Zerotier Mesh VPN Service for secure P2P networking between machines
```nix
inventory.instances = {
  zerotier = {
    module = {
      name = "zerotier";
      input = "clan-core";
    };
    roles.peer.tags.all = { };
    roles.controller.machines.jon = { };
    roles.moon.machines.sara.settings.stableEndpoints = [ "77.52.165.46" ];
  };
};
```

The `input` must be named after the flake input that provides clan-core (here `clan-core`).
All machines are peers and join the zerotier network.
Jon is the controller machine, which accepts other machines into the network.
Sara is a moon and sets `stableEndpoints` to an IP address that is reachable from the public internet. The moon is optional.
This guide explains how to set up and manage a ZeroTier VPN for a clan network. Each VPN requires a single controller and can support multiple peers and optional moons for better connectivity.
The controller manages network membership and admits new peers. When a new machine is added to the clan, the controller must be redeployed so that it picks up the updated member list; otherwise the new machine is not admitted.
Moons are relay nodes with a stable, publicly reachable IP address. Peers that are not publicly reachable themselves (for example, behind NAT) can still join the VPN and reach each other by relaying traffic through a moon.
Peers are standard nodes in the VPN. They connect to other peers, moons, and the controller as needed.
The zerotier service has the following roles:

controller role

Extra machines, given by their zerotier IP, that the zerotier controller should accept. These could be external machines that are not part of the clan inventory. Only list machines you control: every address here is admitted to the network.

Type: list of string

Default: `[ ]`

Example: `[ "fd5d:bbe3:cbc5:fe6b:f699:935d:bbe3:cbc5" ]`

Declared in: clanServices/zerotier/default.nix

moon role

stableEndpoints: Make this machine a moon. Other machines can join this moon by adding it to their config. The moon will be reachable under the given stable endpoints, each an IP address optionally followed by `/port` (9993 is ZeroTier's default UDP port); the address and port must be reachable from the peers that should use the moon.

Type: list of string

Example: `[ "1.2.3.4" "10.0.0.3/9993" "2001:abcd:abcd::3/9993" ]`

Declared in: clanServices/zerotier/default.nix

peer role

The peer role has no configuration.
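The following is an added example, not part of the clan-core documentation or code, that combines the settings described above in one inventory: a controller that also admits an external machine, and a moon with an IPv4 and an IPv6 endpoint including the port. The machine names and addresses are made up, and the name of the controller option for extra members is an assumption (`allowedIps`); the page only describes the option, so confirm its name in clanServices/zerotier/default.nix before using it.

```nix
# Added example (not clan-core's own docs or code). Machine names and
# addresses are made up.
{
  inventory.instances = {
    zerotier = {
      module = {
        name = "zerotier";
        input = "clan-core";   # must match the name of your flake input
      };

      # Every machine in the inventory joins the network as a peer.
      roles.peer.tags.all = { };

      # Exactly one controller per network. It admits clan machines on deploy.
      # ASSUMPTION: the setting for extra members is called `allowedIps`;
      # the page documents the option but not its name, so check default.nix.
      # Each entry is admitted to the network, so list only machines you control.
      roles.controller.machines.jon.settings.allowedIps = [
        "fd5d:bbe3:cbc5:fe6b:f699:935d:bbe3:cbc5"  # external laptop (made-up ZeroTier IPv6)
      ];

      # Optional moon with an IPv4 and an IPv6 endpoint. "/9993" is the UDP
      # port; it must be reachable from the peers that should use the moon.
      roles.moon.machines.sara.settings.stableEndpoints = [
        "77.52.165.46/9993"
        "2001:abcd:abcd::3/9993"
      ];
    };
  };
}
```

After adding a machine to the inventory, redeploy the controller (here `jon`) as well as the new machine; the controller only admits members it knows about at deploy time, so deploying the new peer alone leaves it outside the network.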