clan.networking.zerotier: fix controller mode

nixosModules/clanCore/zerotier.nix

@@ -1,11 +1,52 @@
 { config, lib, pkgs, ... }:
 let
   cfg = config.clan.networking.zerotier;
+  networkConfig = {
+    authTokens = [
+      null
+    ];
+    authorizationEndpoint = "";
+    capabilities = [ ];
+    clientId = "";
+    dns = [ ];
+    enableBroadcast = true;
+    id = cfg.networkId;
+    ipAssignmentPools = [ ];
+    mtu = 2800;
+    multicastLimit = 32;
+    name = "";
+    uwid = cfg.networkId;
+    objtype = "network";
+    private = !cfg.controller.public;
+    remoteTraceLevel = 0;
+    remoteTraceTarget = null;
+    revision = 1;
+    routes = [ ];
+    rules = [
+      {
+        not = false;
+        or = false;
+        type = "ACTION_ACCEPT";
+      }
+    ];
+    rulesSource = "";
+    ssoEnabled = false;
+    tags = [ ];
+    v4AssignMode = {
+      zt = false;
+    };
+    v6AssignMode = {
+      "6plane" = false;
+      rfc4193 = true;
+      zt = false;
+    };
+  };
 in
 {
   options.clan.networking.zerotier = {
     networkId = lib.mkOption {
-      type = lib.types.str;
+      type = lib.types.nullOr lib.types.str;
+      default = null;
       description = ''
         zerotier networking id
       '';
@@ -21,80 +62,47 @@ in
       };
     };
   };
-  config = {
+  config = lib.mkMerge [
-    systemd.network.networks.zerotier = {
+    (lib.mkIf (cfg.networkId != null) {
-      matchConfig.Name = "zt*";
+      systemd.network.networks.zerotier = {
-      networkConfig = {
+        matchConfig.Name = "zt*";
-        LLMNR = true;
+        networkConfig = {
-        LLDP = true;
+          LLMNR = true;
-        MulticastDNS = true;
+          LLDP = true;
-        KeepConfiguration = "static";
+          MulticastDNS = true;
+          KeepConfiguration = "static";
+        };
+      };
+      networking.firewall.allowedUDPPorts = [ 9993 ];
+      networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ];
+      networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ];
+      services.zerotierone = {
+        enable = true;
+        joinNetworks = [ cfg.networkId ];
+      };
+    })
+    (lib.mkIf cfg.controller.enable {
+      # only the controller needs to have the key in the repo, the other clients can be dynamic
+      # we generate the zerotier code manually for the controller, since it's part of the bootstrap command
+      clanCore.secrets.zerotier = {
+        facts."zerotier.network.id" = { };
+        secrets."zerotier.identity.secret" = { };
+        generator = ''
+          TMPDIR=$(mktemp -d)
+          trap 'rm -rf "$TMPDIR"' EXIT
+          ${config.clanCore.clanPkgs.clan-cli}/bin/clan zerotier --outpath "$TMPDIR"
+          cp "$TMPDIR"/network.id "$facts"/zerotier.network.id
+          cp "$TMPDIR"/identity.secret "$secrets"/zerotier.identity.secret
+        '';
       };
-    };
-    networking.firewall.allowedUDPPorts = [ 9993 ];
-    networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ];
-    networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ];
-    services.zerotierone = {
-      enable = true;
-      joinNetworks = [ cfg.networkId ];
-    };
-  } // lib.mkIf cfg.controller.enable {
-    # only the controller needs to have the key in the repo, the other clients can be dynamic
-    # we generate the zerotier code manually for the controller, since it's part of the bootstrap command
-    clanCore.secrets.zerotier = {
-      facts."network.id" = { };
-      secrets."identity.secret" = { };
-      generator = ''
-        TMPDIR=$(mktemp -d)
-        trap 'rm -rf "$TMPDIR"' EXIT
-        ${config.clanCore.clanPkgs.clan-cli}/bin/clan zerotier --outpath "$TMPDIR"
-        cp "$TMPDIR"/network.id "$facts"/network.id
-        cp "$TMPDIR"/identity.secret "$secrets"/identity.secret
-      '';
-    };
 
-    systemd.tmpfiles.rules = [
+      systemd.services.zerotierone.serviceConfig.ExecStartPre = [
-      "L+ /var/lib/zerotierone/controller.d/network/${cfg.networkId}.json - - - - ${pkgs.writeText "net.json" (builtins.toJSON {
+        "+${pkgs.writeShellScript "init_zerotier" ''
-        authTokens = [
+          cp /etc/secrets/zerotier.identity.secret /var/lib/zerotier-one/identity.secret
-          null
+          ln -sfT ${pkgs.writeText "net.json" (builtins.toJSON networkConfig)} /var/lib/zerotier-one/controller.d/network/${cfg.networkId}.json
-        ];
+        ''}"
-        authorizationEndpoint = "";
+      ];
-        capabilities = [];
+    })
-        clientId = "";
+  ];
-        dns = [];
-        enableBroadcast = true;
-        id = cfg.networkId;
-        ipAssignmentPools = [];
-        mtu = 2800;
-        multicastLimit = 32;
-        name = "";
-        uwid = cfg.networkId;
-        objtype = "network";
-        private = true;
-        remoteTraceLevel = 0;
-        remoteTraceTarget = null;
-        revision = 1;
-        routes = [];
-        rules = [
-          {
-            not = false;
-            or = false;
-            type = "ACTION_ACCEPT";
-          }
-        ];
-        rulesSource = "";
-        ssoEnabled = false;
-        tags = [];
-        v4AssignMode = {
-          zt = false;
-        };
-        v6AssignMode = {
-          "6plane" = false;
-          rfc4193 = false;
-          zt = false;
-        };
-      })}"
-    ];
-  };
 }