9921a7f9f1
Stage 4b of the clan migration. Declares a clan.inventory.instances.zerotier
instance with sunken-ship as controller and phantom-ship as peer (controller
is also listed as a peer so it joins its own network). Generates the network
ID, controller identity, and per-peer identities via `clan vars generate`;
all secrets are SOPS-encrypted to the user's age key and the per-machine
age keys.
- nixos/sops/ — clan-managed SOPS state (user + per-machine age keys).
- nixos/vars/ — shared + per-machine zerotier vars; *-identity-secret
files are SOPS-encrypted, *.value files are plain public data.
- clan.core.networking.{targetHost,buildHost} = "danny@<host>" on both
servers so `clan machines update` knows where to push and build.
- mac gets `zerotier-one` installed as a homebrew cask; authorization
on the controller happens manually by node-ID in a follow-up step.
Known rough edges (to chase in later stages):
- zerotier-inventory-autoaccept.service races zerotierone.service on
first activation (connection refused against the local API). Retrying
the unit succeeds; clan upstream bug.
- Deployment must go through `clan machines update`, not plain
nixos-rebuild, or the per-host SOPS age key isn't uploaded and
zerotier-one can't decrypt its identity.
18 lines
1.8 KiB
Text
18 lines
1.8 KiB
Text
{
|
|
"data": "ENC[AES256_GCM,data:g6eYxa672pfIHJ6jaTAf63ubXIJMPg08GJU2vwnF3hsCK73s5zkbFTd2GiLOZxlk641SK0bIfedABmsybG63qzFW2BOMIaUree0dlDv/u0oaRGdKCrrrrboxi6YbBncKgJLJpiAsmHZ9dsTz4bpicmj0JOBJ6f5HsD95qfy62yMOTSGZD7vdH43cXfbXxg49mKE7Ku2TL8a8awDiFc+Dqk+8QmMxr1XmF/IhYna+Amc+3OtmGGNEfoR8z7yHz13YA0CjJOe0QT2/GgRSUn5B43OkKhpR3e8mwtq6TAFRlBExt5Ccb4P09INcCA2oeAnyi0SEtwHg7KyPIDRJpEYVQ7jWAEFbNtOseBEbnibs,iv:QGNEvG0eLzVFw4lEqDYaSoUK318TRap61rqLD5Djzb0=,tag:vm73BNMMcF+0fiIkugqwxg==,type:str]",
|
|
"sops": {
|
|
"age": [
|
|
{
|
|
"recipient": "age18gtjh28qxeltg2r2tzxwl096crkqkqk8tjhersyf7mzdsddady7qs34x0m",
|
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUEJqQXNHcitJNnBEZDZW\nbFdieDFOaDFEazk4cUY5aXYrMjJabnVmWndVCjU0WmRpemNsWUMxN1N0R2dpSTla\nNzliTFFOU1o4VlBwSTJLN1krSEZ0TWMKLS0tIElyd3ovRno0Y3pGd1FFTE5VN0tM\ndTU2c25WcWN4YW15cGErSUJvYmFuRXcKKjBQln8jyOSBa1X1EJJSUg528waFL/8F\nkCpket2TGmNCvMDSai+5Iqe6X222J86uzoXsrLPl2PZaOCXD4t+gRw==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
},
|
|
{
|
|
"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
|
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSFNPWW92QkFFYURROGJG\nbTZoS0hFQk52RVNSTWJsclBYRWxIS3c3RTFZCldhQ0QvUmhlRzg5Q3lHUnBnTUtN\nWEZqbWpFOUZhMStzNldCRXdyQzlyWnMKLS0tIGV6anNjVktWamkvbkF3OUxVS1Ji\nUGMzc2FxeE5YTmdMVTRtUDNuMlFaTlkKoJcPcmoMgxVRvcLv7ejws4IJnQd+Yt7s\njqWi0q4iwGLZSLUPb8NUZpWEn0Jbji2edSpATzf67uws1TFHGAMmuA==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
}
|
|
],
|
|
"lastmodified": "2026-04-19T12:31:44Z",
|
|
"mac": "ENC[AES256_GCM,data:hjIn5hcpgQkrWFTsQ3BdmQFPKeubs90opSl06z2Dh7mzTcSqCSF3cQ/l8fj+GD2GuptEMbPczOIoiJfKNxoLDp5L4iHIou7XwFXVhhdjm8fqIMHusnZc/eQBI/H6J2fHWzJ1gxgsKlkazsY3cbWxLfqdz7vAV06SflW5/B5Hbto=,iv:BeB417C5r4uVHSKs9UzwJI+A4F9NrrpoTRn+X14sMtA=,tag:PcaaJrMXO0h6EzdKpVl9xg==,type:str]",
|
|
"version": "3.12.2"
|
|
}
|
|
}
|