feat(zerotier): make os snippet and add custom options

a way to disable autostart for zerotier is beneficial to not
accidentally connect on each boot while still being able to connect on
demand

.sops.yaml

@@ -98,3 +98,9 @@ creation_rules:
       - *steveej
       age:
       - *steveej-x13s
+  - path_regex: ^secrets/work-holo/.+$
+    key_groups:
+    - pgp:
+      - *steveej
+      age:
+      - *steveej-x13s

nix/os/devices/steveej-t14/system.nix

@@ -116,43 +116,6 @@ in {
 
   hardware.ledger.enable = true;
 
-  # services.zerotierone = {
-  #   enable = false;
-  #   joinNetworks = [
-  #     # moved to the service below as it's now secret
-  #   ];
-  # };
-
-  # systemd.services.zerotieroneSecretNetworks = {
-  #   enable = false;
-  #   requiredBy = [ "zerotierone.service" ];
-  #   partOf = [ "zerotierone.service" ];
-
-  #   serviceConfig.Type = "oneshot";
-  #   serviceConfig.RemainAfterExit = true;
-
-  #   script =
-  #     let
-  #       secret = config.sops.secrets.zerotieroneNetworks;
-  #     in
-  #     ''
-  #       # include the secret's hash to trigger a restart on change
-  #       # ${builtins.hashString "sha256" (builtins.toJSON secret)}
-
-  #       ${config.systemd.services.zerotierone.preStart}
-
-  #       rm -rf /var/lib/zerotier-one/networks.d/*.conf
-  #       for network in `grep -v '#' ${secret.path}`; do
-  #         touch /var/lib/zerotier-one/networks.d/''${network}.conf
-  #       done
-  #     '';
-  # };
-
-  sops.secrets.zerotieroneNetworks = {
-    sopsFile = ../../../../secrets/zerotierone.txt;
-    format = "binary";
-  };
-
   boot.binfmt.emulatedSystems = [
     "aarch64-linux"
   ];

nix/os/devices/steveej-x13s/configuration.nix

@@ -86,6 +86,8 @@
     ../../snippets/bluetooth.nix
     ../../snippets/timezone.nix
     ../../snippets/radicale.nix
+
+    ../../snippets/holo-zerotier.nix
   ];
 
   networking.hostName = nodeName;
@@ -148,4 +150,9 @@
   virtualisation.podman.dockerCompat = true;
 
   hardware.ledger.enable = true;
+
+  steveej.holo-zerotier = {
+    enable = true;
+    autostart = false;
+  };
 }

nix/os/snippets/holo-zerotier.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.steveej.holo-zerotier;
+in {
+  options.steveej.holo-zerotier = {
+    enable = lib.mkEnableOption "Enable holo-zerotier";
+    autostart = lib.mkOption {default = false;};
+  };
+
+  config = {
+    services.zerotierone = {
+      enable = cfg.enable;
+      joinNetworks = [
+        # moved to the service below as it's now secret
+      ];
+    };
+
+    systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []);
+
+    systemd.services.zerotieroneSecretNetworks = {
+      enable = cfg.enable;
+      requiredBy = ["zerotierone.service"];
+      partOf = ["zerotierone.service"];
+
+      serviceConfig.Type = "oneshot";
+      serviceConfig.RemainAfterExit = true;
+
+      script = let
+        secret = config.sops.secrets.zerotieroneNetworks;
+      in ''
+        # include the secret's hash to trigger a restart on change
+        # ${builtins.hashString "sha256" (builtins.toJSON secret)}
+
+        ${config.systemd.services.zerotierone.preStart}
+
+        rm -rf /var/lib/zerotier-one/networks.d/*.conf
+        for network in `grep -v '#' ${secret.path}`; do
+          touch /var/lib/zerotier-one/networks.d/''${network}.conf
+        done
+      '';
+    };
+
+    sops.secrets.zerotieroneNetworks = {
+      sopsFile = ../../../secrets/work-holo/zerotierone.txt;
+      format = "binary";
+    };
+  };
+}

secrets/work-holo/zerotierone.txt

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydFBZWlJEdTkzWWFrVHdZ\nYVFxVEtCMS9tR3RMaFFWWnFEU2Z3dUc3dW5ZCmxTVGx2dHF6ejVVS0JQVjEwYU1X\nTE9wNmNQNWs4NlhXeEdtME5NV3FkUWMKLS0tIGJlamxpcndOTWR0b1l3b05WaXpT\nTkx3Rld2UnRPek5jNmdoWEYvbmZjVjgKirftt0yHRQj/JF6Ds6sFx6cX8pESZTy0\n+oPUdHEPAYpdii2FhDMxTPwy2ROGn5Bto1gMY38qopJ18bb1IFd4AA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-07-01T20:19:12Z",
+		"mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-03-01T10:00:58Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf+JWW5ihksSQw2X5TkcmdHb9FyGF9dAxjrYjjDdypM1F2O\nZjq8yevk+qyxq8NCaveAl4k8U2xQdqOTiirDYD8WhleLkj+sDNJv/RNMVpWywekb\ny24LmRNHlvVEPb92OjSHWy/QPbQGBGuoAA8KKZq+5sjR6vZIdzZeV1BWAvbkdDP2\nVVh0QjneXz0tHJ9HbytRb90xA/9Oyw0RQcxMad2A3THJO0L7OchPNkaIBmCjPSnO\n9x4ysbj87dkBmmCSOOqQAZAiWsDGRdgJyoNh0RFF3q5JCWLTRfPM6+eU8vXeenR4\nHqqO9AyhjCSjA0T1+/pPXY+C1WGkqHDODDfW3KrhGdJeATWyfi1D77SA7SQMiXjW\n+j0Oo3Y0K3aJAVn62aicgBNd5fhtTS4xIXXtnBsyjStVripW326g1b9LS0IcvouL\nwfQfrKNTkpX+Rui6Upb+KYIfTlGRl99ItJd4SMBLMQ==\n=Zlg1\n-----END PGP MESSAGE-----",
+				"fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

secrets/zerotierone.txt

@@ -1,58 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva2lYMFY1V1piNlBpUURv\naWh3dHpaQXdqdzRCU2JIcHExbkhwZzhXd0JnCkFTMG5wVDNQVzNVUmo1cUh1TWtF\naHVTcGRpSDNxa1NHVDZvZWFpREdOcVEKLS0tIFVJSTdiZFBwTlJEMFowYnJqdjFr\nWDdKM2FGM0dQS1NZOTlZUGlOa2srV2cKr/EwcrbOw9vjmFp7OsEF6y0KxACs8NPM\nRYMKhnzd/6VFY5aK79V6JuMSOLaMT+AbQODg+R/iA3TNLev22Jfcvw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOWsvenhWdC9ENVlXTXZi\ndWtJWWZUZGMyTzduMzFvK2M1NmFLZ1JwVFNFCkpTMDh6eWhwV0Fya0syRDhuWDlK\nV1lBbGNDbXUvNHB5MGMrS3R0b043YnMKLS0tIExXNXlsaUhsTUxGZGY5U2VRNXJr\nNjZmTU80QVZ1blFKd2dGandsVm42blEK/3uqLhxS16HU67wA0T0Y9uqb2WJI6dII\ndCktjLZcKKyGB+UXNyzDiRgMR4OKIvB0MjLIql2SZKt53OpkpytAbQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWlErYU5pUHJRdXlCRmZS\nNWlWalFDb0xFZFlrbkdXMG0zYXl1UjhmNUQwCmNCcWZPME8yOGcycnVRWXJxeFo3\nTHFuWHY5aXRxZERNU3duSzRsaFIreWMKLS0tIDRyWmFzeGN2YU9LNW9IWUZNWkVJ\nOTlYTlNteEU0REhmd3ovbGQ4Z09FakkKliCyJsTqsUD5t2vOfTigqA7WObfNCcsd\nt1Fs8vf/1tReWqF8V0f97lD2APgfqgg0hqWFcKkiGYBRWEJvBAj8Lw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT0xzWEtNRHl3bFBZRGl2\nTlkyaWRGTHcxcDVqa012VUk1ZUVjREF2bGlJCmRBNkdzRmsxT2dFemJ6NFAxV1g5\nV2p2c09VKzNVSTJ0V2lheWNwMFlMdk0KLS0tIDZWMTBtaWZjcmRYMnhjY3VudlUz\nem10U1FzZ3p2VzZrRXZyRDFUTy92dkUKcM0Nh1/rQ/aoXHJ16QjZ0daxyaOIyzyx\nXbWDj0opTiYweKrL93P8MSQr8V5i2zVcxP7Gw/fZsWlCs26nBeK1xQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZVdzS2lONzg0eGJUei9X\nem9Nc1FhTm5XampHVjJieHJjOUczR09VNTFjCjBkejNlY0I3dEhYbzYvaTBsMDd5\ndjc0alpKNWF6YTVOczltTFRueWZBYXcKLS0tIFJTSThncVdhajhaNmdZTjRNQVFB\nTi93ejQ2bUsrVXl0eDRkbFE5UlhKUzQKg/cJKYzhq1YIBvvNx/N4F258WUnrmNMs\n2MnxrLk9a67AGciCynEMO02dpUXPWxgUkTSqOjRkkcA20x5Rpn4e6w==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRUliYTB2MG1zUVU0ZWFM\nNUNEMUdha3ZSZ2dkYmZuVk96VjlUTVpWNkI0ClIyUFBZWFppTzJwbHhJaFhXWTBM\nT0pvVklqbE00aW9GMG4wWnFkZkNoQVkKLS0tIExoeTBBcjlsUkZyQkNrUW1zdXU2\nUytDNk9YOXNtU3hLUzdFQnlzQ1lJSjgK+64AJTx4ZjT4njl0Gr4Hk3ykljRTgaqO\nuOjLz/9Qy2rM3BcJzajhCU1pU4f1A0qDQRjoYj5+M9qW/NMbZt6Ujw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWjJsQVpGQXhLdkh0UGtp\nUkZKa0hRblFHaHpVZm9MNnA2SnBIYVdLUDE4Cmkvbmx1aVBVMVFjdlBjU2JTNlVa\nYTQwdUF0ZHhzRGFIY2RUS1JmOVhCWE0KLS0tIGd0eHNOUmJ3T21jQ0QvRHlnOWRw\ndXBIVFdRQld3RmR3VWhpRS9XLy93ZzgKIcCl3r4Q+p1GqeMQmTQFDOhGDN1KE1Fl\npdx6QOkhZSVAux3YcbWNex7nDju5Meqhyhfe5l4YLJKnM5gs3efFcQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArazhNT3QzWFpXNTFmWVkr\nTklLei9RN1M1R0pVVTBZTUJkTDVvbzdWbG5zCmx0RVgwbG5IZXNvZUFkaWNzRW10\nKzdNTDZyaGZVNDg0MXR6aGpVQ3FOSEUKLS0tIHB2WnNHZStodXZJTElBV0ljWExy\nbFo2Q3RMRm5BNm1zcnNhdzRYbk5CcWMKsdK8OIVKidayA0LU1NF2pjHjTirVQ/MA\nS4yGouebH4YbFkHDpHbttv572Iw1mbZK0EVIbiJuYoGudb1w60ROIA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU090RWZqSnpSaGFWcmVM\nQlRWckdLMk5Kd2E0dFVnSzZEcXBPNmkyTkVZCnNtekhvcUhYZG1RS0ZINVBNMU9L\nSHFqNlMxODdRbm5MOEw3UG9VM2NlVUUKLS0tIE5acnhENFNwR3JMc0s3N2g4dFBs\nR0FuSi94d3RUNFVWQ01uM3UyZW1tRDAKfIVF6+PE2iMC3m81wPoqH9LqL3MsK1WV\nslE4l1m04UL315vdAyPm3k9b+vkTGD4Fmeywsto7Am92/JCanlT7+g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2023-07-01T20:19:12Z",
-		"mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]",
-		"pgp": [
-			{
-				"created_at": "2024-01-24T22:48:30Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf9H8VPhApFkYZi72afxgtHIqclNN4BPuSEhYQYR0m2tvm+\nj0sa3ehI6frkH8KxCtgXgaVB+74yWe+JeVnWRZUk1nIm+q0kuN+0Kn5+YQW0iYuv\n3z34VCw938Gebz57BLaWZTcns3xur+Ug3a+fjyjsKW7w90aP2Q7V2qp9AgxxsN1U\nl9Z1RXHlIUS1CGqA8py2mIkgvlK0WHiYRXsqdRvJh1jdUvzkJjYSpgz4Kj7pyyte\nvXIB4HckW6Fjn6Nlfeyzt6Ka9NziX7EAFlBs/8U8QvkX8AizCxuTwwB9n5rbRxb3\nDjXbgckkkKHc2nEx3xSRe7vh1cfQhTU/TNTuZI3GcNJeAVD89dwR7hhkqFzkanw+\n3hVV1mbDNIDA2fCfxiDLvBDYq8jhaMosAIrwO5TcXEm1PeEuRx1mDEjHsthwmOad\nEJNSBWKGzd13r23WlPRjdeCUF0YSnNFbhM0rwLlLdA==\n=5GJ1\n-----END PGP MESSAGE-----",
-				"fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
-			}
-		],
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.3"
-	}
-}