9921a7f9f1
Stage 4b of the clan migration. Declares a clan.inventory.instances.zerotier
instance with sunken-ship as controller and phantom-ship as peer (controller
is also listed as a peer so it joins its own network). Generates the network
ID, controller identity, and per-peer identities via `clan vars generate`;
all secrets are SOPS-encrypted to the user's age key and the per-machine
age keys.
- nixos/sops/ — clan-managed SOPS state (user + per-machine age keys).
- nixos/vars/ — shared + per-machine zerotier vars; *-identity-secret
files are SOPS-encrypted, *.value files are plain public data.
- clan.core.networking.{targetHost,buildHost} = "danny@<host>" on both
servers so `clan machines update` knows where to push and build.
- mac gets `zerotier-one` installed as a homebrew cask; authorization
on the controller happens manually by node-ID in a follow-up step.
Known rough edges (to chase in later stages):
- zerotier-inventory-autoaccept.service races zerotierone.service on
first activation (connection refused against the local API). Retrying
the unit succeeds; clan upstream bug.
- Deployment must go through `clan machines update`, not plain
nixos-rebuild, or the per-host SOPS age key isn't uploaded and
zerotier-one can't decrypt its identity.
|
||
|---|---|---|
| .. | ||
| flake-modules | ||
| home/danny | ||
| hosts | ||
| lib | ||
| modules | ||
| sops | ||
| vars | ||
| disko-server.nix | ||
| fish.nix | ||
| flake.lock | ||
| flake.nix | ||
| installer-iso.nix | ||
| neovim.nix | ||
| ollama.nix | ||
| readme.md | ||
| server-configuration-with-flakes.nix | ||
| server-install-configuration.nix | ||
| wsl.conf | ||
NixOS flake
Rebuild from dotfiles dir:
# macOS
cd ~/dotfiles/nixos && darwin-rebuild switch --flake .
# WSL
sudo nixos-rebuild switch --flake ~/dotfiles/nixos#wsl
# sunken-ship (on server)
sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#sunken-ship
Server (sunken-ship)
One-time bootstrap (no git until first rebuild):
nix run --extra-experimental-features "nix-command flakes" nixpkgs#git -- clone https://github.com/DannyDannyDanny/dotfiles.git /tmp/dotfiles
sudo mv /tmp/dotfiles /etc/dotfiles
sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#sunken-ship --option accept-flake-config true
If the daemon doesn't have flakes: copy server-configuration-with-flakes.nix to /etc/nixos/configuration.nix, run sudo nixos-rebuild switch, then build and switch to the flake (see server-quickstart.md for SSH keys).
SSH keys (not in repo): scp ~/.ssh/*.pub danny@server:/tmp/, then on server mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys. See docs/ssh-and-secrets.md.
Timer: every 15 min the server pulls and rebuilds when main changes. Config: hosts/sunken-ship.nix, hosts/sunken-ship-hardware.nix.
No git in PATH: sudo nix run nixpkgs#git -- -C /etc/dotfiles pull origin main.