diff --git a/clanServices/internet/default.nix b/clanServices/internet/default.nix index e198cfd20..3959886c4 100644 --- a/clanServices/internet/default.nix +++ b/clanServices/internet/default.nix @@ -32,17 +32,15 @@ }; perInstance = { - roles, - lib, + instanceName, + settings, + machine, ... }: { - exports.networking = { - # TODO add user space network support to clan-cli - peers = lib.mapAttrs (_name: machine: { - host.plain = machine.settings.host; - SSHOptions = map (_x: "-J x") machine.settings.jumphosts; - }) roles.default.machines; + + exports."internet/${instanceName}/default/${machine.name}".networking = { + hosts = [ settings.host ]; }; }; }; diff --git a/clanServices/yggdrasil/default.nix b/clanServices/yggdrasil/default.nix index 5b64e1024..8d82c9745 100644 --- a/clanServices/yggdrasil/default.nix +++ b/clanServices/yggdrasil/default.nix @@ -74,13 +74,20 @@ # TODO make it nicer @lassulus, @picnoir wants microlens # Get a list of all exported IPs from all VPN modules - exportedPeerIPs = builtins.foldl' ( - acc: e: - if e == { } then - acc - else - acc ++ (lib.flatten (builtins.filter (s: s != "") (lib.attrValues (select' "peers.*.plain" e)))) - ) [ ] (lib.attrValues (select' "instances.*.networking.?peers.*.host.?plain" exports)); + # exportedPeerIPs = builtins.foldl' ( + # acc: e: + # if e == { } then + # acc + # else + # acc ++ (lib.flatten (builtins.filter (s: s != "") (lib.attrValues (select' "peers.*.plain" e)))) + # ) [ ] (lib.attrValues (select' "*.networking.?peers.*.host.?plain" exports)); + + # exports."internet/${instanceName}/default/${machine.name}".networking = { + # hosts = [ settings.host ]; + # }; + + # exportedPeerIPs = (select' "*".networking.hosts exports); + exportedPeerIPs = lib.flatten (builtins.attrValues (select' "*.networking.hosts" exports)); # Construct a list of peers in yggdrasil format exportedPeers = lib.flatten (map mkPeers exportedPeerIPs); 
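Review bot: The replacement export silently drops `settings.jumphosts` — the removed lines turned each jump host into an SSH `-J` option, while the new `hosts = [ settings.host ]` has no way to say that a host is only reachable through a jump host, so any instance that set `jumphosts` loses that routing information without an error. Either keep emitting the jump hosts in some form or state the gap next to the export, e.g. `# TODO: settings.jumphosts is not exported yet; only the plain host is published`. The `perInstance` body continues past the end of the hunk.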
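Review bot: The new `exportedPeerIPs` drops the `s != ""` filter that the removed `foldl'` applied, so an empty string in any `networking.hosts` list (for example a var that has not been generated yet and resolves to `""`) now reaches `mkPeers` and yields a malformed peer entry; `exportedPeerIPs = builtins.filter (s: s != "") (lib.flatten (builtins.attrValues (select' "*.networking.hosts" exports)));` restores that guard. The commented-out `foldl'` and the `exports."internet/${instanceName}/default/${machine.name}"` snippet copy-pasted from the internet module are dead text and should be deleted rather than kept as comments. It is also worth saying in the surviving comment that the `*` glob now collects hosts from every exporting service (internet, zerotier, …), since that is a wider net than the old `instances.*` selector; the enclosing `let` continues outside the hunk.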
diff --git a/clanServices/yggdrasil/tests/vm/default.nix b/clanServices/yggdrasil/tests/vm/default.nix index 1137926d9..3c5383bfb 100644 --- a/clanServices/yggdrasil/tests/vm/default.nix +++ b/clanServices/yggdrasil/tests/vm/default.nix @@ -21,9 +21,16 @@ # Peers are set form exports of the internet service instances."internet" = { module.name = "internet"; - roles.default.machines.peer1.settings.host = "peer1"; - roles.default.machines.peer2.settings.host = "peer2"; + roles.default.machines.peer1.settings.host = "peer1-internet"; + roles.default.machines.peer2.settings.host = "peer2-internet"; }; + + instances."zerotier" = { + module.name = "zerotier"; + roles.controller.machines.peer1 = { }; + roles.peer.machines.peer2 = { }; + }; + }; }; diff --git a/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-identity-secret/machines/peer1 b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-identity-secret/machines/peer1 new file mode 120000 index 000000000..3e5f3fae3 --- /dev/null +++ b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-identity-secret/machines/peer1 @@ -0,0 +1 @@ +../../../../../../sops/machines/peer1 \ No newline at end of file diff --git a/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-identity-secret/secret b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-identity-secret/secret new file mode 100644 index 000000000..828d6c2d6 --- /dev/null +++ b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-identity-secret/secret 
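Review bot: The added `zerotier` instance only earns its place if the test then checks that peer2's `zerotier-ip` value appears in peer1's yggdrasil peer list; the test script is outside this hunk, so I cannot confirm that assertion exists. If it does not, the instance is dead weight that also drags the committed sops-encrypted identity secret and network-id fixtures into the test. A one-line comment on the block would make the intent explicit: `# zerotier exports one IP per machine; yggdrasil must pick them up as peers alongside the internet hosts`.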
@@ -0,0 +1,18 @@ +{ + "data": "ENC[AES256_GCM,data:ZkirPKTvLpV3+aMklbRIkafGCMISIRrqgFu8B0A1nQEdeqRR0bexoRuzLopuj95mqPKYHWT9ArF8zDqVW9t4UgazTgprK/coFlKk/2wO8dO2JmVcFlGZou2Hz6JVvt8xuELU350lpF+o4k1xmAqswqaRQyqgAIvVDnym/jZPj9hBZpSXr/IcUnH4cXcNv51Xt82Zvo132RoaU1warlNk1p3dr1DRHU56KtEwhkj9YxoIcS4K4BaEl9L87REXnFEBu5p8FeO1f3bp/ZFOxL7bYKROFHYhK4mIlSTVmYJg4a1CP0M7v842xm83C37Y6xgN8SltC/ld9TuxBNVhfzmHHotpBXvAbwxkCJE6ChJI,iv:M4jqMRvbjODcWGjJUMc3ys4Tra0KBwVXOVMoeXcAXuQ=,tag:irDJqWEeXlIXOv/DMZWlGQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1p8trv2dmpanl3gnzj294c4t5uysu7d6rfjncp5lmn6redyda8fns6p7kca", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVGJGWlZOb05QL3AzSzFM\nUG4vV3RFK2RjVEhVd2QzQ3pTMUl0UmFLaURnCkRORDBuK0xUM1pYSFRFZXlpK1Na\nUHp6b3pWeEl0SkF2ZERaa3gyczh0RlkKLS0tIHFoanBkS1Jhc3ovQlJFV0lCQVpY\nUEUrcmZlbkhQa0lac3pqenBXWkpDZTgKNQ6Lu4L6zHKTN4pe2T3eg7lvTeZQ2/mf\nD33YfN15W/yuOb+LzVTwSj6wPgQuSaVRlgbCm/t1adzTnUZmruWxuA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YVMrSEkybzJpdXVHQWtP\nMzQ2QXZmQXJNL05ORDRobWZmQmdrTWtiVDJZCk9Wckg4eVJiU21BcFQ4MDhjTzlw\nVnh6b25NM3ZSNXRIQUEwd0RaSjg1MW8KLS0tICtqVWxpN09CSC9kcUdvRmw1RmRh\nOHlWQXEwYWFPY2VsM0Q0RzJyL2FWNUUK3f7t64UBdGtzxo0upCugNvA2vKUXL6gb\n0CJq4MG1s+lgFpvenRlozsaG3I8IxPHkFWuTA6OuUCCwaJqb0eT4ZA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-10-31T14:34:48Z", + "mac": "ENC[AES256_GCM,data:+mMvTo1+4f9rQm1U6td5Sx7NYeuKJQeXcTpFOooAV8wt75XX2VhX059/S3krFJ8vIsMUqQ0PqPLipCNTaTi8cxkqHfsVQEGCcALGtisk5bnHWgipnFoaO6Ao9TKkmFBcQo9za9+Z40stNIzThOHWaZonvp9KWIVj92CFic62UT8=,iv:HhVf1rhN6Ocp6Bif1oXQScJUe4ndFw3Rv/obVYDx5aA=,tag:9M5iMVcj3ore3DQtwdJuMQ==,type:str]", + "version": "3.11.0" + } +} 
diff --git a/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-identity-secret/users/admin b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-identity-secret/users/admin new file mode 120000 index 000000000..ca714e122 --- /dev/null +++ b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-identity-secret/users/admin @@ -0,0 +1 @@ +../../../../../../sops/users/admin \ No newline at end of file diff --git a/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-ip/value b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-ip/value new file mode 100644 index 000000000..4b9f68afa --- /dev/null +++ b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-ip/value @@ -0,0 +1 @@ +fd06:8020:2351:b57:2899:9306:8020:2351 \ No newline at end of file diff --git a/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-network-id/value b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-network-id/value new file mode 100644 index 000000000..340f2edb8 --- /dev/null +++ b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/zerotier/zerotier-network-id/value @@ -0,0 +1 @@ +06802023510b5728 \ No newline at end of file diff --git a/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-identity-secret/machines/peer2 b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-identity-secret/machines/peer2 new file mode 120000 index 000000000..6370c90d4 --- /dev/null +++ b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-identity-secret/machines/peer2 @@ -0,0 +1 @@ +../../../../../../sops/machines/peer2 \ No newline at end of file 
diff --git a/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-identity-secret/secret b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-identity-secret/secret new file mode 100644 index 000000000..46c050afd --- /dev/null +++ b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-identity-secret/secret 
@@ -0,0 +1,18 @@ +{ + "data": "ENC[AES256_GCM,data:gzHNCz/yRXD9sXRvqpGC18ZUF1JLvpBO44klfRjl6WzCPHLrC9Mp6cGFa+U3CZL2i/0JGKOtQGH+82Ra6oAkOiWEcSRN/xmAmcZaoVPTnvZ2tF7vvlRfR5hq+p/ZQw4+Y4V1TIuYj2dLNrVIIGYmWSabqI0mgVTTjyRsDJSB4YgqGTYismvZ9QXICSDxwROIrC2xl0Xx+MYWhxR1PVJ3B1HbJ8KEQCuBVq46Wki/INe0bD+ODlxCv9GCGPgaNjMwACOwQXo5WGP9zSDq2HEkTeg5YUmX1o1G6LwkG2fY/Hr5XMiLGU6G0remP/WbCOoLRXdB/Luevg/rTlQ/dNDawPARsbZZSjLmk/BHUOUJ,iv:zPeIyZi2ckbEcbX4FFhyN3ryWf4eoRu4XIafeAje28E=,tag:8/Vn0m+/wMGY706fYX55Vg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age107mprppm3r9u7f26e6t5mhtdny0h5ugfmfjy8kac2tw9nrh9a3ksex0xca", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYlU4cG1KYXZodFJYYXNo\ndjhNbUFzNEhySzI2NmduR0EwOUhENFRZN3o4CmtSNG5ObkM2bDJXaXk1QlFVWURK\nV1lRa1VVV0hNZlh0eVJpVHFqU3FXMzgKLS0tIFhtUjZnZVdMczNFVUMrL2Q0b1Rz\nRFlzTUFXVWZwM2gwRW1LTzd0a2lhQTAKHyakwS8kB4Gg4Vjs3PJsbF3VHzJjAbOR\nR+y6op3zPjQpr5QfsRn4MoES/ViGDPZWLYxXUSMctGVDxIfgdZxP9A==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1dHBaY015Q2J2NlRyRGEy\nRGtRcm1YckhYSm5mbU5GaGFaTjhRa1UraWpRCnFWSDBSYURFS21QYUYxVXdKdGVi\nY1hiN3c3eTlJUWo2dXZXUk9TN3g3ZVkKLS0tIGJneUlaMU1KeVVBcXN5L3FIMjNP\nYkpWTVA3d2k1a3Y5Yk9kUUF3SFo2V2sKGLQYVmX8HnDqX5K/tdbfgYnpVmaTArIY\nuhw+CtrXmEHhksZqgGCcjEoCz7cDMzMA42kVdqh/OfFzJNxrRfJjPA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-10-31T14:59:28Z", + "mac": "ENC[AES256_GCM,data:MWpzOKUYXkmw2DX6YsN5pPIF9Y6GZ4rPnwq3uaOnFm40SOXPN2/JXSL7E9bGgaBeboUbChNwiGmBBRQX+7d2Te/NoItJAPw4YJTtquA+Rb7+sgPUoL6kYP7YZfjw1Z2hi61YMYXZH0/q4tBx6SNukt7o/uRYLu2LjyO09251uO4=,iv:YVXr5u2xwVEOlG+xYguAO1ZsCXvMx6rhXBV24CkFPv8=,tag:AOK4Pi2YYx4w0je9gALDLw==,type:str]", + "version": "3.11.0" + } +} 
diff --git a/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-identity-secret/users/admin b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-identity-secret/users/admin new file mode 120000 index 000000000..ca714e122 --- /dev/null +++ b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-identity-secret/users/admin @@ -0,0 +1 @@ +../../../../../../sops/users/admin \ No newline at end of file diff --git a/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-ip/value b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-ip/value new file mode 100644 index 000000000..04b5c8661 --- /dev/null +++ b/clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/zerotier/zerotier-ip/value @@ -0,0 +1 @@ +fd06:8020:2351:b57:2899:9340:7f3b:e1b3 \ No newline at end of file diff --git a/clanServices/zerotier/default.nix b/clanServices/zerotier/default.nix index 770023f4b..b5b11902c 100644 --- a/clanServices/zerotier/default.nix +++ b/clanServices/zerotier/default.nix @@ -1,5 +1,6 @@ { clanLib, + directory, ... }: { @@ -16,21 +17,23 @@ instanceName, roles, lib, + machine, ... }: { - exports.networking = { - priority = lib.mkDefault 900; - # TODO add user space network support to clan-cli - module = "clan_lib.network.zerotier"; - peers = lib.mapAttrs (name: _machine: { - host.var = { - machine = name; + + exports."internet/${instanceName}/peer/${machine.name}".networking = { + hosts = lib.flatten [ + (clanLib.vars.getPublicValue { + flake = directory; + machine = machine.name; generator = "zerotier"; file = "zerotier-ip"; - }; - }) roles.peer.machines; + # default = throw "kaputt"; + }) + ]; }; + nixosModule = { config, diff --git a/modules/clan/top-level-interface.nix b/modules/clan/top-level-interface.nix index 7290158c6..4a4c16a7e 100644 --- a/modules/clan/top-level-interface.nix +++ b/modules/clan/top-level-interface.nix 
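Review bot: The new export loses the `priority = lib.mkDefault 900` and `module = "clan_lib.network.zerotier"` that the removed lines set, so the zerotier address now falls back to the interface defaults (priority 1000, `clan_lib.network.direct`) and would be tried as a plain direct connection at the same rank as an internet host — a behaviour change the commit does not mention; re-adding `priority = lib.mkDefault 900; module = "clan_lib.network.zerotier";` next to `hosts` keeps the old ordering. The export key also uses the `internet/` prefix for a zerotier instance, which looks copy-pasted and will be confusing to anyone grepping exports by service. `# default = throw "kaputt";` is leftover debugging and should be removed; if `getPublicValue` fails when the var has not been generated yet, an explicit `default` would keep evaluation working before the first vars generation, but its signature is not visible here.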
@@ -118,84 +118,86 @@ in visible = false; type = types.deferredModule; default = { - options.networking = lib.mkOption { - default = null; - type = lib.types.nullOr ( - lib.types.submodule { - options = { - priority = lib.mkOption { - type = lib.types.int; - default = 1000; - description = '' - priority with which this network should be tried. - higher priority means it gets used earlier in the chain - ''; - }; - module = lib.mkOption { - # type = lib.types.enum [ - # "clan_lib.network.direct" - # "clan_lib.network.tor" - # ]; - type = lib.types.str; - default = "clan_lib.network.direct"; - description = '' - the technology this network uses to connect to the target - This is used for userspace networking with socks proxies. - ''; - }; - # should we call this machines? hosts? - peers = lib.mkOption { - # - type = lib.types.attrsOf ( - lib.types.submodule ( - { name, ... }: - { - options = { - name = lib.mkOption { - type = lib.types.str; - default = name; - }; - SSHOptions = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - }; - host = lib.mkOption { - description = ''''; - type = lib.types.attrTag { - plain = lib.mkOption { - type = lib.types.str; - description = '' - a plain value, which can be read directly from the config - ''; - }; - var = lib.mkOption { - type = lib.types.submodule { - options = { - machine = lib.mkOption { - type = lib.types.str; - example = "jon"; - }; - generator = lib.mkOption { - type = lib.types.str; - example = "tor-ssh"; - }; - file = lib.mkOption { - type = lib.types.str; - example = "hostname"; - }; - }; - }; - }; - }; - }; - }; - } - ) - ); - }; - }; - } - ); + options.networking = { + + priority = lib.mkOption { + type = lib.types.int; + default = 1000; + description = '' + priority with which this network should be tried. 
+ higher priority means it gets used earlier in the chain + ''; + }; + module = lib.mkOption { + # type = lib.types.enum [ + # "clan_lib.network.direct" + # "clan_lib.network.tor" + # ]; + type = lib.types.str; + default = "clan_lib.network.direct"; + description = '' + the technology this network uses to connect to the target + This is used for userspace networking with socks proxies. + ''; + }; + # should we call this machines? hosts? + + hosts = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + + # peers = lib.mkOption { + # + # # + # type = lib.types.attrsOf ( + # lib.types.submodule ( + # { name, ... }: + # { + # options = { + # name = lib.mkOption { + # type = lib.types.str; + # default = name; + # }; + # SSHOptions = lib.mkOption { + # type = lib.types.listOf lib.types.str; + # default = [ ]; + # }; + # + # host = lib.mkOption { + # description = ''''; + # type = lib.types.attrTag { + # plain = lib.mkOption { + # type = lib.types.str; + # description = '' + # a plain value, which can be read directly from the config + # ''; + # }; + # var = lib.mkOption { + # type = lib.types.submodule { + # options = { + # machine = lib.mkOption { + # type = lib.types.str; + # example = "jon"; + # }; + # generator = lib.mkOption { + # type = lib.types.str; + # example = "tor-ssh"; + # }; + # file = lib.mkOption { + # type = lib.types.str; + # example = "hostname"; + # }; + # }; + # }; + # }; + # }; + # }; + # }; + # } + # ) + # ); + # }; }; }; description = ''
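Review bot: `hosts` is now the only option consumers actually read from `networking`, yet it is the one without a `description`; add one such as `description = "Addresses (plain hostnames or IPs) under which the machines of this instance can be reached; other services read it from exports";`. The per-peer `SSHOptions` and `host.var` indirection disappeared with the commented-out `peers` block, so the schema no longer has any way to declare a jump host, which the internet module's `jumphosts` setting depended on — either remove the dead block and document that gap, or bring `SSHOptions` back alongside `hosts`. Because `networking` changed from `nullOr submodule` to a plain option set, every export now evaluates to `{ priority = 1000; module = "clan_lib.network.direct"; hosts = [ ]; }` by default, so any consumer that previously tested for `null` or `{ }` needs to be updated; the enclosing option definition continues outside the hunk.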