diff --git a/modules/web01/default.nix b/modules/web01/default.nix
index 84f76f9..655ff7c 100644
--- a/modules/web01/default.nix
+++ b/modules/web01/default.nix
@@ -8,8 +8,6 @@
 ./homepage.nix
 ./postfix.nix
 ./jobs.nix
- ../zerotier
- ../zerotier/ctrl.nix
 ../dev.nix
 ];
diff --git a/modules/zerotier/README.md b/modules/zerotier/README.md
deleted file mode 100644
index 2760560..0000000
--- a/modules/zerotier/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# zerotier controller & client config
-These modules implement a simple bash based controller (./ctrl.nix) and
-the config to join the VPN. External people who want to join just have to copy
-./default.nix into their configuration and rebuild switch.
-
-The configured network uses only ipv6 addresses, they are distributed by 6plane.
-Which gives every host a /80.
-Reference: https://gist.github.com/laduke/fa1e9a68a79d9038ab117ad0ab69927a
diff --git a/modules/zerotier/ctrl.nix b/modules/zerotier/ctrl.nix
deleted file mode 100644
index 3782521..0000000
--- a/modules/zerotier/ctrl.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- environment.systemPackages = [
- (pkgs.writers.writeDashBin "zt-init" ''
- set -efux
- NODEID=$(cat /var/lib/zerotier-one/identity.public | cut -d: -f1)
- NEW_NET=$(${pkgs.curl}/bin/curl -X POST "http://localhost:9993/controller/network/''${NODEID}______" -H "X-ZT1-AUTH: $(sudo cat /var/lib/zerotier-one/authtoken.secret)" -d {})
- '')
- (pkgs.writers.writeDashBin "zt-network-edit" ''
- set -efux
- TMP_NET_CONFIG=$(mktemp)
- trap 'rm -f "$TMP_NET_CONFIG"' EXIT
- NETWORK_ID=''${NETWORK_ID:-$(zerotier-cli listnetworks -j | jq -r '.[0] | .id')}
- ${pkgs.curl}/bin/curl "http://localhost:9993/controller/network/''${NETWORK_ID}" -H "X-ZT1-AUTH: $(sudo cat /var/lib/zerotier-one/authtoken.secret)" -d {} > "$TMP_NET_CONFIG"
- $EDITOR "$TMP_NET_CONFIG"
- ${pkgs.curl}/bin/curl "http://localhost:9993/controller/network/''${NETWORK_ID}" -H "X-ZT1-AUTH: $(sudo cat /var/lib/zerotier-one/authtoken.secret)" -d @"$TMP_NET_CONFIG"
- '')
- (pkgs.writers.writeDashBin "zt-member-ls" ''
- set -eu
- NETWORK_ID=''${NETWORK_ID:-$(zerotier-cli listnetworks -j | jq -r '.[0] | .id')}
- cat /var/lib/zerotier-one/controller.d/network/$NETWORK_ID/member/* | jq -s
- '')
- (pkgs.writers.writeDashBin "zt-member-auth" ''
- set -efux
- MEMBER_ID=$1
- if ! printf '%s' $MEMBER_ID | grep -q '^[0-9a-f]\{10\}$'; then
- echo '$MEMBER_ID is not a valid member id'
- exit 1
- fi
- URL='http://localhost:9993/controller/'
- TOKEN=''${TOKEN:-$(cat /var/lib/zerotier-one/authtoken.secret)}
- NETWORK_ID=''${NETWORK_ID:-$(zerotier-cli listnetworks -j | jq -r '.[0] | .id')}
-
- curl -fSs -H "X-ZT1-AUTH: $TOKEN" "$URL/network/$NETWORK_ID/member/$MEMBER_ID" -d '{"authorized": true}'
- '')
- ];
-}
diff --git a/modules/zerotier/default.nix b/modules/zerotier/default.nix
deleted file mode 100644
index fc3a1b3..0000000
--- a/modules/zerotier/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ lib, pkgs, ... }:
-{
- networking.firewall.allowedTCPPorts = [
- 9993
- 993 # zt-tcp-proxy
- ];
- networking.firewall.allowedUDPPorts = [ 9993 ];
- networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ];
- networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ];
-
- # Note avahi was super slow. systemd-resolved worked much faster for mdns
- systemd.network.networks.zerotier = {
- matchConfig.Name = "zt*";
- networkConfig = {
- LLMNR = true;
- LLDP = true;
- MulticastDNS = true;
- KeepConfiguration = "static";
- };
- };
-
- systemd.services.zt-tcp-proxy = {
- wantedBy = [ "multi-user.target" ];
- after = [ "zerotier-one.service" ];
- serviceConfig = {
- Type = "simple";
- # imap port
- ExecStart = "${pkgs.callPackage ../../pkgs/zerotier-tcp-proxy.nix {
- zerotierProxyPort = 993;
- }}/bin/zerotier-tcp-proxy";
- Restart = "always";
- RestartSec = 5;
- DynamicUser = true;
- User = "zt-tcp-proxy";
- Group = "zt-tcp-proxy";
- AmbientCapabilities = "CAP_NET_BIND_SERVICE";
- };
- };
-
- services.zerotierone = {
- enable = true;
- joinNetworks = [ "33d87fa6bd93423e" ];
- };
- nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ];
-}
diff --git a/pkgs/zerotier-tcp-proxy.nix b/pkgs/zerotier-tcp-proxy.nix
deleted file mode 100644
index bba8179..0000000
--- a/pkgs/zerotier-tcp-proxy.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ stdenv, fetchFromGitHub, fetchpatch, zerotierProxyPort ? 443 }:
-stdenv.mkDerivation {
- name = "zerotier-tcp-proxy";
- src = fetchFromGitHub {
- owner = "zerotier";
- repo = "ZeroTierOne";
- rev = "008a768f15763aa4b1c73434cdc517b6b4e3f997";
- hash = "sha256-BX589KbO+6eoyUo7UUDEL7pyIgpUE25deax+dmvGGG4=";
- };
- patches = [
- (fetchpatch {
- url = "https://github.com/zerotier/ZeroTierOne/commit/dd2006d494e85a41d8b818b37460e7cf458a2aee.patch";
- hash = "sha256-nuao04pDha7h62RHviUZYx21p6bNOyiU78kBBq2o2Rs=";
- })
- ];
- buildPhase = ''
- pushd tcp-proxy
- sed -i -e "s/ZT_TCP_PROXY_TCP_PORT.*443/ZT_TCP_PROXY_TCP_PORT ${toString zerotierProxyPort}/g" tcp-proxy.cpp
- cat tcp-proxy.cpp
- make -j $NIX_BUILD_CORES CXX=$CXX
- popd
- '';
- installPhase = ''
- install -D -m 755 tcp-proxy/tcp-proxy $out/bin/zerotier-tcp-proxy
- '';
-}
diff --git a/pkgs/zt-tcp-relay.nix b/pkgs/zt-tcp-relay.nix
deleted file mode 100644
index 84ad860..0000000
--- a/pkgs/zt-tcp-relay.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ lib
-, rustPlatform
-, fetchFromGitHub
-, fetchpatch
-}:
-
-rustPlatform.buildRustPackage {
- pname = "zt-tcp-relay";
- version = "unstable-2022-08-02";
-
- src = fetchFromGitHub {
- owner = "alexander-akhmetov";
- repo = "zt-tcp-relay";
- rev = "2d4541d77807d57d5c303a1babfabf7f445e3946";
- hash = "sha256-6CkVvBRMsyAPBdkDBM1REJjM+3vs+ws/qCmQOfFInMw=";
- };
-
- patches = [
- # https://github.com/alexander-akhmetov/zt-tcp-relay/pull/19
- (fetchpatch {
- url = "https://github.com/alexander-akhmetov/zt-tcp-relay/commit/69f0a4f1f210dcd7a305036d4737d9a29215824d.patch";
- hash = "sha256-kqZS9IjwEggLE6CQFaacL2TyTUn0PQCz1TPdoZdDrk0=";
- })
- ];
-
- cargoHash = "sha256-MDygbJRi1aT4hfI7b2hwhYJ4UJyR1DehDAHDgbDZ35g=";
-
- meta = {
- description = "ZeroTier One TCP relay";
- homepage = "https://github.com/alexander-akhmetov/zt-tcp-relay";
- };
-}