authorKarel Kočí <cynerd@email.cz>2024-02-17 12:18:48 +0100
committerKarel Kočí <cynerd@email.cz>2024-02-17 12:18:48 +0100
commit9e7eca47bb3ddb6e88720cfcb28c995acbb072c1 (patch)
tree51391269780f8f7ce97284b8d79731f948756f30
parent6e3d6da59d310c50a61474824bd7a9f60a17187f (diff)
spt-omnia: deploy
-rw-r--r--flake.lock32
-rw-r--r--nixos/machine/spt-omnia.nix37
-rw-r--r--nixos/modules/develop.nix4
-rw-r--r--nixos/modules/generic.nix4
-rw-r--r--nixos/modules/syncthing.nix1
-rw-r--r--nixos/routers/router.nix145
6 files changed, 118 insertions, 105 deletions
diff --git a/flake.lock b/flake.lock
index 31aa83e..a88521c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -308,11 +308,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1707842204,
- "narHash": "sha256-M+HAq1qWQBi/gywaMZwX0odU+Qb/XeqVeANGKRBDOwU=",
+ "lastModified": 1708091350,
+ "narHash": "sha256-o28BJYi68qqvHipT7V2jkWxDiMS1LF9nxUsou+eFUPQ=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "f1b2f71c86a5b1941d20608db0b1e88a07d31303",
+ "rev": "106d3fec43bcea19cb2e061ca02531d54b542ce3",
"type": "github"
},
"original": {
@@ -426,11 +426,11 @@
},
"nixpkgs_4": {
"locked": {
- "lastModified": 1707877513,
- "narHash": "sha256-sp0w2apswd3wv0sAEF7StOGHkns3XUQaO5erhWFZWXk=",
+ "lastModified": 1708057191,
+ "narHash": "sha256-O3M5EGAeKZdEzfFIjqah0d8M44A4QCSVwvkbz4cbC2s=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "89653a03e0915e4a872788d10680e7eec92f8600",
+ "rev": "5e55f0bb65124b05d0a52e164514c03596023634",
"type": "github"
},
"original": {
@@ -440,11 +440,11 @@
},
"nixpkgs_5": {
"locked": {
- "lastModified": 1707885413,
- "narHash": "sha256-7Syfxjpmh8xBoxvLiGvKF5gNa8+U+5AeGD6/9vIRUno=",
+ "lastModified": 1708103068,
+ "narHash": "sha256-A3Itq2swJOJ9+RzcmHEA8Tpd8opWAVin3GchouNR8uk=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "4e91cd1c6859a363a34c837a50d97a9fb682fafa",
+ "rev": "607312f76ac46232b6f690748ff0383a2249af05",
"type": "github"
},
"original": {
@@ -530,11 +530,11 @@
},
"personal-secret": {
"locked": {
- "lastModified": 1707942813,
- "narHash": "sha256-P4yJViu9SAKrO0htZoBoY7G3+G6QKS3hXPYn80TesmI=",
+ "lastModified": 1708111656,
+ "narHash": "sha256-GXPsF79NePyUy4VoQIzU4gQNNcIqpvsimjV+4Mzqq+I=",
"ref": "refs/heads/master",
- "rev": "f07ae9c8bd6d9186b7cd10ad4f5bb5657128603d",
- "revCount": 87,
+ "rev": "37ce5a6415fd787fb272f52f30b4cb6a2976f096",
+ "revCount": 88,
"type": "git",
"url": "ssh://git@cynerd.cz/nixos-personal-secret"
},
@@ -812,11 +812,11 @@
},
"vpsadminos": {
"locked": {
- "lastModified": 1706035822,
- "narHash": "sha256-nGpoHvn/w24VjJtRdsRvxKOSEowUXEqGxsqaFmMgl/s=",
+ "lastModified": 1708015534,
+ "narHash": "sha256-IB+aVK43i5/+F3vAlR8UcasviCz1xSUaBC5JNXBD5RM=",
"owner": "vpsfreecz",
"repo": "vpsadminos",
- "rev": "b2db597146d9c7717da874712290cf9559086157",
+ "rev": "4f2f74ded6a6b1b9de6d45918dbe53073b9561c2",
"type": "github"
},
"original": {
diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix
index c0a6ec2..ac4ebdf 100644
--- a/nixos/machine/spt-omnia.nix
+++ b/nixos/machine/spt-omnia.nix
@@ -3,14 +3,19 @@
lib,
pkgs,
...
-}:
-with lib; {
+}: let
+ hosts = config.cynerd.hosts.spt;
+in {
config = {
cynerd = {
router = {
enable = true;
wan = "pppoe-wan";
- lanIP = config.cynerd.hosts.spt.omnia;
+ lanIP = hosts.omnia;
+ staticLeases = {
+ "a8:a1:59:10:32:c4" = hosts.errol;
+ "4c:d5:77:0d:85:d9" = hosts.binky;
+ };
};
wifiAP.spt = {
enable = true;
@@ -25,7 +30,7 @@ with lib; {
channel = 36;
};
};
- openvpn.oldpersonal = true;
+ #openvpn.oldpersonal = true;
monitoring.speedtest = true;
};
@@ -54,7 +59,7 @@ with lib; {
networkConfig = {
BindCarrier = "end2.848";
DHCP = "ipv6";
- IPv6AcceptRA = "yes";
+ IPv6AcceptRA = "no";
DHCPPrefixDelegation = "yes";
};
dhcpPrefixDelegationConfig = {
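Review bot: `IPv6AcceptRA = "no"` on this WAN-side network switches off router-advertisement processing while `DHCP = "ipv6"` and `DHCPPrefixDelegation = "yes"` stay on, and the pppd-options hunk further down removes `+ipv6` while keeping `defaultroute6`; neither line records why, and the commit message ("deploy") does not either. If the intent is that pppd installs the IPv6 default route and networkd only runs the DHCPv6 client for prefix delegation, say so next to the line, e.g. `IPv6AcceptRA = "no"; # default route comes from pppd (defaultroute6); networkd only does DHCPv6-PD here`. Whether IPV6CP is still negotiated with `+ipv6` gone depends on the pppd build's default for that protocol, so this is worth confirming on the deployed box rather than assuming. The enclosing network definition starts before this hunk.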
@@ -67,15 +72,15 @@ with lib; {
"lan-brlan" = {
matchConfig.Name = "lan*";
networkConfig.Bridge = "brlan";
- #bridgeVLANs = [
- # {
- # bridgeVLANConfig = {
- # EgressUntagged = 1;
- # PVID = 1;
- # };
- # }
- # {bridgeVLANConfig.VLAN = 2;}
- #];
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
};
};
};
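Review bot: The `lan*` match now tags VLAN 2 (the guest VLAN) on every wired LAN port in addition to untagged VLAN 1, so the guest segment is reachable from all wired ports, not only from wherever guest clients actually attach. If guest is meant for the Wi-Fi AP defined above and no wired device needs it, drop the `{bridgeVLANConfig.VLAN = 2;}` entry from this unit, or move it to a separate network unit matching only the port that carries guest traffic. I cannot see how the Wi-Fi interfaces are mapped onto the VLANs from this diff, so treat this as a question rather than a defect. A comment naming which VLAN is home and which is guest (`PVID = 1; # home, untagged` / `VLAN = 2; # guest, tagged`) would also help the next reader, since the ids are only given meaning in router.nix.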
@@ -88,7 +93,6 @@ with lib; {
lcp-echo-interval 1
lcp-echo-failure 5
lcp-echo-adaptive
- +ipv6
defaultroute
defaultroute6
usepeerdns
@@ -98,6 +102,9 @@ with lib; {
'';
};
systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"];
+ networking.firewall.extraForwardRules = ''
+ tcp flags syn tcp option maxseg size set rt mtu
+ '';
services.syncthing = {
enable = true;
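Review bot: The MSS clamp `tcp flags syn tcp option maxseg size set rt mtu` is unscoped, so it rewrites the MSS of every forwarded SYN, including home↔guest traffic where no PPPoE MTU reduction is involved; harmless with `rt mtu`, but scoping it to the WAN keeps it where it is needed, e.g. `oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "MSS clamp for PPPoE uplink"` (the interface name is the `wan` value set earlier in this file). The rule also deserves a one-line comment on why it exists, because `networking.firewall.extraForwardRules` is, as far as I recall, a `lines` option that merges with the guest-isolation rule router.nix adds in this same commit, so the two end up in one forward chain with no local hint of each other. The enclosing attribute set continues outside the hunk.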
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 97c54ee..3ef6ce6 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -90,7 +90,6 @@ in {
# Network
iperf3
- wireshark
inetutils
# Gtk
@@ -116,7 +115,7 @@ in {
# Images
imagemagick
];
- programs.wireshark.enable = true;
+ programs.wireshark.package = pkgs.wireshark;
documentation = {
dev.enable = true;
@@ -152,7 +151,6 @@ in {
"lxd"
"develop"
"libvirtd"
- "wireshark"
];
};
}
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index a3e8dd1..33d7024 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -121,7 +121,7 @@ in {
};
cynerd = {
group = "cynerd";
- extraGroups = ["users" "wheel" "dialout" "kvm" "uucp"];
+ extraGroups = ["users" "wheel" "dialout" "kvm" "uucp" "wireshark"];
uid = 1000;
subUidRanges = [
{
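Review bot: Adding `cynerd` to the `wireshark` group here, together with `wireshark.enable = true;` in the second hunk of this file, enables the capability-wrapped dumpcap (raw capture rights for group `wireshark`) on every host that imports generic.nix, including the router, whereas before this commit only develop.nix enabled it. If the goal is merely to use the GUI package on development machines, keep `programs.wireshark.enable = true;` in develop.nix next to the new `package` line and leave generic.nix untouched, or gate both the group membership and the enable on the same condition develop.nix uses. If capture on every host is intended, a comment such as `# capture rights everywhere, including routers — intentional` at the enable line would make that choice visible. The enclosing user definition starts before this hunk.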
@@ -155,6 +155,8 @@ in {
};
shellrc = true;
vim.defaultEditor = mkDefault true;
+
+ wireshark.enable = true;
};
security.sudo.extraRules = [
diff --git a/nixos/modules/syncthing.nix b/nixos/modules/syncthing.nix
index af6d957..b93ecdb 100644
--- a/nixos/modules/syncthing.nix
+++ b/nixos/modules/syncthing.nix
@@ -13,7 +13,6 @@
"errol"
"lipwig"
"ridcully"
- "susan"
"spt-omnia"
];
mediaDevices = [
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
index a3fc0c1..5aa6cc6 100644
--- a/nixos/routers/router.nix
+++ b/nixos/routers/router.nix
@@ -2,8 +2,8 @@
config,
lib,
...
-}:
-with lib; let
+}: let
+ inherit (lib) mkOption types mkIf mapAttrsToList;
cnf = config.cynerd.router;
in {
options = {
@@ -36,6 +36,14 @@ in {
default = 24;
description = "LAN IP network prefix length";
};
+ staticLeases = mkOption {
+ type = with types; attrsOf str;
+ default = {};
+ example = ''
+ {"xx:xx:xx:xx:xx:xx" = "10.8.1.30";}
+ '';
+ description = "Mapping of MAC address to IP address";
+ };
};
};
@@ -44,25 +52,21 @@ in {
useNetworkd = true;
nftables.enable = true;
firewall = {
+ logRefusedConnections = false;
interfaces = {
- "brlan" = {
- allowedUDPPorts = [53 67 68];
- allowedTCPPorts = [53];
- };
- #"guest" = {
- # allowedUDPPorts = [53 67 68];
- # allowedTCPPorts = [53];
- #};
+ "home" = {allowedUDPPorts = [67 68];};
+ "guest" = {allowedUDPPorts = [67 68];};
};
+ rejectPackets = true;
filterForward = true;
- #extraForwardRules = ''
- # iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access brlan"
- #'';
+ extraForwardRules = ''
+ iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access other networks"
+ '';
};
nat = {
enable = true;
externalInterface = cnf.wan;
- internalInterfaces = ["brlan"];
+ internalInterfaces = ["home" "guest"];
};
};
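Review bot: `logRefusedConnections = false;` turns off the kernel log of refused inbound connections on all interfaces, the WAN included, and `rejectPackets = true;` makes the router answer refused packets with a reject instead of dropping them silently; both change the visible behaviour of a WAN-facing host and neither carries a reason. If the motivation is journal noise from guest or WAN traffic, record it: `logRefusedConnections = false; # WAN/guest refusals flood the journal`, and consider whether rejecting (rather than dropping) on the WAN side is wanted. The guest isolation rule in `extraForwardRules` only covers forwarded traffic; traffic from guest to the router itself is bounded by the per-interface `allowedUDPPorts = [67 68]`, which is consistent with the DHCP server advertising 1.1.1.1 rather than the router as DNS, so that part looks right. The enclosing `networking` set continues outside the hunk.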
@@ -73,43 +77,38 @@ in {
Kind = "bridge";
Name = "brlan";
};
- #extraConfig = ''
- # [Bridge]
- # DefaultPVID=none
- # VLANFiltering=yes
- #'';
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ "home" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "home";
+ };
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
+ };
+ vlanConfig.Id = 2;
};
- #"home" = {
- # netdevConfig = {
- # Kind = "vlan";
- # Name = "home";
- # };
- # vlanConfig.Id = 1;
- #};
- #"guest" = {
- # netdevConfig = {
- # Kind = "vlan";
- # Name = "guest";
- # };
- # vlanConfig.Id = 2;
- #};
};
networks = {
"brlan" = {
matchConfig.Name = "brlan";
- #networkConfig.VLAN = ["home"];
- #bridgeVLANs = [
- # {
- # bridgeVLANConfig = {
- # EgressUntagged = 1;
- # PVID = 1;
- # };
- # }
- # {bridgeVLANConfig.VLAN = 2;}
- #];
- #};
- #"home" = {
- #matchConfig.Name = "home";
+ networkConfig.VLAN = ["home" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "home" = {
+ matchConfig.Name = "home";
networkConfig = {
Address = "${cnf.lanIP}/${toString cnf.lanPrefix}";
IPForward = "yes";
@@ -125,35 +124,43 @@ in {
EmitDNS = "yes";
DNS = "1.1.1.1";
};
+ dhcpServerStaticLeases =
+ mapAttrsToList (n: v: {
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = n;
+ Address = v;
+ };
+ })
+ cnf.staticLeases;
dhcpPrefixDelegationConfig = {
UplinkInterface = cnf.wan;
SubnetId = 1;
Announce = "yes";
};
};
- #"guest" = {
- # matchConfig.Name = "guest";
- # networkConfig = {
- # Address = "192.168.1.1/24";
- # IPForward = "yes";
- # DHCPServer = "yes";
- # DHCPPrefixDelegation = "yes";
- # IPv6SendRA = "yes";
- # IPv6AcceptRA = "no";
- # };
- # dhcpServerConfig = {
- # UplinkInterface = cnf.wan;
- # PoolOffset = cnf.dynIPStart;
- # PoolSize = cnf.dynIPCount;
- # EmitDNS = "yes";
- # DNS = "1.1.1.1";
- # };
- # dhcpPrefixDelegationConfig = {
- # UplinkInterface = cnf.wan;
- # SubnetId = 2;
- # Announce = "yes";
- # };
- #};
+ "guest" = {
+ matchConfig.Name = "guest";
+ networkConfig = {
+ Address = "192.168.1.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = cnf.wan;
+ PoolOffset = cnf.dynIPStart;
+ PoolSize = cnf.dynIPCount;
+ EmitDNS = "yes";
+ DNS = "1.1.1.1";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = cnf.wan;
+ SubnetId = 2;
+ Announce = "yes";
+ };
+ };
};
wait-online.anyInterface = true;
};
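Review bot: The guest network hard-codes `Address = "192.168.1.1/24";` while home is built from `cnf.lanIP`/`cnf.lanPrefix`, and nothing checks that the two subnets differ, so a machine whose `lanIP` falls in 192.168.1.0/24 would get overlapping routes; declaring guest address options next to `lanIP`/`lanPrefix` (same shape, different defaults) and using them here would keep the two networks symmetric. `dhcpServerStaticLeases` is applied only to the home network and only for DHCPv4, which the `staticLeases` option declared earlier in the file does not say; its description could read `"Mapping of MAC address to IPv4 address for static DHCPv4 leases on the home network"`, and `attrsOf str` accepts any string, so malformed values surface only as a networkd error at activation. Guest also reuses `cnf.dynIPStart`/`cnf.dynIPCount` for its pool, which is fine as long as those offsets are meant to be relative to each network's own address; a comment saying so would avoid a later reader assuming they are absolute. The enclosing `networks` set starts before this hunk.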