infra/nix/os/snippets/holo-zerotier.nix

{
  config,
  lib,
  ...
}: let
  cfg = config.steveej.holo-zerotier;
in {
  options.steveej.holo-zerotier = {
    enable = lib.mkEnableOption "Enable holo-zerotier";
    autostart = lib.mkOption {default = false;};
  };

  config = {
    services.zerotierone = {
      enable = cfg.enable;
      joinNetworks = [
        # moved to the service below as it's now secret
      ];
    };

    systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []);

    systemd.services.zerotieroneSecretNetworks = {
      enable = cfg.enable;
      requiredBy = ["zerotierone.service"];
      partOf = ["zerotierone.service"];

      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = true;

      script = let
        secret = config.sops.secrets.zerotieroneNetworks;
      in ''
        # include the secret's hash to trigger a restart on change
        # ${builtins.hashString "sha256" (builtins.toJSON secret)}

        ${config.systemd.services.zerotierone.preStart}

        rm -rf /var/lib/zerotier-one/networks.d/*.conf
        for network in `grep -v '#' ${secret.path}`; do
          touch /var/lib/zerotier-one/networks.d/''${network}.conf
        done
      '';
    };

    sops.secrets.zerotieroneNetworks = {
      sopsFile = ../../../secrets/work-holo/zerotierone.txt;
      format = "binary";
    };
  };
}
feat(zerotier): make os snippet and add custom options a way to disable autostart for zerotier is beneficial to not accidentally connect on each boot while still being able to connect on demand 2024-03-01 11:21:37 +01:00			`{`
			`config,`
			`lib,`
			`...`
			`}: let`
			`cfg = config.steveej.holo-zerotier;`
			`in {`
			`options.steveej.holo-zerotier = {`
			`enable = lib.mkEnableOption "Enable holo-zerotier";`
			`autostart = lib.mkOption {default = false;};`
			`};`

			`config = {`
			`services.zerotierone = {`
			`enable = cfg.enable;`
			`joinNetworks = [`
			`# moved to the service below as it's now secret`
			`];`
			`};`

			`systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []);`

			`systemd.services.zerotieroneSecretNetworks = {`
			`enable = cfg.enable;`
			`requiredBy = ["zerotierone.service"];`
			`partOf = ["zerotierone.service"];`

			`serviceConfig.Type = "oneshot";`
			`serviceConfig.RemainAfterExit = true;`

			`script = let`
			`secret = config.sops.secrets.zerotieroneNetworks;`
			`in ''`
			`# include the secret's hash to trigger a restart on change`
			`# ${builtins.hashString "sha256" (builtins.toJSON secret)}`

			`${config.systemd.services.zerotierone.preStart}`

			`rm -rf /var/lib/zerotier-one/networks.d/*.conf`
			for network in `grep -v '#' ${secret.path}`; do
			`touch /var/lib/zerotier-one/networks.d/''${network}.conf`
			`done`
			`'';`
			`};`

			`sops.secrets.zerotieroneNetworks = {`
			`sopsFile = ../../../secrets/work-holo/zerotierone.txt;`
			`format = "binary";`
			`};`
			`};`
			`}`