diff --git a/nixosModules/clanCore/secrets/default.nix b/nixosModules/clanCore/secrets/default.nix
index c991b4ad6..5079511e7 100644
--- a/nixosModules/clanCore/secrets/default.nix
+++ b/nixosModules/clanCore/secrets/default.nix
@@ -18,7 +18,8 @@
   };
 
   options.clanCore.secretsUploadDirectory = lib.mkOption {
-    type = lib.types.path;
+    type = lib.types.nullOr lib.types.path;
+    default = null;
     description = ''
       The directory where secrets are uploaded into, This is backend specific.
     '';
diff --git a/nixosModules/clanCore/zerotier/default.nix b/nixosModules/clanCore/zerotier/default.nix
index a732cb942..2d3c2bb90 100644
--- a/nixosModules/clanCore/zerotier/default.nix
+++ b/nixosModules/clanCore/zerotier/default.nix
@@ -94,16 +94,38 @@ in
       # only the controller needs to have the key in the repo, the other clients can be dynamic
       # we generate the zerotier code manually for the controller, since it's part of the bootstrap command
       clanCore.secrets.zerotier = {
+        facts.zerotier-ip = { };
+        facts.zerotier-meshname = { };
         facts.zerotier-network-id = { };
         secrets.zerotier-identity-secret = { };
         generator = ''
           export PATH=${lib.makeBinPath [ config.services.zerotierone.package pkgs.fakeroot ]}
-          ${pkgs.python3.interpreter} ${./generate-network.py} "$facts/zerotier-network-id" "$secrets/zerotier-identity-secret"
+          ${pkgs.python3.interpreter} ${./generate.py} --mode network \
+            --ip "$facts/zerotier-ip" \
+            --meshname "$facts/zerotier-meshname" \
+            --identity-secret "$secrets/zerotier-identity-secret" \
+            --network-id "$facts/zerotier-network-id"
         '';
       };
       environment.systemPackages = [ config.clanCore.clanPkgs.zerotier-members ];
     })
-    (lib.mkIf ((config.clanCore.secrets ? zerotier) && (facts.zerotier-network-id.value != null)) {
+    (lib.mkIf (config.clanCore.secretsUploadDirectory != null && !cfg.controller.enable && cfg.networkId != null) {
+      clanCore.secrets.zerotier = {
+        facts.zerotier-ip = { };
+        facts.zerotier-meshname = { };
+        secrets.zerotier-identity-secret = { };
+
+        generator = ''
+          export PATH=${lib.makeBinPath [ config.services.zerotierone.package ]}
+          ${pkgs.python3.interpreter} ${./generate.py} --mode identity \
+            --ip "$facts/zerotier-ip" \
+            --meshname "$facts/zerotier-meshname" \
+            --identity-secret "$secrets/zerotier-identity-secret" \
+            --network-id ${cfg.networkId}
+        '';
+      };
+    })
+    (lib.mkIf (cfg.controller.enable && config.clanCore.secrets ? zerotier && facts.zerotier-network-id.value != null) {
       clan.networking.zerotier.networkId = facts.zerotier-network-id.value;
       environment.etc."zerotier/network-id".text = facts.zerotier-network-id.value;
 
diff --git a/nixosModules/clanCore/zerotier/generate-network.py b/nixosModules/clanCore/zerotier/generate.py
similarity index 53%
rename from nixosModules/clanCore/zerotier/generate-network.py
rename to nixosModules/clanCore/zerotier/generate.py
index 1269cd986..4bc2ec0d0 100644
--- a/nixosModules/clanCore/zerotier/generate-network.py
+++ b/nixosModules/clanCore/zerotier/generate.py
@@ -1,11 +1,14 @@
 import argparse
+import base64
 import contextlib
+import ipaddress
 import json
 import socket
 import subprocess
 import time
 import urllib.request
 from contextlib import contextmanager
+from dataclasses import dataclass
 from pathlib import Path
 from tempfile import TemporaryDirectory
 from typing import Any, Iterator, Optional
@@ -41,12 +44,25 @@ def find_free_port() -> Optional[int]:
         return sock.getsockname()[1]
 
 
+class Identity:
+    def __init__(self, path: Path) -> None:
+        self.public = (path / "identity.public").read_text()
+        self.private = (path / "identity.secret").read_text()
+
+    def node_id(self) -> str:
+        nid = self.public.split(":")[0]
+        assert (
+            len(nid) == 10
+        ), f"node_id must be 10 characters long, got {len(nid)}: {nid}"
+        return nid
+
+
 class ZerotierController:
     def __init__(self, port: int, home: Path) -> None:
         self.port = port
         self.home = home
         self.authtoken = (home / "authtoken.secret").read_text()
-        self.secret = (home / "identity.secret").read_text()
+        self.identity = Identity(home)
 
     def _http_request(
         self,
@@ -70,10 +86,10 @@ class ZerotierController:
         return self._http_request("/status")
 
     def create_network(self, data: dict[str, Any] = {}) -> dict[str, Any]:
-        identity = (self.home / "identity.public").read_text()
-        node_id = identity.split(":")[0]
         return self._http_request(
-            f"/controller/network/{node_id}______", method="POST", data=data
+            f"/controller/network/{self.identity.node_id()}______",
+            method="POST",
+            data=data,
         )
 
     def get_network(self, id: str) -> dict[str, Any]:
@@ -118,25 +134,91 @@ def zerotier_controller() -> Iterator[ZerotierController]:
                 p.wait()
 
 
+@dataclass
+class NetworkController:
+    networkid: str
+    identity: Identity
+
+
 # TODO: allow merging more network configuration here
-def create_network() -> dict:
+def create_network_controller() -> NetworkController:
     with zerotier_controller() as controller:
         network = controller.create_network()
-        return {
-            "secret": controller.secret,
-            "networkid": network["nwid"],
-        }
+        return NetworkController(network["nwid"], controller.identity)
+
+
+def create_identity() -> Identity:
+    with TemporaryDirectory() as d:
+        tmpdir = Path(d)
+        private = tmpdir / "identity.secret"
+        public = tmpdir / "identity.public"
+        subprocess.run(["zerotier-idtool", "generate", private, public])
+        return Identity(tmpdir)
+
+
+def compute_zerotier_ip(network_id: str, identity: Identity) -> ipaddress.IPv6Address:
+    assert (
+        len(network_id) == 16
+    ), "network_id must be 16 characters long, got {network_id}"
+    nwid = int(network_id, 16)
+    node_id = int(identity.node_id(), 16)
+    addr_parts = bytearray(
+        [
+            0xFD,
+            (nwid >> 56) & 0xFF,
+            (nwid >> 48) & 0xFF,
+            (nwid >> 40) & 0xFF,
+            (nwid >> 32) & 0xFF,
+            (nwid >> 24) & 0xFF,
+            (nwid >> 16) & 0xFF,
+            (nwid >> 8) & 0xFF,
+            (nwid) & 0xFF,
+            0x99,
+            0x93,
+            (node_id >> 32) & 0xFF,
+            (node_id >> 24) & 0xFF,
+            (node_id >> 16) & 0xFF,
+            (node_id >> 8) & 0xFF,
+            (node_id) & 0xFF,
+        ]
+    )
+    return ipaddress.IPv6Address(bytes(addr_parts))
+
+
+def compute_zerotier_meshname(ip: ipaddress.IPv6Address) -> str:
+    return base64.b32encode(ip.packed)[0:26].decode("ascii").lower()
 
 
 def main() -> None:
     parser = argparse.ArgumentParser()
-    parser.add_argument("network_id")
-    parser.add_argument("identity_secret")
+    parser.add_argument(
+        "--mode", choices=["network", "identity"], required=True, type=str
+    )
+    parser.add_argument("--ip", type=Path, required=True)
+    parser.add_argument("--meshname", type=Path, required=True)
+    parser.add_argument("--identity-secret", type=Path, required=True)
+    parser.add_argument("--network-id", type=str, required=False)
     args = parser.parse_args()
 
-    zerotier = create_network()
-    Path(args.network_id).write_text(zerotier["networkid"])
-    Path(args.identity_secret).write_text(zerotier["secret"])
+    match args.mode:
+        case "network":
+            if args.network_id is None:
+                raise ValueError("network_id parameter is required")
+            controller = create_network_controller()
+            identity = controller.identity
+            network_id = controller.networkid
+            Path(args.network_id).write_text(network_id)
+        case "identity":
+            identity = create_identity()
+            network_id = args.network_id
+        case _:
+            raise ValueError(f"unknown mode {args.mode}")
+    ip = compute_zerotier_ip(network_id, identity)
+    meshname = compute_zerotier_meshname(ip)
+
+    args.identity_secret.write_text(identity.private)
+    args.ip.write_text(ip.compressed)
+    args.meshname.write_text(meshname)
 
 
 if __name__ == "__main__":
diff --git a/pkgs/clan-cli/clan_cli/dirs.py b/pkgs/clan-cli/clan_cli/dirs.py
index 9023c6727..172d29c78 100644
--- a/pkgs/clan-cli/clan_cli/dirs.py
+++ b/pkgs/clan-cli/clan_cli/dirs.py
@@ -48,7 +48,7 @@ def user_data_dir() -> Path:
     elif sys.platform == "darwin":
         return Path(os.path.expanduser("~/Library/Application Support/"))
     else:
-        return Path(os.getenv("XDG_DATA_HOME", os.path.expanduser("~/.local/state")))
+        return Path(os.getenv("XDG_DATA_HOME", os.path.expanduser("~/.local/share")))
 
 
 def clan_data_dir() -> Path:
@@ -78,7 +78,7 @@ def clan_flakes_dir() -> Path:
 def specific_flake_dir(flake_name: FlakeName) -> Path:
     flake_dir = clan_flakes_dir() / flake_name
     if not flake_dir.exists():
-        raise ClanError(f"Flake '{flake_name}' does not exist in {flake_dir}")
+        raise ClanError(f"Flake '{flake_name}' does not exist in {clan_flakes_dir()}")
     return flake_dir
 
 
diff --git a/pkgs/clan-cli/tests/fixtures_flakes.py b/pkgs/clan-cli/tests/fixtures_flakes.py
index 80a4dab8b..cc0ce0738 100644
--- a/pkgs/clan-cli/tests/fixtures_flakes.py
+++ b/pkgs/clan-cli/tests/fixtures_flakes.py
@@ -55,7 +55,7 @@ def create_flake(
     template = Path(__file__).parent / flake_name
 
     # copy the template to a new temporary location
-    flake = temporary_home / ".local/state/clan/flake" / flake_name
+    flake = temporary_home / ".local/share/clan/flake" / flake_name
     shutil.copytree(template, flake)
 
     # lookup the requested machines in ./test_machines and include them
diff --git a/pkgs/clan-cli/tests/temporary_dir.py b/pkgs/clan-cli/tests/temporary_dir.py
index 0b16c3fc1..026998206 100644
--- a/pkgs/clan-cli/tests/temporary_dir.py
+++ b/pkgs/clan-cli/tests/temporary_dir.py
@@ -21,6 +21,7 @@ def temporary_home(monkeypatch: pytest.MonkeyPatch) -> Iterator[Path]:
     else:
         with tempfile.TemporaryDirectory(prefix="pytest-") as dirpath:
             monkeypatch.setenv("HOME", str(dirpath))
+            monkeypatch.setenv("XDG_DATA_HOME", str(Path(dirpath) / ".local/share"))
             monkeypatch.chdir(str(dirpath))
             log.debug("Temp HOME directory: %s", str(dirpath))
             yield Path(dirpath)
diff --git a/pkgs/clan-cli/tests/test_flake_api.py b/pkgs/clan-cli/tests/test_flake_api.py
index 7af7110a0..b05e057e9 100644
--- a/pkgs/clan-cli/tests/test_flake_api.py
+++ b/pkgs/clan-cli/tests/test_flake_api.py
@@ -27,7 +27,7 @@ def test_inspect_ok(api: TestClient, test_flake_with_core: FlakeForTest) -> None
     assert response.status_code == 200, "Failed to inspect vm"
     data = response.json()
     print("Data: ", data)
-    assert data.get("flake_attrs") == ["vm1"]
+    assert data.get("flake_attrs") == ["vm1", "vm2"]
 
 
 @pytest.mark.impure
diff --git a/pkgs/clan-cli/tests/test_flake_with_core/flake.nix b/pkgs/clan-cli/tests/test_flake_with_core/flake.nix
index 07ab01d83..a501c8975 100644
--- a/pkgs/clan-cli/tests/test_flake_with_core/flake.nix
+++ b/pkgs/clan-cli/tests/test_flake_with_core/flake.nix
@@ -31,6 +31,13 @@
               '';
             };
           };
+          vm2 = { lib, ... }: {
+            clan.networking.deploymentAddress = "__CLAN_DEPLOYMENT_ADDRESS__";
+            system.stateVersion = lib.version;
+            sops.age.keyFile = "__CLAN_SOPS_KEY_PATH__";
+            clanCore.secretsUploadDirectory = "__CLAN_SOPS_KEY_DIR__";
+            clan.networking.zerotier.networkId = "82b44b162ec6c013";
+          };
         };
       };
     in
diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py
index 78bf1d607..fbba4ae6f 100644
--- a/pkgs/clan-cli/tests/test_secrets_generate.py
+++ b/pkgs/clan-cli/tests/test_secrets_generate.py
@@ -1,3 +1,4 @@
+import ipaddress
 from typing import TYPE_CHECKING
 
 import pytest
@@ -39,16 +40,9 @@ def test_generate_secret(
         test_flake_with_core.name, "vm1", "zerotier-network-id"
     )
     assert len(network_id) == 16
-    age_key = (
-        sops_secrets_folder(test_flake_with_core.path)
-        .joinpath("vm1-age.key")
-        .joinpath("secret")
-    )
-    identity_secret = (
-        sops_secrets_folder(test_flake_with_core.path)
-        .joinpath("vm1-zerotier-identity-secret")
-        .joinpath("secret")
-    )
+    secrets_folder = sops_secrets_folder(test_flake_with_core.path)
+    age_key = secrets_folder / "vm1-age.key" / "secret"
+    identity_secret = secrets_folder / "vm1-zerotier-identity-secret" / "secret"
     age_key_mtime = age_key.lstat().st_mtime_ns
     secret1_mtime = identity_secret.lstat().st_mtime_ns
 
@@ -57,10 +51,14 @@ def test_generate_secret(
     assert age_key.lstat().st_mtime_ns == age_key_mtime
     assert identity_secret.lstat().st_mtime_ns == secret1_mtime
 
-    machine_path = (
-        sops_secrets_folder(test_flake_with_core.path)
-        .joinpath("vm1-zerotier-identity-secret")
-        .joinpath("machines")
-        .joinpath("vm1")
-    )
-    assert machine_path.exists()
+    assert (
+        secrets_folder / "vm1-zerotier-identity-secret" / "machines" / "vm1"
+    ).exists()
+
+    cli.run(["secrets", "generate", "vm2"])
+    assert has_secret(test_flake_with_core.path, "vm2-age.key")
+    assert has_secret(test_flake_with_core.path, "vm2-zerotier-identity-secret")
+    ip = machine_get_fact(test_flake_with_core.name, "vm1", "zerotier-ip")
+    assert ipaddress.IPv6Address(ip).is_private
+    meshname = machine_get_fact(test_flake_with_core.name, "vm1", "zerotier-meshname")
+    assert len(meshname) == 26