diff --git a/nixosModules/clanCore/zerotier/default.nix b/nixosModules/clanCore/zerotier/default.nix
index 5de095d..113fed6 100644
--- a/nixosModules/clanCore/zerotier/default.nix
+++ b/nixosModules/clanCore/zerotier/default.nix
@@ -79,9 +79,10 @@ in
 KeepConfiguration = "static";
 };
 };
- networking.firewall.allowedUDPPorts = [ 9993 ];
- networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ];
- networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ];
+ networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ]; # mdns
+ networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ]; # mdns
+ networking.networkmanager.unmanaged = [ "interface-name:zt*" ];
+
 services.zerotierone = {
 enable = true;
 joinNetworks = [ cfg.networkId ];
diff --git a/pkgs/clan-cli/clan_cli/secrets/sops_generate.py b/pkgs/clan-cli/clan_cli/secrets/sops_generate.py
index f93c6a8..1f9384f 100644
--- a/pkgs/clan-cli/clan_cli/secrets/sops_generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/sops_generate.py
@@ -64,6 +64,7 @@ export secrets={shlex.quote(str(secrets_dir))}
 encrypt_secret(
 sops_secrets_folder() / f"{machine_name}-{secret['name']}",
 secret_file.read_text(),
+ add_machines=[machine_name],
 )
 for fact in secret_options["facts"].values():
 fact_file = facts_dir / fact["name"]
diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py
index 142bea1..44b6aa9 100644
--- a/pkgs/clan-cli/tests/test_secrets_generate.py
+++ b/pkgs/clan-cli/tests/test_secrets_generate.py
@@ -40,3 +40,11 @@ def test_upload_secret(
 cli.run(["secrets", "generate", "vm1"])
 assert age_key.lstat().st_mtime_ns == age_key_mtime
 assert identity_secret.lstat().st_mtime_ns == secret1_mtime
+
+ machine_path = (
+ sops_secrets_folder()
+ .joinpath("vm1-zerotier-identity-secret")
+ .joinpath("machines")
+ .joinpath("vm1")
+ )
+ assert machine_path.exists()
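Review bot: The global `networking.firewall.allowedUDPPorts = [ 9993 ]` rule is removed with no replacement and the hunk does not say why; if the upstream `services.zerotierone` module already opens its listen port itself (I believe it does via its `port` option, but nothing here shows it), a comment such as `# UDP 9993 is opened by the upstream zerotierone module; do not re-add it here` would keep a later reader from restoring the line. If it does not, inbound peer traffic to this node is now blocked and ZeroTier would have to fall back to relayed connections instead of direct links, which is worth confirming before merge. The `zt+` wildcard in the firewall interface rules and `zt*` in the NetworkManager match are each the correct syntax for their tool, but a one-line comment noting that the two spellings differ on purpose would avoid a well-meant "fix". The `# mdns` annotations on the 5353 lines are a good addition.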
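Review bot: Passing `add_machines=[machine_name]` only affects secrets encrypted by this call, so secrets generated before this change and then skipped as already present on later runs will still lack the machine recipient; the hunk shows no re-encryption or migration path for them, and that gap is worth either closing or documenting. A short comment on the new line, e.g. `# also encrypt for this machine's key (presumably so the host can decrypt it itself) — confirm`, would record the intent. It is also not visible here what `encrypt_secret` does when no key for `machine_name` has been registered yet, which is a case the caller should handle or document. The enclosing function starts and ends outside the hunk.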
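Review bot: The new `machine_path.exists()` assertion runs only after the second, idempotent `generate` invocation (the mtime checks just above show nothing was rewritten), so it cannot distinguish the machine recipient being added at creation time from it being added on the re-run; asserting the same path once right after the first generation, which lies outside this hunk, would pin the intended behaviour. The check also proves only that the recipient entry exists, not that the secret can actually be decrypted with the machine's key, which is the property the change is meant to provide. `test_upload_secret` starts outside the hunk.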