docs: init new structure

2025-09-15 14:39:22 +02:00
parent 39eb13eebb
commit 86c4555bc0
7 changed files with 158 additions and 74 deletions
--- a/docs/site/guides/networking/mesh-vpn.md
+++ b/docs/site/guides/networking/mesh-vpn.md
@@ -0,0 +1,149 @@
+
+This guide provides detailed instructions for configuring
+[ZeroTier VPN](https://zerotier.com) within Clan. Follow the
+outlined steps to set up a machine as a VPN controller (`<CONTROLLER>`) and to
+include a new machine into the VPN.
+
+## Concept
+
+By default all machines within one clan are connected via a chosen network technology.
+
+```{.no-copy}
+Clan
+    Node A
+    <-> (zerotier / mycelium / ...)
+    Node B
+```
+
+This guide shows you how to configure `zerotier` through clan's `Inventory` System.
+
+## The Controller
+
+The controller is the initial entrypoint for new machines into the vpn.
+It will sign the id's of new machines.
+Once id's are signed, the controller's continuous operation is not essential.
+A good controller choice is nevertheless a machine that can always be reached for updates - so that new peers can be added to the network.
+
+For the purpose of this guide we have two machines:
+
+- The `controller` machine, which will be the zerotier controller.
+- The `new_machine` machine, which is the machine we want to add to the vpn network.
+
+## Configure the Service
+
+```nix {.nix title="flake.nix" hl_lines="19-25"}
+{
+  inputs.clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
+  inputs.nixpkgs.follows = "clan-core/nixpkgs";
+
+  outputs =
+    { self, clan-core, ... }:
+    let
+      # Sometimes this attribute set is defined in clan.nix
+      clan = clan-core.lib.clan {
+        inherit self;
+
+        meta.name = "myclan";
+
+        inventory.machines = {
+          controller = {};
+          new_machine = {};
+        };
+
+        inventory.instances = {
+          zerotier = {
+            # Assign the controller machine to the role "controller"
+            roles.controller.machines."controller" = {};
+
+            # All clan machines are zerotier peers
+            roles.peer.tags."all" = {};
+          };
+        };
+      };
+    in
+    {
+      inherit (clan) nixosConfigurations nixosModules clanInternals;
+
+      # elided for brevity
+    };
+}
+```
+
+## Apply the Configuration
+
+Update the `controller` machine first:
+
+```bash
+clan machines update controller
+```
+
+Then update all other peers:
+
+```bash
+clan machines update
+```
+
+### Verify Connection
+
+On the `new_machine` run:
+
+```bash
+$ sudo zerotier-cli info
+```
+
+The status should be "ONLINE":
+
+```{.console, .no-copy}
+200 info d2c71971db 1.12.1 ONLINE
+```
+
+## Further
+
+Currently you can only use **Zerotier** as networking technology because this is the first network stack we aim to support.
+In the future we plan to add additional network technologies like tinc, head/tailscale, yggdrassil and mycelium.
+
+We chose zerotier because in our tests it was a straight forwards solution to bootstrap.
+It allows you to selfhost a controller and the controller doesn't need to be globally reachable.
+Which made it a good fit for starting the project.
+
+## Debugging
+
+### Retrieve the ZeroTier ID
+
+In the repo:
+
+```console
+$ clan vars list <machineName>
+```
+
+```{.console, .no-copy}
+$ clan vars list controller
+# ... elided
+zerotier/zerotier-identity-secret: ********
+zerotier/zerotier-ip: fd0a:b849:2928:1234:c99:930a:a959:2928
+zerotier/zerotier-network-id: 0aa959282834000c
+```
+
+On the machine:
+
+```bash
+$ sudo zerotier-cli info
+```
+
+#### Manually Authorize a Machine on the Controller
+
+=== "with ZerotierIP"
+
+      ```bash
+      $ sudo zerotier-members allow --member-ip <IP>
+      ```
+
+      Substitute `<IP>` with the ZeroTier IP obtained previously.
+
+=== "with ZerotierID"
+
+      ```bash
+      $ sudo zerotier-members allow <ID>
+      ```
+
+      Substitute `<ID>` with the ZeroTier ID obtained previously.
--- a/docs/site/guides/networking/networking.md
+++ b/docs/site/guides/networking/networking.md
@@ -0,0 +1,184 @@
+# Connecting to Your Machines
+
+Clan provides automatic networking with fallback mechanisms to reliably connect to your machines.
+
+## Option 1: Automatic Networking with Fallback (Recommended)
+
+Clan's networking module automatically manages connections through various network technologies with intelligent fallback. When you run `clan ssh` or `clan machines update`, Clan tries each configured network by priority until one succeeds.
+
+### Basic Setup with Internet Service
+
+For machines with public IPs or DNS names, use the `internet` service to configure direct SSH while keeping fallback options:
+
+```{.nix title="flake.nix" hl_lines="7-10 14-16"}
+{
+  outputs = { self, clan-core, ... }:
+    let
+      clan = clan-core.lib.clan {
+        inventory.instances = {
+          # Direct SSH with fallback support
+          internet = {
+            roles.default.machines.server1 = {
+              settings.host = "server1.example.com";
+            };
+            roles.default.machines.server2 = {
+              settings.host = "192.168.1.100";
+            };
+          };
+
+          # Fallback: Secure connections via Tor
+          tor = {
+            roles.server.tags.nixos = { };
+          };
+        };
+      };
+    in
+    {
+      inherit (clan.config) nixosConfigurations;
+    };
+}
+```
+
+### Advanced Setup with Multiple Networks
+
+```{.nix title="flake.nix" hl_lines="7-10 13-16 19-21"}
+{
+  outputs = { self, clan-core, ... }:
+    let
+      clan = clan-core.lib.clan {
+        inventory.instances = {
+          # Priority 1: Try direct connection first
+          internet = {
+            roles.default.machines.publicserver = {
+              settings.host = "public.example.com";
+            };
+          };
+
+          # Priority 2: VPN for internal machines
+          zerotier = {
+            roles.controller.machines."controller" = { };
+            roles.peer.tags.nixos = { };
+          };
+
+          # Priority 3: Tor as universal fallback
+          tor = {
+            roles.server.tags.nixos = { };
+          };
+        };
+      };
+    in
+    {
+      inherit (clan.config) nixosConfigurations;
+    };
+}
+```
+
+### How It Works
+
+Clan automatically tries networks in order of priority:
+1. Direct internet connections (if configured)
+2. VPN networks (ZeroTier, Tailscale, etc.)
+3. Tor hidden services
+4. Any other configured networks
+
+If one network fails, Clan automatically tries the next.
+
+### Useful Commands
+
+```bash
+# View all configured networks and their status
+clan network list
+
+# Test connectivity through all networks
+clan network ping machine1
+
+# Show complete network topology
+clan network overview
+```
+
+## Option 2: Manual targetHost (Bypasses Fallback!)
+
+!!! warning
+    Setting `targetHost` directly **disables all automatic networking and fallback**. Only use this if you need complete control and don't want Clan's intelligent connection management.
+
+### Using Inventory (For Static Addresses)
+
+Use inventory-level `targetHost` when the address is **static** and doesn't depend on NixOS configuration:
+
+```{.nix title="flake.nix" hl_lines="8"}
+{
+  outputs = { self, clan-core, ... }:
+    let
+      clan = clan-core.lib.clan {
+        inventory.machines.server = {
+          # WARNING: This bypasses all networking modules!
+          # Use for: Static IPs, DNS names, known hostnames
+          deploy.targetHost = "root@192.168.1.100";
+        };
+      };
+    in
+    {
+      inherit (clan.config) nixosConfigurations;
+    };
+}
+```
+
+**When to use inventory-level:**
+- Static IP addresses: `"root@192.168.1.100"`
+- DNS names: `"user@server.example.com"`
+- Any address that doesn't change based on machine configuration
+
+### Using NixOS Configuration (For Dynamic Addresses)
+
+Use machine-level `targetHost` when you need to **interpolate values from the NixOS configuration**:
+
+```{.nix title="flake.nix" hl_lines="7"}
+{
+  outputs = { self, clan-core, ... }:
+    let
+      clan = clan-core.lib.clan {
+        machines.server = { config, ... }: {
+          # WARNING: This also bypasses all networking modules!
+          # REQUIRED for: Addresses that depend on NixOS config
+          clan.core.networking.targetHost = "root@${config.networking.hostName}.local";
+        };
+      };
+    in
+    {
+      inherit (clan.config) nixosConfigurations;
+    };
+}
+```
+
+**When to use machine-level (NixOS config):**
+- Using hostName from config: `"root@${config.networking.hostName}.local"`
+- Building from multiple config values: `"${config.users.users.deploy.name}@${config.networking.hostName}"`
+- Any address that depends on evaluated NixOS configuration
+
+!!! info "Key Difference"
+    **Inventory-level** (`deploy.targetHost`) is evaluated immediately and works with static strings.
+    **Machine-level** (`clan.core.networking.targetHost`) is evaluated after NixOS configuration and can access `config.*` values.
+
+## Quick Decision Guide
+
+| Scenario | Recommended Approach | Why |
+|----------|---------------------|-----|
+| Public servers | `internet` service | Keeps fallback options |
+| Mixed infrastructure | Multiple networks | Automatic failover |
+| Machines behind NAT | ZeroTier/Tor | NAT traversal with fallback |
+| Testing/debugging | Manual targetHost | Full control, no magic |
+| Single static machine | Manual targetHost | Simple, no overhead |
+
+## Command-Line Override
+
+The `--target-host` flag bypasses ALL networking configuration:
+
+```bash
+# Emergency access - ignores all networking config
+clan machines update server --target-host root@backup-ip.com
+
+# Direct SSH - no fallback attempted
+clan ssh laptop --target-host user@10.0.0.5
+```
+
+Use this for debugging or emergency access when automatic networking isn't working.