NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Configure Zerotier devicemap #332165

Open jeslinmx opened 1 month ago

jeslinmx commented 1 month ago

Describe the bug

Zerotier networks can be joined declaratively, but the names of the interfaces created seem to be non-deducible from the network ID (and maybe non-deterministic?). This makes it challenging to address the Zerotier interface in other parts of the config, such as networking.firewall.interfaces.<name>.allowedTCPPortRanges.

There exists a mechanism to provide a key=value mapping of network IDs to interface names at /var/lib/zerotier-one/devicemap, although I can't seem to find any official documentation on this, only forum, GH, and SE posts referencing this functionality.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Join networks using services.zerotierone.joinNetworks.
  2. Try to reference the created interface in networking.firewall.interfaces.<name>.
  3. Be sad that there isn't a declarative way to obtain the interface name.

Expected behavior

Perhaps there should either be a services.zerotierone.devicemap attrset option, or, more intuitively, the joinNetworks option could be extended to allow <network-id>=<interface-name> entries, which would behave as a <network-id> entry currently does while also adding <network-id>=<interface-name> to /var/lib/zerotier-one/devicemap.

Notify maintainers

@sjmackenzie @zimbatm @ehmry @obadz @danielfullmer

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.40, NixOS, 24.05 (Uakari), 24.05.20240716.2af21f1`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.5`
 - nixpkgs: `/nix/store/fannjg1hnhs76s8sin8dnddiqnwv6dky-source`

danielfullmer commented 1 month ago

the names of the interfaces created seem to be non-deducible from the network ID (and maybe non-deterministic?)

There's actually a mapping from the network ID to the interface name as defined in the zerotier code under osdep/LinuxEthernetTap.cpp. It's deterministic except for the unlikely case of a name collision with another interface.

In case it's of interest to you, I had previously replicated this same logic in Nix in my personal configs, mostly for fun to see if I could do the hex math in Nix. See the ifrname function from: https://github.com/danielfullmer/nixos-config/blob/05222bb666808b3330f060f49c044161e4e24b0d/profiles/zerotier.nix#L2-L43
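As an added example (not the issue author's, the nixpkgs module's or ZeroTier's own code), the following Python reproduces the naming rule the comment above points at in osdep/LinuxEthernetTap.cpp: the 64-bit network ID is folded into 40 bits, encoded with ZeroTier's own base32 alphabet and prefixed with "zt", and a trial counter is added only if that name is already present under /sys/class/net. The fold, alphabet and retry rule are taken from a reading of that file and should be re-checked against the ZeroTier release actually deployed; the devicemap line format is assumed from the key=value description in this issue, and the network ID used as input is a constructed sample.

```python
"""Derive the Linux interface name ZeroTier picks for a network ID.

Port of the naming logic in ZeroTier's osdep/LinuxEthernetTap.cpp (assumed
from a reading of that file; verify against the deployed ZeroTier version).
"""
from typing import Iterable

# ZeroTier's custom base32 alphabet: a-z followed by 2-7, no padding.
_BASE32 = "abcdefghijklmnopqrstuvwxyz234567"

IFNAMSIZ = 16  # Linux interface-name limit including the NUL terminator


def _base32_5_to_8(raw: bytes) -> str:
    """Encode exactly 5 bytes (40 bits) as 8 base32 characters, MSB first."""
    if len(raw) != 5:
        raise ValueError("expected exactly 5 bytes")
    n = int.from_bytes(raw, "big")
    return "".join(_BASE32[(n >> (5 * i)) & 0x1F] for i in range(7, -1, -1))


def candidate_name(nwid: int, trial: int = 0) -> str:
    """Name ZeroTier would try for network `nwid` on retry number `trial`."""
    if not 0 <= nwid < (1 << 64):
        raise ValueError("network ID must fit in 64 bits")
    # Fold the high 24 bits into the low bits, add the collision counter and
    # keep only the low 40 bits (5 bytes -> 8 base32 characters).
    nwid40 = ((nwid ^ (nwid >> 24)) + trial) & 0xFFFFFFFFFF
    return "zt" + _base32_5_to_8(nwid40.to_bytes(5, "big"))


def interface_name(nwid_hex: str, existing: Iterable[str] = ()) -> str:
    """Resolve the name for a 16-hex-digit network ID.

    `existing` stands in for the /sys/class/net check ZeroTier performs: the
    trial counter is bumped until the candidate is not already in use, which
    is the only way the name can differ from the trial-0 value.
    """
    taken = set(existing)
    nwid = int(nwid_hex, 16)
    trial = 0
    while True:
        name = candidate_name(nwid, trial)
        if name not in taken:
            # "zt" + 8 characters = 10, always below IFNAMSIZ.
            assert len(name) < IFNAMSIZ
            return name
        trial += 1


def devicemap_entry(nwid_hex: str, name: str) -> str:
    """One key=value line for /var/lib/zerotier-one/devicemap (format as
    described in this issue), pinning an explicit name for a network."""
    if not name.isascii() or len(name) >= IFNAMSIZ:
        raise ValueError("interface name must be ASCII and shorter than IFNAMSIZ")
    return f"{nwid_hex.lower()}={name}"


if __name__ == "__main__":
    # Constructed sample input: a 16-hex-digit network ID.
    sample = "8056c2e21c000001"
    print(interface_name(sample))                   # ztmjfmfyq5
    print(interface_name(sample, {"ztmjfmfyq5"}))   # collision -> ztmjfmfyq6
    print(devicemap_entry(sample, "ztearth"))       # 8056c2e21c000001=ztearth
```

The trial-0 result is the string to use in networking.firewall.interfaces.<name> when no devicemap entry exists; the retry branch shows why a collision with a pre-existing interface of the same name would silently move the network to a different name, which is the case a devicemap pin protects against.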