Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/router.nix | 171 | ||||
-rw-r--r-- | nixos/modules/switch.nix | 65 | ||||
-rw-r--r-- | nixos/modules/wifi-adm.nix | 190 | ||||
-rw-r--r-- | nixos/modules/wifi-spt.nix | 171 |
4 files changed, 597 insertions, 0 deletions
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
new file mode 100644
index 0000000..ed634b1
--- /dev/null
+++ b/nixos/modules/router.nix
@@ -0,0 +1,171 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkOption types mkIf mapAttrsToList;
+ cnf = config.cynerd.router;
+in {
+ options = {
+ cynerd.router = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable router support";
+ };
+ wan = mkOption {
+ type = types.str;
+ description = "Interface for the router's WAN";
+ };
+ lanIP = mkOption {
+ type = types.str;
+ description = "LAN IP address";
+ };
+ dynIPStart = mkOption {
+ type = types.ints.between 0 256;
+ default = 100;
+ description = "Offset for the dynamic IPv4 addresses";
+ };
+ dynIPCount = mkOption {
+ type = types.ints.between 0 256;
+ default = 100;
+ description = "Number of dynamically assigned IPv4 addresses";
+ };
+ lanPrefix = mkOption {
+ type = types.ints.between 0 32;
+ default = 24;
+ description = "LAN IP network prefix length";
+ };
+ staticLeases = mkOption {
+ type = with types; attrsOf str;
+ default = {};
+ example = ''
+ {"xx:xx:xx:xx:xx:xx" = "10.8.1.30";}
+ '';
+ description = "Mapping of MAC address to IP address";
+ };
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ firewall = {
+ logRefusedConnections = false;
+ interfaces = {
+ "home" = {allowedUDPPorts = [67 68];};
+ "guest" = {allowedUDPPorts = [67 68];};
+ };
+ rejectPackets = true;
+ filterForward = true;
+ };
+ nat = {
+ enable = true;
+ externalInterface = cnf.wan;
+ internalInterfaces = ["home" "guest"];
+ };
+ };
+
+ systemd.network = {
+ netdevs = {
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ "home" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "home";
+ };
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
+ };
+ vlanConfig.Id = 2;
+ };
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig.VLAN = ["home" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "home" = {
+ matchConfig.Name = "home";
+ networkConfig = {
+ Address = "${cnf.lanIP}/${toString cnf.lanPrefix}";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = cnf.wan;
+ PoolOffset = cnf.dynIPStart;
+ PoolSize = cnf.dynIPCount;
+ EmitDNS = "yes";
+ DNS = "1.1.1.1";
+ };
+ dhcpServerStaticLeases =
+ mapAttrsToList (n: v: {
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = n;
+ Address = v;
+ };
+ })
+ cnf.staticLeases;
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = cnf.wan;
+ SubnetId = 1;
+ Announce = "yes";
+ };
+ };
+ "guest" = {
+ matchConfig.Name = "guest";
+ networkConfig = {
+ Address = "192.168.1.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = cnf.wan;
+ PoolOffset = cnf.dynIPStart;
+ PoolSize = cnf.dynIPCount;
+ EmitDNS = "yes";
+ DNS = "1.1.1.1";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = cnf.wan;
+ SubnetId = 2;
+ Announce = "yes";
+ };
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ };
+ };
+}
diff --git a/nixos/modules/switch.nix b/nixos/modules/switch.nix
new file mode 100644
index 0000000..16d57bc
--- /dev/null
+++ b/nixos/modules/switch.nix
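Review bot: The `"guest"` network hard-codes `Address = "192.168.1.1/24"` while its DHCP pool reuses `dynIPStart`/`dynIPCount`, options that are described relative to the operator-chosen `lanIP`/`lanPrefix`; 192.168.1.0/24 is also the most common upstream CPE default, so a WAN on that subnet would silently misroute guest traffic. Consider a `guestIP` option next to `lanIP`, or at least an assertion that the guest subnet does not overlap the home prefix. Home-to-guest isolation here rests only on `filterForward = true` (the NixOS nftables forward chain's drop policy, with NAT accepting internal interfaces towards `cnf.wan`, as far as I can tell from the module defaults); I would make the intent explicit and regression-proof with `networking.firewall.extraForwardRules = ''iifname "guest" oifname "home" drop'';` plus a comment stating that guest must never reach home. `logRefusedConnections = false` also discards the only record of blocked WAN probes, which may be deliberate on a busy router but deserves a one-line comment.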
@@ -0,0 +1,65 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.switch;
+in {
+ options = {
+ cynerd.switch = {
+ enable = mkEnableOption "Enable switch support";
+ lanAddress = mkOption {
+ type = types.str;
+ description = "LAN IP address";
+ };
+ lanGateway = mkOption {
+ type = types.str;
+ description = "LAN IP address of the gateway";
+ };
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ };
+
+ systemd.network = {
+ netdevs = {
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ PVID = 1;
+ EgressUntagged = 1;
+ };
+ }
+ ];
+ networkConfig = {
+ Address = cnf.lanAddress;
+ Gateway = cnf.lanGateway;
+ DNS = "1.1.1.1";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+ };
+}
diff --git a/nixos/modules/wifi-adm.nix b/nixos/modules/wifi-adm.nix
new file mode 100644
index 0000000..733f167
--- /dev/null
+++ b/nixos/modules/wifi-adm.nix
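Review bot: `lanAddress` is passed straight into networkd's `Address=` but is described only as "LAN IP address"; unlike router.nix, which appends `/${toString cnf.lanPrefix}`, a bare address here gets networkd's prefix-omitted default (a host-only /32 on recent systemd — verify against the version in use), which makes `lanGateway` unreachable. Either document the expected form, `description = "LAN IP address with prefix length, e.g. 10.8.1.2/24";`, or add a `lanPrefix` option and build the string the same way router.nix does. The bridge's self port carries only VLAN 1 (`PVID = 1`, `EgressUntagged = 1`), so guest VLAN 2 frames cannot reach the switch's management address; that is the right choice and worth a one-line comment so it is not "fixed" later. `DNS = "1.1.1.1"` here is unvalidated plain DNS, whereas router.nix turns on resolved with `dnssec = "true"`; enabling `services.resolved` with the same settings would keep the two hosts consistent.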
@@ -0,0 +1,190 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.wifiAP.adm;
+
+ wOptions = card: channelDefault: {
+ interface = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Specify interface for ${card}";
+ };
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
+ channel = mkOption {
+ type = types.ints.positive;
+ default = channelDefault;
+ description = "Channel to be used for ${card}";
+ };
+ };
+in {
+ options = {
+ cynerd.wifiAP.adm = {
+ enable = mkEnableOption "Enable Wi-Fi Access Point support";
+ ar9287 = wOptions "Qualcom Atheros AR9287" 7;
+ qca988x = wOptions "Qualcom Atheros QCA988x" 36;
+ };
+ };
+
+ config = mkIf cnf.enable {
+ services.hostapd = {
+ enable = true;
+ radios = {
+ "${cnf.ar9287.interface}" = mkIf (cnf.ar9287.interface != null) {
+ countryCode = "CZ";
+ inherit (cnf.ar9287) channel;
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks = {
+ "${cnf.ar9287.interface}" = {
+ bssid = elemAt cnf.ar9287.bssids 0;
+ ssid = "TurrisAdamkovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
+ };
+ };
+ "${cnf.ar9287.interface}-nela" = {
+ bssid = elemAt cnf.ar9287.bssids 1;
+ ssid = "Nela";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Nela.pass";
+ };
+ };
+ "${cnf.ar9287.interface}.milan" = {
+ bssid = elemAt cnf.ar9287.bssids 2;
+ ssid = "MILAN-AC";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-MILAN-AC.pass";
+ };
+ };
+ };
+ };
+ "${cnf.qca988x.interface}" = mkIf (cnf.qca988x.interface != null) {
+ countryCode = "CZ";
+ inherit (cnf.qca988x) channel;
+ band = "5g";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
+ };
+ networks = {
+ "${cnf.qca988x.interface}" = {
+ bssid = elemAt cnf.qca988x.bssids 0;
+ ssid = "TurrisAdamkovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
+ };
+ };
+ "${cnf.qca988x.interface}-nela" = {
+ bssid = elemAt cnf.qca988x.bssids 1;
+ ssid = "Nela";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Nela.pass";
+ };
+ };
+ "${cnf.qca988x.interface}.milan" = {
+ bssid = elemAt cnf.qca988x.bssids 2;
+ ssid = "MILAN-AC";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-MILAN-AC.pass";
+ };
+ };
+ };
+ };
+ };
+ };
+ systemd.network.networks = {
+ "lan-${cnf.ar9287.interface}" = {
+ matchConfig.Name = cnf.ar9287.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.ar9287.interface}-nela" = {
+ matchConfig.Name = "${cnf.ar9287.interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.ar9287.interface}.milan" = {
+ matchConfig.Name = "${cnf.ar9287.interface}.milan";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.qca988x.interface}" = {
+ matchConfig.Name = cnf.qca988x.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.qca988x.interface}-nela" = {
+ matchConfig.Name = "${cnf.qca988x.interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.qca988x.interface}.milan" = {
+ matchConfig.Name = "${cnf.qca988x.interface}.milan";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/nixos/modules/wifi-spt.nix b/nixos/modules/wifi-spt.nix
new file mode 100644
index 0000000..769449d
--- /dev/null
+++ b/nixos/modules/wifi-spt.nix
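Review bot: The `mkIf (cnf.ar9287.interface != null)` guards in `radios` do not protect anything, because the attribute names `"${cnf.ar9287.interface}"` and the `systemd.network.networks` keys `"lan-${cnf.ar9287.interface}"` are interpolated unconditionally; with the option's `null` default Nix fails with "cannot coerce null to a string" before the condition is consulted, so both cards must be configured or the host does not evaluate at all. wifi-spt.nix in the same commit already has the working shape (`mkMerge [ (mkIf … { … }) ]` around each radio and each network set, with the attribute name inside the guarded set), and `mkMerge` is in scope here via `with lib;`. Separately, `elemAt cnf.ar9287.bssids 2` with the default `[]` aborts with a bare list-index error that names no option; an assertion such as `cnf.ar9287.interface == null || builtins.length cnf.ar9287.bssids >= 3` with a message naming `cynerd.wifiAP.adm.ar9287.bssids` would make the misconfiguration diagnosable. `pkgs` is bound but unused.

```nix
    services.hostapd = {
      enable = true;
      radios = mkMerge [
        (mkIf (cnf.ar9287.interface != null) {
          "${cnf.ar9287.interface}" = {
            # … unchanged: countryCode, channel, wifi4, the three networks …
          };
        })
        (mkIf (cnf.qca988x.interface != null) {
          "${cnf.qca988x.interface}" = {
            # … unchanged: countryCode, channel, band, wifi4, wifi5, the three networks …
          };
        })
      ];
    };
    systemd.network.networks = mkMerge [
      (mkIf (cnf.ar9287.interface != null) {
        # … unchanged: the three lan-${cnf.ar9287.interface}* entries …
      })
      (mkIf (cnf.qca988x.interface != null) {
        # … unchanged: the three lan-${cnf.qca988x.interface}* entries …
      })
    ];
```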
@@ -0,0 +1,171 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkOption mkEnableOption types mkIf mkMerge hostapd elemAt;
+ cnf = config.cynerd.wifiAP.spt;
+
+ wOptions = card: channelDefault: {
+ interface = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Specify interface for ${card}";
+ };
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
+ channel = mkOption {
+ type = types.ints.positive;
+ default = channelDefault;
+ description = "Channel to be used for ${card}";
+ };
+ };
+in {
+ options = {
+ cynerd.wifiAP.spt = {
+ enable = mkEnableOption "Enable Wi-Fi Access Point support";
+ ar9287 = wOptions "Qualcom Atheros AR9287" 7;
+ qca988x = wOptions "Qualcom Atheros QCA988x" 36;
+ };
+ };
+
+ config = mkIf cnf.enable {
+ # TODO regdom doesn't work for some reason
+ boot.extraModprobeConfig = ''
+ options cfg80211 ieee80211_regdom="CZ"
+ '';
+ services.hostapd = {
+ enable = true;
+ radios = mkMerge [
+ (mkIf (cnf.ar9287.interface != null) {
+ "${cnf.ar9287.interface}" = {
+ inherit (cnf.ar9287) channel;
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks = {
+ "${cnf.ar9287.interface}" = {
+ bssid = elemAt cnf.ar9287.bssids 0;
+ ssid = "TurrisRules";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ };
+ #"${cnf.ar9287.interface}.guest" = {
+ # bssid = elemAt cnf.ar9287.bssids 1;
+ # ssid = "Kocovi";
+ # authentication = {
+ # mode = "wpa2-sha256";
+ # wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ # };
+ #};
+ };
+ };
+ })
+ (mkIf (cnf.qca988x.interface != null) {
+ "${cnf.qca988x.interface}" = let
+ is2g = cnf.qca988x.channel <= 14;
+ in {
+ inherit (cnf.qca988x) channel;
+ countryCode = "CZ";
+ band =
+ if is2g
+ then "2g"
+ else "5g";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = !is2g;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
+ };
+ networks = {
+ "${cnf.qca988x.interface}" = {
+ bssid = elemAt cnf.qca988x.bssids 0;
+ ssid = "TurrisRules${
+ if is2g
+ then ""
+ else "5"
+ }";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ };
+ #"${cnf.qca988x.interface}.guest" = {
+ # bssid = elemAt cnf.qca988x.bssids 1;
+ # ssid = "Kocovi";
+ # authentication = {
+ # mode = "wpa2-sha256";
+ # wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ # };
+ #};
+ };
+ };
+ })
+ ];
+ };
+ systemd.network.networks = mkMerge [
+ (mkIf (cnf.ar9287.interface != null) {
+ "lan-${cnf.ar9287.interface}" = {
+ matchConfig.Name = cnf.ar9287.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ #"lan-${cnf.ar9287.interface}-guest" = {
+ # matchConfig.Name = "${cnf.ar9287.interface}.guest";
+ # networkConfig.Bridge = "brlan";
+ # bridgeVLANs = [
+ # {
+ # bridgeVLANConfig = {
+ # EgressUntagged = 2;
+ # PVID = 2;
+ # };
+ # }
+ # ];
+ #};
+ })
+ (mkIf (cnf.qca988x.interface != null) {
+ "lan-${cnf.qca988x.interface}" = {
+ matchConfig.Name = cnf.qca988x.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ #"lan-${cnf.qca988x.interface}-guest" = {
+ # matchConfig.Name = "${cnf.qca988x.interface}.guest";
+ # networkConfig.Bridge = "brlan";
+ # bridgeVLANs = [
+ # {
+ # bridgeVLANConfig = {
+ # EgressUntagged = 2;
+ # PVID = 2;
+ # };
+ # }
+ # ];
+ #};
+ })
+ ];
+ };
+} |
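Review bot: `elemAt cnf.ar9287.bssids 0` and `elemAt cnf.qca988x.bssids 0` are evaluated with `bssids` defaulting to `[]`, so setting only `interface` fails with a bare list-index error that names no option; add `assertions = [{ assertion = cnf.ar9287.interface == null || builtins.length cnf.ar9287.bssids >= 1; message = "cynerd.wifiAP.spt.ar9287.bssids needs a BSSID"; }];` (and the same for qca988x) so the failure is diagnosable. The `# TODO regdom doesn't work for some reason` comment sits next to a `cfg80211 ieee80211_regdom="CZ"` modprobe option that duplicates what `countryCode = "CZ"` already asks hostapd to set; I would record in the comment what was actually observed (the `iw reg get` output) so the next person does not repeat the experiment — ath10k firmware with a baked-in regulatory domain can override both, but that is a guess from here, not something this hunk shows. The only enabled SSID lands on VLAN 1 (`PVID = 1`) and the commented-out `.guest` blocks are the only path onto VLAN 2; a one-line comment that guest Wi-Fi is intentionally disabled on this host would stop someone enabling the hostapd half without the bridge half, which would put the guest SSID on the home VLAN. `pkgs` is bound but unused.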