32cb3b7510
clan-cli preferred the zerotier networking export (priority 900, user defaulted to root@) over our clan.core.networking.targetHost setting, which broke \`clan machines update\` with "Host key verification failed" against the ZT IPv6 address as root@. Declaring an inventory.instances .internet instance with priority 2000 makes clan-cli prefer the LAN hostname and explicit danny@ user, so updates go over the LAN (ZT stays available for SSH aliases and service-level use).
96 lines
3.3 KiB
Nix
96 lines
3.3 KiB
Nix
# clan.lol wiring for the homelab.
|
|
#
|
|
# Declares `sunken-ship` and `phantom-ship` as clan machines. Each machine's
|
|
# `imports` list is the NixOS module set that used to live in its own
|
|
# flake-module. clan-core produces `flake.nixosConfigurations.<name>` from
|
|
# these, which is why the old per-host flake-modules were removed.
|
|
#
|
|
# The mac stays outside the clan — admin only, uses `clan machines update`
|
|
# to push to the servers.
|
|
{ config, inputs, ... }:
|
|
let
|
|
lib = inputs.nixpkgs.lib;
|
|
hmModule = { user, homeDirectory, stateVersion ? null, userImports ? [ ] }:
|
|
import ../lib/home-manager-user.nix {
|
|
inherit lib user homeDirectory stateVersion userImports;
|
|
};
|
|
in {
|
|
imports = [ inputs.clan-core.flakeModules.default ];
|
|
|
|
clan = {
|
|
meta.name = "homelab";
|
|
|
|
# Inventory machines — required for `inventory.instances` role bindings
|
|
# to resolve. Host-specific NixOS config lives under `machines.<name>`
|
|
# below.
|
|
inventory.machines.sunken-ship = { };
|
|
inventory.machines.phantom-ship = { };
|
|
|
|
# ZeroTier mesh VPN. sunken-ship is the controller (manages network
|
|
# membership); phantom-ship is a peer. The mac joins manually as an
|
|
# external ZT client and is authorized on the controller by node ID.
|
|
inventory.instances.zerotier = {
|
|
module.name = "zerotier";
|
|
module.input = "clan-core";
|
|
roles.controller.machines.sunken-ship = { };
|
|
roles.peer.machines.phantom-ship = { };
|
|
roles.peer.machines.sunken-ship = { };
|
|
};
|
|
|
|
# Direct SSH reachability on the LAN. Priority 2000 > ZT's 900, so
|
|
# `clan machines update` prefers LAN hostnames over ZT IPv6 — and uses
|
|
# the right user (ZT service defaults to root@).
|
|
inventory.instances.internet = {
|
|
module.name = "internet";
|
|
module.input = "clan-core";
|
|
roles.default.machines.sunken-ship.settings = {
|
|
host = "sunken-ship";
|
|
user = "danny";
|
|
};
|
|
roles.default.machines.phantom-ship.settings = {
|
|
host = "phantom-ship";
|
|
user = "danny";
|
|
};
|
|
};
|
|
|
|
# Preserve current network / init stack (no systemd-networkd/resolved,
|
|
# no boot.initrd.systemd, no extra debug packages). Revisit per-service
|
|
# in later stages rather than flipping this fleet-wide.
|
|
machines.sunken-ship = {
|
|
imports = [
|
|
{
|
|
clan.core.enableRecommendedDefaults = false;
|
|
clan.core.networking.targetHost = "danny@sunken-ship";
|
|
clan.core.networking.buildHost = "danny@sunken-ship";
|
|
}
|
|
../nixos/hosts/sunken-ship.nix
|
|
config.flake.nixosModules.dotfiles-rebuild
|
|
inputs.home-manager.nixosModules.home-manager
|
|
(hmModule {
|
|
user = "danny";
|
|
homeDirectory = "/home/danny";
|
|
stateVersion = "25.11";
|
|
})
|
|
];
|
|
};
|
|
|
|
machines.phantom-ship = {
|
|
imports = [
|
|
{
|
|
clan.core.enableRecommendedDefaults = false;
|
|
clan.core.networking.targetHost = "danny@phantom-ship";
|
|
clan.core.networking.buildHost = "danny@phantom-ship";
|
|
}
|
|
inputs.nix-openclaw.nixosModules.openclaw-gateway
|
|
../nixos/hosts/phantom-ship.nix
|
|
config.flake.nixosModules.dotfiles-rebuild
|
|
inputs.home-manager.nixosModules.home-manager
|
|
(hmModule {
|
|
user = "danny";
|
|
homeDirectory = "/home/danny";
|
|
stateVersion = "25.11";
|
|
})
|
|
];
|
|
};
|
|
};
|
|
}
|