Stage 4f cleanup. The flake moved from ~/dotfiles/nixos/ to ~/dotfiles/
in 88c5139; docs and install scripts hadn't been refreshed. Point all
rebuild / flake references at the new root:
- AGENTS.md, README.md, server-quickstart.md, docs/server-installer-usb.md,
docs/sunken-ship-wifi.md, nixos/readme.md — rebuild command paths.
- scripts/nixos-server-install.sh — auto-detect now looks for flake.nix
at repo root (was nixos/flake.nix).
- scripts/post-install-provision.sh — first-rebuild hint path.
`nixos/hosts/<host>-hardware.nix` and friends stay where they are —
host-specific NixOS modules still live under nixos/; only the flake
entry-points + sops/ + vars/ + lib/ + modules/ + flake-modules/ moved.
nixos/readme.md rewritten to reflect the split (flake at root, per-host
modules under nixos/).
Stage 4e, take 2. Point the clan-community input at our fork's branch
that sanitizes machine.name for data-mesher's file-name validator
(upstream PR: clan/clan-community#25). Revisit this pin once merged.
- flake.nix: clan-community.url → fork + fix branch
- flake-modules/clan.nix: re-adds meta.domain = "clan",
inventory.instances.data-mesher (sunken-ship bootstrap, both default),
inventory.instances.dm-pull-deploy (sunken-ship push, both default
action="switch"), and clanHostsModule that puts /etc/hosts entries
for <host>.clan → each machine's ZT IPv6 so libp2p multiaddr
resolution works without a clan-domain DNS server.
- Generator vars for data-mesher + dm-pull-deploy signing keys were
regenerated on sunken-ship (data-mesher isn't packaged for
aarch64-darwin, so clan vars generate runs on Linux).
Stage 4e-a of the clan migration. Set up signed-file gossip
(data-mesher, experimental, clan-core) and pull-based NixOS deploy
(dm-pull-deploy, experimental, clan-community) across both servers.
- sunken-ship is the data-mesher bootstrap node + dm-pull-deploy push
role; phantom-ship joins via /dns/sunken-ship.clan/tcp/7946/... — the
hostname resolves via /etc/hosts (clanHostsModule) to sunken-ship's
ZT IPv6 since we don't run a DNS server for the clan domain.
- Both machines run the dm-pull-deploy default role with
action="switch": they watch /var/lib/data-mesher/files/home/
dm_pull_deploy/target and nixos-rebuild switch against the pushed
git+…?rev=…&narHash=… flake ref on each change.
- Signing keys (shared + per-host status) generated via clan vars
generate, ran on sunken-ship because data-mesher isn't packaged for
aarch64-darwin.
The legacy dotfiles-rebuild timer stays installed as a fallback until
dm-pull-deploy is proven; a smart push timer on sunken-ship (calls
dm-send-deploy only when origin/main moves) comes next.
clan-cli's upload / build / copy steps each resolve the SSH target
independently. With `internet.host = "sunken-ship"` (bare hostname),
off-LAN / missing-mDNS cases broke \`clan machines update\` because the
mac couldn't resolve the hostname. Pin both the inventory internet
instance's host AND clan.core.networking.{target,build}Host to each
machine's stable ZT IPv6, so every update path works regardless of
LAN DNS state — and the mac reaches the servers the same way it does
for ssh sunken-ship-zt / phantom-ship-zt.
Stage 4d of the clan migration. Navidrome is now reachable only over
the ZeroTier mesh (port 4533 on sunken-ship's ZT IPv6 address, or via
the sunken-ship-zt SSH alias). Dropped:
- systemd.services.cloudflare-tunnel
- clan.core.vars.generators.cloudflare-tunnel
- cloudflared from environment.systemPackages
- vars/per-machine/sunken-ship/cloudflare-tunnel/
Manual follow-ups still needed on sunken-ship:
- rm /home/danny/.secrets/cloudflare-tunnel-token (old unmanaged token)
- delete the tunnel itself in the Cloudflare Zero Trust dashboard
- unlink the DNS record music.dannydannydanny.me if it was separate
clan-cli preferred the zerotier networking export (priority 900, user
defaulted to root@) over our clan.core.networking.targetHost setting,
which broke \`clan machines update\` with "Host key verification failed"
against the ZT IPv6 address as root@. Declaring an inventory.instances
.internet instance with priority 2000 makes clan-cli prefer the LAN
hostname and explicit danny@ user, so updates go over the LAN (ZT
stays available for SSH aliases and service-level use).
Home-manager now writes a drop-in at ~/.ssh/config.d/zerotier with
sunken-ship-zt and phantom-ship-zt aliases pointing at the ZT IPv6
addresses. Useful when off the LAN — the aliases route over the
ZeroTier mesh. Requires a one-time \`Include ~/.ssh/config.d/*\` at
the top of ~/.ssh/config.
Declare a clan.core.vars.generators.cloudflare-tunnel generator that
prompts for the tunnel token on first run and stores it SOPS-encrypted
under vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token.
systemd.services.cloudflare-tunnel ExecStart now reads the decrypted
secret at runtime from \${config.clan.core.vars...path} (lives at
/run/secrets/vars/...) instead of the unmanaged
/home/danny/.secrets/cloudflare-tunnel-token file.
Stage 4c of the clan migration. The tunnel itself is slated for
retirement in 4d — ZeroTier-only access after that. Cloudflare token
was rotated during this migration; old value no longer valid.
clan-cli silently ignores the `?dir=` URL parameter when resolving a
flake source, so with the flake at nixos/flake.nix `clan machines
update` fails with "flake.nix does not exist". Move the flake tree up
so the repo root contains flake.nix, flake.lock, flake-modules/, lib/,
modules/, sops/, and vars/. Host-specific NixOS modules stay in
nixos/{hosts,home,fish.nix,neovim.nix,…}; flake-module paths updated
accordingly.
- dotfiles-rebuild flakeRef is now "${dotfilesDir}#<host>" (was
"${dotfilesDir}/nixos#<host>").
- CLAUDE.md build commands + clan section updated. nixupdate fish alias
updated. sunken-ship hostsfile comment updated.
- Existing /etc/dotfiles checkouts on the servers will pick up the new
layout on the next `dotfiles-rebuild` timer tick; the rebuild service
was pre-updated via rsync so its flakeRef matches before the pull.
Also includes 4b follow-through: zerotier identities are now live on
both servers (sunken-ship=d553a2de33 controller, phantom-ship=6c048abbdc
peer) and IPv6 ping across the ZT mesh works.
Stage 4b of the clan migration. Declares a clan.inventory.instances.zerotier
instance with sunken-ship as controller and phantom-ship as peer (controller
is also listed as a peer so it joins its own network). Generates the network
ID, controller identity, and per-peer identities via `clan vars generate`;
all secrets are SOPS-encrypted to the user's age key and the per-machine
age keys.
- nixos/sops/ — clan-managed SOPS state (user + per-machine age keys).
- nixos/vars/ — shared + per-machine zerotier vars; *-identity-secret
files are SOPS-encrypted, *.value files are plain public data.
- clan.core.networking.{targetHost,buildHost} = "danny@<host>" on both
servers so `clan machines update` knows where to push and build.
- mac gets `zerotier-one` installed as a homebrew cask; authorization
on the controller happens manually by node-ID in a follow-up step.
Known rough edges (to chase in later stages):
- zerotier-inventory-autoaccept.service races zerotierone.service on
first activation (connection refused against the local API). Retrying
the unit succeeds; clan upstream bug.
- Deployment must go through `clan machines update`, not plain
nixos-rebuild, or the per-host SOPS age key isn't uploaded and
zerotier-one can't decrypt its identity.
Stage 4a of the dendritic + clan migration. Both servers now live under
clan.machines (via nixos/flake-modules/clan.nix) and clan-core generates
their nixosConfigurations for us; the previous per-host flake-modules
are removed.
Notes:
- clan.core.enableRecommendedDefaults = false on both machines so we
keep the existing dhcpcd / non-networkd / non-resolved stack. Services
like dnsmasq, navidrome, and the existing wireless setup break with
the clan defaults on.
- dotfiles-rebuild timer is untouched (safety net). Replacing it with
clan machines update / dm-pull-deploy comes in 4e.
- mac stays outside the clan as admin only.
Verified: `clan machines list --flake path:…/nixos` returns both hosts;
both servers rebuild cleanly and all services (navidrome, cloudflare-
tunnel, fitness-bot, dnsmasq, openclaw-gateway, sshd) stay active.
Telegram bot hub that lists mini-apps and collects feedback via ForceReply.
Code deployed via rsync to /home/danny/shipyard/; token at
~danny/.secrets/telegram-bot-token-shipyard.
Claude Code Channels replaces OpenClaw for the @HarakatBot Telegram
bridge. Uses claude.ai subscription auth via long-lived OAuth token
at /etc/claude-channels/env — sidesteps the API rate limits OpenClaw
was hitting.
Runs as danny since plugin + pairing state lives in ~/.claude.
Wraps claude in script(1) because claude needs a PTY for its
interactive session mode.
OpenClaw service disabled but config kept for easy rollback during
validation. Will be fully removed once Channels is proven stable.
Her workspace (SOUL/MEMORY/IDENTITY/etc) is preserved in
vimwiki/openclaw/workspace/.
- Add import-tree input; flake.nix now auto-loads every file under
./flake-modules so new hosts/features drop in without editing flake.nix.
- Extract the duplicated dotfiles-rebuild service, timer, and
safe.directory wiring into nixos/modules/dotfiles-rebuild.nix, exposed
via flake.nixosModules.dotfiles-rebuild.
- sunken-ship and phantom-ship now pull it in from their flake-modules;
hostname-specific flakeRef is derived from config.networking.hostName.
The dotfiles-rebuild service runs as root, but /etc/dotfiles is owned
by `danny`. The GIT_CONFIG_* env vars in the service unit only affect
the git CLI — nix/libgit2 reads safe.directory from /etc/gitconfig.
After a recent nixpkgs bump libgit2 now enforces this strictly, so the
service was failing to evaluate the flake.
Enable programs.git and set programs.git.config.safe.directory =
[ dotfilesDir ] on both sunken-ship and phantom-ship so the trust is
persistent and Nix-managed.
Extract the per-host home-manager block (useGlobalPkgs, useUserPackages,
backupFileExtension, users.<name> with username/homeDirectory/optional
stateVersion/optional imports) into nixos/lib/home-manager-user.nix.
Each flake-module now imports it with its per-host parameters, removing
~40 lines of boilerplate across the four hosts.
- Convert flake.nix to flake-parts.lib.mkFlake; split each host into
its own module under nixos/flake-modules/.
- Replace zen-browser specialArgs plumbing with a nixpkgs overlay so
home.nix can just reference pkgs.zen-browser.
Claude Code Channels will replace OpenClaw for the Telegram bot.
Channels uses claude.ai subscription auth instead of pay-as-you-go
API, sidestepping the rate limits Hara has been hitting.
nixos-rebuild was failing with "fsType accessed but has no value
defined" on newer nixpkgs. Bind mounts need fsType=none explicitly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New fitness-bot-pull service + timer, modeled on dotfiles-rebuild.
Checks origin/main for new commits, pulls + restarts the service if
the HEAD moved. Offset by 7 min from dotfiles-rebuild to avoid
overlap.
Code now lives at github.com/DannyDannyDanny/bigbiggerbiggestbot
(cloned to /home/danny/tg_fitness_bot). workouts.db is gitignored
so it's preserved across pulls.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Exposes navidrome via music.dannydannydanny.me.
Bypasses CGNAT — no port forwarding needed.
Token stored outside repo at ~/.secrets/cloudflare-tunnel-token.
- programs.neovim.extraLuaConfig renamed to initLua in nixpkgs unstable
- uhk-agent is x86_64-linux only, removed from darwin home config;
macOS: download .dmg from ultimatehackingkeyboard.com
- Enable Wake-on-LAN (magic packet) on rusty-anchor enp2s0 via systemd service
- Add vt-theme script to rusty-anchor: switches between Catppuccin Latte/Mocha
- Theme state persisted in /etc/vt-theme, applied on login via profile.d
- alacritty-sync-system-theme.sh now SSHes to rusty-anchor and pushes the
macOS light/dark change (best-effort, non-blocking, skips if unchanged)
- Add wakeonlan to phantom-ship packages (wakeonlan 00:16:cb:87:20:ba)
Adds git and nodejs to openclaw-gateway service PATH. Configures a
git credential helper that reads a fine-grained PAT from
/etc/openclaw/github-token. Creates /var/lib/openclaw/repos for
repo clones.
