From 5cf9b4428f54b3cef063285623e46d8d04452178 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Wed, 27 Sep 2023 10:31:10 +0200
Subject: [PATCH 1/2] clanCore.secrets: facts.value can be null or str
---
 nixosModules/clanCore/secrets/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nixosModules/clanCore/secrets/default.nix b/nixosModules/clanCore/secrets/default.nix
index 5d0fe72e2..55463e452 100644
--- a/nixosModules/clanCore/secrets/default.nix
+++ b/nixosModules/clanCore/secrets/default.nix
@@ -93,11 +93,12 @@
 };
 value = lib.mkOption {
 defaultText = lib.literalExpression "\${config.clanCore.clanDir}/\${fact.config.path}";
+ type = lib.types.nullOr lib.types.str;
 default =
 if builtins.pathExists "${config.clanCore.clanDir}/${fact.config.path}" then
 builtins.readFile "${config.clanCore.clanDir}/${fact.config.path}"
 else
- "";
+ null;
 };
 };
 }));
From c1a124d0bf0e2da70d6bfda392186b184009a904 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Wed, 27 Sep 2023 10:54:51 +0200
Subject: [PATCH 2/2] clan.networking.zerotier: create init script only if fact exists
---
 nixosModules/clanCore/zerotier/default.nix | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/nixosModules/clanCore/zerotier/default.nix b/nixosModules/clanCore/zerotier/default.nix
index fb0e2d61e..5de095d17 100644
--- a/nixosModules/clanCore/zerotier/default.nix
+++ b/nixosModules/clanCore/zerotier/default.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 let
 cfg = config.clan.networking.zerotier;
+ facts = config.clanCore.secrets.zerotier.facts;
 networkConfig = {
 authTokens = [
 null
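Review bot: In nixosModules/clanCore/secrets/default.nix the `value` option keeps `defaultText = lib.literalExpression "\${config.clanCore.clanDir}/\${fact.config.path}"`, which renders as a path although the default is the file's contents or, after this change, `null`, and the new `type` line comes without a `description`. I would add `description = "Contents of the fact file in clanDir, or null if the fact has not been generated yet.";` so readers know that null is a legitimate state. Moving the fallback from `""` to `null` also means a consumer that interpolates `value` into a string now fails at evaluation instead of silently receiving an empty string, so every consumer needs a null guard like the one the second patch adds for zerotier; consumers outside this patch are not visible here. The enclosing option set starts outside the hunk.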
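Review bot: In nixosModules/clanCore/zerotier/default.nix the new binding `facts = config.clanCore.secrets.zerotier.facts;` dereferences `zerotier` unconditionally, and it is only safe because `let` bindings are evaluated lazily and the `mkIf` condition in the later hunk tests `config.clanCore.secrets ? zerotier` before it touches `facts`. A comment on the binding would keep a later edit from forcing it in an unguarded place, for example `# lazy: only force after checking config.clanCore.secrets ? zerotier`. The `let` block continues outside the hunk.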
@@ -87,17 +88,19 @@ in
 };
 })
 (lib.mkIf cfg.controller.enable {
- clan.networking.zerotier.networkId = lib.mkDefault config.clanCore.secrets.zerotier.facts."zerotier-network-id".value;
 # only the controller needs to have the key in the repo, the other clients can be dynamic
 # we generate the zerotier code manually for the controller, since it's part of the bootstrap command
 clanCore.secrets.zerotier = {
- facts."zerotier-network-id" = { };
- secrets."zerotier-identity-secret" = { };
+ facts.zerotier-network-id = { };
+ secrets.zerotier-identity-secret = { };
 generator = ''
 export PATH=${lib.makeBinPath [ config.services.zerotierone.package pkgs.fakeroot ]}
 ${pkgs.python3.interpreter} ${./generate-network.py} "$facts/zerotier-network-id" "$secrets/zerotier-identity-secret"
 '';
 };
+ })
+ (lib.mkIf ((config.clanCore.secrets ? zerotier) && (facts.zerotier-network-id.value != null)) {
+ clan.networking.zerotier.networkId = facts.zerotier-network-id.value;
 systemd.services.zerotierone.serviceConfig.ExecStartPre = [
 "+${pkgs.writeShellScript "init-zerotier" ''