terraform module for handling zerotier host address assignments

.sops.yaml

@@ -26,3 +26,7 @@ creation_rules:
       - *admin_m32
       age:
       - *host_nova
+  - path_regex: terraform/[^/]+.yml$
+    key_groups:
+    - pgp:
+      - *admin_m32

devShells/flake-module.nix

@@ -22,7 +22,7 @@
         pkgs.gnused
         pkgs.sops
         pkgs.jq
-        pkgs.terraform
+        pkgs.opentofu
       ] ++ pkgs.lib.optional (pkgs.stdenv.isLinux) pkgs.mkpasswd;
 
       shellHook = ''

hosts/nova.nix

@@ -26,5 +26,19 @@
     };
   };
 
+  conf.network.zerotier = {
+    enable = true;
+    networks = {
+      "35c192ce9b255366" = {
+        memberId = "1a284bc36f";
+        ipAssignments = [ "172.16.7.40" ];
+      };
+      "233ccaac27077fe3" = {
+        memberId = "1a284bc36f";
+        ipAssignments = [ "10.127.0.3" ];
+      };
+    };
+  };
+
   system.stateVersion = "24.05";
 }

hosts/phoenix.nix

@@ -42,5 +42,19 @@
     };
   };
 
+  conf.network.zerotier = {
+    enable = true;
+    networks = {
+      "35c192ce9b255366" = {
+        memberId = "ca4124f7f8";
+        ipAssignments = [ "172.16.7.66" ];
+      };
+      "233ccaac27077fe3" = {
+        memberId = "ca4124f7f8";
+        ipAssignments = [ "10.127.0.66" ];
+      };
+    };
+  };
+
   system.stateVersion = "22.11";
 }

modules/networking/zerotier.nix

@@ -1,12 +1,43 @@
-{ lib, ... }: {
-  services.zerotierone = {
-    enable = true;
-    joinNetworks = [
-      "35c192ce9b255366"
-      "233ccaac27077fe3"
-    ];
+{ lib, config, ... }:
+with lib;
+let cfg = config.conf.network.zerotier;
+in {
+  options = {
+    conf.network.zerotier = {
+      enable = mkEnableOption "conf zerotier module";
+      networks = mkOption {
+        description = "Configuration values for networks";
+        default = { };
+        type = types.attrsOf (types.submodule {
+          options = {
+            autoAssignAddr =
+              mkEnableOption "host IPv4/6 address auto assignment";
+
+            memberId = mkOption {
+              type = types.str;
+              description =
+                "Member id of the host NOTE: this does not set the member id";
+              default = "";
+            };
+
+            ipAssignments = mkOption {
+              type = types.listOf types.str;
+              description = "List of static addresses to assign to the host";
+            };
+          };
+        });
+      };
+
+    };
   };
 
-  nixpkgs.config.allowUnfreePredicate = pkg:
-    builtins.elem (lib.getName pkg) [ "zerotierone" ];
+  config = {
+    services.zerotierone = {
+      enable = cfg.enable;
+      joinNetworks = attrNames cfg.networks;
+    };
+
+    nixpkgs.config.allowUnfreePredicate = pkg:
+      builtins.elem (lib.getName pkg) [ "zerotierone" ];
+  };
 }

terraform/.gitignore

@@ -0,0 +1,3 @@
+*/.terraform/
+*/plan/
+*/terraform.tfstate

terraform/zerotier.yml

@@ -0,0 +1,26 @@
+zerotier_central_token: ENC[AES256_GCM,data:H1ZmDC+Z/8v91TvfUyco2m04IbhscvU7Vv1/9caBt/w=,iv:UT5hcfOW7auzkeK14JkR/f7TWzPWrI1oCR6HQ5Iz+XY=,tag:ZZIGOr+a0ye2PKAxn/vdVA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2025-02-08T19:11:20Z"
+    mac: ENC[AES256_GCM,data:RUXlT7WGl4VgpqhlipBucJEmg5xVOjVhK+g82zU2Z+YVr+KEO1MbVDIV1rJzFeYZUAYHufveZc/QElTCT8zv9uKnf6160tQYyCfAQbkqAJVaaamzJUmSAjvHRla/XiHrrpkBEY6XjWTjb+NVojemaqLIJ72eq81bBNED+rcV1Co=,iv:qNUc8ZDfcPqDrAIfMHb0CDjjBjYibsKrGqK+1MkuZak=,tag:nOlI7HIUsdJDQvP50rRzfA==,type:str]
+    pgp:
+        - created_at: "2025-02-08T19:07:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hMID6JCQHzRaiu8SBCMEAUMOAZpQDM00rWVMmZyyXGTtfT2P5tDeVJDzMRuLsJM7
+            ATN7HOpAup7TNFaNd39o4BDAb+pmkJO9i0bj9bLWwfetACMkhFHYZbRNgx29HzZq
+            u6y//h3t8GRvHpuToCtrUUiA5vDJ5pmyKgpETtoOqZisXajjM1mSG4E17bQkhyZ7
+            YNMXMIEK+LnkIvv/AWRBT6LD0xYlSZbnRyCovG6Sz8fHfNK00LiDfguXEcWx1eQM
+            mH95INJeAWClF70rg1vdhcf9gB9GG6qOp6nUBkzYe3lyjo92PceCwcpUCueJG3sI
+            qqD1e47pazkgyDH5rhIZsonmZZJp6TaXTyK2rewDsqwo5hQJ0JA9nfX+Fi9nhpWy
+            Iul9nw==
+            =RyOP
+            -----END PGP MESSAGE-----
+          fp: DE0FE946DDA34B3BD1F92D59E017B967AC29E321
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

terraform/zerotier/apply.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+export TF_VAR_host_netconfigurations=$(nix eval --json  .#nixosConfigurations --apply "builtins.mapAttrs (name: value: value.config.conf.network.zerotier.networks)")
+tofu plan -out plan
+tofu apply plan

terraform/zerotier/main.tf

@@ -0,0 +1,15 @@
+variable "host_netconfigurations" {
+  type = string
+}
+
+locals {
+  network_configs = flatten([for host, config in jsondecode(var.host_netconfigurations) : [for networkId, netconf in config : merge(netconf, { "networkId" = networkId, "host" = host })] if config != {}])
+}
+
+resource "zerotier_member" "host" {
+  for_each       = { for config in local.network_configs : "${config.memberId}-${config.networkId}" => config }
+  name           = each.value.host
+  member_id      = each.value.memberId
+  network_id     = each.value.networkId
+  ip_assignments = each.value.ipAssignments
+}

terraform/zerotier/providers.tf

@@ -0,0 +1,19 @@
+terraform {
+  required_providers {
+    zerotier = {
+      source  = "zerotier/zerotier"
+      version = "1.6.0"
+    }
+
+    sops = {
+      source = "carlpett/sops"
+    }
+  }
+}
+
+provider "sops" {}
+
+provider "zerotier" {
+  zerotier_central_token = data.sops_file.zerotier.data["zerotier_central_token"]
+}
+

terraform/zerotier/secrets.tf

@@ -0,0 +1,3 @@
+data "sops_file" "zerotier" {
+  source_file = "../zerotier.yml"
+}