authorKarel Kočí <cynerd@email.cz>2024-01-27 13:20:03 +0100
committerKarel Kočí <cynerd@email.cz>2024-01-27 13:20:03 +0100
commitc1a76b4403edcf5e2a147d68b7bbdf1c33ac95ef (patch)
tree95b00eb500c49c3358b3f736eae9cfe9165f354a /nixos/routers
parent6b0bc35f83a14ee9f9a34e1af782f1ef4c363d6e (diff)
Rework routers to use systemd-networkd
Diffstat (limited to 'nixos/routers')
-rw-r--r--nixos/routers/default.nix1
-rw-r--r--nixos/routers/router.nix237
-rw-r--r--nixos/routers/switch.nix65
-rw-r--r--nixos/routers/wifi-adm.nix85
-rw-r--r--nixos/routers/wifi-spt.nix186
5 files changed, 313 insertions, 261 deletions
diff --git a/nixos/routers/default.nix b/nixos/routers/default.nix
index ab64316..dfc1266 100644
--- a/nixos/routers/default.nix
+++ b/nixos/routers/default.nix
@@ -1,5 +1,6 @@
{
cynerd-router = import ./router.nix;
+ cynerd-switch = import ./switch.nix;
cynerd-wifi-adm = import ./wifi-adm.nix;
cynerd-wifi-spt = import ./wifi-spt.nix;
}
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
index da625e4..545f109 100644
--- a/nixos/routers/router.nix
+++ b/nixos/routers/router.nix
@@ -40,33 +40,71 @@ in {
};
config = mkIf cnf.enable {
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ firewall = {
+ interfaces = {
+ "lan" = {
+ allowedUDPPorts = [53 67 68];
+ allowedTCPPorts = [53];
+ };
+ "guest" = {
+ allowedUDPPorts = [53 67 68];
+ allowedTCPPorts = [53];
+ };
+ };
+ filterForward = true;
+ extraForwardRules = ''
+ iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan"
+ '';
+ };
+ nat = {
+ enable = true;
+ externalInterface = cnf.wan;
+ internalInterfaces = ["lan" "guest"];
+ };
+ };
+
systemd.network = {
netdevs = {
- "brlan".netdevConfig = {
- Kind = "bridge";
- Name = "brlan";
- };
- "brguest".netdevConfig = {
- Kind = "bridge";
- Name = "brguest";
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
};
- };
- networks = {
- "${cnf.wan}" = {
- matchConfig.Name = cnf.wan;
- networkConfig = {
- DHCP = "yes";
- DHCPPrefixDelegation = "yes";
+ "lan" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "lan";
};
- dhcpPrefixDelegationConfig = {
- UplinkInterface = ":self";
- SubnetId = 0;
- Announce = "no";
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
};
- linkConfig.RequiredForOnline = "routable";
+ vlanConfig.Id = 2;
};
+ };
+ networks = {
"brlan" = {
matchConfig.Name = "brlan";
+ networkConfig.VLAN = ["lan" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "lan" = {
+ matchConfig.Name = "lan";
networkConfig = {
Address = "${cnf.lanIP}/${toString cnf.lanPrefix}";
IPForward = "yes";
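Review bot: The `${cnf.wan}` network unit (DHCP client, `DHCPPrefixDelegation`, `RequiredForOnline=routable`) is deleted in this hunk and nothing added here recreates it, yet `dhcpServerConfig.UplinkInterface = cnf.wan` further down and `nat.externalInterface = cnf.wan` still assume networkd manages the uplink. If that unit now comes from host-specific configuration, or from `networking.interfaces` translated by the new `useNetworkd = true`, a comment next to `networks = {` saying so would save the next reader the search; otherwise the uplink gets no address and no delegated prefix, and the guest drop rule `oifname != "${cnf.wan}"` is keyed on an interface that is never routable. Suggested comment: `# WAN (${cnf.wan}) is configured per host; it must be a DHCP/PD client for the lan/guest prefix delegation below to work.` The lan network block continues past the end of this hunk.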
@@ -74,7 +112,6 @@ in {
DHCPPrefixDelegation = "yes";
IPv6SendRA = "yes";
IPv6AcceptRA = "no";
- VLAN = ["brlan.brguest"];
};
dhcpServerConfig = {
UplinkInterface = cnf.wan;
@@ -89,8 +126,8 @@ in {
Announce = "yes";
};
};
- "brguest" = {
- matchConfig.Name = "brguest";
+ "guest" = {
+ matchConfig.Name = "guest";
networkConfig = {
Address = "192.168.1.1/24";
IPForward = "yes";
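Review bot: The guest subnet `192.168.1.1/24` stays hard-coded while the LAN address comes from `cnf.lanIP`/`cnf.lanPrefix`, so a host that sets its LAN to 192.168.1.0/24 gets two overlapping interface routes with no evaluation-time error, and the forward drop rule is then the only thing separating the two segments. Consider mirroring the LAN options with `guestIP`/`guestPrefix` (defaulting to the current values), or at least an `assertions` entry that the two prefixes differ. The guest network block continues past the end of this hunk.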
@@ -116,166 +153,10 @@ in {
wait-online.anyInterface = true;
};
- networking = {
- nftables.enable = true;
- firewall = {
- interfaces = {
- "brlan" = {
- allowedUDPPorts = [53 67 68];
- allowedTCPPorts = [53];
- };
- "brguest" = {
- allowedUDPPorts = [53 67 68];
- allowedTCPPorts = [53];
- };
- };
- filterForward = true;
- extraForwardRules = ''
- iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan"
- '';
- };
- nat = {
- enable = true;
- externalInterface = cnf.wan;
- internalInterfaces = ["brlan" "brguest"];
- };
- };
-
services.resolved = {
enable = true;
dnssec = "true";
fallbackDns = ["1.1.1.1" "8.8.8.8"];
};
-
- #networking = {
- # interfaces = {
- # brlan.ipv4.addresses = [
- # {
- # address = cnf.lanIP;
- # prefixLength = cnf.lanPrefix;
- # }
- # ];
- # brguest.ipv4.addresses = [
- # {
- # address = "192.168.1.1";
- # prefixLength = 24;
- # }
- # ];
- # };
- # vlans = {
- # "brlan.guest" = {
- # interface = "brlan";
- # id = 100;
- # };
- # };
- # bridges = {
- # brlan.interfaces = [];
- # brguest.interfaces = ["brlan.guest"];
- # };
- # nat = {
- # enable = true;
- # externalInterface = cnf.wan;
- # internalInterfaces = ["brlan" "brguest"];
- # };
- # dhcpcd = {
- # allowInterfaces = [cnf.wan];
- # extraConfig = ''
- # duid
- # noipv6rs
- # waitip 6
-
- # interface ${cnf.wan}
- # ipv6rs
- # iaid 1
-
- # ia_pd 1 brlan
- # #ia_pd 1/::/64 LAN/0/64
- #toString '';
- # };
- #nameservers = ["1.1.1.1" "8.8.8.8"];
- #};
-
- #services = {
- # kea = {
- # dhcp4 = {
- # enable = true;
- # settings = {
- # lease-database = {
- # name = "/var/lib/kea/dhcp4.leases";
- # persist = true;
- # type = "memfile";
- # };
- # valid-lifetime = 4000;
- # renew-timer = 1000;
- # rebind-timer = 2000;
- # interfaces-config = {
- # interfaces = ["brlan" "brguest"];
- # service-sockets-max-retries = -1;
- # };
- # option-data = [
- # {
- # name = "domain-name-servers";
- # data = "1.1.1.1, 8.8.8.8";
- # }
- # ];
- # subnet4 = [
- # {
- # interface = "brlan";
- # subnet = "${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix}/${toString cnf.lanPrefix}";
- # pools = let
- # ip_start = ipv4.ipAdd cnf.lanIP cnf.lanPrefix cnf.dynIPStart;
- # ip_end = ipv4.ipAdd cnf.lanIP cnf.lanPrefix (cnf.dynIPStart + cnf.dynIPCount);
- # in [{pool = "${ip_start} - ${ip_end}";}];
- # option-data = [
- # {
- # name = "routers";
- # data = cnf.lanIP;
- # }
- # ];
- # reservations = [
- # {
- # duid = "e4:6f:13:f3:d5:be";
- # ip-address = ipv4.ipAdd cnf.lanIP cnf.lanPrefix 60;
- # }
- # ];
- # }
- # {
- # interface = "brguest";
- # subnet = "192.168.1.0/24";
- # pools = [{pool = "192.168.1.50 - 192.168.1.254";}];
- # "option-data" = [
- # {
- # name = "routers";
- # data = "192.168.1.1";
- # }
- # ];
- # }
- # ];
- # };
- # };
- # };
- # radvd = {
- # enable = true;
- # config = ''
- # interface brlan {
- # AdvSendAdvert on;
- # MinRtrAdvInterval 3;
- # MaxRtrAdvInterval 10;
- # prefix ::/64 {
- # AdvOnLink on;
- # AdvAutonomous on;
- # AdvRouterAddr on;
- # };
- # RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {
- # };
- # };
- # '';
- # };
- # kresd = {enable = false;};
- #};
- #systemd.services.kea-dhcp4-server.after = [
- # "sys-subsystem-net-devices-brlan.device"
- # "sys-subsystem-net-devices-brguest.device"
- #];
};
}
diff --git a/nixos/routers/switch.nix b/nixos/routers/switch.nix
new file mode 100644
index 0000000..16d57bc
--- /dev/null
+++ b/nixos/routers/switch.nix
@@ -0,0 +1,65 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.switch;
+in {
+ options = {
+ cynerd.switch = {
+ enable = mkEnableOption "Enable switch support";
+ lanAddress = mkOption {
+ type = types.str;
+ description = "LAN IP address";
+ };
+ lanGateway = mkOption {
+ type = types.str;
+ description = "LAN IP address of the gateway";
+ };
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ };
+
+ systemd.network = {
+ netdevs = {
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ PVID = 1;
+ EgressUntagged = 1;
+ };
+ }
+ ];
+ networkConfig = {
+ Address = cnf.lanAddress;
+ Gateway = cnf.lanGateway;
+ DNS = "1.1.1.1";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+ };
+}
diff --git a/nixos/routers/wifi-adm.nix b/nixos/routers/wifi-adm.nix
index 26a5e15..733f167 100644
--- a/nixos/routers/wifi-adm.nix
+++ b/nixos/routers/wifi-adm.nix
@@ -13,6 +13,11 @@ with lib; let
default = null;
description = "Specify interface for ${card}";
};
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
channel = mkOption {
type = types.ints.positive;
default = channelDefault;
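Review bot: `bssids` defaults to `[]` and is not constrained, but the radio definitions below read it with `elemAt … 0/1/2`, so an enabled host that forgets to set it fails with a bare "list index out of bounds" evaluation error rather than a message naming the option. Drop the default (or add an `assertions` entry requiring three entries when `interface != null`), and tighten the type to `listOf (strMatching "^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")` so a typo in a MAC is caught at evaluation. The description should also say what the positions mean, e.g. `"BSSIDs for the networks on this radio, in order: main, nela, milan."`. The enclosing option set starts before this hunk.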
@@ -41,15 +46,15 @@ in {
};
networks = {
"${cnf.ar9287.interface}" = {
- bssid = "02:f0:21:23:2b:00";
+ bssid = elemAt cnf.ar9287.bssids 0;
ssid = "TurrisAdamkovi";
authentication = {
mode = "wpa2-sha256";
wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
};
};
- "${cnf.ar9287.interface}.nela" = {
- bssid = "06:f0:21:23:2b:00";
+ "${cnf.ar9287.interface}-nela" = {
+ bssid = elemAt cnf.ar9287.bssids 1;
ssid = "Nela";
authentication = {
mode = "wpa2-sha256";
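Review bot: The second network is renamed from `${interface}.nela` to `${interface}-nela`, but the third one (`${cnf.ar9287.interface}.milan`, next hunk) keeps the dotted form, so the two virtual interfaces on the same radio follow different naming schemes. The `.network` units at the end of the file match each form consistently, so this is style rather than breakage, but renaming `.milan` to `-milan` as well keeps the mapping predictable; if the dot is deliberate, a one-line comment explaining why would help. The `networks` set continues past the end of this hunk.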
@@ -57,7 +62,7 @@ in {
};
};
"${cnf.ar9287.interface}.milan" = {
- bssid = "0a:f0:21:23:2b:00";
+ bssid = elemAt cnf.ar9287.bssids 2;
ssid = "MILAN-AC";
authentication = {
mode = "wpa2-sha256";
@@ -80,15 +85,15 @@ in {
};
networks = {
"${cnf.qca988x.interface}" = {
- bssid = "04:f0:21:24:24:d2";
+ bssid = elemAt cnf.qca988x.bssids 0;
ssid = "TurrisAdamkovi";
authentication = {
mode = "wpa2-sha256";
wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
};
};
- "${cnf.qca988x.interface}.nela" = {
- bssid = "06:f0:21:24:24:d2";
+ "${cnf.qca988x.interface}-nela" = {
+ bssid = elemAt cnf.qca988x.bssids 1;
ssid = "Nela";
authentication = {
mode = "wpa2-sha256";
@@ -96,7 +101,7 @@ in {
};
};
"${cnf.qca988x.interface}.milan" = {
- bssid = "0a:f0:21:24:24:d2";
+ bssid = elemAt cnf.qca988x.bssids 2;
ssid = "MILAN-AC";
authentication = {
mode = "wpa2-sha256";
@@ -111,26 +116,74 @@ in {
"lan-${cnf.ar9287.interface}" = {
matchConfig.Name = cnf.ar9287.interface;
networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
};
- "lan-${cnf.ar9287.interface}.nela" = {
- matchConfig.Name = "${cnf.ar9287.interface}.nela";
- networkConfig.Bridge = "brguest";
+ "lan-${cnf.ar9287.interface}-nela" = {
+ matchConfig.Name = "${cnf.ar9287.interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
};
"lan-${cnf.ar9287.interface}.milan" = {
matchConfig.Name = "${cnf.ar9287.interface}.milan";
- networkConfig.Bridge = "brguest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
};
"lan-${cnf.qca988x.interface}" = {
matchConfig.Name = cnf.qca988x.interface;
networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
};
- "lan-${cnf.qca988x.interface}.nela" = {
- matchConfig.Name = "${cnf.qca988x.interface}.nela";
- networkConfig.Bridge = "brguest";
+ "lan-${cnf.qca988x.interface}-nela" = {
+ matchConfig.Name = "${cnf.qca988x.interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
};
"lan-${cnf.qca988x.interface}.milan" = {
matchConfig.Name = "${cnf.qca988x.interface}.milan";
- networkConfig.Bridge = "brguest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
};
};
};
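Review bot: These `.network` units are emitted unconditionally, while `interface` defaults to `null` (visible in the first hunk); with a null interface, `"lan-${cnf.ar9287.interface}"` fails to evaluate ("cannot coerce null to a string"), so a host with only one card cannot enable this module. wifi-spt.nix in the same commit guards the equivalent block with `mkIf (cnf.ar9287.interface != null)`; do the same here, but combine the two guarded sets with `mkMerge [ (mkIf … { … }) (mkIf … { … }) ]` rather than `//`, because `//` applied to two `mkIf` results keeps only the second one. The `networks` set opens before this hunk.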
diff --git a/nixos/routers/wifi-spt.nix b/nixos/routers/wifi-spt.nix
index 87cbd14..84527fd 100644
--- a/nixos/routers/wifi-spt.nix
+++ b/nixos/routers/wifi-spt.nix
@@ -13,6 +13,11 @@ with lib; let
default = null;
description = "Specify interface for ${card}";
};
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
channel = mkOption {
type = types.ints.positive;
default = channelDefault;
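Review bot: As in wifi-adm.nix, `bssids` defaults to `[]` with no length or format constraint, yet `elemAt cnf.…bssids 0` and `1` below dereference it whenever the card's `interface` is set, and the failure mode is an unlabeled "list index out of bounds" at evaluation. Either remove the default so the option must be set, or add an assertion tied to `interface != null`, and document the order: `"BSSIDs for this radio's networks, in order: main, guest."`. The option set continues outside this hunk.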
@@ -31,83 +36,130 @@ in {
config = mkIf cnf.enable {
services.hostapd = {
enable = true;
- radios = {
- "${cnf.ar9287.interface}" = mkIf (cnf.ar9287.interface != null) {
- countryCode = "CZ";
- inherit (cnf.ar9287) channel;
- wifi4 = {
- enable = true;
- inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
- };
- networks = {
- "${cnf.ar9287.interface}" = {
- bssid = "02:f0:21:23:2b:00";
- ssid = "TurrisRules";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
- };
+ radios =
+ mkIf (cnf.ar9287.interface != null) {
+ "${cnf.ar9287.interface}" = {
+ countryCode = "CZ";
+ inherit (cnf.ar9287) channel;
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
};
- "${cnf.ar9287.interface}.guest" = {
- bssid = "0a:f0:21:23:2b:00";
- ssid = "Kocovi";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ networks = {
+ "${cnf.ar9287.interface}" = {
+ bssid = elemAt cnf.ar9287.bssids 0;
+ ssid = "TurrisRules";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ };
+ "${cnf.ar9287.interface}.guest" = {
+ bssid = elemAt cnf.ar9287.bssids 1;
+ ssid = "Kocovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ };
};
};
};
- };
- "${cnf.qca988x.interface}" = mkIf (cnf.qca988x.interface != null) {
- countryCode = "CZ";
- inherit (cnf.qca988x) channel;
- band = "5g";
- wifi4 = {
- enable = true;
- inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
- };
- wifi5 = {
- enable = true;
- inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
- };
- networks = {
- "${cnf.qca988x.interface}" = {
- bssid = "04:f0:21:24:24:d2";
- ssid = "TurrisRules5";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
- };
+ }
+ // mkIf (cnf.qca988x.interface != null) {
+ "${cnf.qca988x.interface}" = let
+ is2g = cnf.qca988x.channel <= 14;
+ in {
+ countryCode = "CZ";
+ inherit (cnf.qca988x) channel;
+ band =
+ if is2g
+ then "2g"
+ else "5g";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = !is2g;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
};
- "${cnf.qca988x.interface}.guest" = {
- bssid = "0a:f0:21:24:24:d2";
- ssid = "Kocovi";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ networks = {
+ "${cnf.qca988x.interface}" = {
+ bssid = elemAt cnf.qca988x.bssids 0;
+ ssid = "TurrisRules${
+ if is2g
+ then ""
+ else "5"
+ }";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ };
+ "${cnf.qca988x.interface}.guest" = {
+ bssid = elemAt cnf.qca988x.bssids 1;
+ ssid = "Kocovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ };
};
};
};
};
- };
};
- systemd.network.networks = {
- "lan-${cnf.ar9287.interface}" = {
- matchConfig.Name = cnf.ar9287.interface;
- networkConfig.Bridge = "brlan";
- };
- "lan-${cnf.ar9287.interface}.guest" = {
- matchConfig.Name = "${cnf.ar9287.interface}.guest";
- networkConfig.Bridge = "brguest";
- };
- "lan-${cnf.qca988x.interface}" = {
- matchConfig.Name = cnf.qca988x.interface;
- networkConfig.Bridge = "brlan";
- };
- "lan-${cnf.qca988x.interface}.guest" = {
- matchConfig.Name = "${cnf.qca988x.interface}.guest";
- networkConfig.Bridge = "brguest";
+ systemd.network.networks =
+ mkIf (cnf.ar9287.interface != null) {
+ "lan-${cnf.ar9287.interface}" = {
+ matchConfig.Name = cnf.ar9287.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.ar9287.interface}-guest" = {
+ matchConfig.Name = "${cnf.ar9287.interface}.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ }
+ // mkIf (cnf.qca988x.interface != null) {
+ "lan-${cnf.qca988x.interface}" = {
+ matchConfig.Name = cnf.qca988x.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.qca988x.interface}-guest" = {
+ matchConfig.Name = "${cnf.qca988x.interface}.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
};
- };
};
}
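Review bot: `radios = mkIf (…) { … } // mkIf (…) { … }` silently drops the ar9287 radio: `mkIf` returns a plain attribute set `{ _type = "if"; condition; content; }`, and `//` is right-biased on those three keys, so the whole expression evaluates to just the second `mkIf`. The same construction is used for `systemd.network.networks = mkIf (…) { … } // mkIf (…) { … }` at the end of the hunk, so the ar9287 card ends up with neither a hostapd radio nor a bridge membership. Use `mkMerge [ (mkIf (cnf.ar9287.interface != null) { … }) (mkIf (cnf.qca988x.interface != null) { … }) ]` in both places; the inner bodies need no change.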