-rw-r--r-- | flake.lock | 41 | ||||
-rw-r--r-- | nixos/machine/adm-omnia.nix | 39 | ||||
-rw-r--r-- | nixos/machine/adm-omnia2.nix | 52 | ||||
-rw-r--r-- | nixos/modules/default.nix | 1 | ||||
-rw-r--r-- | nixos/modules/router.nix | 55 | ||||
-rw-r--r-- | nixos/modules/wifi-adm.nix | 98 |
6 files changed, 186 insertions, 100 deletions
@@ -93,11 +93,11 @@ "nixpkgs-regression": "nixpkgs-regression" }, "locked": { - "lastModified": 1674061467, - "narHash": "sha256-yvLbQusfeOizDwHFfTRtVwrUU15q2oaeDzImRGxoTs4=", + "lastModified": 1674221769, + "narHash": "sha256-R96ogn1ZZ9LFnGHzDV+Ns3jAPIwb7FiPBXYUbsJKGms=", "owner": "NixOS", "repo": "nix", - "rev": "2513eba46a20578f54fd3ac3cb0d25aeb0d0b310", + "rev": "04de0dd0b4059c75115c780dae8ddc49a847b0e5", "type": "github" }, "original": { @@ -186,11 +186,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1673954326, - "narHash": "sha256-oAKwsXTptcY6gRCBxJlZ+W1BrZHNr9a28+4fQMLuRu0=", + "lastModified": 1674365217, + "narHash": "sha256-lL3qUbAr/tnt/xGk1MTc8xuOTKqErqubYha4vhjA4+g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8fc3a1dcc98d3603221d4afd239e666eeedb6141", + "rev": "6c582bdf390948a6be049e81ecbab81bb160a5d3", "type": "github" }, "original": { @@ -251,26 +251,23 @@ ] }, "locked": { - "lastModified": 1674078000, - "narHash": "sha256-MJyqqUE6zzgHoNtsozITuenkSeX8l+4xkHiv/XQg+xo=", - "owner": "cynerd", - "repo": "nixturris", - "rev": "2c90afe1d4c16020744c1730980e6d2d422dea67", - "type": "github" + "lastModified": 1674418452, + "narHash": "sha256-sbvyo/FDdDTe1Vqbu0338cJGeixWq4Uu/HZCLBZtr1U=", + "type": "git", + "url": "file:///home/cynerd/projects/nixturris" }, "original": { - "owner": "cynerd", - "repo": "nixturris", - "type": "github" + "type": "git", + "url": "file:///home/cynerd/projects/nixturris" } }, "personal-secret": { "locked": { - "lastModified": 1674079601, - "narHash": "sha256-AchABbDjOa54PHRNnzFkjL1qzzZ4jcbBM1uiueMgB1k=", + "lastModified": 1674426375, + "narHash": "sha256-8FrAIKgvw+uMXOKMS6zqN6oTXuY2MN6N1GBxOPaAVj8=", "ref": "refs/heads/master", - "rev": "1d985d755929d36757241af38840ed7affc09143", - "revCount": 63, + "rev": "7b32419d01a30262ac522288f2753f2b8ab5016a", + "revCount": 65, "type": "git", "url": "ssh://git@cynerd.cz/nixos-personal-secret" }, 
@@ -353,11 +350,11 @@ }, "vpsadminos": { "locked": { - "lastModified": 1673860594, - "narHash": "sha256-P9d6EP8ej4/mlCBwjf4SN+dv4/szU1r1OoF8Te8dwL4=", + "lastModified": 1674346654, + "narHash": "sha256-5bEZxGkn02ZNZ21lvfj8z3hKQN54dMKu8CfWiijXZjw=", "owner": "vpsfreecz", "repo": "vpsadminos", - "rev": "f3581a453258c0da305ec57b70eb22af78400ab8", + "rev": "1e370da163b34ce07b8989410a85c81393cff953", "type": "github" }, "original": { diff --git a/nixos/machine/adm-omnia.nix b/nixos/machine/adm-omnia.nix index 96e936f..e3a66e1 100644 --- a/nixos/machine/adm-omnia.nix +++ b/nixos/machine/adm-omnia.nix @@ -12,10 +12,14 @@ with lib; { wan = "end2"; # TODO pppoe-wan lanIP = config.cynerd.hosts.adm.omnia; }; + wifiAP.adm = { + enable = true; + w24.interface = "wlp3s0"; + w5.interface = "wlp2s0"; + }; openvpn.oldpersonal = false; }; - # TODO pppd service requires end2 interface services.pppd = { enable = false; peers."wan".config = '' 
@@ -33,38 +37,11 @@ with lib; { password 02 ''; }; + #systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"]; networking.bridges = { - brlan.interfaces = ["lan0" "lan1" "lan2" "lan3" "lan4"]; - }; - - networking.wirelessAP = { - enable = true; - environmentFile = "/run/secrets/hostapd.env"; - interfaces = { - "wlp2s0" = { - countryCode = "CZ"; - hwMode = "a"; - channel = 36; - ieee80211ac = true; - ht_capab = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "DSSS_CCK-40"]; - vht_capab = ["RXLDPC" "SHORT-GI-80" "TX-STBC-2BY1" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; - ssid = "TurrisAdamkovi5"; - wpa = 2; - wpaPassphrase = "@PASS_TURRIS_ADAMKOVI@"; - bridge = "brlan"; - }; - "wlp3s0" = { - countryCode = "CZ"; - hwMode = "g"; - channel = 7; - ht_capab = ["HT40+" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "DSSS_CCK-40"]; - ssid = "TurrisAdamkovi"; - wpa = 2; - wpaPassphrase = "@PASS_TURRIS_ADAMKOVI@"; - bridge = "brlan"; - }; - }; + brlan.interfaces = ["lan1" "lan2" "lan3" "lan4"]; + brguest.interfaces = ["lan0"]; }; }; } diff --git a/nixos/machine/adm-omnia2.nix b/nixos/machine/adm-omnia2.nix index 3a47a84..ba71e7d 100644 --- a/nixos/machine/adm-omnia2.nix +++ b/nixos/machine/adm-omnia2.nix @@ -6,10 +6,25 @@ }: with lib; { config = { + cynerd = { + wifiAP.adm = { + enable = true; + w24.interface = "wlp3s0"; + w5.interface = "wlp2s0"; + }; + }; + networking = { - bridges.brlan.interfaces = [ - "end2" "lan0" "lan1" "lan2" "lan3" "lan4" - ]; + vlans = { + "brlan.guest" = { + interface = "brlan"; + id = 100; + }; + }; + bridges = { + brlan.interfaces = [ "end2" "lan0" "lan1" "lan2" "lan3" "lan4" ]; + brguest.interfaces = ["brlan.guest"]; + }; interfaces.brlan.ipv4.addresses = [ { address = config.cynerd.hosts.adm.omnia2; 
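Review bot: In the adm-omnia.nix hunk the removed `# TODO pppd service requires end2 interface` note is replaced by a commented-out `#systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"];` with no explanation of why it stays disabled, so the next reader cannot tell whether the ordering was tried and failed or is still pending. Either apply the `after` dependency (pppd is `enable = false` here anyway, so it is harmless) or keep a one-line `# TODO: pppd-wan must be ordered after end2 appears; not yet verified` instead of dead code. Note that `brguest.interfaces = ["lan0"]` is merged by the module system with the `["brlan.guest"]` that router.nix contributes, which is presumably intended but worth a comment such as `# lan0 is a physical guest port; brlan.guest (VLAN 100 trunk) is added by router.nix`.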
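Review bot: The guest VLAN definition in the adm-omnia2.nix hunk (`vlans."brlan.guest"` with `id = 100`, bridged into `brguest`) is a verbatim copy of what router.nix now declares for the other Omnia, and both boxes must agree on the VLAN name and ID for the guest segment to traverse `end2`. Factoring the VLAN name and ID into one shared place, for example an option next to `cynerd.wifiAP.adm` which both machines enable and which is the only consumer of `brguest`, would remove the risk of the two copies drifting apart silently. The enclosing `config = { ... }` attribute set continues past the hunk.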
@@ -18,36 +33,7 @@ with lib; { ]; defaultGateway = config.cynerd.hosts.adm.omnia; nameservers = ["1.1.1.1" "8.8.8.8"]; - dhcpcd.allowInterfaces = ["lan"]; - }; - - networking.wirelessAP = { - enable = true; - environmentFile = "/run/secrets/hostapd.env"; - interfaces = { - "wlp2s0" = { - countryCode = "CZ"; - hwMode = "a"; - channel = 36; - ieee80211ac = true; - ht_capab = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "DSSS_CCK-40"]; - vht_capab = ["RXLDPC" "SHORT-GI-80" "TX-STBC-2BY1" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; - ssid = "TurrisAdamkovi5"; - wpa = 2; - wpaPassphrase = "@PASS_TURRIS_ADAMKOVI@"; - bridge = "brlan"; - }; - "wlp3s0" = { - countryCode = "CZ"; - hwMode = "g"; - channel = 7; - ht_capab = ["HT40+" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "DSSS_CCK-40"]; - ssid = "TurrisAdamkovi"; - wpa = 2; - wpaPassphrase = "@PASS_TURRIS_ADAMKOVI@"; - bridge = "brlan"; - }; - }; + dhcpcd.allowInterfaces = []; }; }; } diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index bdab3b2..7d12eef 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -11,5 +11,6 @@ cynerd-openvpn = import ./openvpn.nix; cynerd-router = import ./router.nix; cynerd-syncthing = import ./syncthing.nix; + cynerd-wifi-adm = import ./wifi-adm.nix; cynerd-wifi-client = import ./wifi-client.nix; } diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix index e149633..f5c8668 100644 --- a/nixos/modules/router.nix +++ b/nixos/modules/router.nix @@ -18,11 +18,6 @@ in { type = types.str; description = "Interface for the router's WAN"; }; - brlan = mkOption { - type = types.str; - default = "brlan"; - description = "LAN interface (commonly some bridge)"; - }; lanIP = mkOption { type = types.str; description = "LAN IP address"; 
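Review bot: `dhcpcd.allowInterfaces = [];` in the adm-omnia2.nix hunk is ambiguous: NixOS renders any non-null list as an `allowinterfaces` line in dhcpcd.conf, so an empty list yields `allowinterfaces` with no pattern, and whether dhcpcd then rejects the config or ends up soliciting on every interface (including the statically addressed `brlan` and the new guest VLAN) is not something this hunk establishes; I have not verified dhcpcd's handling of an empty argument. Since omnia2 is configured with static addresses, a default gateway and nameservers right above, `networking.dhcpcd.enable = false;` (or `networking.useDHCP = false;`) states the intent unambiguously. The previous value `["lan"]` matched no interface on this box either, which suggests disabling the client was the intent all along.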
@@ -47,16 +42,34 @@ in { config = mkIf cnf.enable { networking = { - interfaces."${cnf.brlan}".ipv4.addresses = [ - { - address = cnf.lanIP; - prefixLength = cnf.lanPrefix; - } - ]; + interfaces = { + brlan.ipv4.addresses = [ + { + address = cnf.lanIP; + prefixLength = cnf.lanPrefix; + } + ]; + brguest.ipv4.addresses = [ + { + address = "192.168.1.1"; + prefixLength = 24; + } + ]; + }; + vlans = { + "brlan.guest" = { + interface = "brlan"; + id = 100; + }; + }; + bridges = { + brlan.interfaces = []; + brguest.interfaces = ["brlan.guest"]; + }; nat = { enable = true; externalInterface = cnf.wan; - internalInterfaces = [cnf.brlan]; + internalInterfaces = ["brlan" "brguest"]; }; dhcpcd.allowInterfaces = [cnf.wan]; nameservers = ["1.1.1.1" "8.8.8.8"]; @@ -65,7 +78,7 @@ in { services.dhcpd4 = { enable = true; authoritative = true; - interfaces = [cnf.brlan]; + interfaces = ["brlan" "brguest"]; extraConfig = '' option domain-name-servers 1.1.1.1, 8.8.8.8; subnet ${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix} netmask ${ipv4.prefix2netmask cnf.lanPrefix} { @@ -78,6 +91,12 @@ in { option subnet-mask ${ipv4.prefix2netmask cnf.lanPrefix}; option broadcast-address ${ipv4.prefix2broadcast cnf.lanIP cnf.lanPrefix}; } + subnet 192.168.1.0 netmask 255.255.255.0 { + range 192.168.1.50 192.168.1.254; + option routers 192.168.1.1; + option subnet-mask 255.255.255.0; + option broadcast-address 192.168.1.255; + } ''; }; @@ -85,7 +104,7 @@ in { # TODO enable = false; authoritative = true; - interfaces = [cnf.brlan]; + interfaces = ["brlan"]; extraConfig = '' ''; }; @@ -93,5 +112,13 @@ in { services.kresd = { enable = false; }; + + networking.nftables.enable = true; + networking.firewall = { + filterForward = true; + extraForwardRules = '' + iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan" + ''; + }; }; } diff --git a/nixos/modules/wifi-adm.nix b/nixos/modules/wifi-adm.nix new file mode 100644 index 0000000..46476a3 --- /dev/null 
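Review bot: In the first router.nix hunk the guest network is hard-coded as `192.168.1.1`/`24` on `brguest` and the literal is repeated in the dhcpd4 `subnet 192.168.1.0 netmask 255.255.255.0` block, while the LAN side is parameterised through `cnf.lanIP`/`cnf.lanPrefix` and derived with the `ipv4.prefix2*` helpers. Adding `guestIP`/`guestPrefix` options with these values as defaults and deriving the DHCP subnet, range and broadcast the same way as for the LAN keeps the module consistent and makes the guest range changeable from the machine file. 192.168.1.0/24 is also the most common consumer default, so a collision with an upstream or VPN peer network is plausible; a less common private range would avoid that without any code change.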
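Review bot: The `iifname "brguest" oifname != "${cnf.wan}" drop` rule in the last router.nix hunk isolates guests only at layer 3; the guest segment itself is carried as VLAN 100 tagged frames over `brlan`, which is a plain (non VLAN-filtering) bridge, so as far as I can tell from the bridge definitions any host on a `brlan` port can join the guest segment by configuring its own VID-100 sub-interface, and guest broadcast and unknown-unicast traffic is flooded tagged to every `brlan` port. Either enable VLAN filtering on `brlan` with VID 100 permitted only on the trunk port towards the other Omnia, or carry the guest network on a dedicated link. Separately, `extraForwardRules` contributed by other modules are concatenated with this one in an order the module system does not guarantee, so an `accept` covering `brguest` emitted before it would bypass the drop; checking the generated ruleset with `nft list ruleset` after a rebuild, or placing the drop in its own chain with an earlier priority, makes the intent robust. The router also keeps `192.168.1.1` on `brguest`, so any port opened through the host firewall is reachable from guests unless restricted per interface via `networking.firewall.interfaces`.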
+++ b/nixos/modules/wifi-adm.nix 
@@ -0,0 +1,98 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.wifiAP.adm;
+
+ wOptions = band: channelDefault: {
+ interface = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Specify interface for ${band}";
+ };
+ channel = mkOption {
+ type = types.ints.positive;
+ default = channelDefault;
+ description = "Channel to be used for ${band} range";
+ };
+ };
+in {
+ options = {
+ cynerd.wifiAP.adm = {
+ enable = mkEnableOption "Enable Wi-Fi Access Point support";
+ w24 = wOptions "2.4GHz" 7;
+ w5 = wOptions "5GHz" 36;
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking.wirelessAP = {
+ enable = true;
+ environmentFile = "/run/secrets/hostapd.env";
+ interfaces =
+ (optionalAttrs (cnf.w24.interface != null) {
+ "${cnf.w24.interface}" = {
+ bssid = "@BSSID_W24_0@";
+ countryCode = "CZ";
+ hwMode = "g";
+ channel = cnf.w24.channel;
+ ht_capab = ["HT40+" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "DSSS_CCK-40"];
+ ssid = "TurrisAdamkovi";
+ wpa = 2;
+ wpaPassphrase = "@PASS_TURRIS_ADAMKOVI@";
+ bridge = "brlan";
+ bss = {
+ "wlp3s0.nela" = {
+ bssid = "@BSSID_W24_1@";
+ ssid = "Nela";
+ wpa = 2;
+ wpaPassphrase = "@PASS_NELA@";
+ bridge = "brguest";
+ };
+ "wlp3s0.milan" = {
+ bssid = "@BSSID_W24_2@";
+ ssid = "MILAN-AC";
+ wpa = 2;
+ wpaPassphrase = "@PASS_MILAN_AC@";
+ bridge = "brguest";
+ };
+ };
+ };
+ })
+ // (optionalAttrs (cnf.w5.interface != null) {
+ "${cnf.w5.interface}" = {
+ bssid = "@BSSID_W5_0@";
+ countryCode = "CZ";
+ hwMode = "a";
+ channel = cnf.w5.channel;
+ ieee80211ac = true;
+ ht_capab = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "DSSS_CCK-40"];
+ vht_capab = ["RXLDPC" "SHORT-GI-80" "TX-STBC-2BY1" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"];
+ ssid = "TurrisAdamkovi5";
+ wpa = 2;
+ wpaPassphrase = "@PASS_TURRIS_ADAMKOVI@";
+ bridge = "brlan";
+ bss = {
+ "wlp2s0.nela" = {
+ bssid = "@BSSID_W5_1@";
+ ssid = "Nela5";
+ wpa = 2;
+ wpaPassphrase = "@PASS_NELA@";
+ bridge = "brguest";
+ };
+ "wlp2s0.milan" = {
+ bssid = "@BSSID_W5_2@";
+ ssid = "MILAN-AC";
+ wpa = 2;
+ wpaPassphrase = "@PASS_MILAN_AC@";
+ bridge = "brguest";
+ };
+ };
+ };
+ });
+ };
+ };
+} |
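Review bot: The guest BSSes bridged to `brguest` (the `Nela`/`Nela5` and `MILAN-AC` entries in both bands) carry no client-isolation setting, so guest stations can still reach each other through the AP even though the nftables forward rule keeps them off `brlan`; if the `networking.wirelessAP` module passes hostapd options through, add `ap_isolate = 1;` (and consider `ieee80211w = 1;` for management-frame protection) to each guest BSS — the module is not visible here, so verify it does not already set these. The BSS sub-interface names are hard-coded as `"wlp3s0.nela"` / `"wlp2s0.nela"` (and `.milan`) while the parent interface is taken from `cnf.w24.interface` / `cnf.w5.interface`, so overriding the option produces virtual interfaces named after a different radio; `"${cnf.w24.interface}.nela"` keeps them in step. Filling the `@PASS_*@`/`@BSSID_*@` placeholders from `/run/secrets/hostapd.env` keeps the passphrases out of the world-readable Nix store, which is the right pattern; a one-line comment above `environmentFile` naming the variables the file must define would help anyone provisioning a new box.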