From e01290317aa62cea0d0a6733ac5dc6b8c7baa26d Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 1 Mar 2024 11:21:37 +0100 Subject: [PATCH] feat(zerotier): make os snippet and add custom options a way to disable autostart for zerotier is beneficial to not accidentally connect on each boot while still being able to connect on demand --- .sops.yaml | 6 ++ nix/os/devices/steveej-t14/system.nix | 37 ------------ nix/os/devices/steveej-x13s/configuration.nix | 7 +++ nix/os/snippets/holo-zerotier.nix | 51 ++++++++++++++++ secrets/work-holo/zerotierone.txt | 26 +++++++++ secrets/zerotierone.txt | 58 ------------------- 6 files changed, 90 insertions(+), 95 deletions(-) create mode 100644 nix/os/snippets/holo-zerotier.nix create mode 100644 secrets/work-holo/zerotierone.txt delete mode 100644 secrets/zerotierone.txt diff --git a/.sops.yaml b/.sops.yaml index d003e1b..2eac4bd 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -98,3 +98,9 @@ creation_rules: - *steveej age: - *steveej-x13s + - path_regex: ^secrets/work-holo/.+$ + key_groups: + - pgp: + - *steveej + age: + - *steveej-x13s diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index 4d43885..04fb60a 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -116,43 +116,6 @@ in { hardware.ledger.enable = true; - # services.zerotierone = { - # enable = false; - # joinNetworks = [ - # # moved to the service below as it's now secret - # ]; - # }; - - # systemd.services.zerotieroneSecretNetworks = { - # enable = false; - # requiredBy = [ "zerotierone.service" ]; - # partOf = [ "zerotierone.service" ]; - - # serviceConfig.Type = "oneshot"; - # serviceConfig.RemainAfterExit = true; - - # script = - # let - # secret = config.sops.secrets.zerotieroneNetworks; - # in - # '' - # # include the secret's hash to trigger a restart on change - # # ${builtins.hashString "sha256" (builtins.toJSON secret)} - - # ${config.systemd.services.zerotierone.preStart} - - # rm -rf /var/lib/zerotier-one/networks.d/*.conf - # for network in `grep -v '#' ${secret.path}`; do - # touch /var/lib/zerotier-one/networks.d/''${network}.conf - # done - # ''; - # }; - - sops.secrets.zerotieroneNetworks = { - sopsFile = ../../../../secrets/zerotierone.txt; - format = "binary"; - }; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index 6d90f3d..37331ff 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -86,6 +86,8 @@ ../../snippets/bluetooth.nix ../../snippets/timezone.nix ../../snippets/radicale.nix + + ../../snippets/holo-zerotier.nix ]; networking.hostName = nodeName; @@ -148,4 +150,9 @@ virtualisation.podman.dockerCompat = true; hardware.ledger.enable = true; + + steveej.holo-zerotier = { + enable = true; + autostart = false; + }; } diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix new file mode 100644 index 0000000..dc02fdc --- /dev/null +++ b/nix/os/snippets/holo-zerotier.nix @@ -0,0 +1,51 @@ +{ + config, + lib, + ... +}: let + cfg = config.steveej.holo-zerotier; +in { + options.steveej.holo-zerotier = { + enable = lib.mkEnableOption "Enable holo-zerotier"; + autostart = lib.mkOption {default = false;}; + }; + + config = { + services.zerotierone = { + enable = cfg.enable; + joinNetworks = [ + # moved to the service below as it's now secret + ]; + }; + + systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []); + + systemd.services.zerotieroneSecretNetworks = { + enable = cfg.enable; + requiredBy = ["zerotierone.service"]; + partOf = ["zerotierone.service"]; + + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + + script = let + secret = config.sops.secrets.zerotieroneNetworks; + in '' + # include the secret's hash to trigger a restart on change + # ${builtins.hashString "sha256" (builtins.toJSON secret)} + + ${config.systemd.services.zerotierone.preStart} + + rm -rf /var/lib/zerotier-one/networks.d/*.conf + for network in `grep -v '#' ${secret.path}`; do + touch /var/lib/zerotier-one/networks.d/''${network}.conf + done + ''; + }; + + sops.secrets.zerotieroneNetworks = { + sopsFile = ../../../secrets/work-holo/zerotierone.txt; + format = "binary"; + }; + }; +} diff --git a/secrets/work-holo/zerotierone.txt b/secrets/work-holo/zerotierone.txt new file mode 100644 index 0000000..a092cde --- /dev/null +++ b/secrets/work-holo/zerotierone.txt @@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydFBZWlJEdTkzWWFrVHdZ\nYVFxVEtCMS9tR3RMaFFWWnFEU2Z3dUc3dW5ZCmxTVGx2dHF6ejVVS0JQVjEwYU1X\nTE9wNmNQNWs4NlhXeEdtME5NV3FkUWMKLS0tIGJlamxpcndOTWR0b1l3b05WaXpT\nTkx3Rld2UnRPek5jNmdoWEYvbmZjVjgKirftt0yHRQj/JF6Ds6sFx6cX8pESZTy0\n+oPUdHEPAYpdii2FhDMxTPwy2ROGn5Bto1gMY38qopJ18bb1IFd4AA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-07-01T20:19:12Z", + "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", + "pgp": [ + { + "created_at": "2024-03-01T10:00:58Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf+JWW5ihksSQw2X5TkcmdHb9FyGF9dAxjrYjjDdypM1F2O\nZjq8yevk+qyxq8NCaveAl4k8U2xQdqOTiirDYD8WhleLkj+sDNJv/RNMVpWywekb\ny24LmRNHlvVEPb92OjSHWy/QPbQGBGuoAA8KKZq+5sjR6vZIdzZeV1BWAvbkdDP2\nVVh0QjneXz0tHJ9HbytRb90xA/9Oyw0RQcxMad2A3THJO0L7OchPNkaIBmCjPSnO\n9x4ysbj87dkBmmCSOOqQAZAiWsDGRdgJyoNh0RFF3q5JCWLTRfPM6+eU8vXeenR4\nHqqO9AyhjCSjA0T1+/pPXY+C1WGkqHDODDfW3KrhGdJeATWyfi1D77SA7SQMiXjW\n+j0Oo3Y0K3aJAVn62aicgBNd5fhtTS4xIXXtnBsyjStVripW326g1b9LS0IcvouL\nwfQfrKNTkpX+Rui6Upb+KYIfTlGRl99ItJd4SMBLMQ==\n=Zlg1\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/secrets/zerotierone.txt b/secrets/zerotierone.txt deleted file mode 100644 index 9059ac3..0000000 --- a/secrets/zerotierone.txt +++ /dev/null @@ -1,58 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva2lYMFY1V1piNlBpUURv\naWh3dHpaQXdqdzRCU2JIcHExbkhwZzhXd0JnCkFTMG5wVDNQVzNVUmo1cUh1TWtF\naHVTcGRpSDNxa1NHVDZvZWFpREdOcVEKLS0tIFVJSTdiZFBwTlJEMFowYnJqdjFr\nWDdKM2FGM0dQS1NZOTlZUGlOa2srV2cKr/EwcrbOw9vjmFp7OsEF6y0KxACs8NPM\nRYMKhnzd/6VFY5aK79V6JuMSOLaMT+AbQODg+R/iA3TNLev22Jfcvw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOWsvenhWdC9ENVlXTXZi\ndWtJWWZUZGMyTzduMzFvK2M1NmFLZ1JwVFNFCkpTMDh6eWhwV0Fya0syRDhuWDlK\nV1lBbGNDbXUvNHB5MGMrS3R0b043YnMKLS0tIExXNXlsaUhsTUxGZGY5U2VRNXJr\nNjZmTU80QVZ1blFKd2dGandsVm42blEK/3uqLhxS16HU67wA0T0Y9uqb2WJI6dII\ndCktjLZcKKyGB+UXNyzDiRgMR4OKIvB0MjLIql2SZKt53OpkpytAbQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWlErYU5pUHJRdXlCRmZS\nNWlWalFDb0xFZFlrbkdXMG0zYXl1UjhmNUQwCmNCcWZPME8yOGcycnVRWXJxeFo3\nTHFuWHY5aXRxZERNU3duSzRsaFIreWMKLS0tIDRyWmFzeGN2YU9LNW9IWUZNWkVJ\nOTlYTlNteEU0REhmd3ovbGQ4Z09FakkKliCyJsTqsUD5t2vOfTigqA7WObfNCcsd\nt1Fs8vf/1tReWqF8V0f97lD2APgfqgg0hqWFcKkiGYBRWEJvBAj8Lw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT0xzWEtNRHl3bFBZRGl2\nTlkyaWRGTHcxcDVqa012VUk1ZUVjREF2bGlJCmRBNkdzRmsxT2dFemJ6NFAxV1g5\nV2p2c09VKzNVSTJ0V2lheWNwMFlMdk0KLS0tIDZWMTBtaWZjcmRYMnhjY3VudlUz\nem10U1FzZ3p2VzZrRXZyRDFUTy92dkUKcM0Nh1/rQ/aoXHJ16QjZ0daxyaOIyzyx\nXbWDj0opTiYweKrL93P8MSQr8V5i2zVcxP7Gw/fZsWlCs26nBeK1xQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZVdzS2lONzg0eGJUei9X\nem9Nc1FhTm5XampHVjJieHJjOUczR09VNTFjCjBkejNlY0I3dEhYbzYvaTBsMDd5\ndjc0alpKNWF6YTVOczltTFRueWZBYXcKLS0tIFJTSThncVdhajhaNmdZTjRNQVFB\nTi93ejQ2bUsrVXl0eDRkbFE5UlhKUzQKg/cJKYzhq1YIBvvNx/N4F258WUnrmNMs\n2MnxrLk9a67AGciCynEMO02dpUXPWxgUkTSqOjRkkcA20x5Rpn4e6w==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRUliYTB2MG1zUVU0ZWFM\nNUNEMUdha3ZSZ2dkYmZuVk96VjlUTVpWNkI0ClIyUFBZWFppTzJwbHhJaFhXWTBM\nT0pvVklqbE00aW9GMG4wWnFkZkNoQVkKLS0tIExoeTBBcjlsUkZyQkNrUW1zdXU2\nUytDNk9YOXNtU3hLUzdFQnlzQ1lJSjgK+64AJTx4ZjT4njl0Gr4Hk3ykljRTgaqO\nuOjLz/9Qy2rM3BcJzajhCU1pU4f1A0qDQRjoYj5+M9qW/NMbZt6Ujw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWjJsQVpGQXhLdkh0UGtp\nUkZKa0hRblFHaHpVZm9MNnA2SnBIYVdLUDE4Cmkvbmx1aVBVMVFjdlBjU2JTNlVa\nYTQwdUF0ZHhzRGFIY2RUS1JmOVhCWE0KLS0tIGd0eHNOUmJ3T21jQ0QvRHlnOWRw\ndXBIVFdRQld3RmR3VWhpRS9XLy93ZzgKIcCl3r4Q+p1GqeMQmTQFDOhGDN1KE1Fl\npdx6QOkhZSVAux3YcbWNex7nDju5Meqhyhfe5l4YLJKnM5gs3efFcQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArazhNT3QzWFpXNTFmWVkr\nTklLei9RN1M1R0pVVTBZTUJkTDVvbzdWbG5zCmx0RVgwbG5IZXNvZUFkaWNzRW10\nKzdNTDZyaGZVNDg0MXR6aGpVQ3FOSEUKLS0tIHB2WnNHZStodXZJTElBV0ljWExy\nbFo2Q3RMRm5BNm1zcnNhdzRYbk5CcWMKsdK8OIVKidayA0LU1NF2pjHjTirVQ/MA\nS4yGouebH4YbFkHDpHbttv572Iw1mbZK0EVIbiJuYoGudb1w60ROIA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU090RWZqSnpSaGFWcmVM\nQlRWckdLMk5Kd2E0dFVnSzZEcXBPNmkyTkVZCnNtekhvcUhYZG1RS0ZINVBNMU9L\nSHFqNlMxODdRbm5MOEw3UG9VM2NlVUUKLS0tIE5acnhENFNwR3JMc0s3N2g4dFBs\nR0FuSi94d3RUNFVWQ01uM3UyZW1tRDAKfIVF6+PE2iMC3m81wPoqH9LqL3MsK1WV\nslE4l1m04UL315vdAyPm3k9b+vkTGD4Fmeywsto7Am92/JCanlT7+g==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-07-01T20:19:12Z", - "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", - "pgp": [ - { - "created_at": "2024-01-24T22:48:30Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf9H8VPhApFkYZi72afxgtHIqclNN4BPuSEhYQYR0m2tvm+\nj0sa3ehI6frkH8KxCtgXgaVB+74yWe+JeVnWRZUk1nIm+q0kuN+0Kn5+YQW0iYuv\n3z34VCw938Gebz57BLaWZTcns3xur+Ug3a+fjyjsKW7w90aP2Q7V2qp9AgxxsN1U\nl9Z1RXHlIUS1CGqA8py2mIkgvlK0WHiYRXsqdRvJh1jdUvzkJjYSpgz4Kj7pyyte\nvXIB4HckW6Fjn6Nlfeyzt6Ka9NziX7EAFlBs/8U8QvkX8AizCxuTwwB9n5rbRxb3\nDjXbgckkkKHc2nEx3xSRe7vh1cfQhTU/TNTuZI3GcNJeAVD89dwR7hhkqFzkanw+\n3hVV1mbDNIDA2fCfxiDLvBDYq8jhaMosAIrwO5TcXEm1PeEuRx1mDEjHsthwmOad\nEJNSBWKGzd13r23WlPRjdeCUF0YSnNFbhM0rwLlLdA==\n=5GJ1\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -} \ No newline at end of file