feat: add zerotier extension to Talos

Makefile

@@ -103,6 +103,7 @@ TARGETS += v4l-uvc-drivers
 TARGETS += vmtoolsd-guest-agent
 TARGETS += wasmedge
 TARGETS += xen-guest-agent
+TARGETS += zerotier
 TARGETS += zfs
 NONFREE_TARGETS = nonfree-kmod-nvidia-lts
 NONFREE_TARGETS += nonfree-kmod-nvidia-production
@@ -249,4 +250,3 @@ release-notes: $(ARTIFACTS)
 conformance:
 	@docker pull $(CONFORMANCE_IMAGE)
 	@docker run --rm -it -v $(PWD):/src -w /src $(CONFORMANCE_IMAGE) enforce
-

network/vars.yaml

@@ -6,3 +6,5 @@ LLDPD_VERSION: 1.0.19
 CLOUDFLARED_VERSION: 2024.12.1
 # renovate: datasource=github-releases extractVersion=^v(?<version>.*)$ depName=slackhq/nebula
 NEBULA_VERSION: 1.9.5
+# renovate: datasource=github-releases depName=zerotier/ZeroTierOne
+ZEROTIER_VERSION: 1.14.2

network/zerotier/README.md

@@ -0,0 +1,60 @@
+# ZeroTier
+
+Adds https://zerotier.com network interfaces as system extensions.
+This means you can access your Talos nodes from machines you have configured
+with ZeroTier, creating a secure overlay network.
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Usage
+
+Configure the extension via `ExtensionServiceConfig` document.
+
+```yaml
+---
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: zerotier
+environment:
+  - ZEROTIER_NETWORK=<your network id>
+```
+
+Then apply the patch to your node's MachineConfigs
+
+```bash
+talosctl patch mc -p @zerotier-config.yaml
+```
+
+You can then verify that it is in place with the following command
+
+```bash
+talosctl get extensionserviceconfigs
+
+NODE          NAMESPACE   TYPE                     ID         VERSION
+mynode        runtime     ExtensionServiceConfig   zerotier   1
+```
+
+## Configuration
+
+The extension can be configured through environment variables:
+
+- `ZEROTIER_NETWORK`: The network ID to join (required)
+- `ZEROTIER_IDENTITY_SECRET`: Optional pre-existing identity to use (format: "address:0:public:private")
+
+### Using an existing identity
+
+If you want to maintain the same ZeroTier identity across rebuilds or different nodes, you can specify an existing identity:
+
+```yaml
+---
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: zerotier
+environment:
+  - ZEROTIER_NETWORK=<your network id>
+  - ZEROTIER_IDENTITY_SECRET=<identity string>
+```
+
+If no identity is provided, a new one will be generated automatically. (You may need to authorize this node in your Zerotier network according to your network policies before it will recieve an IP address).

network/zerotier/manifest.yaml

@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: zerotier
+  version: "$VERSION"
+  author: Hive Technologies
+  description: |
+    Connect your Talos cluster into a zerotier network
+  compatibility:
+    talos:
+      version: ">= v1.8.0"

network/zerotier/pkg.yaml

@@ -0,0 +1,47 @@
+name: zerotier
+variant: scratch
+shell: /bin/sh
+dependencies:
+  - stage: base
+  - stage: zerotier-wrapper
+steps:
+  - 
+    sources:
+      - url: https://github.com/zerotier/ZeroTierOne/archive/refs/tags/{{ .ZEROTIER_VERSION }}.tar.gz
+        destination: zerotier.tar.gz
+        sha256: c2f64339fccf5148a7af089b896678d655fbfccac52ddce7714314a59d7bddbb
+        sha512: 9d022afcf81543d6ee938219a3712da846fe895b0fd65cfd6ec8ed173f0e208516031b6d2303ab42fd21806d9ba5ff6fdb0d850a0cbb32b268d53accb093cdf5
+    env:
+      CXXFLAGS: '-Os -fstack-protector -std=c++17 -pthread'
+      LDFLAGS: '-static'
+    prepare:
+      - |
+        sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+      - |
+        tar -xzvf zerotier.tar.gz --strip-components=1
+    build:
+      - |
+        sed -i '2i #include <cmath>' ext/prometheus-cpp-lite-1.0/core/include/prometheus/text_serializer.h
+        make ONE_THREAD=1 ZT_SSO_SUPPORTED=0 STATIC=1 -j $(nproc)
+    install:
+      - |
+        mkdir -p /rootfs/usr/local/lib/containers/zerotier/usr/local/bin/
+        cp -pr zerotier-one /rootfs/usr/local/lib/containers/zerotier/usr/local/bin/
+        cp -pr /rootfs/usr/local/bin/zerotier-wrapper /rootfs/usr/local/lib/containers/zerotier/usr/local/bin/
+        chmod +x /rootfs/usr/local/lib/containers/zerotier/usr/local/bin/zerotier-*
+      - |
+        mkdir -p /rootfs/usr/local/etc/containers/zerotier/usr/local/etc/zerotier/state
+        cp /pkg/zerotier.yaml /rootfs/usr/local/etc/containers/
+    test:
+      - |
+        mkdir -p /extensions-validator-rootfs
+        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+      - |
+        [[ $(/rootfs/usr/local/lib/containers/zerotier/usr/local/bin/zerotier-one -v) == *{{ .ZEROTIER_VERSION }}* ]]
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /

network/zerotier/vars.yaml

@@ -0,0 +1 @@
+VERSION: "{{ .ZEROTIER_VERSION }}"

network/zerotier/zerotier-wrapper/go.mod

@@ -0,0 +1,5 @@
+module zerotier-wrapper
+
+go 1.23.0
+
+require golang.org/x/sys v0.30.0

network/zerotier/zerotier-wrapper/go.sum

@@ -0,0 +1,2 @@
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

network/zerotier/zerotier-wrapper/main.go

@@ -0,0 +1,163 @@
+package main
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+const (
+	zerotierPath    = "/var/lib/zerotier-one"
+	identityPath    = "/var/lib/zerotier-one/identity.secret"
+	identityPubPath = "/var/lib/zerotier-one/identity.public"
+	zerotierBinPath = "/usr/local/bin/zerotier-one"
+)
+
+func main() {
+	log.Printf("zerotier-wrapper: initializing...")
+
+	// Ensure the ZeroTier state directory exists.
+	if err := os.MkdirAll(zerotierPath, 0755); err != nil {
+		log.Fatalf("failed to create state directory: %v", err)
+	}
+
+	// Ensure identity configuration.
+	identitySource, err := ensureIdentity()
+	if err != nil {
+		log.Fatalf("identity configuration failed: %v", err)
+	}
+	log.Printf("identity configured (source: %s)", identitySource)
+
+	// If ZEROTIER_NETWORK env var is set, join the network.
+	if network := os.Getenv("ZEROTIER_NETWORK"); network != "" {
+		log.Printf("joining network %s", network)
+		if err := joinNetwork(network); err != nil {
+			log.Fatalf("failed to join network: %v", err)
+		}
+		log.Printf("joined network %s", network)
+	}
+
+	// Start zerotier-one process.
+	if err := unix.Exec(zerotierBinPath, []string{zerotierBinPath, "-U", zerotierPath}, os.Environ()); err != nil {
+		log.Fatalf("error executing zerotier-one: %v", err)
+	}
+}
+
+// ensureIdentity checks for an existing identity file, validates it if found,
+// or else uses the identity from the ZEROTIER_IDENTITY_SECRET environment variable (after validation)
+// or generates a new one using "zerotier-one -i generate".
+func ensureIdentity() (string, error) {
+	// If the identity file exists, validate its contents.
+	if _, err := os.Stat(identityPath); err == nil {
+		data, err := os.ReadFile(identityPath)
+		if err != nil {
+			return "", fmt.Errorf("failed to read existing identity: %w", err)
+		}
+		identity := strings.TrimSpace(string(data))
+		log.Printf("found existing identity at %s, validating...", identityPath)
+		if err := validateIdentity(identity); err != nil {
+			return "", fmt.Errorf("existing identity failed validation: %w", err)
+		}
+		log.Printf("existing identity validated")
+		return "existing", nil
+	} else if !errors.Is(err, os.ErrNotExist) {
+		return "", fmt.Errorf("failed to stat identity file: %w", err)
+	}
+
+	// Check for identity in environment.
+	if identity := os.Getenv("ZEROTIER_IDENTITY_SECRET"); identity != "" {
+		log.Printf("found identity in ZEROTIER_IDENTITY_SECRET environment variable, validating...")
+		if err := validateIdentity(identity); err != nil {
+			return "", fmt.Errorf("environment identity invalid: %w", err)
+		}
+		log.Printf("environment identity validated")
+		if err := writeIdentity(identity); err != nil {
+			return "", fmt.Errorf("failed to write identity from environment: %w", err)
+		}
+		return "environment", nil
+	}
+
+	// Generate a new identity using "zerotier-one -i generate".
+	log.Printf("generating new identity using zerotier-one -i generate")
+	cmd := exec.Command(zerotierBinPath, "-i", "generate")
+	var out bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return "", fmt.Errorf("failed to generate identity: %w", err)
+	}
+	identity := strings.TrimSpace(out.String())
+	if err := validateIdentity(identity); err != nil {
+		return "", fmt.Errorf("generated identity failed validation: %w", err)
+	}
+	if err := writeIdentity(identity); err != nil {
+		return "", fmt.Errorf("failed to write generated identity: %w", err)
+	}
+	return "generated", nil
+}
+
+// validateIdentity runs "zerotier-one -i validate <identity>" to ensure the identity is valid.
+func validateIdentity(identity string) error {
+	cmd := exec.Command(zerotierBinPath, "-i", "validate", identity)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("identity validation failed: %w", err)
+	}
+	return nil
+}
+
+// writeIdentity writes the complete identity string (all four parts) to identity.secret,
+// while writing only the first three parts (separated by ':') to identity.public.
+func writeIdentity(identity string) error {
+	parts := strings.Split(identity, ":")
+	if len(parts) != 4 {
+		return fmt.Errorf("invalid identity format: expected 4 parts, got %d", len(parts))
+	}
+
+	// Write the secret identity file with the full identity.
+	if err := os.WriteFile(identityPath, []byte(identity), 0600); err != nil {
+		return fmt.Errorf("failed to write secret identity: %w", err)
+	}
+	log.Printf("wrote secret identity to %s", identityPath)
+
+	// Write the public identity file with only the first 3 parts.
+	public := strings.Join(parts[:3], ":")
+	if err := os.WriteFile(identityPubPath, []byte(public), 0644); err != nil {
+		return fmt.Errorf("failed to write public identity: %w", err)
+	}
+	log.Printf("wrote public identity to %s", identityPubPath)
+
+	return nil
+}
+
+// joinNetwork creates a config file for the relevant network if it doesn't already exist.
+// This is typically done while the service is running via `zerotier-one -q join <network>`,
+// however this just creates an empty file with the network name, so we do that instead.
+func joinNetwork(network string) error {
+	networkConfDir := filepath.Join(zerotierPath, "networks.d")
+	if err := os.MkdirAll(networkConfDir, 0755); err != nil {
+		return fmt.Errorf("failed to create networks.d directory: %w", err)
+	}
+	networkConfFile := filepath.Join(networkConfDir, network+".conf")
+
+	file, err := os.OpenFile(networkConfFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0644)
+	if err != nil {
+		if os.IsExist(err) {
+			log.Printf("network configuration file %s already exists", networkConfFile)
+			return nil
+		}
+		return fmt.Errorf("failed to create network conf file: %w", err)
+	}
+	defer file.Close()
+
+	log.Printf("created network configuration file %s", networkConfFile)
+	return nil
+}

network/zerotier/zerotier-wrapper/pkg.yaml

@@ -0,0 +1,29 @@
+name: zerotier-wrapper
+variant: scratch
+shell: /bin/bash
+dependencies:
+  - stage: base
+steps:
+  - env:
+      GOPATH: /tmp/go
+  - cachePaths:
+      - /.cache/go-build
+      - /tmp/go/pkg
+  - network: default
+    prepare:
+      - |
+        cp -r /pkg/* .
+      - |
+        go mod download
+  - network: none
+    build:
+    - |
+      CGO_ENABLED=0 go build -o zerotier-wrapper main.go
+    install:
+    - |
+      mkdir -p /rootfs/usr/local/bin
+
+      cp zerotier-wrapper /rootfs/usr/local/bin/zerotier-wrapper
+finalize:
+  - from: /rootfs
+    to: /rootfs

network/zerotier/zerotier.yaml

@@ -0,0 +1,29 @@
+name: zerotier
+depends:
+  - service: cri
+  - network:
+    - addresses
+    - connectivity
+    - etcfiles
+  - configuration: true
+container:
+  entrypoint: /usr/local/bin/zerotier-wrapper
+  security:
+    writeableRootfs: false
+    writeableSysfs: true
+  mounts:
+  # Zerotier needs to write to this to create the interfaces
+  - source: /dev/net/tun
+    destination: /dev/net/tun
+    type: bind
+    options:
+      - bind
+      - rw
+  # Zerotier state
+  - source: /var/lib/zerotier-one
+    destination: /var/lib/zerotier-one
+    type: bind
+    options:
+      - bind
+      - rw
+restart: always