feat(zerotier): make os snippet and add custom options

a way to disable autostart for zerotier is beneficial to not accidentally connect on each boot while still being able to connect on demand
2024-03-01 11:21:37 +01:00 · 2024-03-01 11:21:37 +01:00 · e01290317a
commit e01290317a
parent c13b460ee9
6 changed files with 90 additions and 95 deletions
--- a/nix/os/snippets/holo-zerotier.nix
+++ b/nix/os/snippets/holo-zerotier.nix
@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.steveej.holo-zerotier;
+in {
+  options.steveej.holo-zerotier = {
+    enable = lib.mkEnableOption "Enable holo-zerotier";
+    autostart = lib.mkOption {default = false;};
+  };
+
+  config = {
+    services.zerotierone = {
+      enable = cfg.enable;
+      joinNetworks = [
+        # moved to the service below as it's now secret
+      ];
+    };
+
+    systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []);
+
+    systemd.services.zerotieroneSecretNetworks = {
+      enable = cfg.enable;
+      requiredBy = ["zerotierone.service"];
+      partOf = ["zerotierone.service"];
+
+      serviceConfig.Type = "oneshot";
+      serviceConfig.RemainAfterExit = true;
+
+      script = let
+        secret = config.sops.secrets.zerotieroneNetworks;
+      in ''
+        # include the secret's hash to trigger a restart on change
+        # ${builtins.hashString "sha256" (builtins.toJSON secret)}
+
+        ${config.systemd.services.zerotierone.preStart}
+
+        rm -rf /var/lib/zerotier-one/networks.d/*.conf
+        for network in `grep -v '#' ${secret.path}`; do
+          touch /var/lib/zerotier-one/networks.d/''${network}.conf
+        done
+      '';
+    };
+
+    sops.secrets.zerotieroneNetworks = {
+      sopsFile = ../../../secrets/work-holo/zerotierone.txt;
+      format = "binary";
+    };
+  };
+}