Merge pull request 'also encrypt secret for the machine itself' (#372) from Mic92-main into main

nixosModules/clanCore/zerotier/default.nix

@@ -79,9 +79,10 @@ in
           KeepConfiguration = "static";
         };
       };
-      networking.firewall.allowedUDPPorts = [ 9993 ];
+      networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ]; # mdns
-      networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ];
+      networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ]; # mdns
-      networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ];
+      networking.networkmanager.unmanaged = [ "interface-name:zt*" ];
+
       services.zerotierone = {
         enable = true;
         joinNetworks = [ cfg.networkId ];

pkgs/clan-cli/clan_cli/secrets/sops_generate.py

@@ -64,6 +64,7 @@ export secrets={shlex.quote(str(secrets_dir))}
             encrypt_secret(
                 sops_secrets_folder() / f"{machine_name}-{secret['name']}",
                 secret_file.read_text(),
+                add_machines=[machine_name],
             )
         for fact in secret_options["facts"].values():
             fact_file = facts_dir / fact["name"]

pkgs/clan-cli/tests/test_secrets_generate.py

@@ -40,3 +40,11 @@ def test_upload_secret(
     cli.run(["secrets", "generate", "vm1"])
     assert age_key.lstat().st_mtime_ns == age_key_mtime
     assert identity_secret.lstat().st_mtime_ns == secret1_mtime
+
+    machine_path = (
+        sops_secrets_folder()
+        .joinpath("vm1-zerotier-identity-secret")
+        .joinpath("machines")
+        .joinpath("vm1")
+    )
+    assert machine_path.exists()