zerotier module: add option to join network and open port #37949
Conversation
|
One alternative to using See zerotier/ZeroTierOne#161 as well as the |
|
@danielfullmer, yes that's much nicer. Will amend. |
|
Amended. |
| @@ -7,6 +7,16 @@ let | |||
| in | |||
| { | |||
| options.services.zerotierone.enable = mkEnableOption "ZeroTierOne"; | |||
|
|
|||
| options.services.zerotierone.joinNetwork = mkOption { | |||
| default = null; | |||
There was a problem hiding this comment.
can you make this an array? It's possible to join multiple networks at the same time.
| mkdir -p /var/lib/zerotier-one | ||
| chmod 700 /var/lib/zerotier-one | ||
| chown -R root:root /var/lib/zerotier-one | ||
| ''; | ||
| '' + optionalString (cfg.joinNetwork != null) '' | ||
| touch "/var/lib/zerotier-one/networks.d/${cfg.joinNetwork}.conf" |
There was a problem hiding this comment.
Also, the networks.d subdirectory would not exist on the first startup of zerotier. Maybe just add it to the mkdir -p above?
There was a problem hiding this comment.
Yup just noticed that too. Done.
| @@ -38,6 +49,9 @@ in | |||
| # ZeroTier does not issue DHCP leases, but some strangers might... | |||
| networking.dhcpcd.denyInterfaces = [ "zt0" ]; | |||
|
|
|||
| # ZeroTier receives UDP transmissions on port 9993 by default | |||
| networking.firewall.allowedUDPPorts = [ 9993 ]; | |||
There was a problem hiding this comment.
We do not open firewall ports by default except for ssh. I am not sure if should make an exception here.
There was a problem hiding this comment.
The ZeroTier service should have a parameter for port, so networking.firewall.allowedUDPPorts could be used at a higher level when really needed.
Motivation for this change
Open firewall port for UDP channel.
Ability to join network declaratively is useful for new hosts.
Will merge in a few days if no objections.
cc @sjmackenzie @zimbatm @roblabla @ehmry
Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)