dannydannydanny/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
dotfiles/nixos/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/secret
DannyDannyDanny 9921a7f9f1 feat(nix): zerotier overlay via clan inventory + mac ZT client 🕸️ 
Stage 4b of the clan migration. Declares a clan.inventory.instances.zerotier
instance with sunken-ship as controller and phantom-ship as peer (controller
is also listed as a peer so it joins its own network). Generates the network
ID, controller identity, and per-peer identities via `clan vars generate`;
all secrets are SOPS-encrypted to the user's age key and the per-machine
age keys.

- nixos/sops/ — clan-managed SOPS state (user + per-machine age keys).
- nixos/vars/ — shared + per-machine zerotier vars; *-identity-secret
  files are SOPS-encrypted, *.value files are plain public data.
- clan.core.networking.{targetHost,buildHost} = "danny@<host>" on both
  servers so `clan machines update` knows where to push and build.
- mac gets `zerotier-one` installed as a homebrew cask; authorization
  on the controller happens manually by node-ID in a follow-up step.

Known rough edges (to chase in later stages):
- zerotier-inventory-autoaccept.service races zerotierone.service on
  first activation (connection refused against the local API). Retrying
  the unit succeeds; clan upstream bug.
- Deployment must go through `clan machines update`, not plain
  nixos-rebuild, or the per-host SOPS age key isn't uploaded and
  zerotier-one can't decrypt its identity.
2026-04-19 14:43:29 +02:00

18 lines
1.8 KiB
Text
Raw Blame History

{
"data": "ENC[AES256_GCM,data:6WHKA76dLKWJnGpNp45EAwf4gvHnoccXbGz1bCH5EYN/7o0zcl8KziabKjG+hY4BlG7CsNPCOVr2bWAVkWBjTQVoYNwaBNsQ2DF15E0/qxqCYUXKUNoZ5xkWvrcNbVCyEdDAZX9abpAyLenlOMRLFNaWlOsKVr44uG9j75KyMc8NNl4UvCjuBEdAvNLOhEOWuQaRJc73IJAet7pWxP7HkwkihR4+GVIft1UygNYmcThPr2A1+DdNf+IsCNJTR+FL2l3OupCIBawSR6/L/cjyBt1YvIu6fCSYs82r63+W2RKlIzpvoyupEH2vteSgiaLNQ8/j114f4MCZjSgJ3y8SKloZAQTPpsobsnHhYNUS,iv:oji4lQxeXdrvoERb/EtXJEC0LNqn4qBewxM2/rD1FfY=,tag:XQBCSwHw2MFiI4qRdX4klw==,type:str]",
"sops": {
"age": [
{
"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZmhNdTVjSG91RGpyMnlv\nY2x0azE3YTZhTDlzTGZOUXdvbEJhTmNqbzFZCmZPWWtOZG52V1NLVFRlODA2N1dB\neCtsWXg5Q3I3MTJKWlJkeTBwOG00aUUKLS0tIDBnRFRrcXJ5SnZEUTN3REs5VTZH\nNlN3MTJ6aWdpMHVkTDJ5MVRuUTVEak0Kw8VPmgp0XiIVlADbjQjHqxdK31kAAAf0\nN/VCLirEK+DOzXJIkMguL7K9Xe7HyIOvtkJGBE2et1mia1pXkxClqA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1zy3q73pujauyajgfqwu0pnyy8732lzwvw87tu7p2xg3xuzaujc2qh6ql77",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQL1NLbFlWdk5TQXNUSUFF\nNTFqQk01RzI0WUJrdklBSlBGbkJYU0N2Qnl3CnRDakRiamtMREJLQkhTN1VPWEtz\neFlWVTlmU2NPWTVxdGtHVzROS1ZmV3MKLS0tIEJsVTRZMy9pWTNTK2k1aklXeGY3\nODZGMy9TQytYOG9kbExnMVg1bEFOYUkKwa9MG/IXjaXjB/wxR5xBYN9CtpQHP7pj\nyDBTqa68JQHcUkFgtxBojjumWWADkHO+LmExPSP8Q7Jk+raR2JawXw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-04-19T12:31:44Z",
"mac": "ENC[AES256_GCM,data:/GMdb0AGXxWFr9nBFwyRD9iiqXloZu4zTsrDINpfdvGVzp4bQgny2KqHeCtUj2yaPrtEq9dXlLKdgMMlfiXx9b6I1A9AUM/DGle6ZCWyY07598/kNsFL4+2Fr/Xp3wcwVpxDpo2590jb1yT+8FSXzyy6oKjLOCBKixKq70U9bwo=,iv:OyShn5yuTDOhSSSF1AfVOFktFdk6vVVsemMOg2XhjrY=,tag:F7bTHCyhrMG6VyVcYNAVHA==,type:str]",
"version": "3.12.2"
}
}
Reference in a new issue View git blame Copy permalink