GHz" = {
+    connection = { id = "Inteno-89FE-5GHz"; type = "wifi"; autoconnect = true; };
+    wifi = { ssid = "Inteno-89FE-5GHz"; mode = "infrastructure"; };
+    wifi-security = { key-mgmt = "wpa-psk"; psk = "$PSK_INTENO"; };
+    ipv4.method = "auto";
+    ipv6.method = "auto";
+  };
+  hardware.enableRedistributableFirmware = true;  # WiFi firmware blobs
+  time.timeZone = "Europe/Copenhagen";
+
+  # It's a laptop acting as a server: keep running with the lid shut.
+  services.logind.settings.Login.HandleLidSwitch = "ignore";
+  services.logind.settings.Login.HandleLidSwitchExternalPower = "ignore";
+
+  # Reduce screen burn-in / power: blank the TTY after a minute.
+  boot.kernelParams = [ "consoleblank=60" ];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  programs.nix-ld.enable = true;  # run dynamically linked binaries (e.g. Claude Code remote CLI)
+  nix.settings.trusted-users = [ "root" "danny" ];
+  system.stateVersion = "25.11";
+
+  users.users.danny = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "video" "audio" ];
+    openssh.authorizedKeys.keys = [
+      # Mac admin / fleet key (~/.ssh/id_ed25519_sunken_ship) — the key the
+      # Mac uses to reach the fleet; clan machines update relies on it.
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@mac-admin"
+      # TODO: add a per-host key (~/.ssh/id_ed25519_foreign_port) for
+      # plain `ssh foreign-port`. Generate when convenient.
+      # sunken-ship (dm-pull-deploy push node) — reach foreign-port over ZT.
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9t4YAaoHvVouqp+qyFOq8o3SAtXMiAmjF6J0ldyx4g danny@sunken-ship"
+    ];
+  };
+  users.users.root.openssh.authorizedKeys.keys =
+    config.users.users.danny.openssh.authorizedKeys.keys;
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  # mokutil + sbsigntool — manage the shim trust chain and inspect signed
+  # bootloader/kernel images when debugging.
+  environment.systemPackages = with pkgs; [ git mokutil sbsigntool ];
+}

sops/machines/foreign-port/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1lwl2z6ymqjshknr79277qnr7hvffcc8n7qdqt98sz3t709a5yutq8d7gka",
+    "type": "age"
+  }
+]

sops/secrets/foreign-port-age.key/secret

@@ -0,0 +1,14 @@
+{
+	"data": "ENC[AES256_GCM,data:MH/ib8WAbzucbm2dhhoo6ESSSLKtKMWmjUwtpAOZhU7KyhOoechpJRSkBBmFV4LzbSP1qeaFbid6USJBnRsxkoz6XvhMzP0kzS0=,iv:9sPwc/JIlo5mzxelNzLCB26k2f+n2C9tB8Y/HEdPvHw=,tag:hJBhzTMsTWd9PDydS4aosg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6L2JGejlzQlhiNFhES1lT\nNTZsNFFMT1NzZEV0T28rNDA3STJ1UXNRcUZFCkxoenpFYWJicHpGVDhtMUdwNXBo\nS29EazVsRGFST2ZodDJMTkxQN2I1RjAKLS0tIFpib0RoOTJ6bkU0b1F6NnRaV3lF\nVHhvYjNOUUtMbGF5ejdaVk5WdGt2d1kKNU5JR1nIYPQLALUM3wRO945Sk6GLxJpn\nTVmVUEgXcwHcSij10a/cQOyPXNNnsfIC+WJFMJcjHfsjBnwS5W/Bgw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-06-07T19:41:18Z",
+		"mac": "ENC[AES256_GCM,data:mVobAhXUhbs49+g0bXfi4TjPG667F7pM8Kk518a7kRZ/HtN2kLYcSyl3XpspTosAs4x3QbFQUbFCgsBgqx+gS6xlw3OAJXM3iG2fNu2qoj9Q7viAEHoWVHwT+ftjA0qVTUf0BDD1r4ow6BNhe6kQy5bQqVu0MhjDfsK9BNTXAu4=,iv:aFHo3bQKgr1XSnwGUajkSFa4UftTWdZbPtXY05N7qOM=,tag:VymYJf4XFLaEGvxQmvF6rA==,type:str]",
+		"version": "3.12.2"
+	}
+}

sops/secrets/foreign-port-age.key/users/danny

@@ -0,0 +1 @@
+../../../users/danny

vars/per-machine/foreign-port/data-mesher-node-identity/identity.cert/machines/foreign-port

@@ -0,0 +1 @@
+../../../../../../sops/machines/foreign-port

vars/per-machine/foreign-port/data-mesher-node-identity/identity.cert/secret

@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:wnNPCB0+f3dcxMW1/pcFZFauUVYTC1mfWoWBV2EJmyRzZS3Uux5Un3R/GbYQeDSFZDLzLH+zCZFaxq3mpb3NGTTUzF8vnGMk/OnjlolA8OjAfiODI0mahTiQA7WcWSk1hkkZ15Ri1o+uyumx9hmvJU3dIsKIJe7AizCzwP5bHg1jgRhG2wPKKyIDWKoh4JTlR6SxK6/tOaUPx2gb2ddz2Lk56Xdw7GCbb/9I9D6sRwxdWMCoWFKdTllLsdsD48b8Jfq4ewD+LudYEtiVByk5SpyOjQoAmMLYaGlD+nxFgZz53hePRIXnp0fL0pm4,iv:fA607yxD/yHJatEiGh1SVGDcqKxB+EFeyCUQeF/Z5hA=,tag:glaq+MBCp6ptKqDsw4RM/Q==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MklDUkpWbEdFcFgxTVJZ\ndEs1OTJtZFhVaEsyb2pobGlUOGhtcTY4RWpVCjFDV3lqRmNGclZMbTR3UXlhcjJv\nVEY1Tjk1YWR4Tmt0SmgvR3laZnNIRUkKLS0tIHB1TURnYmVzZW4xSERMR0ZrRXl5\nbWVJbW1keGkyUkhuQXE0MEFTaXFsS1EKHlsS3FDr9RuMBRU5r4T3bCZWZn38V3k+\nfLUfuZK2IF+xyD7kEiBuATB57wwfd8RzZ1lBwz4fD4jlb+fz0BXoJQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1lwl2z6ymqjshknr79277qnr7hvffcc8n7qdqt98sz3t709a5yutq8d7gka",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TnNqc284WkZqdXNLVFBU\nRTJndEFmNjY0Q1YyUnRPLy9jWllpSy9ZaFNFCkFkNmpYenQ2dk1Fb2dRZTNvM0Jl\nemNqUmdjQmpJQUF4M3ZNRmo4UEhXOHcKLS0tIFp4OTZJTGR1algxTEVWemdkQTB5\nME4xTTdlelN6bXJiTGRSM1VSWG5vZUEKOYc71rLx7RTq4DR6ZggrtgllK58sYJ6h\ngw156OTQl3fKWxlrKDd1l4o72M1qmfAIQ1z5YJJ+CfNPk/iMz/R3rQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-06-07T19:41:18Z",
+		"mac": "ENC[AES256_GCM,data:AkcOoNTxMNkpF0SrwFlNujBrB8fxL1diu+mGq/kbsiWIj6UqvVD+dimDSvTgVqvnU4HF7/7b9zKriC6SbG42Kz8zScFv7m3idD2tHr+7SE/iR7CowDQs70CRMo1b85wLq8WAxhfQb93NHdum6I2biNVIf0ZXs1+kZ2iNBxtjqfQ=,iv:kWOCWCe953ekq0n0HLe3S2JprIBnBe9QXwIzDFyQMH8=,tag:tLz7VZwj7RrbpJ7QTrBqcg==,type:str]",
+		"version": "3.12.2"
+	}
+}

vars/per-machine/foreign-port/data-mesher-node-identity/identity.cert/users/danny

@@ -0,0 +1 @@
+../../../../../../sops/users/danny

vars/per-machine/foreign-port/data-mesher-node-identity/identity.key/machines/foreign-port

@@ -0,0 +1 @@
+../../../../../../sops/machines/foreign-port

vars/per-machine/foreign-port/data-mesher-node-identity/identity.key/secret

@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:1Hq98rN3U+8DcxIFJpYkvv31gUpSm0WBjfZxivYn7/ZkH6zbJ57fzeU+9PH9SRF6QBuekZKZNIBup3fteI5VqQ/moEyQE9aSvnqGCrkcamDwDQfN5GwKX+rb7W96atESRm/VqhgDWC2KTc3892515gBPpkDG+nc=,iv:tAlghG1jpDPcYgTvEzAlnB2upAetl8mz8IIQercHe4k=,tag:mz3fvVlKolg5JzrjhBNPaw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaEk2Z1NMZnVtNlJPdXgw\nTWNaTFBCRXo3T2JRUEY2Q2hBY0xpMVV6ckE0ClJOVUpKNDZTcEhGS2RzQm1tSjNp\ndmxQWjl5aHord0RUMHRvTlhyMkVqc1UKLS0tIHlDRXlReUgzZVdLcE9kMFhsTDRq\nOGxpZE9KcUR0VEhyOE9VUkVUVlIyRlEKsnU17famN/qr2M8BdvVpRl5bSWseegrZ\nnB9yljvm+pxsE55xM1WyguNfUwXtHj0YTiVgBl5PIUolj3/J8R76sg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1lwl2z6ymqjshknr79277qnr7hvffcc8n7qdqt98sz3t709a5yutq8d7gka",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTGdDVlB0RGlTcng3M3pE\nNzEvNFpBUzF0aDJDaUJFTFFGWlB3bEVVdHhFClZOZGNDanlMTkxIMk9lbzVGRzAv\nZG93NUFFL3NIM3Z0TlhucFlMTTYwc3MKLS0tIFFQcTIwekNEM0k0MElGZys2QldS\nMDZpRVk5OVNZYVVWSWJDTFZqVFdiRWcKgwuwZgKhKx1PiQwH2CgMoCl0WUQR5Rv9\nx4mpZgkoD5pkEx896117CyAy2BRzrDWo+4SsjEijSMlDynYsbxLReA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-06-07T19:41:18Z",
+		"mac": "ENC[AES256_GCM,data:DX9+9MH8ZPtc6sPbYSc+54soAIXJWWEoEWBZdbJ6gT5RhVdzUjMHuEbmb9eMcb+nVu4KSUCoXiJOT9XActSU2dcTNIIiLX1lqpw0aWRS2sAWM+Go4hT4/P98z/0vcsdN/uQOBl3cDlygqKhN9GSoPfJTMT+QTSZsVjxwYxW1pPM=,iv:B9RiMMX+yS1Y+3E1ifTJI30pvLrah5SCPwW6CZKZGNU=,tag:MA007hv+nMIMutOdl5ewkQ==,type:str]",
+		"version": "3.12.2"
+	}
+}

vars/per-machine/foreign-port/data-mesher-node-identity/identity.key/users/danny

@@ -0,0 +1 @@
+../../../../../../sops/users/danny

vars/per-machine/foreign-port/data-mesher-node-identity/identity.pub/value

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAZqy+mwYOfJy3GSHfeC80TFn1c0kYte5zzzbwrP8xww0=
+-----END PUBLIC KEY-----

vars/per-machine/foreign-port/data-mesher-node-identity/peer.id/value

@@ -0,0 +1 @@
+12D3KooWGjAXheQGEfy13JQJP8pSrwcivxoXw5ijRzesfXVDFuyW

vars/per-machine/foreign-port/dm-pull-deploy-status-key/signing.key/machines/foreign-port

@@ -0,0 +1 @@
+../../../../../../sops/machines/foreign-port

vars/per-machine/foreign-port/dm-pull-deploy-status-key/signing.key/secret

@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:dDO6hu8prxHvoP41Oxky0mGGbrwqcCcrrkg0tbr/Sv8K16gNoQaX2wvaRDExOmt0BZkv5Oe8p5pvKudmm5JN0AS7oaPexW0lE+vFJ+zrRpq01c5BbCYZ0SuuafJ3VmRS/dlYU0/SZ4MyK3eijLzX3rGHPOi3b0g=,iv:hbh49ExGMYyshxcus/5sTIs/ZcOL9pod/3H/oHG1Qs8=,tag:fjHnl2uunGEU0i2FtgZB+g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNTlkTWVleld5K3Q5Vklm\nMlphdVduQ0RKY0pEVGdVTm5scHRWR0lNVjAwClV4V3drQnFLUkhpUVk1ZElGcFM1\ncit3UTdURExTRDVjVW1ZdklTZzRINDAKLS0tIHFMYnNycmh1Y0h4OC9UNUtHUmMw\nVXdpVk9QWHlBYmtCS3FOam9SWnRFZG8KDnggBRH/wSh1tfiCGOn1sF/Fdfxkf1us\n7Lzxexrmh+lllns/KY2of9L2HUgDavp+ju/5QVFfT7O3SuSTB6aoow==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1lwl2z6ymqjshknr79277qnr7hvffcc8n7qdqt98sz3t709a5yutq8d7gka",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5eVpNUmV5QlllaXlPaGgr\ndXZYMURzT3I4UWxWSHBSbnAyZVNsOWNaZ2xJClhkRmZ2ejBYVCtkTVBZZE82YXE5\nWkdZWFJFM0lVQXFFYm5rYnRVZDFEdlkKLS0tIHZ5OUgzcFRLZnFWK3pDUUtWUUJj\nWFF4Zk5IeDl5VFNQWlVsTk1lQWlLQmMKJzaOm0cwOshmwoO+eHovf6i6mGkezjIP\ncXJlDaJyxfPKJxc36XlJ5KT9c4RqTX7WFOifHoKRh4EN58KnvtFj+A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-06-07T19:41:18Z",
+		"mac": "ENC[AES256_GCM,data:UX7265pubBBssugQk4pZsQH5WedsmnqFa77bJQZwu2ixNUTkO9VfR8r9CUiugDOmbDj9Y7TJtoN4JR+v6hBmDOnjHO5w0WO5dONNJebGmO+pGU7r/K6WwSGi5nPANiYjGuHqYZwq7PJe8ZCF/vu/ZI8q7iJijw6xGWuGHaP/Gvw=,iv:Ezo1z5n+pHPdhjh9l+HvmsgElEwJR4eoMPtZKdDhHAI=,tag:57yLRXReSRz098sDxyiQZQ==,type:str]",
+		"version": "3.12.2"
+	}
+}

vars/per-machine/foreign-port/dm-pull-deploy-status-key/signing.key/users/danny

@@ -0,0 +1 @@
+../../../../../../sops/users/danny

vars/per-machine/foreign-port/dm-pull-deploy-status-key/signing.pub/value

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEA6xYjcIT5B5NDduIARf2EAoE+vsnZK+NWcyiI0fQc0Fg=
+-----END PUBLIC KEY-----

vars/per-machine/foreign-port/zerotier/zerotier-identity-secret/machines/foreign-port

@@ -0,0 +1 @@
+../../../../../../sops/machines/foreign-port

vars/per-machine/foreign-port/zerotier/zerotier-identity-secret/secret

@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:PO0Thn6D7kcIGWr7MwmS8H58+9JYSDDGQZlx28B7T6noXTA6tWqMJlqY4aMn1dXJ1CKAqV4q5VZpd/kP9KQvSL4DRnRrFteRe0C+k/mlLfwsWVqLGFY7eqoG1QTZwc4w8cw3FB7R0YUfxRlHq3mIyrbf+8POX2Rq2r5L5GNWVkGTKZOPRtNawPxTrUgfVM4B9ksc1vtTZeWn1GymSwevnt4KPX/8efFAgIclTUHh+Eh+F9xSU9efnkT+Phsh3QLf+3+UHiXQXlpMgwuKrvBJdHWLxJz/3aTpU2+nByqv0IANhGhR8ut0EbFXr8Zr1pIYrt4mWCAyYJvnwxR6iljQ1zyhI0GXUNAHJPQ7wRYq,iv:yDOBYu2+HK/KfS/hbR5QgOi2QHp9RzGPiKxojQX2s8c=,tag:q6s6LemFyoFBEq+ojd4D6A==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bEkwSUhxR0JQR2psZ3Uy\nUlFpWi93NTBhZ0s0TlpkQ2VkVUdDWHIyNmhFClBhVFBnb1h0c2o2cm9OODZpZWMy\nQTB2YmxnWmN5Ylo4M1JHMVVVdklWeWMKLS0tIDBSY2NQdmRTZnA1QUtnaHloUFJJ\nb0VvZGlwSko0UitTa2t6TDZ4bnhsSWMKt5awUoFdny/Qg5krgUAzHeqIoIhprPmF\nBNleiSJdAvSsK53a7CT2rGInnl3dcrtpkEWluK7WJlFTJBdekMwQuA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1lwl2z6ymqjshknr79277qnr7hvffcc8n7qdqt98sz3t709a5yutq8d7gka",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TFZjRjk4Wm8vcEcxN0ZP\na05yd282UmR3NllXM2MyeUpSb0VuWURvTHp3CmJzL0cwcU5WWGJuME1KcmtxSFVw\nL1lFdzg3Z2t4TXBiaWduZ2tSZXc3bjAKLS0tIEp6NWpIMlhoSEtvQ3IyNXJNVnE1\nb1lSczR2eG1JY1NScnkyNWMxWWN0aWcKrnfv9dGrWpmBjt8u+FdtwojU5hLDyV/Z\n6vgaW35SvFYLYR53Zo18MPkYbqGcaNldyr68qbYMLxqVdQUJwv3LSg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-06-07T19:41:19Z",
+		"mac": "ENC[AES256_GCM,data:joT4cUsVDxTVJqF9OJyETkC0lxQ6sT3XonBIjy80/PZ6cs7lcEyboWWSVuBcG+CTPzcUv1uXmdNjUBNc/TDdF8P0vEGnMBgmNRnSrxb0OwENW+c08GOB+c4AJev58H+V1wmzmyr9NJAKxpvQaE/cWIS1wS7c5QdiKAj8HsYd2ns=,iv:H2xSAU0jTH0bKS+P5W+FwbOtzl/Wb5xTfirkZMmtPq8=,tag:o+b9ESO3d8XnIU/bcH09zw==,type:str]",
+		"version": "3.12.2"
+	}
+}

vars/per-machine/foreign-port/zerotier/zerotier-identity-secret/users/danny

@@ -0,0 +1 @@
+../../../../../../sops/users/danny

vars/per-machine/foreign-port/zerotier/zerotier-ip/value

@@ -0,0 +1 @@
+fdd5:53a2:de33:d269:6499:9389:9b18:6c52