author | Karel Kočí <cynerd@email.cz> | 2024-01-27 13:20:03 +0100 |
---|---|---|
committer | Karel Kočí <cynerd@email.cz> | 2024-01-27 13:20:03 +0100 |
commit | c1a76b4403edcf5e2a147d68b7bbdf1c33ac95ef (patch) | |
tree | 95b00eb500c49c3358b3f736eae9cfe9165f354a /nixos | |
parent | 6b0bc35f83a14ee9f9a34e1af782f1ef4c363d6e (diff) | |
Rework routers to use systemd-networkd
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/configurations.nix | 1 | ||||
-rw-r--r-- | nixos/machine/adm-omnia.nix | 68 | ||||
-rw-r--r-- | nixos/machine/adm-omnia2.nix | 42 | ||||
-rw-r--r-- | nixos/machine/spt-mox.nix | 43 | ||||
-rw-r--r-- | nixos/machine/spt-mox2.nix | 52 | ||||
-rw-r--r-- | nixos/machine/spt-omnia.nix | 67 | ||||
-rw-r--r-- | nixos/machine/spt-omniax.nix | 57 | ||||
-rw-r--r-- | nixos/modules/develop.nix | 1 | ||||
-rw-r--r-- | nixos/modules/generic.nix | 2 | ||||
-rw-r--r-- | nixos/modules/home-assistant.nix | 1 | ||||
-rw-r--r-- | nixos/routers/default.nix | 1 | ||||
-rw-r--r-- | nixos/routers/router.nix | 237 | ||||
-rw-r--r-- | nixos/routers/switch.nix | 65 | ||||
-rw-r--r-- | nixos/routers/wifi-adm.nix | 85 | ||||
-rw-r--r-- | nixos/routers/wifi-spt.nix | 186 |
15 files changed, 545 insertions, 363 deletions
diff --git a/nixos/configurations.nix b/nixos/configurations.nix
index 2fa2261..47f6ce2 100644
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@@ -114,6 +114,7 @@ in
 // beagleboneSystem "gaspode"
 // turrisMoxSystem "dean"
 // turrisOmniaSystem "spt-omnia"
+ // turrisOmniaSystem "spt-omniax"
 // turrisMoxSystem "spt-mox"
 // turrisMoxSystem "spt-mox2"
 // turrisOmniaSystem "adm-omnia"
diff --git a/nixos/machine/adm-omnia.nix b/nixos/machine/adm-omnia.nix
index fd6d654..088481f 100644
--- a/nixos/machine/adm-omnia.nix
+++ b/nixos/machine/adm-omnia.nix
@@ -9,7 +9,7 @@ with lib; {
 cynerd = {
 router = {
 enable = true;
- wan = "end2"; # TODO pppoe-wan
+ wan = "pppoe-wan";
 lanIP = config.cynerd.hosts.adm.omnia;
 };
 wifiAP.adm = {
@@ -21,8 +21,53 @@ with lib; {
 monitoring.speedtest = true;
 };
+ networking.useDHCP = false;
+ systemd.network = {
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ #networkConfig = {
+ # DHCP = "ipv6";
+ # IPv6AcceptRA = "yes";
+ # DHCPPrefixDelegation = "yes";
+ #};
+ #dhcpPrefixDelegationConfig = {
+ # UplinkInterface = ":self";
+ # SubnetId = 0;
+ # Announce = "no";
+ #};
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan[1-4]";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "lan0-guest" = {
+ matchConfig.Name = "lan0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ };
+ };
+
 services.pppd = {
- enable = false;
+ enable = true;
 peers."wan".config = ''
 plugin pppoe.so end2
 ifname pppoe-wan
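Review bot: `linkConfig.RequiredForOnline = "routable"` on the new `end2` network cannot be satisfied as written: the only addressing for that interface (`networkConfig.DHCP`) is commented out and the address lives on `pppoe-wan`, so end2 stays configured but never routable. Because end2 only has to carry the PPPoE session, `linkConfig.RequiredForOnline = "carrier";` states the real requirement; the `end2.848` network in the spt-omnia hunk has the same setting. With `wait-online.anyInterface = true` in router.nix this should not block boot, but the link will likely be reported as permanently degraded. Separately, switching `enable = true` here activates the `peers."wan".config` block whose `password` line (context in the next hunk) is written to the world-readable Nix store; pppd also reads credentials from `/etc/ppp/pap-secrets` / `/etc/ppp/chap-secrets`, which can be delivered through the same `/run/secrets/` mechanism the `wpaPasswordFile` entries in this commit already use.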
@@ -38,23 +83,6 @@ with lib; {
 password 02
 '';
 };
- #systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"];
-
- environment.systemPackages = [pkgs.tcpdump];
-
- networking = {
- useNetworkd = true;
- useDHCP = false;
- };
- systemd.network.networks = {
- "lan-brlan" = {
- matchConfig.Name = "lan[1-4]";
- networkConfig.Bridge = "brlan";
- };
- "lan0-brguest" = {
- matchConfig.Name = "lan0";
- networkConfig.Bridge = "brguest";
- };
- };
+ systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"];
 };
 }
diff --git a/nixos/machine/adm-omnia2.nix b/nixos/machine/adm-omnia2.nix
index 7673ecf..31aecab 100644
--- a/nixos/machine/adm-omnia2.nix
+++ b/nixos/machine/adm-omnia2.nix
@@ -7,6 +7,11 @@ with lib; {
 config = {
 cynerd = {
+ switch = {
+ enable = true;
+ lanAddress = "${config.cynerd.hosts.adm.omnia2}/24";
+ lanGateway = config.cynerd.hosts.adm.omnia;
+ };
 wifiAP.adm = {
 enable = true;
 ar9287.interface = "wlp2s0";
@@ -15,28 +20,23 @@ with lib; {
 };
 networking = {
- vlans = {
- "brlan.guest" = {
- interface = "brlan";
- id = 2; # TODO later use 100
- };
- };
- bridges = {
- brlan.interfaces = ["end2" "lan0" "lan1" "lan2" "lan3" "lan4"];
- brguest.interfaces = ["brlan.guest"];
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network.networks = {
+ "lan-brlan" = {
+ matchConfig.Name = "lan* eth0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
 };
- interfaces.brlan.ipv4.addresses = [
- {
- address = config.cynerd.hosts.adm.omnia2;
- prefixLength = 24;
- }
- ];
- defaultGateway = config.cynerd.hosts.adm.omnia;
- nameservers = ["1.1.1.1" "8.8.8.8"];
- dhcpcd.allowInterfaces = [];
 };
-
- # TODO: ubootTools build is broken!
- firmware.environment.enable = false;
 };
 }
diff --git a/nixos/machine/spt-mox.nix b/nixos/machine/spt-mox.nix
index accd963..452b187 100644
--- a/nixos/machine/spt-mox.nix
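Review bot: `systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"]` only orders the unit; `After=` has no effect unless the device unit is part of the same transaction, so pppd can still be started before end2 exists, which is presumably what the removed commented-out line was trying to solve. Pairing it with `systemd.services."pppd-wan".bindsTo = ["sys-subsystem-net-devices-end2.device"];` makes the service wait for the NIC and stop when it disappears; the spt-omnia hunk repeats the pattern with `end2.848`. In the adm-omnia2 hunk, the removed `brlan.interfaces` line listed `end2` while the new `matchConfig.Name = "lan* eth0"` names `eth0`; if that is not a deliberate rename, the uplink port will not be bridged. The enclosing `config` attribute set begins and ends outside these hunks.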
+++ b/nixos/machine/spt-mox.nix
@@ -9,38 +9,39 @@ with lib; {
 config = {
 cynerd = {
 home-assistant = true;
+ switch = {
+ enable = true;
+ lanAddress = "${config.cynerd.hosts.spt.mox}/24";
+ lanGateway = config.cynerd.hosts.spt.omnia;
+ };
 wifiAP.spt = {
 enable = true;
 qca988x = {
 interface = "wls1";
+ bssids = ["04:f0:21:24:24:d2" "08:f0:21:24:24:d2"];
 channel = 7;
 };
 };
 };
 networking = {
- vlans = {
- "brlan.guest" = {
- id = 2;
- interface = "brlan";
- };
- };
- bridges = {
- brlan.interfaces = ["eth0" "lan1" "lan2" "lan3" "lan4"];
- brguest.interfaces = ["brlan.guest"];
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network.networks = {
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
 };
- interfaces.brlan.ipv4.addresses = [
- {
- address = config.cynerd.hosts.spt.mox;
- prefixLength = 24;
- }
- ];
- defaultGateway = config.cynerd.hosts.spt.omnia;
- nameservers = ["1.1.1.1" "8.8.8.8"];
- dhcpcd.allowInterfaces = [];
 };
-
- # TODO: ubootTools build is broken!
- firmware.environment.enable = false;
 };
 }
diff --git a/nixos/machine/spt-mox2.nix b/nixos/machine/spt-mox2.nix
index 4d1a148..cf94798 100644
--- a/nixos/machine/spt-mox2.nix
+++ b/nixos/machine/spt-mox2.nix
@@ -7,45 +7,39 @@ with lib; {
 config = {
 cynerd = {
+ switch = {
+ enable = true;
+ lanAddress = "${config.cynerd.hosts.spt.mox2}/24";
+ lanGateway = config.cynerd.hosts.spt.omnia;
+ };
 wifiAP.spt = {
 enable = true;
 qca988x = {
 interface = "wls1";
- channel = 7;
+ bssids = ["04:f0:21:45:d3:47" "08:f0:21:45:d3:47"];
+ channel = 1;
 };
 };
 };
- swapDevices = [
- {
- device = "/dev/disk/by-partlabel/NixTurrisSwap";
- priority = 1;
- }
- ];
-
 networking = {
- vlans = {
- "brlan.guest" = {
- id = 2;
- interface = "brlan";
- };
- };
- bridges = {
- brlan.interfaces = ["eth0"];
- brguest.interfaces = ["brlan.guest"];
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network.networks = {
+ "lan-brlan" = {
+ matchConfig.Name = "end0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
 };
- interfaces.brlan.ipv4.addresses = [
- {
- address = config.cynerd.hosts.spt.mox2;
- prefixLength = 24;
- }
- ];
- defaultGateway = config.cynerd.hosts.spt.omnia;
- nameservers = ["1.1.1.1" "8.8.8.8"];
- dhcpcd.allowInterfaces = [];
 };
-
- # TODO: ubootTools build is broken!
- firmware.environment.enable = false;
 };
 }
diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix
index bf72a6e..15cabb6 100644
--- a/nixos/machine/spt-omnia.nix
+++ b/nixos/machine/spt-omnia.nix
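Review bot: Dropping `swapDevices` (the `/dev/disk/by-partlabel/NixTurrisSwap` entry) and `firmware.environment.enable = false` from spt-mox2 is not covered by the commit message, which describes a networkd rework; if removing swap and re-enabling the firmware environment on this board is intentional, it belongs in the message or in its own commit so a regression can be bisected to it. The same `firmware.environment.enable = false` line, together with its "ubootTools build is broken" TODO, also disappears in the adm-omnia2 and spt-mox hunks. The `channel = 7` → `channel = 1` change for the qca988x radio is likewise silent and may deserve a note, since spt-mox stays on channel 7.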
@@ -14,18 +14,68 @@ with lib; {
 };
 wifiAP.spt = {
 enable = true;
- ar9287.interface = "wlp3s0";
- qca988x.interface = "wlp2s0";
+ ar9287 = {
+ interface = "wlp3s0";
+ bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"];
+ channel = 13;
+ };
+ qca988x = {
+ interface = "wlp2s0";
+ bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"];
+ channel = 36;
+ };
 };
 openvpn.oldpersonal = true;
 monitoring.speedtest = true;
 };
- networking.vlans."end2.848" = {
- id = 848;
- interface = "end2";
+ networking.useDHCP = false;
+ systemd.network = {
+ netdevs = {
+ "end2.848" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "end2.848";
+ };
+ vlanConfig.Id = 848;
+ };
+ };
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig.VLAN = ["end2.848"];
+ };
+ "end2.848" = {
+ matchConfig.Name = "end2.848";
+ networkConfig = {
+ BindCarrier = "end2";
+ #DHCP = "ipv6";
+ #IPv6AcceptRA = "yes";
+ #DHCPPrefixDelegation = "yes";
+ };
+ #dhcpPrefixDelegationConfig = {
+ # UplinkInterface = ":self";
+ # SubnetId = 0;
+ # Announce = "no";
+ #};
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ };
 };
- # TODO pppd service requires end2.848 interface
+
 services.pppd = {
 enable = true;
 peers."wan".config = ''
@@ -43,10 +93,7 @@ with lib; {
 password metronet
 '';
 };
-
- networking.bridges = {
- brlan.interfaces = ["lan0" "lan1" "lan2" "lan3" "lan4"];
- };
+ systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"];
 services.syncthing = {
 enable = true;
diff --git a/nixos/machine/spt-omniax.nix b/nixos/machine/spt-omniax.nix
new file mode 100644
index 0000000..9bdc3d3
--- /dev/null
+++ b/nixos/machine/spt-omniax.nix
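Review bot: `matchConfig.Name = "lan*"` in the new `lan-brlan` network also matches the `lan` VLAN netdev that router.nix creates on top of brlan in this same commit, because networkd's `Name=` is a shell-style glob. NixOS writes these as `40-lan-brlan.network` and `40-lan.network`, and networkd applies the first matching file in lexical order (`-` sorts before `.`), so the `lan` interface would likely receive `Bridge = "brlan"` instead of its address and DHCP-server configuration. Restricting the glob to the physical ports, `matchConfig.Name = "lan[0-4]";`, as the adm-omnia hunk does with `lan[1-4]`, removes the overlap; the new spt-omniax file uses the same `lan*` pattern. This is worth confirming on hardware with `networkctl status lan` before deploying.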
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; {
+ config = {
+ cynerd = {
+ router = {
+ enable = true;
+ wan = "end2";
+ lanIP = "192.168.2.1";
+ };
+ wifiAP.spt = {
+ enable = true;
+ ar9287.interface = "wlp3s0";
+ qca988x.interface = "wlp2s0";
+ };
+ monitoring.speedtest = true;
+ };
+
+ networking.useDHCP = false;
+ systemd.network = {
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig = {
+ BindCarrier = "end2";
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ DHCPPrefixDelegation = "yes";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 1826e36..97c54ee 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -28,7 +28,6 @@ in {
 cloc
 openssl
 tio
- parted
 vim-vint
 nodePackages.vim-language-server
 ctags
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index f2a0d3b..e8cc563 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -63,6 +63,7 @@ in {
 usbutils
 pciutils
 smartmontools
+ parted
 # NCurses tools
 htop
@@ -92,6 +93,7 @@ in {
 wakeonlan
 speedtest-cli
 librespeed-cli
+ termshark
 lm_sensors
 ]
diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix
index e55533e..862b31c 100644
--- a/nixos/modules/home-assistant.nix
+++ b/nixos/modules/home-assistant.nix
@@ -123,6 +123,7 @@ in {
 };
 systemd.services.telegraf.wants = ["mosquitto.service"];
+ #nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO
 services.home-assistant = {
 enable = false;
 openFirewall = true;
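Review bot: `wifiAP.spt` is enabled with `ar9287.interface` and `qca988x.interface` but no `bssids`, while the wifi-spt module in this commit now evaluates `elemAt cnf.<card>.bssids 0` and `1` against an option default of `[]`; unless another module supplies them, evaluating this host fails with a bare "list index out of bounds" that does not name the option. Either add `bssids = [ … ];` for both cards here, as the spt-omnia hunk does, or keep the previously hard-coded addresses as the option's default. Also, `BindCarrier = "end2"` inside the `end2` network binds the link to its own carrier, which is at best a no-op; that setting is meant for stacked devices such as the `end2.848` VLAN in spt-omnia and can be dropped here.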
diff --git a/nixos/routers/default.nix b/nixos/routers/default.nix
index ab64316..dfc1266 100644
--- a/nixos/routers/default.nix
+++ b/nixos/routers/default.nix
@@ -1,5 +1,6 @@
 {
 cynerd-router = import ./router.nix;
+ cynerd-switch = import ./switch.nix;
 cynerd-wifi-adm = import ./wifi-adm.nix;
 cynerd-wifi-spt = import ./wifi-spt.nix;
 }
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
index da625e4..545f109 100644
--- a/nixos/routers/router.nix
+++ b/nixos/routers/router.nix
@@ -40,33 +40,71 @@ in {
 };
 config = mkIf cnf.enable {
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ firewall = {
+ interfaces = {
+ "lan" = {
+ allowedUDPPorts = [53 67 68];
+ allowedTCPPorts = [53];
+ };
+ "guest" = {
+ allowedUDPPorts = [53 67 68];
+ allowedTCPPorts = [53];
+ };
+ };
+ filterForward = true;
+ extraForwardRules = ''
+ iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan"
+ '';
+ };
+ nat = {
+ enable = true;
+ externalInterface = cnf.wan;
+ internalInterfaces = ["lan" "guest"];
+ };
+ };
+
 systemd.network = {
 netdevs = {
- "brlan".netdevConfig = {
- Kind = "bridge";
- Name = "brlan";
- };
- "brguest".netdevConfig = {
- Kind = "bridge";
- Name = "brguest";
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
 };
- };
- networks = {
- "${cnf.wan}" = {
- matchConfig.Name = cnf.wan;
- networkConfig = {
- DHCP = "yes";
- DHCPPrefixDelegation = "yes";
+ "lan" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "lan";
 };
- dhcpPrefixDelegationConfig = {
- UplinkInterface = ":self";
- SubnetId = 0;
- Announce = "no";
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
 };
- linkConfig.RequiredForOnline = "routable";
+ vlanConfig.Id = 2;
 };
+ };
+ networks = {
 "brlan" = {
 matchConfig.Name = "brlan";
+ networkConfig.VLAN = ["lan" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "lan" = {
+ matchConfig.Name = "lan";
 networkConfig = {
 Address = "${cnf.lanIP}/${toString cnf.lanPrefix}";
 IPForward = "yes";
@@ -74,7 +112,6 @@ in {
 DHCPPrefixDelegation = "yes";
 IPv6SendRA = "yes";
 IPv6AcceptRA = "no";
- VLAN = ["brlan.brguest"];
 };
 dhcpServerConfig = {
 UplinkInterface = cnf.wan;
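Review bot: The trusted LAN is carried as VLAN ID 1 (`vlanConfig.Id = 1` for the `lan` netdev here, and `PVID = 1` on every access port in the machine hunks). VID 1 is the factory-default native VLAN on most managed switches, so an unmanaged or misconfigured downstream port lands in the trusted segment by default; `DefaultPVID=none` protects the Linux bridge itself but not external equipment. The removed adm-omnia2 line `id = 2; # TODO later use 100` shows the IDs were already meant to move, and since every port definition is being rewritten in this commit, choosing non-default IDs for both `lan` and `guest` now (for example `vlanConfig.Id = 10;` / `vlanConfig.Id = 100;`) is cheaper than migrating later. The `config = mkIf cnf.enable {` block continues past the hunk, and the `guest` network is in the next one.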
@@ -89,8 +126,8 @@ in {
 Announce = "yes";
 };
 };
- "brguest" = {
- matchConfig.Name = "brguest";
+ "guest" = {
+ matchConfig.Name = "guest";
 networkConfig = {
 Address = "192.168.1.1/24";
 IPForward = "yes";
@@ -116,166 +153,10 @@ in { wait-online.anyInterface = true; }; - networking = { - nftables.enable = true; - firewall = { - interfaces = { - "brlan" = { - allowedUDPPorts = [53 67 68]; - allowedTCPPorts = [53]; - }; - "brguest" = { - allowedUDPPorts = [53 67 68]; - allowedTCPPorts = [53]; - }; - }; - filterForward = true; - extraForwardRules = '' - iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan" - ''; - }; - nat = { - enable = true; - externalInterface = cnf.wan; - internalInterfaces = ["brlan" "brguest"]; - }; - }; - services.resolved = { enable = true; dnssec = "true"; fallbackDns = ["1.1.1.1" "8.8.8.8"]; }; - - #networking = { - # interfaces = { - # brlan.ipv4.addresses = [ - # { - # address = cnf.lanIP; - # prefixLength = cnf.lanPrefix; - # } - # ]; - # brguest.ipv4.addresses = [ - # { - # address = "192.168.1.1"; - # prefixLength = 24; - # } - # ]; - # }; - # vlans = { - # "brlan.guest" = { - # interface = "brlan"; - # id = 100; - # }; - # }; - # bridges = { - # brlan.interfaces = []; - # brguest.interfaces = ["brlan.guest"]; - # }; - # nat = { - # enable = true; - # externalInterface = cnf.wan; - # internalInterfaces = ["brlan" "brguest"]; - # }; - # dhcpcd = { - # allowInterfaces = [cnf.wan]; - # extraConfig = '' - # duid - # noipv6rs - # waitip 6 - - # interface ${cnf.wan} - # ipv6rs - # iaid 1 - - # ia_pd 1 brlan - # #ia_pd 1/::/64 LAN/0/64 - #toString ''; - # }; - #nameservers = ["1.1.1.1" "8.8.8.8"]; - #}; - - #services = { - # kea = { - # dhcp4 = { - # enable = true; - # settings = { - # lease-database = { - # name = "/var/lib/kea/dhcp4.leases"; - # persist = true; - # type = "memfile"; - # }; - # valid-lifetime = 4000; - # renew-timer = 1000; - # rebind-timer = 2000; - # interfaces-config = { - # interfaces = ["brlan" "brguest"]; - # service-sockets-max-retries = -1; - # }; - # option-data = [ - # { - # name = "domain-name-servers"; - # data = "1.1.1.1, 8.8.8.8"; - # } - # ]; - # subnet4 = [ - # { - # interface = 
"brlan"; - # subnet = "${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix}/${toString cnf.lanPrefix}"; - # pools = let - # ip_start = ipv4.ipAdd cnf.lanIP cnf.lanPrefix cnf.dynIPStart; - # ip_end = ipv4.ipAdd cnf.lanIP cnf.lanPrefix (cnf.dynIPStart + cnf.dynIPCount); - # in [{pool = "${ip_start} - ${ip_end}";}]; - # option-data = [ - # { - # name = "routers"; - # data = cnf.lanIP; - # } - # ]; - # reservations = [ - # { - # duid = "e4:6f:13:f3:d5:be"; - # ip-address = ipv4.ipAdd cnf.lanIP cnf.lanPrefix 60; - # } - # ]; - # } - # { - # interface = "brguest"; - # subnet = "192.168.1.0/24"; - # pools = [{pool = "192.168.1.50 - 192.168.1.254";}]; - # "option-data" = [ - # { - # name = "routers"; - # data = "192.168.1.1"; - # } - # ]; - # } - # ]; - # }; - # }; - # }; - # radvd = { - # enable = true; - # config = '' - # interface brlan { - # AdvSendAdvert on; - # MinRtrAdvInterval 3; - # MaxRtrAdvInterval 10; - # prefix ::/64 { - # AdvOnLink on; - # AdvAutonomous on; - # AdvRouterAddr on; - # }; - # RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 { - # }; - # }; - # ''; - # }; - # kresd = {enable = false;}; - #}; - #systemd.services.kea-dhcp4-server.after = [ - # "sys-subsystem-net-devices-brlan.device" - # "sys-subsystem-net-devices-brguest.device" - #]; }; } diff --git a/nixos/routers/switch.nix b/nixos/routers/switch.nix new file mode 100644 index 0000000..16d57bc --- /dev/null +++ b/nixos/routers/switch.nix 
@@ -0,0 +1,65 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.switch;
+in {
+ options = {
+ cynerd.switch = {
+ enable = mkEnableOption "Enable switch support";
+ lanAddress = mkOption {
+ type = types.str;
+ description = "LAN IP address";
+ };
+ lanGateway = mkOption {
+ type = types.str;
+ description = "LAN IP address of the gateway";
+ };
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ };
+
+ systemd.network = {
+ netdevs = {
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ PVID = 1;
+ EgressUntagged = 1;
+ };
+ }
+ ];
+ networkConfig = {
+ Address = cnf.lanAddress;
+ Gateway = cnf.lanGateway;
+ DNS = "1.1.1.1";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+ };
+}
diff --git a/nixos/routers/wifi-adm.nix b/nixos/routers/wifi-adm.nix
index 26a5e15..733f167 100644
--- a/nixos/routers/wifi-adm.nix
+++ b/nixos/routers/wifi-adm.nix
@@ -13,6 +13,11 @@ with lib; let
 default = null;
 description = "Specify interface for ${card}";
 };
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
 channel = mkOption {
 type = types.ints.positive;
 default = channelDefault;
@@ -41,15 +46,15 @@ in {
 };
 networks = {
 "${cnf.ar9287.interface}" = {
- bssid = "02:f0:21:23:2b:00";
+ bssid = elemAt cnf.ar9287.bssids 0;
 ssid = "TurrisAdamkovi";
 authentication = {
 mode = "wpa2-sha256";
 wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
 };
 };
- "${cnf.ar9287.interface}.nela" = {
- bssid = "06:f0:21:23:2b:00";
+ "${cnf.ar9287.interface}-nela" = {
+ bssid = elemAt cnf.ar9287.bssids 1;
 ssid = "Nela";
 authentication = {
 mode = "wpa2-sha256";
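Review bot: `bssid = elemAt cnf.ar9287.bssids 0` (with indices 1 and 2 in the next hunk, and the same for `qca988x`) indexes a list whose option default is `[]`, so a host that enables the AP without listing BSSIDs fails evaluation with a bare "list index out of bounds" instead of a message naming the option. A module assertion makes the contract explicit, e.g. `assertions = [{ assertion = cnf.ar9287.interface == null || length cnf.ar9287.bssids == 3; message = "cynerd.wifiAP.adm.ar9287.bssids must list exactly 3 BSSIDs"; }];` with the equivalent for qca988x; wifi-spt needs two entries per card. Alternatively, keeping the removed literal BSSIDs as the option `default` would let existing hosts keep evaluating. The `services.hostapd` block in this hunk starts above the visible lines.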
@@ -57,7 +62,7 @@ in {
 };
 };
 "${cnf.ar9287.interface}.milan" = {
- bssid = "0a:f0:21:23:2b:00";
+ bssid = elemAt cnf.ar9287.bssids 2;
 ssid = "MILAN-AC";
 authentication = {
 mode = "wpa2-sha256";
@@ -80,15 +85,15 @@ in {
 };
 networks = {
 "${cnf.qca988x.interface}" = {
- bssid = "04:f0:21:24:24:d2";
+ bssid = elemAt cnf.qca988x.bssids 0;
 ssid = "TurrisAdamkovi";
 authentication = {
 mode = "wpa2-sha256";
 wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
 };
 };
- "${cnf.qca988x.interface}.nela" = {
- bssid = "06:f0:21:24:24:d2";
+ "${cnf.qca988x.interface}-nela" = {
+ bssid = elemAt cnf.qca988x.bssids 1;
 ssid = "Nela";
 authentication = {
 mode = "wpa2-sha256";
@@ -96,7 +101,7 @@ in {
 };
 };
 "${cnf.qca988x.interface}.milan" = {
- bssid = "0a:f0:21:24:24:d2";
+ bssid = elemAt cnf.qca988x.bssids 2;
 ssid = "MILAN-AC";
 authentication = {
 mode = "wpa2-sha256";
@@ -111,26 +116,74 @@ in {
 "lan-${cnf.ar9287.interface}" = {
 matchConfig.Name = cnf.ar9287.interface;
 networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
 };
- "lan-${cnf.ar9287.interface}.nela" = {
- matchConfig.Name = "${cnf.ar9287.interface}.nela";
- networkConfig.Bridge = "brguest";
+ "lan-${cnf.ar9287.interface}-nela" = {
+ matchConfig.Name = "${cnf.ar9287.interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
 };
 "lan-${cnf.ar9287.interface}.milan" = {
 matchConfig.Name = "${cnf.ar9287.interface}.milan";
- networkConfig.Bridge = "brguest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
 };
 "lan-${cnf.qca988x.interface}" = {
 matchConfig.Name = cnf.qca988x.interface;
 networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
 };
- "lan-${cnf.qca988x.interface}.nela" = {
- matchConfig.Name = "${cnf.qca988x.interface}.nela";
- networkConfig.Bridge = "brguest";
+ "lan-${cnf.qca988x.interface}-nela" = {
+ matchConfig.Name = "${cnf.qca988x.interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
 };
 "lan-${cnf.qca988x.interface}.milan" = {
 matchConfig.Name = "${cnf.qca988x.interface}.milan";
- networkConfig.Bridge = "brguest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
 };
 };
 };
diff --git a/nixos/routers/wifi-spt.nix b/nixos/routers/wifi-spt.nix
index 87cbd14..84527fd 100644
--- a/nixos/routers/wifi-spt.nix
+++ b/nixos/routers/wifi-spt.nix
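Review bot: The six `bridgeVLANs` blocks in this hunk are the same eight lines with only the VLAN ID changing (1 for the main SSIDs, 2 for the nela/milan ones), and the machine hunks repeat them again; a small let-bound helper keeps the "untagged member of exactly one VLAN" port shape in one place and makes a wrong ID stand out in review. The hunk also renames `.nela` to `-nela` while `.milan` keeps its dot, both here and in the hostapd network names above; unless hostapd constrains the interface name, one separator for all virtual interfaces avoids a confusing mix. The `systemd.network.networks` attribute set opens above the hunk.
```nix
systemd.network.networks = let
  # An access port: untagged member of exactly one bridge VLAN.
  accessPort = vid: [
    {
      bridgeVLANConfig = {
        EgressUntagged = vid;
        PVID = vid;
      };
    }
  ];
in {
  "lan-${cnf.ar9287.interface}" = {
    matchConfig.Name = cnf.ar9287.interface;
    networkConfig.Bridge = "brlan";
    bridgeVLANs = accessPort 1;
  };
  # … unchanged apart from `bridgeVLANs = accessPort 2;`: the -nela and .milan entries …
  # … unchanged apart from `bridgeVLANs = accessPort 1;` / `accessPort 2;`: the qca988x entries …
```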
@@ -13,6 +13,11 @@ with lib; let
 default = null;
 description = "Specify interface for ${card}";
 };
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
 channel = mkOption {
 type = types.ints.positive;
 default = channelDefault;
@@ -31,83 +36,130 @@ in {
 config = mkIf cnf.enable {
 services.hostapd = {
 enable = true;
- radios = {
- "${cnf.ar9287.interface}" = mkIf (cnf.ar9287.interface != null) {
- countryCode = "CZ";
- inherit (cnf.ar9287) channel;
- wifi4 = {
- enable = true;
- inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
- };
- networks = {
- "${cnf.ar9287.interface}" = {
- bssid = "02:f0:21:23:2b:00";
- ssid = "TurrisRules";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
- };
+ radios =
+ mkIf (cnf.ar9287.interface != null) {
+ "${cnf.ar9287.interface}" = {
+ countryCode = "CZ";
+ inherit (cnf.ar9287) channel;
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
 };
- "${cnf.ar9287.interface}.guest" = {
- bssid = "0a:f0:21:23:2b:00";
- ssid = "Kocovi";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ networks = {
+ "${cnf.ar9287.interface}" = {
+ bssid = elemAt cnf.ar9287.bssids 0;
+ ssid = "TurrisRules";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ };
+ "${cnf.ar9287.interface}.guest" = {
+ bssid = elemAt cnf.ar9287.bssids 1;
+ ssid = "Kocovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ };
 };
 };
 };
- };
- "${cnf.qca988x.interface}" = mkIf (cnf.qca988x.interface != null) {
- countryCode = "CZ";
- inherit (cnf.qca988x) channel;
- band = "5g";
- wifi4 = {
- enable = true;
- inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
- };
- wifi5 = {
- enable = true;
- inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
- };
- networks = {
- "${cnf.qca988x.interface}" = {
- bssid = "04:f0:21:24:24:d2";
- ssid = "TurrisRules5";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
- };
+ }
+ // mkIf (cnf.qca988x.interface != null) {
+ "${cnf.qca988x.interface}" = let
+ is2g = cnf.qca988x.channel <= 14;
+ in {
+ countryCode = "CZ";
+ inherit (cnf.qca988x) channel;
+ band =
+ if is2g
+ then "2g"
+ else "5g";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = !is2g;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
 };
- "${cnf.qca988x.interface}.guest" = {
- bssid = "0a:f0:21:24:24:d2";
- ssid = "Kocovi";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ networks = {
+ "${cnf.qca988x.interface}" = {
+ bssid = elemAt cnf.qca988x.bssids 0;
+ ssid = "TurrisRules${
+ if is2g
+ then ""
+ else "5"
+ }";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ };
+ "${cnf.qca988x.interface}.guest" = {
+ bssid = elemAt cnf.qca988x.bssids 1;
+ ssid = "Kocovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ };
 };
 };
 };
- };
 };
- systemd.network.networks = {
- "lan-${cnf.ar9287.interface}" = {
- matchConfig.Name = cnf.ar9287.interface;
- networkConfig.Bridge = "brlan";
- };
- "lan-${cnf.ar9287.interface}.guest" = {
- matchConfig.Name = "${cnf.ar9287.interface}.guest";
- networkConfig.Bridge = "brguest";
- };
- "lan-${cnf.qca988x.interface}" = {
- matchConfig.Name = cnf.qca988x.interface;
- networkConfig.Bridge = "brlan";
- };
- "lan-${cnf.qca988x.interface}.guest" = {
- matchConfig.Name = "${cnf.qca988x.interface}.guest";
- networkConfig.Bridge = "brguest";
+ systemd.network.networks =
+ mkIf (cnf.ar9287.interface != null) {
+ "lan-${cnf.ar9287.interface}" = {
+ matchConfig.Name = cnf.ar9287.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.ar9287.interface}-guest" = {
+ matchConfig.Name = "${cnf.ar9287.interface}.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ }
+ // mkIf (cnf.qca988x.interface != null) {
+ "lan-${cnf.qca988x.interface}" = {
+ matchConfig.Name = cnf.qca988x.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.qca988x.interface}-guest" = {
+ matchConfig.Name = "${cnf.qca988x.interface}.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
 };
- };
 };
 }
|
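Review bot: `radios = mkIf (cnf.ar9287.interface != null) { … } // mkIf (cnf.qca988x.interface != null) { … }` does not combine the two radios: `mkIf` returns a plain attribute set `{ _type = "if"; condition; content; }` and `//` is a right-biased update, so the expression reduces to the second `mkIf` alone and the ar9287 radio is silently dropped on every host, while a host with only an ar9287 ends up with no radio at all; the same construction on `systemd.network.networks` further down loses the ar9287 `lan-…` networks in the same way. The module system's way to merge conditional fragments is `mkMerge [ (mkIf (cnf.ar9287.interface != null) { … }) (mkIf (cnf.qca988x.interface != null) { … }) ]`, applied to both `radios` and `systemd.network.networks`. The removed per-entry form, `"${cnf.ar9287.interface}" = mkIf (…) { … };` inside one attribute set, also merged correctly and was shorter.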