zerotier module: add option to join network and open port #37949
Conversation
One alternative to using See zerotier/ZeroTierOne#161 as well as the
@danielfullmer, yes that's much nicer. Will amend.
Amended.
Cool idea, I just have one comment.
@@ -7,6 +7,16 @@ let | |||
in | |||
{ | |||
options.services.zerotierone.enable = mkEnableOption "ZeroTierOne"; | |||
|
|||
options.services.zerotierone.joinNetwork = mkOption { | |||
default = null; |
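Review bot: `joinNetwork` is declared with `default = null;` and, in the visible lines, no `type`, so a single arbitrary string is accepted and nothing rejects a malformed value even though it is later used as a file name in the preStart script; since a host may also belong to several networks, declare it as a list of network IDs, e.g. `type = types.listOf types.str; default = [ ];` (or a `types.strMatching` pattern for 16 hex characters), and name the option in the plural.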
Can you make this an array? It's possible to join multiple networks at the same time.
Done.
mkdir -p /var/lib/zerotier-one | ||
chmod 700 /var/lib/zerotier-one | ||
chown -R root:root /var/lib/zerotier-one | ||
''; | ||
'' + optionalString (cfg.joinNetwork != null) '' | ||
touch "/var/lib/zerotier-one/networks.d/${cfg.joinNetwork}.conf" |
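Review bot: `touch "/var/lib/zerotier-one/networks.d/${cfg.joinNetwork}.conf"` fails on the first start because the `mkdir -p` above creates only `/var/lib/zerotier-one`, and `networks.d` does not exist until the daemon has run once; change that line to `mkdir -p /var/lib/zerotier-one/networks.d`. The option value is also spliced into the shell string as-is, so either constrain it at the type level (a network ID is 16 hex characters) or wrap it with `escapeShellArg`, and the `cfg.joinNetwork != null` guard should become `!= [ ]` once the option is a list.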
Also, the networks.d subdirectory would not exist on the first startup of zerotier. Maybe just add it to the mkdir -p above?
Yup just noticed that too. Done.
@@ -38,6 +49,9 @@ in | |||
# ZeroTier does not issue DHCP leases, but some strangers might... | |||
networking.dhcpcd.denyInterfaces = [ "zt0" ]; | |||
|
|||
# ZeroTier receives UDP transmissions on port 9993 by default | |||
networking.firewall.allowedUDPPorts = [ 9993 ]; |
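Review bot: `networking.firewall.allowedUDPPorts = [ 9993 ];` opens the port unconditionally on every host that enables the module, and hardcodes a value the comment above itself calls only the default; guard it with an `openFirewall` boolean that defaults to false (`mkIf cfg.openFirewall [ cfg.port ]`) and expose the port as a `port` option so the same value is handed to the daemon and to the firewall.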
We do not open firewall ports by default except for ssh. I am not sure if we should make an exception here.
The ZeroTier service should have a parameter for port, so networking.firewall.allowedUDPPorts could be used at a higher level when really needed.
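The three review points in this thread (a list-typed join option, creating networks.d before the per-network files are touched, and a port option with the firewall opened only on request) combined into one module shape. This is an added example, not the PR's code and not the module as merged; the option names joinNetworks, port and openFirewall, and the -p<port> switch of zerotier-one, are assumptions.

```nix
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.zerotierone;
  # A ZeroTier network ID is 16 hex digits. Rejecting anything else when
  # the option is evaluated keeps the value safe to splice into the
  # preStart shell script below without further escaping.
  networkIdType = types.strMatching "[0-9a-fA-F]{16}";
in
{
  options.services.zerotierone = {
    enable = mkEnableOption "ZeroTierOne";

    # Assumed option name: a list, so one host can join several networks.
    joinNetworks = mkOption {
      type = types.listOf networkIdType;
      default = [ ];
      example = [ "8056c2e21c000001" ];
      description = "ZeroTier network IDs to join on service start.";
    };

    # Assumed option name: the daemon's listening port, 9993 by default.
    port = mkOption {
      type = types.port;
      default = 9993;
      description = "UDP port the ZeroTier daemon listens on.";
    };

    # Assumed option name. Closed by default, matching the NixOS convention
    # of opening no ports except SSH unless the operator asks for it.
    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = "Open the ZeroTier UDP port in the firewall.";
    };
  };

  config = mkIf cfg.enable {
    systemd.services.zerotierone = {
      description = "ZeroTierOne virtual network service";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      # networks.d is created here, so the touch below cannot fail on the
      # first boot, before the daemon has ever populated its home directory.
      # Each network ID has already been validated by networkIdType.
      preStart = ''
        mkdir -p /var/lib/zerotier-one/networks.d
        chmod 700 /var/lib/zerotier-one
        chown -R root:root /var/lib/zerotier-one
      '' + concatMapStrings (netId: ''
        touch "/var/lib/zerotier-one/networks.d/${netId}.conf"
      '') cfg.joinNetworks;

      # -p<port> is assumed to be the daemon's port switch; the same value
      # feeds the firewall rule below so the two cannot drift apart.
      serviceConfig = {
        ExecStart = "${pkgs.zerotierone}/bin/zerotier-one -p${toString cfg.port}";
        Restart = "on-failure";
      };
    };

    # Only opened when explicitly requested, and only for the configured port.
    networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ cfg.port ];
  };
}
```

A host then sets services.zerotierone.joinNetworks to the IDs it should join and opts into openFirewall = true only where it is meant to accept inbound ZeroTier traffic; everything else stays closed, and a misspelled network ID is rejected at evaluation time rather than becoming a stray file under networks.d.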
Motivation for this change
Open firewall port for UDP channel.
Ability to join network declaratively is useful for new hosts.
Will merge in a few days if no objections.
cc @sjmackenzie @zimbatm @roblabla @ehmry
Things done
Checklist (nixpkgs PR template; only fragments of the items survive here):
- sandboxed build (build-use-sandbox in nix.conf on non-NixOS)
- nix-shell -p nox --run "nox-review wip"
- ./result/bin/