authorKarel Kočí <cynerd@email.cz>2024-01-27 13:20:03 +0100
committerKarel Kočí <cynerd@email.cz>2024-01-27 13:20:03 +0100
commitc1a76b4403edcf5e2a147d68b7bbdf1c33ac95ef (patch)
tree95b00eb500c49c3358b3f736eae9cfe9165f354a
parent6b0bc35f83a14ee9f9a34e1af782f1ef4c363d6e (diff)
downloadnixos-personal-c1a76b4403edcf5e2a147d68b7bbdf1c33ac95ef.tar.gz
nixos-personal-c1a76b4403edcf5e2a147d68b7bbdf1c33ac95ef.tar.bz2
nixos-personal-c1a76b4403edcf5e2a147d68b7bbdf1c33ac95ef.zip
Rework routers to use systemd-networkd
-rw-r--r--flake.lock70
-rw-r--r--flake.nix2
-rw-r--r--nixos/configurations.nix1
-rw-r--r--nixos/machine/adm-omnia.nix68
-rw-r--r--nixos/machine/adm-omnia2.nix42
-rw-r--r--nixos/machine/spt-mox.nix43
-rw-r--r--nixos/machine/spt-mox2.nix52
-rw-r--r--nixos/machine/spt-omnia.nix67
-rw-r--r--nixos/machine/spt-omniax.nix57
-rw-r--r--nixos/modules/develop.nix1
-rw-r--r--nixos/modules/generic.nix2
-rw-r--r--nixos/modules/home-assistant.nix1
-rw-r--r--nixos/routers/default.nix1
-rw-r--r--nixos/routers/router.nix237
-rw-r--r--nixos/routers/switch.nix65
-rw-r--r--nixos/routers/wifi-adm.nix85
-rw-r--r--nixos/routers/wifi-spt.nix186
17 files changed, 580 insertions, 400 deletions
diff --git a/flake.lock b/flake.lock
index f3dbd84..09ec32f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -182,7 +182,7 @@
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
@@ -213,11 +213,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
- "lastModified": 1705325727,
- "narHash": "sha256-1/MgywK8kH2h9GFbGbIH/rxWN+EtXF8CV75rorGJehU=",
+ "lastModified": 1706200622,
+ "narHash": "sha256-mOB5Awr2w4zzk3sZC8cIRuO3lFPS6zls6YkAVXWqy+k=",
"ref": "refs/heads/master",
- "rev": "155db0a014aa4687664fa17afb2a7d0fb2d409a4",
- "revCount": 3448,
+ "rev": "ede7f6273fc193672d80b55638da449821168cf0",
+ "revCount": 3462,
"submodules": true,
"type": "git",
"url": "https://gitlab.elektroline.cz/elektroline/flatlineng.git"
@@ -255,11 +255,11 @@
"nixpkgs": "nixpkgs_8"
},
"locked": {
- "lastModified": 1704892530,
- "narHash": "sha256-sUs/yddB+UXjxAvMiXVgoy4UidLHqPOiUlbeg0cr+Ao=",
+ "lastModified": 1705505951,
+ "narHash": "sha256-9AK1KZr0enr02k6OLfb3qODxKzkEKpNePwGrYrSiyIw=",
"ref": "refs/heads/master",
- "rev": "fc7d59911023c4cdc7d6af7e39047367e8e2b883",
- "revCount": 2395,
+ "rev": "a2a4ffd904113d3e2208843efe06f2d8914d81c0",
+ "revCount": 2399,
"submodules": true,
"type": "git",
"url": "https://github.com/silicon-heaven/libshv.git"
@@ -291,11 +291,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1705312285,
- "narHash": "sha256-rd+dY+v61Y8w3u9bukO/hB55Xl4wXv4/yC8rCGVnK5U=",
+ "lastModified": 1706182238,
+ "narHash": "sha256-Ti7CerGydU7xyrP/ow85lHsOpf+XMx98kQnPoQCSi1g=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "bee2202bec57e521e3bd8acd526884b9767d7fa0",
+ "rev": "f84eaffc35d1a655e84749228cde19922fcf55f1",
"type": "github"
},
"original": {
@@ -377,11 +377,11 @@
},
"nixpkgs_4": {
"locked": {
- "lastModified": 1705429789,
- "narHash": "sha256-7gQju9WiToi7wI6oahTXiqwJu2RZoV0cg8OGa9YhEvw=",
+ "lastModified": 1706184243,
+ "narHash": "sha256-osj5MPUOCau0/ASS8SnXZ/fwJOjWfrZp3/0QvG6P0Gk=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "cc3ab0e45687d15cb21663a95f5a53a05abd39e4",
+ "rev": "03cd3a6324af183a660a67a14675989934ece970",
"type": "github"
},
"original": {
@@ -420,11 +420,11 @@
},
"nixpkgs_7": {
"locked": {
- "lastModified": 1705242415,
- "narHash": "sha256-a8DRYrNrzTudvO7XHUPNJD89Wbf1ZZT0VbwCsPnHWaE=",
+ "lastModified": 1705566941,
+ "narHash": "sha256-CLNtVRDA8eUPk+bxsCCZtRO0Cp+SpHdn1nNOLoFypLs=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "ea780f3de2d169f982564128804841500e85e373",
+ "rev": "b06ff4bf8f4ad900fe0c2a61fc2946edc3a84be7",
"type": "github"
},
"original": {
@@ -448,11 +448,11 @@
},
"nixpkgs_9": {
"locked": {
- "lastModified": 1705242415,
- "narHash": "sha256-a8DRYrNrzTudvO7XHUPNJD89Wbf1ZZT0VbwCsPnHWaE=",
+ "lastModified": 1705566941,
+ "narHash": "sha256-CLNtVRDA8eUPk+bxsCCZtRO0Cp+SpHdn1nNOLoFypLs=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "ea780f3de2d169f982564128804841500e85e373",
+ "rev": "b06ff4bf8f4ad900fe0c2a61fc2946edc3a84be7",
"type": "github"
},
"original": {
@@ -481,11 +481,11 @@
},
"personal-secret": {
"locked": {
- "lastModified": 1705173603,
- "narHash": "sha256-tiLrqR3MwF0JkbRpNz40whaIDUY8Yh53aWu9o3atRMw=",
+ "lastModified": 1705580312,
+ "narHash": "sha256-xUCP+q1bJkkuHBe6v1GGRTB9LtOuo77EZDaiZ4YHkFc=",
"ref": "refs/heads/master",
- "rev": "99c21ea7ead2203ead5b9d625a39efaf09affda4",
- "revCount": 82,
+ "rev": "d91936caaea514e727e5727bdedd62f2a206dcad",
+ "revCount": 83,
"type": "git",
"url": "ssh://git@cynerd.cz/nixos-personal-secret"
},
@@ -501,16 +501,15 @@
"nixpkgs": "nixpkgs_9"
},
"locked": {
- "lastModified": 1705325629,
- "narHash": "sha256-WipDjHJlxFZCZQVu+b3tLiP7PFzYvNo2+FGl/p8yMF0=",
+ "lastModified": 1705600354,
+ "narHash": "sha256-zJ0JMQe5qOIGYwZAR4B7KTow/cF+rQhyuZr/1n4sxLQ=",
"owner": "elektroline-predator",
"repo": "pyshv",
- "rev": "2f3d513d8633ee82639911b97e18389643994229",
+ "rev": "71d5af3f93e5ee8657c6695c723fab78de47cca9",
"type": "gitlab"
},
"original": {
"owner": "elektroline-predator",
- "ref": "multiple-tweaks",
"repo": "pyshv",
"type": "gitlab"
}
@@ -558,16 +557,15 @@
"pyshv": "pyshv"
},
"locked": {
- "lastModified": 1705325793,
- "narHash": "sha256-5x1ygdoN+h5aR/wxD+lwF3k/fHQJ5wYMSF/O6Qekjgk=",
+ "lastModified": 1705605949,
+ "narHash": "sha256-Iew8BK+5wPIRSef2gAgqoETDddP/aLEeTml3aX2OU4o=",
"owner": "silicon-heaven",
"repo": "shvcli",
- "rev": "f67bd6bc8d5b42b03f67c3bc76033577ac675593",
+ "rev": "acfb114fff62138fa99fbb03b2a901541ca05dfb",
"type": "github"
},
"original": {
"owner": "silicon-heaven",
- "ref": "indent-cpon",
"repo": "shvcli",
"type": "github"
}
@@ -749,11 +747,11 @@
},
"vpsadminos": {
"locked": {
- "lastModified": 1705262735,
- "narHash": "sha256-Sfb+/odQov3In5ZtTnaXgQesOIigeoTs7deKjjAFxDs=",
+ "lastModified": 1706035822,
+ "narHash": "sha256-nGpoHvn/w24VjJtRdsRvxKOSEowUXEqGxsqaFmMgl/s=",
"owner": "vpsfreecz",
"repo": "vpsadminos",
- "rev": "915fbcedfdb6eb19ab370344e5d72ba78a82bfef",
+ "rev": "b2db597146d9c7717da874712290cf9559086157",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index b062e82..8e3c2bb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,7 +9,7 @@
agenix.url = "github:ryantm/agenix";
shvspy.url = "git+https://github.com/silicon-heaven/shvspy.git?submodules=1";
flatline.url = "git+https://gitlab.elektroline.cz/elektroline/flatlineng.git?submodules=1";
- shvcli.url = "github:silicon-heaven/shvcli/indent-cpon";
+ shvcli.url = "github:silicon-heaven/shvcli";
nixturris.url = "gitlab:cynerd/nixturris";
nixbigclown.url = "github:cynerd/nixbigclown";
diff --git a/nixos/configurations.nix b/nixos/configurations.nix
index 2fa2261..47f6ce2 100644
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@@ -114,6 +114,7 @@ in
// beagleboneSystem "gaspode"
// turrisMoxSystem "dean"
// turrisOmniaSystem "spt-omnia"
+ // turrisOmniaSystem "spt-omniax"
// turrisMoxSystem "spt-mox"
// turrisMoxSystem "spt-mox2"
// turrisOmniaSystem "adm-omnia"
diff --git a/nixos/machine/adm-omnia.nix b/nixos/machine/adm-omnia.nix
index fd6d654..088481f 100644
--- a/nixos/machine/adm-omnia.nix
+++ b/nixos/machine/adm-omnia.nix
@@ -9,7 +9,7 @@ with lib; {
cynerd = {
router = {
enable = true;
- wan = "end2"; # TODO pppoe-wan
+ wan = "pppoe-wan";
lanIP = config.cynerd.hosts.adm.omnia;
};
wifiAP.adm = {
@@ -21,8 +21,53 @@ with lib; {
monitoring.speedtest = true;
};
+ networking.useDHCP = false;
+ systemd.network = {
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ #networkConfig = {
+ # DHCP = "ipv6";
+ # IPv6AcceptRA = "yes";
+ # DHCPPrefixDelegation = "yes";
+ #};
+ #dhcpPrefixDelegationConfig = {
+ # UplinkInterface = ":self";
+ # SubnetId = 0;
+ # Announce = "no";
+ #};
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan[1-4]";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "lan0-guest" = {
+ matchConfig.Name = "lan0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ };
+ };
+
services.pppd = {
- enable = false;
+ enable = true;
peers."wan".config = ''
plugin pppoe.so end2
ifname pppoe-wan
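Review bot: Switching `services.pppd.enable` to `true` activates a `peers."wan".config` that embeds the PPPoE credentials inline (the `password` line is visible in the next hunk), and that option text is rendered into the Nix store, which is world-readable on the router. The rest of this repository keeps Wi-Fi secrets out of the store via `wpaPasswordFile = "/run/secrets/..."`; the pppd equivalent is to keep only `plugin pppoe.so end2` / `ifname pppoe-wan` here and pull the credential options in at runtime with `file /run/secrets/pppd-wan` provisioned by agenix. The commented-out IPv6/prefix-delegation block under `end2` is presumably parked while PPPoE is brought up; a `# TODO: IPv6 over PPPoE` line would stop it reading as dead config.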
@@ -38,23 +83,6 @@ with lib; {
password 02
'';
};
- #systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"];
-
- environment.systemPackages = [pkgs.tcpdump];
-
- networking = {
- useNetworkd = true;
- useDHCP = false;
- };
- systemd.network.networks = {
- "lan-brlan" = {
- matchConfig.Name = "lan[1-4]";
- networkConfig.Bridge = "brlan";
- };
- "lan0-brguest" = {
- matchConfig.Name = "lan0";
- networkConfig.Bridge = "brguest";
- };
- };
+ systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"];
};
}
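Review bot: `systemd.services."pppd-wan".after = [...]` only orders the unit against the device; it neither pulls the device in nor ties pppd's lifetime to it, so on a boot where `end2` is probed late pppd presumably still starts at once and fails on the missing interface. If the aim is to make pppd wait for `end2`, pair the ordering with a dependency, e.g. `systemd.services."pppd-wan".bindsTo = ["sys-subsystem-net-devices-end2.device"];` (or `wants` if a missing NIC should not stop the unit). Dropping the `pkgs.tcpdump` debugging package from this host is fine.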
diff --git a/nixos/machine/adm-omnia2.nix b/nixos/machine/adm-omnia2.nix
index 7673ecf..31aecab 100644
--- a/nixos/machine/adm-omnia2.nix
+++ b/nixos/machine/adm-omnia2.nix
@@ -7,6 +7,11 @@
with lib; {
config = {
cynerd = {
+ switch = {
+ enable = true;
+ lanAddress = "${config.cynerd.hosts.adm.omnia2}/24";
+ lanGateway = config.cynerd.hosts.adm.omnia;
+ };
wifiAP.adm = {
enable = true;
ar9287.interface = "wlp2s0";
@@ -15,28 +20,23 @@ with lib; {
};
networking = {
- vlans = {
- "brlan.guest" = {
- interface = "brlan";
- id = 2; # TODO later use 100
- };
- };
- bridges = {
- brlan.interfaces = ["end2" "lan0" "lan1" "lan2" "lan3" "lan4"];
- brguest.interfaces = ["brlan.guest"];
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network.networks = {
+ "lan-brlan" = {
+ matchConfig.Name = "lan* eth0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
};
- interfaces.brlan.ipv4.addresses = [
- {
- address = config.cynerd.hosts.adm.omnia2;
- prefixLength = 24;
- }
- ];
- defaultGateway = config.cynerd.hosts.adm.omnia;
- nameservers = ["1.1.1.1" "8.8.8.8"];
- dhcpcd.allowInterfaces = [];
};
-
- # TODO: ubootTools build is broken!
- firmware.environment.enable = false;
};
}
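Review bot: The new match `matchConfig.Name = "lan* eth0"` does not cover `end2`, which the removed `brlan.interfaces` list bridged as this switch's uplink, while the other Turris hosts in this commit match the DSA conduit as `end0`/`end2` (e.g. `lan* end0` in spt-mox.nix). If `eth0` is not a real interface on this Omnia, `brlan` ends up with no uplink and the host becomes unreachable after deploy; verify with `networkctl list` on the box and most likely change it to `lan* end2`. Separately, removing `firmware.environment.enable = false` together with its "ubootTools build is broken" TODO is unrelated to the networkd rework; if the build is fixed that deserves a line in the commit message, otherwise the override should stay.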
diff --git a/nixos/machine/spt-mox.nix b/nixos/machine/spt-mox.nix
index accd963..452b187 100644
--- a/nixos/machine/spt-mox.nix
+++ b/nixos/machine/spt-mox.nix
@@ -9,38 +9,39 @@ with lib; {
config = {
cynerd = {
home-assistant = true;
+ switch = {
+ enable = true;
+ lanAddress = "${config.cynerd.hosts.spt.mox}/24";
+ lanGateway = config.cynerd.hosts.spt.omnia;
+ };
wifiAP.spt = {
enable = true;
qca988x = {
interface = "wls1";
+ bssids = ["04:f0:21:24:24:d2" "08:f0:21:24:24:d2"];
channel = 7;
};
};
};
networking = {
- vlans = {
- "brlan.guest" = {
- id = 2;
- interface = "brlan";
- };
- };
- bridges = {
- brlan.interfaces = ["eth0" "lan1" "lan2" "lan3" "lan4"];
- brguest.interfaces = ["brlan.guest"];
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network.networks = {
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
};
- interfaces.brlan.ipv4.addresses = [
- {
- address = config.cynerd.hosts.spt.mox;
- prefixLength = 24;
- }
- ];
- defaultGateway = config.cynerd.hosts.spt.omnia;
- nameservers = ["1.1.1.1" "8.8.8.8"];
- dhcpcd.allowInterfaces = [];
};
-
- # TODO: ubootTools build is broken!
- firmware.environment.enable = false;
};
}
diff --git a/nixos/machine/spt-mox2.nix b/nixos/machine/spt-mox2.nix
index 4d1a148..cf94798 100644
--- a/nixos/machine/spt-mox2.nix
+++ b/nixos/machine/spt-mox2.nix
@@ -7,45 +7,39 @@
with lib; {
config = {
cynerd = {
+ switch = {
+ enable = true;
+ lanAddress = "${config.cynerd.hosts.spt.mox2}/24";
+ lanGateway = config.cynerd.hosts.spt.omnia;
+ };
wifiAP.spt = {
enable = true;
qca988x = {
interface = "wls1";
- channel = 7;
+ bssids = ["04:f0:21:45:d3:47" "08:f0:21:45:d3:47"];
+ channel = 1;
};
};
};
- swapDevices = [
- {
- device = "/dev/disk/by-partlabel/NixTurrisSwap";
- priority = 1;
- }
- ];
-
networking = {
- vlans = {
- "brlan.guest" = {
- id = 2;
- interface = "brlan";
- };
- };
- bridges = {
- brlan.interfaces = ["eth0"];
- brguest.interfaces = ["brlan.guest"];
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network.networks = {
+ "lan-brlan" = {
+ matchConfig.Name = "end0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
};
- interfaces.brlan.ipv4.addresses = [
- {
- address = config.cynerd.hosts.spt.mox2;
- prefixLength = 24;
- }
- ];
- defaultGateway = config.cynerd.hosts.spt.omnia;
- nameservers = ["1.1.1.1" "8.8.8.8"];
- dhcpcd.allowInterfaces = [];
};
-
- # TODO: ubootTools build is broken!
- firmware.environment.enable = false;
};
}
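Review bot: Removing the `swapDevices` entry for `/dev/disk/by-partlabel/NixTurrisSwap` is unrelated to the networkd rework and is not mentioned in the commit message; if the partition is gone a short note would explain it, otherwise this belongs in its own commit. The networking part of the hunk (`bssids`, `channel = 1`, VLAN-aware `brlan` membership on `end0`) follows the same shape as spt-mox.nix.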
diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix
index bf72a6e..15cabb6 100644
--- a/nixos/machine/spt-omnia.nix
+++ b/nixos/machine/spt-omnia.nix
@@ -14,18 +14,68 @@ with lib; {
};
wifiAP.spt = {
enable = true;
- ar9287.interface = "wlp3s0";
- qca988x.interface = "wlp2s0";
+ ar9287 = {
+ interface = "wlp3s0";
+ bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"];
+ channel = 13;
+ };
+ qca988x = {
+ interface = "wlp2s0";
+ bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"];
+ channel = 36;
+ };
};
openvpn.oldpersonal = true;
monitoring.speedtest = true;
};
- networking.vlans."end2.848" = {
- id = 848;
- interface = "end2";
+ networking.useDHCP = false;
+ systemd.network = {
+ netdevs = {
+ "end2.848" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "end2.848";
+ };
+ vlanConfig.Id = 848;
+ };
+ };
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig.VLAN = ["end2.848"];
+ };
+ "end2.848" = {
+ matchConfig.Name = "end2.848";
+ networkConfig = {
+ BindCarrier = "end2";
+ #DHCP = "ipv6";
+ #IPv6AcceptRA = "yes";
+ #DHCPPrefixDelegation = "yes";
+ };
+ #dhcpPrefixDelegationConfig = {
+ # UplinkInterface = ":self";
+ # SubnetId = 0;
+ # Announce = "no";
+ #};
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ };
};
- # TODO pppd service requires end2.848 interface
+
services.pppd = {
enable = true;
peers."wan".config = ''
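Review bot: `linkConfig.RequiredForOnline = "routable"` on `end2.848` can never be satisfied: the interface has no address configuration (the DHCP/RA lines are commented out) and only carries the PPPoE session, so it will not reach `routable`. This is masked because router.nix sets `wait-online.anyInterface = true`, but the setting should describe the interface's real role, e.g. `linkConfig.RequiredForOnline = "carrier";`. The parked IPv6 prefix-delegation block is duplicated in adm-omnia.nix; a one-line `# TODO: IPv6 over PPPoE` comment in both would say why it is kept.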
@@ -43,10 +93,7 @@ with lib; {
password metronet
'';
};
-
- networking.bridges = {
- brlan.interfaces = ["lan0" "lan1" "lan2" "lan3" "lan4"];
- };
+ systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"];
services.syncthing = {
enable = true;
diff --git a/nixos/machine/spt-omniax.nix b/nixos/machine/spt-omniax.nix
new file mode 100644
index 0000000..9bdc3d3
--- /dev/null
+++ b/nixos/machine/spt-omniax.nix
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; {
+ config = {
+ cynerd = {
+ router = {
+ enable = true;
+ wan = "end2";
+ lanIP = "192.168.2.1";
+ };
+ wifiAP.spt = {
+ enable = true;
+ ar9287.interface = "wlp3s0";
+ qca988x.interface = "wlp2s0";
+ };
+ monitoring.speedtest = true;
+ };
+
+ networking.useDHCP = false;
+ systemd.network = {
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig = {
+ BindCarrier = "end2";
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ DHCPPrefixDelegation = "yes";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 1826e36..97c54ee 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -28,7 +28,6 @@ in {
cloc
openssl
tio
- parted
vim-vint
nodePackages.vim-language-server
ctags
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index f2a0d3b..e8cc563 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -63,6 +63,7 @@ in {
usbutils
pciutils
smartmontools
+ parted
# NCurses tools
htop
@@ -92,6 +93,7 @@ in {
wakeonlan
speedtest-cli
librespeed-cli
+ termshark
lm_sensors
]
diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix
index e55533e..862b31c 100644
--- a/nixos/modules/home-assistant.nix
+++ b/nixos/modules/home-assistant.nix
@@ -123,6 +123,7 @@ in {
};
systemd.services.telegraf.wants = ["mosquitto.service"];
+ #nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO
services.home-assistant = {
enable = false;
openFirewall = true;
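Review bot: The parked `#nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO` records an intent to allow an OpenSSL branch that nixpkgs marks insecure, and because it is a nixpkgs-wide setting it would whitelist that library for every package on the host, not only Home Assistant. If it is ever uncommented, scope it to the single dependency that needs it (or override that package) and record which input pulls it in; rewording the line to `# TODO: a home-assistant dependency still needs openssl 1.1; do not permit it globally` would make the risk explicit for the next reader.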
diff --git a/nixos/routers/default.nix b/nixos/routers/default.nix
index ab64316..dfc1266 100644
--- a/nixos/routers/default.nix
+++ b/nixos/routers/default.nix
@@ -1,5 +1,6 @@
{
cynerd-router = import ./router.nix;
+ cynerd-switch = import ./switch.nix;
cynerd-wifi-adm = import ./wifi-adm.nix;
cynerd-wifi-spt = import ./wifi-spt.nix;
}
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
index da625e4..545f109 100644
--- a/nixos/routers/router.nix
+++ b/nixos/routers/router.nix
@@ -40,33 +40,71 @@ in {
};
config = mkIf cnf.enable {
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ firewall = {
+ interfaces = {
+ "lan" = {
+ allowedUDPPorts = [53 67 68];
+ allowedTCPPorts = [53];
+ };
+ "guest" = {
+ allowedUDPPorts = [53 67 68];
+ allowedTCPPorts = [53];
+ };
+ };
+ filterForward = true;
+ extraForwardRules = ''
+ iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan"
+ '';
+ };
+ nat = {
+ enable = true;
+ externalInterface = cnf.wan;
+ internalInterfaces = ["lan" "guest"];
+ };
+ };
+
systemd.network = {
netdevs = {
- "brlan".netdevConfig = {
- Kind = "bridge";
- Name = "brlan";
- };
- "brguest".netdevConfig = {
- Kind = "bridge";
- Name = "brguest";
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
};
- };
- networks = {
- "${cnf.wan}" = {
- matchConfig.Name = cnf.wan;
- networkConfig = {
- DHCP = "yes";
- DHCPPrefixDelegation = "yes";
+ "lan" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "lan";
};
- dhcpPrefixDelegationConfig = {
- UplinkInterface = ":self";
- SubnetId = 0;
- Announce = "no";
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
};
- linkConfig.RequiredForOnline = "routable";
+ vlanConfig.Id = 2;
};
+ };
+ networks = {
"brlan" = {
matchConfig.Name = "brlan";
+ networkConfig.VLAN = ["lan" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "lan" = {
+ matchConfig.Name = "lan";
networkConfig = {
Address = "${cnf.lanIP}/${toString cnf.lanPrefix}";
IPForward = "yes";
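Review bot: Guest isolation now depends on two layers that the code does not state together: the L3 rule `iifname "guest" oifname != "${cnf.wan}" drop` and, at L2, `VLANFiltering=yes` with `DefaultPVID=none` on `brlan`, which is what keeps a guest-VLAN port from ever seeing untagged LAN frames (a member port without a `bridgeVLANs` stanza gets no VLANs at all, which is fail-closed). A comment on the `[Bridge]` block such as `# VLAN filtering is part of the guest isolation; see extraForwardRules` would protect both from being changed independently. `brlan` itself still gets a default IPv6 link-local address as the untagged self-port; `networkConfig.LinkLocalAddressing = "no"` on the `brlan` network would remove that unused address (presumably harmless today because untagged frames are dropped, but it avoids a surprise if the PVID is ever set).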
@@ -74,7 +112,6 @@ in {
DHCPPrefixDelegation = "yes";
IPv6SendRA = "yes";
IPv6AcceptRA = "no";
- VLAN = ["brlan.brguest"];
};
dhcpServerConfig = {
UplinkInterface = cnf.wan;
@@ -89,8 +126,8 @@ in {
Announce = "yes";
};
};
- "brguest" = {
- matchConfig.Name = "brguest";
+ "guest" = {
+ matchConfig.Name = "guest";
networkConfig = {
Address = "192.168.1.1/24";
IPForward = "yes";
@@ -116,166 +153,10 @@ in {
wait-online.anyInterface = true;
};
- networking = {
- nftables.enable = true;
- firewall = {
- interfaces = {
- "brlan" = {
- allowedUDPPorts = [53 67 68];
- allowedTCPPorts = [53];
- };
- "brguest" = {
- allowedUDPPorts = [53 67 68];
- allowedTCPPorts = [53];
- };
- };
- filterForward = true;
- extraForwardRules = ''
- iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan"
- '';
- };
- nat = {
- enable = true;
- externalInterface = cnf.wan;
- internalInterfaces = ["brlan" "brguest"];
- };
- };
-
services.resolved = {
enable = true;
dnssec = "true";
fallbackDns = ["1.1.1.1" "8.8.8.8"];
};
-
- #networking = {
- # interfaces = {
- # brlan.ipv4.addresses = [
- # {
- # address = cnf.lanIP;
- # prefixLength = cnf.lanPrefix;
- # }
- # ];
- # brguest.ipv4.addresses = [
- # {
- # address = "192.168.1.1";
- # prefixLength = 24;
- # }
- # ];
- # };
- # vlans = {
- # "brlan.guest" = {
- # interface = "brlan";
- # id = 100;
- # };
- # };
- # bridges = {
- # brlan.interfaces = [];
- # brguest.interfaces = ["brlan.guest"];
- # };
- # nat = {
- # enable = true;
- # externalInterface = cnf.wan;
- # internalInterfaces = ["brlan" "brguest"];
- # };
- # dhcpcd = {
- # allowInterfaces = [cnf.wan];
- # extraConfig = ''
- # duid
- # noipv6rs
- # waitip 6
-
- # interface ${cnf.wan}
- # ipv6rs
- # iaid 1
-
- # ia_pd 1 brlan
- # #ia_pd 1/::/64 LAN/0/64
- #toString '';
- # };
- #nameservers = ["1.1.1.1" "8.8.8.8"];
- #};
-
- #services = {
- # kea = {
- # dhcp4 = {
- # enable = true;
- # settings = {
- # lease-database = {
- # name = "/var/lib/kea/dhcp4.leases";
- # persist = true;
- # type = "memfile";
- # };
- # valid-lifetime = 4000;
- # renew-timer = 1000;
- # rebind-timer = 2000;
- # interfaces-config = {
- # interfaces = ["brlan" "brguest"];
- # service-sockets-max-retries = -1;
- # };
- # option-data = [
- # {
- # name = "domain-name-servers";
- # data = "1.1.1.1, 8.8.8.8";
- # }
- # ];
- # subnet4 = [
- # {
- # interface = "brlan";
- # subnet = "${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix}/${toString cnf.lanPrefix}";
- # pools = let
- # ip_start = ipv4.ipAdd cnf.lanIP cnf.lanPrefix cnf.dynIPStart;
- # ip_end = ipv4.ipAdd cnf.lanIP cnf.lanPrefix (cnf.dynIPStart + cnf.dynIPCount);
- # in [{pool = "${ip_start} - ${ip_end}";}];
- # option-data = [
- # {
- # name = "routers";
- # data = cnf.lanIP;
- # }
- # ];
- # reservations = [
- # {
- # duid = "e4:6f:13:f3:d5:be";
- # ip-address = ipv4.ipAdd cnf.lanIP cnf.lanPrefix 60;
- # }
- # ];
- # }
- # {
- # interface = "brguest";
- # subnet = "192.168.1.0/24";
- # pools = [{pool = "192.168.1.50 - 192.168.1.254";}];
- # "option-data" = [
- # {
- # name = "routers";
- # data = "192.168.1.1";
- # }
- # ];
- # }
- # ];
- # };
- # };
- # };
- # radvd = {
- # enable = true;
- # config = ''
- # interface brlan {
- # AdvSendAdvert on;
- # MinRtrAdvInterval 3;
- # MaxRtrAdvInterval 10;
- # prefix ::/64 {
- # AdvOnLink on;
- # AdvAutonomous on;
- # AdvRouterAddr on;
- # };
- # RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {
- # };
- # };
- # '';
- # };
- # kresd = {enable = false;};
- #};
- #systemd.services.kea-dhcp4-server.after = [
- # "sys-subsystem-net-devices-brlan.device"
- # "sys-subsystem-net-devices-brguest.device"
- #];
};
}
diff --git a/nixos/routers/switch.nix b/nixos/routers/switch.nix
new file mode 100644
index 0000000..16d57bc
--- /dev/null
+++ b/nixos/routers/switch.nix
@@ -0,0 +1,65 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.switch;
+in {
+ options = {
+ cynerd.switch = {
+ enable = mkEnableOption "Enable switch support";
+ lanAddress = mkOption {
+ type = types.str;
+ description = "LAN IP address";
+ };
+ lanGateway = mkOption {
+ type = types.str;
+ description = "LAN IP address of the gateway";
+ };
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ };
+
+ systemd.network = {
+ netdevs = {
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ PVID = 1;
+ EgressUntagged = 1;
+ };
+ }
+ ];
+ networkConfig = {
+ Address = cnf.lanAddress;
+ Gateway = cnf.lanGateway;
+ DNS = "1.1.1.1";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+ };
+}
diff --git a/nixos/routers/wifi-adm.nix b/nixos/routers/wifi-adm.nix
index 26a5e15..733f167 100644
--- a/nixos/routers/wifi-adm.nix
+++ b/nixos/routers/wifi-adm.nix
@@ -13,6 +13,11 @@ with lib; let
default = null;
description = "Specify interface for ${card}";
};
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
channel = mkOption {
type = types.ints.positive;
default = channelDefault;
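Review bot: `bssids` defaults to `[]` but the radio definitions below index it with `elemAt cnf.ar9287.bssids 0/1/2`, so a host that enables a card without listing three BSSIDs fails evaluation with an opaque list-index error instead of a message naming the option. Either drop the default so the option is required, or keep it and add an assertion such as `assertions = [{ assertion = cnf.ar9287.interface == null || length cnf.ar9287.bssids >= 3; message = "cynerd.wifiAP.adm.ar9287.bssids needs three entries"; }];`. The description `"BSSIDs for networks."` should also state the order (main, nela, milan), since the index is the only thing tying an address to an SSID.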
@@ -41,15 +46,15 @@ in {
};
networks = {
"${cnf.ar9287.interface}" = {
- bssid = "02:f0:21:23:2b:00";
+ bssid = elemAt cnf.ar9287.bssids 0;
ssid = "TurrisAdamkovi";
authentication = {
mode = "wpa2-sha256";
wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
};
};
- "${cnf.ar9287.interface}.nela" = {
- bssid = "06:f0:21:23:2b:00";
+ "${cnf.ar9287.interface}-nela" = {
+ bssid = elemAt cnf.ar9287.bssids 1;
ssid = "Nela";
authentication = {
mode = "wpa2-sha256";
@@ -57,7 +62,7 @@ in {
};
};
"${cnf.ar9287.interface}.milan" = {
- bssid = "0a:f0:21:23:2b:00";
+ bssid = elemAt cnf.ar9287.bssids 2;
ssid = "MILAN-AC";
authentication = {
mode = "wpa2-sha256";
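Review bot: The Nela network is renamed from `${iface}.nela` to `${iface}-nela` while `${iface}.milan` keeps the dot, so one radio now creates interfaces under two naming schemes (`wlp3s0-nela`, `wlp3s0.milan`). If the dash is needed (presumably to avoid the name being read as an interface suffix somewhere), apply it to `milan` as well and to the `.guest` networks in wifi-spt.nix; otherwise revert it. A one-line comment on why the naming differs would save the next reader the same question.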
@@ -80,15 +85,15 @@ in {
};
networks = {
"${cnf.qca988x.interface}" = {
- bssid = "04:f0:21:24:24:d2";
+ bssid = elemAt cnf.qca988x.bssids 0;
ssid = "TurrisAdamkovi";
authentication = {
mode = "wpa2-sha256";
wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
};
};
- "${cnf.qca988x.interface}.nela" = {
- bssid = "06:f0:21:24:24:d2";
+ "${cnf.qca988x.interface}-nela" = {
+ bssid = elemAt cnf.qca988x.bssids 1;
ssid = "Nela";
authentication = {
mode = "wpa2-sha256";
@@ -96,7 +101,7 @@ in {
};
};
"${cnf.qca988x.interface}.milan" = {
- bssid = "0a:f0:21:24:24:d2";
+ bssid = elemAt cnf.qca988x.bssids 2;
ssid = "MILAN-AC";
authentication = {
mode = "wpa2-sha256";
@@ -111,26 +116,74 @@ in {
"lan-${cnf.ar9287.interface}" = {
matchConfig.Name = cnf.ar9287.interface;
networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
};
- "lan-${cnf.ar9287.interface}.nela" = {
- matchConfig.Name = "${cnf.ar9287.interface}.nela";
- networkConfig.Bridge = "brguest";
+ "lan-${cnf.ar9287.interface}-nela" = {
+ matchConfig.Name = "${cnf.ar9287.interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
};
"lan-${cnf.ar9287.interface}.milan" = {
matchConfig.Name = "${cnf.ar9287.interface}.milan";
- networkConfig.Bridge = "brguest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
};
"lan-${cnf.qca988x.interface}" = {
matchConfig.Name = cnf.qca988x.interface;
networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
};
- "lan-${cnf.qca988x.interface}.nela" = {
- matchConfig.Name = "${cnf.qca988x.interface}.nela";
- networkConfig.Bridge = "brguest";
+ "lan-${cnf.qca988x.interface}-nela" = {
+ matchConfig.Name = "${cnf.qca988x.interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
};
"lan-${cnf.qca988x.interface}.milan" = {
matchConfig.Name = "${cnf.qca988x.interface}.milan";
- networkConfig.Bridge = "brguest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
};
};
};
diff --git a/nixos/routers/wifi-spt.nix b/nixos/routers/wifi-spt.nix
index 87cbd14..84527fd 100644
--- a/nixos/routers/wifi-spt.nix
+++ b/nixos/routers/wifi-spt.nix
@@ -13,6 +13,11 @@ with lib; let
default = null;
description = "Specify interface for ${card}";
};
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
channel = mkOption {
type = types.ints.positive;
default = channelDefault;
@@ -31,83 +36,130 @@ in {
config = mkIf cnf.enable {
services.hostapd = {
enable = true;
- radios = {
- "${cnf.ar9287.interface}" = mkIf (cnf.ar9287.interface != null) {
- countryCode = "CZ";
- inherit (cnf.ar9287) channel;
- wifi4 = {
- enable = true;
- inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
- };
- networks = {
- "${cnf.ar9287.interface}" = {
- bssid = "02:f0:21:23:2b:00";
- ssid = "TurrisRules";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
- };
+ radios =
+ mkIf (cnf.ar9287.interface != null) {
+ "${cnf.ar9287.interface}" = {
+ countryCode = "CZ";
+ inherit (cnf.ar9287) channel;
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
};
- "${cnf.ar9287.interface}.guest" = {
- bssid = "0a:f0:21:23:2b:00";
- ssid = "Kocovi";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ networks = {
+ "${cnf.ar9287.interface}" = {
+ bssid = elemAt cnf.ar9287.bssids 0;
+ ssid = "TurrisRules";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ };
+ "${cnf.ar9287.interface}.guest" = {
+ bssid = elemAt cnf.ar9287.bssids 1;
+ ssid = "Kocovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ };
};
};
};
- };
- "${cnf.qca988x.interface}" = mkIf (cnf.qca988x.interface != null) {
- countryCode = "CZ";
- inherit (cnf.qca988x) channel;
- band = "5g";
- wifi4 = {
- enable = true;
- inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
- };
- wifi5 = {
- enable = true;
- inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
- };
- networks = {
- "${cnf.qca988x.interface}" = {
- bssid = "04:f0:21:24:24:d2";
- ssid = "TurrisRules5";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
- };
+ }
+ // mkIf (cnf.qca988x.interface != null) {
+ "${cnf.qca988x.interface}" = let
+ is2g = cnf.qca988x.channel <= 14;
+ in {
+ countryCode = "CZ";
+ inherit (cnf.qca988x) channel;
+ band =
+ if is2g
+ then "2g"
+ else "5g";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = !is2g;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
};
- "${cnf.qca988x.interface}.guest" = {
- bssid = "0a:f0:21:24:24:d2";
- ssid = "Kocovi";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ networks = {
+ "${cnf.qca988x.interface}" = {
+ bssid = elemAt cnf.qca988x.bssids 0;
+ ssid = "TurrisRules${
+ if is2g
+ then ""
+ else "5"
+ }";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ };
+ "${cnf.qca988x.interface}.guest" = {
+ bssid = elemAt cnf.qca988x.bssids 1;
+ ssid = "Kocovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ };
};
};
};
};
- };
};
- systemd.network.networks = {
- "lan-${cnf.ar9287.interface}" = {
- matchConfig.Name = cnf.ar9287.interface;
- networkConfig.Bridge = "brlan";
- };
- "lan-${cnf.ar9287.interface}.guest" = {
- matchConfig.Name = "${cnf.ar9287.interface}.guest";
- networkConfig.Bridge = "brguest";
- };
- "lan-${cnf.qca988x.interface}" = {
- matchConfig.Name = cnf.qca988x.interface;
- networkConfig.Bridge = "brlan";
- };
- "lan-${cnf.qca988x.interface}.guest" = {
- matchConfig.Name = "${cnf.qca988x.interface}.guest";
- networkConfig.Bridge = "brguest";
+ systemd.network.networks =
+ mkIf (cnf.ar9287.interface != null) {
+ "lan-${cnf.ar9287.interface}" = {
+ matchConfig.Name = cnf.ar9287.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.ar9287.interface}-guest" = {
+ matchConfig.Name = "${cnf.ar9287.interface}.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ }
+ // mkIf (cnf.qca988x.interface != null) {
+ "lan-${cnf.qca988x.interface}" = {
+ matchConfig.Name = cnf.qca988x.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.qca988x.interface}-guest" = {
+ matchConfig.Name = "${cnf.qca988x.interface}.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
};
- };
};
}
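Review bot: `mkIf (cnf.ar9287.interface != null) { ... } // mkIf (cnf.qca988x.interface != null) { ... }` silently discards the first radio: `mkIf` returns a plain attrset `{ _type = "if"; condition; content; }`, so the `//` update overwrites its `condition` and `content` with the qca988x ones, and the ar9287 radio (plus its `systemd.network.networks` entries at the bottom of this hunk, built the same way) is never emitted — on spt-omnia, which sets both cards, the 2.4 GHz "TurrisRules" BSS disappears. Both places need `mkMerge [ (mkIf (cnf.ar9287.interface != null) { ... }) (mkIf (cnf.qca988x.interface != null) { ... }) ]` instead of `//`. The `band = if is2g then "2g" else "5g"` / `wifi5.enable = !is2g` derivation from `channel` is neat but should carry a comment that `channel <= 14` is the 2.4 GHz criterion.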