Diffstat (limited to 'nixos/configurations/adm-omnia.nix')
-rw-r--r-- | nixos/configurations/adm-omnia.nix | 40 |
1 files changed, 26 insertions, 14 deletions
diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix
index 056a68e..55ee733 100644
--- a/nixos/configurations/adm-omnia.nix
+++ b/nixos/configurations/adm-omnia.nix
@@ -1,10 +1,12 @@
 {config, ...}: let
   hosts = config.cynerd.hosts.adm;
 in {
+  system.stateVersion = "24.05";
+
   turris.board = "omnia";
   deploy = {
-    enable = false;
-    ssh.host = "omnia.adm";
+    enable = true;
+    ssh.host = "adm.cynerd.cz";
   };
 
   cynerd = {
@@ -23,16 +25,16 @@ in {
       };
     };
     wifiAP.adm = {
-      enable = false;
+      enable = true;
       ar9287 = {
-        interface = "wlp1s0";
+        interface = "wlp2s0";
         bssids = config.secrets.wifiMacs.adm-omnia.ar9287;
-        channel = 11;
+        channel = 7;
       };
       qca988x = {
-        interface = "wlp3s0";
+        interface = "wlp1s0";
         bssids = config.secrets.wifiMacs.adm-omnia.qca988x;
-        channel = 36;
+        channel = 44;
       };
     };
     wireguard = true;
@@ -48,12 +50,18 @@ in {
     fileSystems = ["/"];
   };
 
-  networking = {
-    useNetworkd = true;
-    useDHCP = false;
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"];
   };
+
+  networking.useDHCP = false;
   systemd.network = {
     networks = {
+      "end2" = {
+        matchConfig.Name = "end2"; # Ensure that it is managed by systemd-networkd
+        networkConfig.IPv6AcceptRA = false;
+      };
       "pppoe-wan" = {
         matchConfig.Name = "pppoe-wan";
         networkConfig = {
@@ -75,7 +83,7 @@ in {
         linkConfig.RequiredForOnline = "routable";
       };
       "lan-brlan" = {
-        matchConfig.Name = "lan[1-4]";
+        matchConfig.Name = "lan4";
         networkConfig.Bridge = "brlan";
         bridgeVLANs = [
           {
@@ -86,7 +94,7 @@ in {
         ];
       };
       "lan-guest" = {
-        matchConfig.Name = "lan0";
+        matchConfig.Name = "lan[0-3]";
         networkConfig.Bridge = "brlan";
         bridgeVLANs = [
           {
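Review bot: The third hunk (`@@ -48,12 +50,18 @@`) removes `networking.useNetworkd = true;` along with the whole `networking = { … }` block, yet keeps and extends the `systemd.network.networks` definitions right below it; unless `systemd.network.enable = true` (or `networking.useNetworkd`) is set elsewhere, for instance by the turris module or in a part of the file outside these hunks, systemd-networkd is not enabled and the `end2`, `pppoe-wan` and `lan-*` units are never applied. If it is set elsewhere, a short comment beside `networking.useDHCP = false;` such as `# systemd-networkd itself is enabled in <module that sets systemd.network.enable>` would save the next reader the search. The new `services.fail2ban.ignoreIP` exempts two /24 ranges from banning without saying what they are; if one of them is the guest bridge's subnet, hosts on the guest network are never banned, so a comment naming each range (`# home LAN` / `# guest LAN`, whichever applies) would make that exemption a visible, deliberate choice rather than a surprise.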
@@ -114,10 +122,14 @@ in {
     password 02
   '';
   };
-  systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"];
+  systemd.services."pppd-wan" = {
+    after = ["sys-subsystem-net-devices-end2.device"];
+    partOf = ["systemd-networkd.service"];
+  };
   # TODO limit NSS clamping to just pppoe-wan
   networking.firewall.extraForwardRules = ''
     tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
-    iifname {"home", "personalvpn", "wg"} oifname {"home", "personalvpn", "wg"} accept
+    iifname {"home", "wg"} oifname {"home", "wg"} accept
+    iifname "home" oifname "guest" accept comment "Allow home to access guest devices"
   '';
 }
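Review bot: The new `iifname "home" oifname "guest" accept` rule in `extraForwardRules` is one-directional by design, but nothing in the file says so; a later reader may add a guest→home counterpart "for symmetry" and quietly dissolve the guest isolation. Replies presumably return through the conntrack established/related accept that precedes `extraForwardRules` in the NixOS nftables forward chain (worth confirming against the generated ruleset on the box), so a comment such as `# guest -> home is intentionally NOT allowed; replies return via established/related` above the new line would pin the intent. The rewritten `iifname {"home", "wg"} oifname {"home", "wg"} accept` line, which drops `personalvpn`, is the only rule in the block without an nftables `comment`; assuming `wg` is the wireguard interface enabled in the second hunk, `accept comment "Full routing between home LAN and wireguard"` would match the surrounding style.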