From eb788393e68694e7faee4355f37063023af37df7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 14 Nov 2023 11:29:43 +0100
Subject: [PATCH 1/2] update flake lock
---
 flake.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/flake.lock b/flake.lock
index a89039e1a..55ab803af 100644
--- a/flake.lock
+++ b/flake.lock
@@ -143,7 +143,7 @@
 "sops-nix": {
 "inputs": {
 "nixpkgs": [
- "sops-nix"
+ "nixpkgs"
 ],
 "nixpkgs-stable": []
 },
From bdc8ef63ed8aca9ace1002a1924886273bf0640c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 14 Nov 2023 12:58:15 +0100
Subject: [PATCH 2/2] add module for meshnamed
---
 checks/flake-module.nix | 1 +
 checks/meshnamed/default.nix | 21 +++++++++
 nixosModules/clanCore/flake-module.nix | 1 +
 nixosModules/clanCore/meshnamed/default.nix | 46 ++++++++++++++++++++
 nixosModules/clanCore/zerotier/default.nix | 2 +
 nixosModules/clanCore/zerotier/generate.py | 3 ++
 pkgs/clan-cli/tests/test_secrets_generate.py | 1 +
 7 files changed, 75 insertions(+)
 create mode 100644 checks/meshnamed/default.nix
 create mode 100644 nixosModules/clanCore/meshnamed/default.nix
diff --git a/checks/flake-module.nix b/checks/flake-module.nix
index a100503cb..7f2e370fd 100644
--- a/checks/flake-module.nix
+++ b/checks/flake-module.nix
@@ -16,6 +16,7 @@
 secrets = import ./secrets nixosTestArgs;
 container = import ./container nixosTestArgs;
 deltachat = import ./deltachat nixosTestArgs;
+ meshnamed = import ./meshnamed nixosTestArgs;
 };
 schemaTests = pkgs.callPackages ./schemas.nix {
 inherit self;
diff --git a/checks/meshnamed/default.nix b/checks/meshnamed/default.nix
new file mode 100644
index 000000000..d5c8d5555
--- /dev/null
+++ b/checks/meshnamed/default.nix
@@ -0,0 +1,21 @@
+(import ../lib/container-test.nix) ({ pkgs, ... }: {
+ name = "meshnamed";
+
+ nodes.machine = { self, ... }: {
+ imports = [
+ self.nixosModules.clanCore
+ {
+ clanCore.machineName = "machine";
+ clan.networking.meshnamed.networks.vpn.subnet = "fd43:7def:4b50:28d0:4e99:9347:3035:17ef/88";
+ clanCore.clanDir = ./.;
+ }
+ ];
+ };
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("meshnamed")
+ out = machine.succeed("${pkgs.dnsutils}/bin/dig -p 53535 AAAA foo.7vbx332lkaunatuzsndtanix54.vpn @localhost +short")
+ print(out)
+ assert out.strip() == "fd43:7def:4b50:28d0:4e99:9347:3035:17ef"
+ '';
+})
diff --git a/nixosModules/clanCore/flake-module.nix b/nixosModules/clanCore/flake-module.nix
index 2d5b1930e..c50a20f4d 100644
--- a/nixosModules/clanCore/flake-module.nix
+++ b/nixosModules/clanCore/flake-module.nix
@@ -4,6 +4,7 @@
 ../clanImports
 ./secrets
 ./zerotier
+ ./meshnamed
 ./networking.nix
 inputs.sops-nix.nixosModules.sops
 # just some example options. Can be removed later
diff --git a/nixosModules/clanCore/meshnamed/default.nix b/nixosModules/clanCore/meshnamed/default.nix
new file mode 100644
index 000000000..d6df4ddee
--- /dev/null
+++ b/nixosModules/clanCore/meshnamed/default.nix
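Review bot: The DNS label `7vbx332lkaunatuzsndtanix54` in the `dig` query is a magic value whose relation to the configured `vpn` subnet is not stated anywhere in the test, so a failing assertion cannot be attributed to meshnamed versus a stale fixture. Presumably it is meshname's encoding of the address part of `fd43:7def:4b50:28d0:4e99:9347:3035:17ef/88` — confirm against the meshname tool — and a comment above the `out = machine.succeed(...)` line such as `# label = meshname encoding of the vpn subnet address; regenerate if the subnet above changes` would make that explicit. The subnet literal itself is duplicated between the module config and the expected answer; binding it once in a `let` and interpolating it into both places removes the chance of the two drifting apart.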
@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+{
+ options.clan.networking.meshnamed = {
+ enable = (lib.mkEnableOption "meshnamed") // {
+ default = config.clan.networking.meshnamed.networks != { };
+ };
+ networks = lib.mkOption {
+ default = { };
+ type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
+ options = {
+ name = lib.mkOption {
+ default = name;
+ type = lib.types.str;
+ example = "my-network";
+ description = lib.mdDoc ''
+ The name of the network.
+ '';
+ };
+ subnet = lib.mkOption {
+ type = lib.types.str;
+ example = "fd43:7def:4b50:28d0:4e99:9347:3035:17ef/88";
+ description = lib.mdDoc ''
+ The subnet to use for the mesh network.
+ '';
+ };
+ };
+ }));
+ };
+ };
+ config = lib.mkIf config.clan.networking.meshnamed.enable {
+ systemd.services.meshnamed =
+ let
+ networks = lib.concatMapStringsSep "," (network: "${network.name}=${network.subnet}")
+ (builtins.attrValues config.clan.networking.meshnamed.networks);
+ in
+ {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.callPackage ../../../pkgs/meshname/default.nix { }}/bin/meshnamed -networks ${networks}";
+ DynamicUser = true;
+ };
+ };
+ };
+}
diff --git a/nixosModules/clanCore/zerotier/default.nix b/nixosModules/clanCore/zerotier/default.nix
index 2d3c2bb90..0b91e498c 100644
--- a/nixosModules/clanCore/zerotier/default.nix
+++ b/nixosModules/clanCore/zerotier/default.nix
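Review bot: `ExecStart` interpolates `network.name` and `network.subnet`, both typed as bare `lib.types.str`, straight into the `-networks` argument; systemd splits `ExecStart` on whitespace and applies its own quoting, so a name or subnet containing a space or quote would split into extra arguments or break unit parsing instead of being rejected at evaluation time. Quoting the joined list, `ExecStart = "${meshnamed}/bin/meshnamed -networks ${lib.escapeShellArg networks}";`, keeps it one argument, and a stricter type such as `lib.types.strMatching` for `subnet` (and for `name`, which becomes a DNS label) would catch malformed values where they are set. The `pkgs.callPackage ../../../pkgs/meshname/default.nix { }` call belongs in the `let` as `meshnamed = ...;` so the package is resolved and named once. The `networks` option has no `description`; `description = lib.mdDoc "Mesh networks served by meshnamed, keyed by network name.";` would match the submodule's options.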
@@ -97,11 +97,13 @@ in facts.zerotier-ip = { }; facts.zerotier-meshname = { }; facts.zerotier-network-id = { }; + facts.zerotier-subnet = { }; secrets.zerotier-identity-secret = { }; generator = '' export PATH=${lib.makeBinPath [ config.services.zerotierone.package pkgs.fakeroot ]} ${pkgs.python3.interpreter} ${./generate.py} --mode network \ --ip "$facts/zerotier-ip" \ + --subnet "$facts/zerotier-subnet" \ --meshname "$facts/zerotier-meshname" \ --identity-secret "$secrets/zerotier-identity-secret" \ --network-id "$facts/zerotier-network-id" diff --git a/nixosModules/clanCore/zerotier/generate.py b/nixosModules/clanCore/zerotier/generate.py index 4bc2ec0d0..128c156a9 100644 --- a/nixosModules/clanCore/zerotier/generate.py +++ b/nixosModules/clanCore/zerotier/generate.py @@ -195,6 +195,7 @@ def main() -> None: "--mode", choices=["network", "identity"], required=True, type=str ) parser.add_argument("--ip", type=Path, required=True) + parser.add_argument("--subnet", type=Path) parser.add_argument("--meshname", type=Path, required=True) parser.add_argument("--identity-secret", type=Path, required=True) parser.add_argument("--network-id", type=str, required=False) @@ -218,6 +219,8 @@ def main() -> None: args.identity_secret.write_text(identity.private) args.ip.write_text(ip.compressed) + if args.subnet is not None: + args.subnet.write_text(ipaddress.ip_network(ip).compressed) args.meshname.write_text(meshname) diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py index fbba4ae6f..9857174b8 100644 --- a/pkgs/clan-cli/tests/test_secrets_generate.py +++ b/pkgs/clan-cli/tests/test_secrets_generate.py 
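Review bot: The new `args.subnet.write_text(ipaddress.ip_network(ip).compressed)` line calls `ip_network` with no explicit prefix length and the default `strict=True`, so what lands in the `zerotier-subnet` fact depends entirely on the type of `ip`, which is assigned outside this hunk: an `IPv6Address` gives a single-host `/128` network, which is not a subnet, while an interface value with host bits set raises `ValueError` and aborts the generator. The check in `checks/meshnamed/default.nix` in this same commit feeds a `/88`, so if that is the intended prefix it should be made explicit here, e.g. `ipaddress.ip_network(ip, strict=False)` on an interface-typed `ip`, with a comment such as `# prefix length must match what meshnamed is given — confirm against the zerotier address layout`. The earlier hunk registers `--subnet` without `required=True`, unlike its siblings, which is consistent with the `is not None` guard but worth a `help=` string saying the fact is optional. `main()` starts and ends outside these hunks, and `ipaddress` is assumed to be imported at file top.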
@@ -36,6 +36,7 @@ def test_generate_secret(
 cli.run(["--flake", str(test_flake_with_core.path), "secrets", "generate", "vm1"])
 has_secret(test_flake_with_core.path, "vm1-age.key")
 has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret")
+ has_secret(test_flake_with_core.path, "vm1-zerotier-subnet")
 network_id = machine_get_fact(
 test_flake_with_core.name, "vm1", "zerotier-network-id"
 )
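Review bot: The added `has_secret(test_flake_with_core.path, "vm1-zerotier-subnet")` looks in the secrets store for a value that `nixosModules/clanCore/zerotier/default.nix` in this same commit declares under `facts.zerotier-subnet`, not `secrets.`; unless `has_secret` (defined outside the hunk) also covers facts, the assertion either fails or verifies the wrong store. The neighbouring `zerotier-network-id` check uses `machine_get_fact(...)`, so `subnet = machine_get_fact(test_flake_with_core.name, "vm1", "zerotier-subnet")` followed by `ipaddress.ip_network(subnet)` would both be consistent and actually validate the generated value. `test_generate_secret` starts and ends outside the hunk.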