Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/router.nix171
-rw-r--r--nixos/modules/switch.nix65
-rw-r--r--nixos/modules/wifi-adm.nix190
-rw-r--r--nixos/modules/wifi-spt.nix171
4 files changed, 597 insertions, 0 deletions
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
new file mode 100644
index 0000000..ed634b1
--- /dev/null
+++ b/nixos/modules/router.nix
@@ -0,0 +1,171 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkOption types mkIf mapAttrsToList;
+ cnf = config.cynerd.router;
+in {
+ options = {
+ cynerd.router = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable router support";
+ };
+ wan = mkOption {
+ type = types.str;
+ description = "Interface for the router's WAN";
+ };
+ lanIP = mkOption {
+ type = types.str;
+ description = "LAN IP address";
+ };
+ dynIPStart = mkOption {
+ type = types.ints.between 0 256;
+ default = 100;
+ description = "Offset for the dynamic IPv4 addresses";
+ };
+ dynIPCount = mkOption {
+ type = types.ints.between 0 256;
+ default = 100;
+ description = "Number of dynamically assigned IPv4 addresses";
+ };
+ lanPrefix = mkOption {
+ type = types.ints.between 0 32;
+ default = 24;
+ description = "LAN IP network prefix length";
+ };
+ staticLeases = mkOption {
+ type = with types; attrsOf str;
+ default = {};
+ example = ''
+ {"xx:xx:xx:xx:xx:xx" = "10.8.1.30";}
+ '';
+ description = "Mapping of MAC address to IP address";
+ };
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ firewall = {
+ logRefusedConnections = false;
+ interfaces = {
+ "home" = {allowedUDPPorts = [67 68];};
+ "guest" = {allowedUDPPorts = [67 68];};
+ };
+ rejectPackets = true;
+ filterForward = true;
+ };
+ nat = {
+ enable = true;
+ externalInterface = cnf.wan;
+ internalInterfaces = ["home" "guest"];
+ };
+ };
+
+ systemd.network = {
+ netdevs = {
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ "home" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "home";
+ };
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
+ };
+ vlanConfig.Id = 2;
+ };
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig.VLAN = ["home" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "home" = {
+ matchConfig.Name = "home";
+ networkConfig = {
+ Address = "${cnf.lanIP}/${toString cnf.lanPrefix}";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = cnf.wan;
+ PoolOffset = cnf.dynIPStart;
+ PoolSize = cnf.dynIPCount;
+ EmitDNS = "yes";
+ DNS = "1.1.1.1";
+ };
+ dhcpServerStaticLeases =
+ mapAttrsToList (n: v: {
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = n;
+ Address = v;
+ };
+ })
+ cnf.staticLeases;
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = cnf.wan;
+ SubnetId = 1;
+ Announce = "yes";
+ };
+ };
+ "guest" = {
+ matchConfig.Name = "guest";
+ networkConfig = {
+ Address = "192.168.1.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = cnf.wan;
+ PoolOffset = cnf.dynIPStart;
+ PoolSize = cnf.dynIPCount;
+ EmitDNS = "yes";
+ DNS = "1.1.1.1";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = cnf.wan;
+ SubnetId = 2;
+ Announce = "yes";
+ };
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ };
+ };
+}
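Review bot: The `networking.firewall`/`networking.nat` blocks list both `home` and `guest` as `internalInterfaces` but contain no rule that keeps the guest VLAN out of the home VLAN; whether guest→home forwarding is blocked depends entirely on the forward chain the NixOS nftables firewall generates for `filterForward = true`, which is not visible in this hunk. An explicit rule costs nothing and records the intent: `networking.firewall.extraForwardRules = ''iifname "guest" oifname "home" drop'';` (if a generated accept turns out to precede the `forward-allow` chain, the rule would have to move into a dedicated higher-priority nftables chain instead). Separately, `guest` is hard-wired to `192.168.1.1/24` while `home` takes `lanIP`/`lanPrefix` from the user, and nothing rejects a `lanIP` inside 192.168.1.0/24 or a `dynIPStart + dynIPCount` that exceeds the prefix size — both would be cheap `assertions` entries. `rejectPackets = true` also applies to the guest side, so untrusted clients get ICMP/RST answers that map the router's closed ports; dropping is the more usual choice for a guest segment.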
diff --git a/nixos/modules/switch.nix b/nixos/modules/switch.nix
new file mode 100644
index 0000000..16d57bc
--- /dev/null
+++ b/nixos/modules/switch.nix
@@ -0,0 +1,65 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.switch;
+in {
+ options = {
+ cynerd.switch = {
+ enable = mkEnableOption "Enable switch support";
+ lanAddress = mkOption {
+ type = types.str;
+ description = "LAN IP address";
+ };
+ lanGateway = mkOption {
+ type = types.str;
+ description = "LAN IP address of the gateway";
+ };
+ };
+ };
+
+ config = mkIf cnf.enable {
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ };
+
+ systemd.network = {
+ netdevs = {
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ PVID = 1;
+ EgressUntagged = 1;
+ };
+ }
+ ];
+ networkConfig = {
+ Address = cnf.lanAddress;
+ Gateway = cnf.lanGateway;
+ DNS = "1.1.1.1";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+ };
+}
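Review bot: `Address = cnf.lanAddress` hands the option straight to networkd's `Address=`, which expects a prefix length, yet the option is described only as "LAN IP address" — the sibling `router.nix` in this commit appends `/${toString cnf.lanPrefix}` to its `lanIP`, so the two modules silently accept different formats for what looks like the same thing. Either document it, `description = "LAN IP address with prefix length, e.g. 10.8.1.2/24";`, or take a separate prefix option the way router.nix does. Also worth a comment on the `bridgeVLANs` entry: with `DefaultPVID=none` on `brlan`, this file only places the bridge's own interface into VLAN 1, so the physical ports' VLAN membership must be configured elsewhere, and the switch's management address consequently sits on the `home` VLAN where every home client can reach it.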
diff --git a/nixos/modules/wifi-adm.nix b/nixos/modules/wifi-adm.nix
new file mode 100644
index 0000000..733f167
--- /dev/null
+++ b/nixos/modules/wifi-adm.nix
@@ -0,0 +1,190 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cnf = config.cynerd.wifiAP.adm;
+
+ wOptions = card: channelDefault: {
+ interface = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Specify interface for ${card}";
+ };
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
+ channel = mkOption {
+ type = types.ints.positive;
+ default = channelDefault;
+ description = "Channel to be used for ${card}";
+ };
+ };
+in {
+ options = {
+ cynerd.wifiAP.adm = {
+ enable = mkEnableOption "Enable Wi-Fi Access Point support";
+ ar9287 = wOptions "Qualcom Atheros AR9287" 7;
+ qca988x = wOptions "Qualcom Atheros QCA988x" 36;
+ };
+ };
+
+ config = mkIf cnf.enable {
+ services.hostapd = {
+ enable = true;
+ radios = {
+ "${cnf.ar9287.interface}" = mkIf (cnf.ar9287.interface != null) {
+ countryCode = "CZ";
+ inherit (cnf.ar9287) channel;
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks = {
+ "${cnf.ar9287.interface}" = {
+ bssid = elemAt cnf.ar9287.bssids 0;
+ ssid = "TurrisAdamkovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
+ };
+ };
+ "${cnf.ar9287.interface}-nela" = {
+ bssid = elemAt cnf.ar9287.bssids 1;
+ ssid = "Nela";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Nela.pass";
+ };
+ };
+ "${cnf.ar9287.interface}.milan" = {
+ bssid = elemAt cnf.ar9287.bssids 2;
+ ssid = "MILAN-AC";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-MILAN-AC.pass";
+ };
+ };
+ };
+ };
+ "${cnf.qca988x.interface}" = mkIf (cnf.qca988x.interface != null) {
+ countryCode = "CZ";
+ inherit (cnf.qca988x) channel;
+ band = "5g";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
+ };
+ networks = {
+ "${cnf.qca988x.interface}" = {
+ bssid = elemAt cnf.qca988x.bssids 0;
+ ssid = "TurrisAdamkovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
+ };
+ };
+ "${cnf.qca988x.interface}-nela" = {
+ bssid = elemAt cnf.qca988x.bssids 1;
+ ssid = "Nela";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Nela.pass";
+ };
+ };
+ "${cnf.qca988x.interface}.milan" = {
+ bssid = elemAt cnf.qca988x.bssids 2;
+ ssid = "MILAN-AC";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-MILAN-AC.pass";
+ };
+ };
+ };
+ };
+ };
+ };
+ systemd.network.networks = {
+ "lan-${cnf.ar9287.interface}" = {
+ matchConfig.Name = cnf.ar9287.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.ar9287.interface}-nela" = {
+ matchConfig.Name = "${cnf.ar9287.interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.ar9287.interface}.milan" = {
+ matchConfig.Name = "${cnf.ar9287.interface}.milan";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.qca988x.interface}" = {
+ matchConfig.Name = cnf.qca988x.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.qca988x.interface}-nela" = {
+ matchConfig.Name = "${cnf.qca988x.interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ "lan-${cnf.qca988x.interface}.milan" = {
+ matchConfig.Name = "${cnf.qca988x.interface}.milan";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ };
+ };
+}
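Review bot: The radio keys `"${cnf.ar9287.interface}" = mkIf (cnf.ar9287.interface != null) { … }` do not achieve what the guard intends: Nix forces the dynamic attribute name before `mkIf` is evaluated, so leaving one card at the `null` default of `interface` aborts the whole evaluation with a "cannot coerce null to a string" error instead of skipping that radio, and the `systemd.network.networks` entries further down carry no guard at all. `wifi-spt.nix` in this same commit already uses the working shape — `mkMerge [ (mkIf cond { "${iface}" = …; }) … ]` — and this module should mirror it. Two smaller things: `band = "5g"` is fixed for qca988x although `channel` is user-settable (wifi-spt.nix derives the band from the channel), and `elemAt cnf.ar9287.bssids 2` on a list that defaults to `[]` fails with a bare index error rather than a message naming the option, which an `assertions` entry requiring three BSSIDs per enabled card would fix. `pkgs` is bound in the argument set but never used.
```nix
    radios = mkMerge [
      (mkIf (cnf.ar9287.interface != null) {
        "${cnf.ar9287.interface}" = {
          # … unchanged: countryCode, channel, wifi4, networks …
        };
      })
      (mkIf (cnf.qca988x.interface != null) {
        "${cnf.qca988x.interface}" = {
          # … unchanged: countryCode, channel, band, wifi4, wifi5, networks …
        };
      })
    ];
  };
  systemd.network.networks = mkMerge [
    (mkIf (cnf.ar9287.interface != null) {
      # … unchanged: the three lan-${cnf.ar9287.interface}* entries …
    })
    (mkIf (cnf.qca988x.interface != null) {
      # … unchanged: the three lan-${cnf.qca988x.interface}* entries …
    })
  ];
```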
diff --git a/nixos/modules/wifi-spt.nix b/nixos/modules/wifi-spt.nix
new file mode 100644
index 0000000..769449d
--- /dev/null
+++ b/nixos/modules/wifi-spt.nix
@@ -0,0 +1,171 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkOption mkEnableOption types mkIf mkMerge hostapd elemAt;
+ cnf = config.cynerd.wifiAP.spt;
+
+ wOptions = card: channelDefault: {
+ interface = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Specify interface for ${card}";
+ };
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
+ channel = mkOption {
+ type = types.ints.positive;
+ default = channelDefault;
+ description = "Channel to be used for ${card}";
+ };
+ };
+in {
+ options = {
+ cynerd.wifiAP.spt = {
+ enable = mkEnableOption "Enable Wi-Fi Access Point support";
+ ar9287 = wOptions "Qualcom Atheros AR9287" 7;
+ qca988x = wOptions "Qualcom Atheros QCA988x" 36;
+ };
+ };
+
+ config = mkIf cnf.enable {
+ # TODO regdom doesn't work for some reason
+ boot.extraModprobeConfig = ''
+ options cfg80211 ieee80211_regdom="CZ"
+ '';
+ services.hostapd = {
+ enable = true;
+ radios = mkMerge [
+ (mkIf (cnf.ar9287.interface != null) {
+ "${cnf.ar9287.interface}" = {
+ inherit (cnf.ar9287) channel;
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks = {
+ "${cnf.ar9287.interface}" = {
+ bssid = elemAt cnf.ar9287.bssids 0;
+ ssid = "TurrisRules";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ };
+ #"${cnf.ar9287.interface}.guest" = {
+ # bssid = elemAt cnf.ar9287.bssids 1;
+ # ssid = "Kocovi";
+ # authentication = {
+ # mode = "wpa2-sha256";
+ # wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ # };
+ #};
+ };
+ };
+ })
+ (mkIf (cnf.qca988x.interface != null) {
+ "${cnf.qca988x.interface}" = let
+ is2g = cnf.qca988x.channel <= 14;
+ in {
+ inherit (cnf.qca988x) channel;
+ countryCode = "CZ";
+ band =
+ if is2g
+ then "2g"
+ else "5g";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = !is2g;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
+ };
+ networks = {
+ "${cnf.qca988x.interface}" = {
+ bssid = elemAt cnf.qca988x.bssids 0;
+ ssid = "TurrisRules${
+ if is2g
+ then ""
+ else "5"
+ }";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ };
+ #"${cnf.qca988x.interface}.guest" = {
+ # bssid = elemAt cnf.qca988x.bssids 1;
+ # ssid = "Kocovi";
+ # authentication = {
+ # mode = "wpa2-sha256";
+ # wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ # };
+ #};
+ };
+ };
+ })
+ ];
+ };
+ systemd.network.networks = mkMerge [
+ (mkIf (cnf.ar9287.interface != null) {
+ "lan-${cnf.ar9287.interface}" = {
+ matchConfig.Name = cnf.ar9287.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ #"lan-${cnf.ar9287.interface}-guest" = {
+ # matchConfig.Name = "${cnf.ar9287.interface}.guest";
+ # networkConfig.Bridge = "brlan";
+ # bridgeVLANs = [
+ # {
+ # bridgeVLANConfig = {
+ # EgressUntagged = 2;
+ # PVID = 2;
+ # };
+ # }
+ # ];
+ #};
+ })
+ (mkIf (cnf.qca988x.interface != null) {
+ "lan-${cnf.qca988x.interface}" = {
+ matchConfig.Name = cnf.qca988x.interface;
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ #"lan-${cnf.qca988x.interface}-guest" = {
+ # matchConfig.Name = "${cnf.qca988x.interface}.guest";
+ # networkConfig.Bridge = "brlan";
+ # bridgeVLANs = [
+ # {
+ # bridgeVLANConfig = {
+ # EgressUntagged = 2;
+ # PVID = 2;
+ # };
+ # }
+ # ];
+ #};
+ })
+ ];
+ };
+}
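Review bot: `bssid = elemAt cnf.ar9287.bssids 0` (and its qca988x twin) indexes a list whose option default is `[]`, so enabling a card without also setting `bssids` fails at evaluation with a bare list-index error instead of naming the option; an assertion makes the contract explicit, e.g. `assertions = [{ assertion = cnf.ar9287.interface == null || cnf.ar9287.bssids != []; message = "cynerd.wifiAP.spt.ar9287.bssids must list at least one BSSID"; }];`. On the `# TODO regdom doesn't work` comment: `ieee80211_regdom` is presumably ignored because the kernel has no `regulatory.db` to validate the country against, which on NixOS comes from `hardware.wirelessRegulatoryDatabase = true` — check whether the hostapd module already sets it before chasing the TODO further, since an AP advertising `countryCode = "CZ"` while the kernel runs the world regdom is what the comment describes. `pkgs` is bound but unused, and the commented-out `.guest` blocks would read better as a one-line note saying why they are parked than as dead code carried in two files.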