author | Karel Kočí <cynerd@email.cz> | 2023-01-23 21:23:23 +0100 |
committer | Karel Kočí <cynerd@email.cz> | 2023-01-23 21:23:23 +0100 |
commit | 89a605727649bb4599af04681e40a19bf24e69a4 (patch) | |
tree | 1f8ab6de3825c5c1f88f90c9b08a1d223e47e7d0 /nixos/routers | |
parent | d965ae516e238dde8f22234859b81a5a25b7f726 (diff) | |
nixos: improve wifi configuration
Diffstat (limited to 'nixos/routers')
-rw-r--r-- | nixos/routers/default.nix | 5 | ||||
-rw-r--r-- | nixos/routers/router.nix | 124 | ||||
-rw-r--r-- | nixos/routers/wifi-adm.nix | 97 | ||||
-rw-r--r-- | nixos/routers/wifi-spt.nix | 83 |
4 files changed, 309 insertions, 0 deletions
diff --git a/nixos/routers/default.nix b/nixos/routers/default.nix
new file mode 100644
index 0000000..ab64316
--- /dev/null
+++ b/nixos/routers/default.nix
@@ -0,0 +1,5 @@
+{
+ cynerd-router = import ./router.nix;
+ cynerd-wifi-adm = import ./wifi-adm.nix;
+ cynerd-wifi-spt = import ./wifi-spt.nix;
+}
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
new file mode 100644
index 0000000..f5c8668
--- /dev/null
+++ b/nixos/routers/router.nix
@@ -0,0 +1,124 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.router;
+in {
+ options = {
+ cynerd.router = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable router support";
+ };
+ wan = mkOption {
+ type = types.str;
+ description = "Interface for the router's WAN";
+ };
+ lanIP = mkOption {
+ type = types.str;
+ description = "LAN IP address";
+ };
+ dynIPStart = mkOption {
+ type = types.ints.between 0 256;
+ default = 100;
+ description = "Offset for the dynamic IPv4 addresses";
+ };
+ dynIPCount = mkOption {
+ type = types.ints.between 0 256;
+ default = 100;
+ description = "Number of dynamically assigned IPv4 addresses";
+ };
+ lanPrefix = mkOption {
+ type = types.ints.between 0 32;
+ default = 24;
+ description = "LAN IP network prefix length";
+ };
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking = {
+ interfaces = {
+ brlan.ipv4.addresses = [
+ {
+ address = cnf.lanIP;
+ prefixLength = cnf.lanPrefix;
+ }
+ ];
+ brguest.ipv4.addresses = [
+ {
+ address = "192.168.1.1";
+ prefixLength = 24;
+ }
+ ];
+ };
+ vlans = {
+ "brlan.guest" = {
+ interface = "brlan";
+ id = 100;
+ };
+ };
+ bridges = {
+ brlan.interfaces = [];
+ brguest.interfaces = ["brlan.guest"];
+ };
+ nat = {
+ enable = true;
+ externalInterface = cnf.wan;
+ internalInterfaces = ["brlan" "brguest"];
+ };
+ dhcpcd.allowInterfaces = [cnf.wan];
+ nameservers = ["1.1.1.1" "8.8.8.8"];
+ };
+
+ services.dhcpd4 = {
+ enable = true;
+ authoritative = true;
+ interfaces = ["brlan" "brguest"];
+ extraConfig = ''
+ option domain-name-servers 1.1.1.1, 8.8.8.8;
+ subnet ${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix} netmask ${ipv4.prefix2netmask cnf.lanPrefix} {
+ range ${
+ ipv4.ipAdd cnf.lanIP cnf.lanPrefix cnf.dynIPStart
+ } ${
+ ipv4.ipAdd cnf.lanIP cnf.lanPrefix (cnf.dynIPStart + cnf.dynIPCount)
+ };
+ option routers ${cnf.lanIP};
+ option subnet-mask ${ipv4.prefix2netmask cnf.lanPrefix};
+ option broadcast-address 
${ipv4.prefix2broadcast cnf.lanIP cnf.lanPrefix};
+ }
+ subnet 192.168.1.0 netmask 255.255.255.0 {
+ range 192.168.1.50 192.168.1.254;
+ option routers 192.168.1.1;
+ option subnet-mask 255.255.255.0;
+ option broadcast-address 192.168.1.255;
+ }
+ '';
+ };
+
+ services.dhcpd6 = {
+ # TODO
+ enable = false;
+ authoritative = true;
+ interfaces = ["brlan"];
+ extraConfig = ''
+ '';
+ };
+
+ services.kresd = {
+ enable = false;
+ };
+
+ networking.nftables.enable = true;
+ networking.firewall = {
+ filterForward = true;
+ extraForwardRules = ''
+ iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan"
+ '';
+ };
+ };
+}
diff --git a/nixos/routers/wifi-adm.nix b/nixos/routers/wifi-adm.nix
new file mode 100644
index 0000000..df334e5
--- /dev/null
+++ b/nixos/routers/wifi-adm.nix
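Review bot: The guest isolation in `extraForwardRules` covers only forwarded traffic, so hosts on brguest can still reach the router itself: whatever is opened through allowedTCPPorts/allowedUDPPorts elsewhere in the configuration (SSH being the usual case) is as reachable from the guest VLAN as from brlan, and nothing in this hunk narrows the input path for brguest. Pairing the forward rule with an input rule such as `iifname "brguest" meta l4proto { tcp, udp } th dport != { 53, 67 } drop comment "guests reach only DHCP/DNS on the router"` under `networking.firewall.extraInputRules` (the sibling of extraForwardRules in the nftables-based firewall, as far as I recall) would close that gap. Two evaluation-time checks are also missing: the guest network is hard-coded to 192.168.1.0/24 while lanIP/lanPrefix are free-form, so an overlapping LAN silently produces a broken routing table, and `ints.between 0 256` is inclusive, so dynIPStart and dynIPCount may each be 256 and their sum can exceed the host range of the configured prefix; an `assertions` entry for each would fail the build instead. The hard-coded 1.1.1.1/8.8.8.8 resolvers appear twice (networking.nameservers and the dhcpd `option domain-name-servers` line) and would be easier to keep in step as a single let-bound list.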
@@ -0,0 +1,97 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.wifiAP.adm;
+
+ wOptions = card: channelDefault: {
+ interface = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Specify interface for ${card}";
+ };
+ channel = mkOption {
+ type = types.ints.positive;
+ default = channelDefault;
+ description = "Channel to be used for ${card}";
+ };
+ };
+in {
+ options = {
+ cynerd.wifiAP.adm = {
+ enable = mkEnableOption "Enable Wi-Fi Access Point support";
+ ar9287 = wOptions "Qualcom Atheros AR9287" 7;
+ qca988x = wOptions "Qualcom Atheros QCA988x" 36;
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking.wirelessAP = {
+ enable = true;
+ environmentFile = "/run/secrets/hostapd.env";
+ interfaces =
+ (optionalAttrs (cnf.ar9287.interface != null) {
+ "${cnf.ar9287.interface}" =
+ wifiAP.qualcomAtherosAR9287 {
+ channel = cnf.ar9287.channel;
+ }
+ // {
+ bssid = "@BSSID_W24_0@";
+ ssid = "TurrisAdamkovi";
+ wpa = 2;
+ wpaPassphrase = "@PASS_TURRIS_ADAMKOVI@";
+ bridge = "brlan";
+ bss = {
+ "${cnf.ar9287.interface}.nela" = {
+ bssid = "@BSSID_W24_1@";
+ ssid = "Nela";
+ wpa = 2;
+ wpaPassphrase = "@PASS_NELA@";
+ bridge = "brguest";
+ };
+ "${cnf.ar9287.interface}.milan" = {
+ bssid = "@BSSID_W24_2@";
+ ssid = "MILAN-AC";
+ wpa = 2;
+ wpaPassphrase = "@PASS_MILAN_AC@";
+ bridge = "brguest";
+ };
+ };
+ };
+ })
+ // (optionalAttrs (cnf.qca988x.interface != null) {
+ "${cnf.qca988x.interface}" =
+ wifiAP.qualcomAtherosQCA988x {
+ channel = cnf.qca988x.channel;
+ }
+ // {
+ bssid = "@BSSID_W5_0@";
+ countryCode = "CZ";
+ ssid = "TurrisAdamkovi5";
+ wpa = 2;
+ wpaPassphrase = "@PASS_TURRIS_ADAMKOVI@";
+ bridge = "brlan";
+ bss = {
+ "${cnf.qca988x.interface}.nela" = {
+ bssid = "@BSSID_W5_1@";
+ ssid = "Nela5";
+ wpa = 2;
+ wpaPassphrase = "@PASS_NELA@";
+ bridge = "brguest";
+ };
+ "${cnf.qca988x.interface}.milan" = {
+ bssid = "@BSSID_W5_2@";
+ ssid = "MILAN-AC";
+ wpa = 2;
+ wpaPassphrase = 
"@PASS_MILAN_AC@";
+ bridge = "brguest";
+ };
+ };
+ };
+ });
+ };
+ };
+}
diff --git a/nixos/routers/wifi-spt.nix b/nixos/routers/wifi-spt.nix
new file mode 100644
index 0000000..1cbb567
--- /dev/null
+++ b/nixos/routers/wifi-spt.nix
@@ -0,0 +1,83 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.wifiAP.spt;
+
+ wOptions = card: channelDefault: {
+ interface = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Specify interface for ${card}";
+ };
+ channel = mkOption {
+ type = types.ints.positive;
+ default = channelDefault;
+ description = "Channel to be used for ${card}";
+ };
+ };
+in {
+ options = {
+ cynerd.wifiAP.spt = {
+ enable = mkEnableOption "Enable Wi-Fi Access Point support";
+ ar9287 = wOptions "Qualcom Atheros AR9287" 7;
+ qca988x = wOptions "Qualcom Atheros QCA988x" 36;
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking.wirelessAP = {
+ enable = true;
+ environmentFile = "/run/secrets/hostapd.env";
+ interfaces =
+ (optionalAttrs (cnf.ar9287.interface != null) {
+ "${cnf.ar9287.interface}" =
+ wifiAP.qualcomAtherosAR9287 {
+ channel = cnf.ar9287.channel;
+ }
+ // {
+ bssid = "@BSSID_AR9287_0@";
+ ssid = "TurrisRules";
+ wpa = 2;
+ wpaPassphrase = "@PASS_TURRIS_RULES@";
+ bridge = "brlan";
+ bss = {
+ "${cnf.ar9287.interface}.guest" = {
+ bssid = "@BSSID_AR9287_1@";
+ ssid = "Kocovi";
+ wpa = 2;
+ wpaPassphrase = "@PASS_KOCOVI@";
+ bridge = "brguest";
+ };
+ };
+ };
+ })
+ // (optionalAttrs (cnf.qca988x.interface != null) {
+ "${cnf.qca988x.interface}" =
+ wifiAP.qualcomAtherosQCA988x {
+ channel = cnf.qca988x.channel;
+ }
+ // {
+ bssid = "@BSSID_QCA988X_0@";
+ countryCode = "CZ";
+ ssid = "TurrisRules5";
+ wpa = 2;
+ wpaPassphrase = "@PASS_TURRIS_RULES@";
+ bridge = "brlan";
+ bss = {
+ "${cnf.qca988x.interface}.guest" = {
+ bssid = "@BSSID_QCA988X_1@";
+ ssid = "Kocovi";
+ wpa = 2;
+ wpaPassphrase = "@PASS_KOCOVI@";
+ bridge = "brguest";
+ };
+ };
+ };
+ });
+ };
+ };
+}
|
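Review bot: `countryCode = "CZ"` is set only in the qca988x attribute set, in this wifi-adm.nix hunk and identically in the wifi-spt.nix hunk that follows, while the ar9287 (2.4 GHz) interface gets no regulatory domain at all, so that radio presumably runs under hostapd's default regdomain rather than the CZ rules the 5 GHz card is told to follow; the same `countryCode = "CZ";` line belongs in the ar9287 set, or in a shared attrset merged into both. The option description is also mangled: `mkEnableOption` prefixes "Whether to enable", so `mkEnableOption "Enable Wi-Fi Access Point support"` renders as "Whether to enable Enable Wi-Fi Access Point support."; `enable = mkEnableOption "Wi-Fi Access Point support";` reads correctly. As a matter of style, the wOptions helper, the option tree and the per-card scaffolding are duplicated verbatim between wifi-adm.nix and wifi-spt.nix, differing only in the SSID/BSSID/passphrase tokens and bss names; a single module parameterised by that table would keep the two sites from drifting and would fix the "Qualcom" spelling (Qualcomm) in one place. Leaving the passphrases and BSSIDs as @TOKEN@ placeholders resolved from environmentFile is the right call, since it keeps the secrets out of the evaluated store path.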