From 31661e73a6ce84a25be1b80ee898fe7fe63b16b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?=
Date: Thu, 23 Jan 2025 15:31:16 +0100
Subject: nixos: refactor the modules
---
 flake.lock | 20 +++----
 nixos/modules/Rpi.md | 25 ---------
 nixos/modules/generic.nix | 5 --
 nixos/modules/nixos-system.sh | 27 ----------
 nixos/modules/rpi.md | 25 +++++++++
 nixos/modules/wifi-adm.nix | 118 ++++++++++++++++-------------------------
 nixos/modules/wifi-spt.nix | 84 +++++++++++------------------
 nixos/modules/wireguad.nix | 85 ------------------------------
 nixos/modules/wireguard.nix | 85 ++++++++++++++++++++++++++++++
 9 files changed, 196 insertions(+), 278 deletions(-)
 delete mode 100644 nixos/modules/Rpi.md
 delete mode 100644 nixos/modules/nixos-system.sh
 create mode 100644 nixos/modules/rpi.md
 delete mode 100644 nixos/modules/wireguad.nix
 create mode 100644 nixos/modules/wireguard.nix
diff --git a/flake.lock b/flake.lock
index 4ce4cbc..9a0355b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -201,11 +201,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1736978406,
- "narHash": "sha256-oMr3PVIQ8XPDI8/x6BHxsWEPBRU98Pam6KGVwUh8MPk=",
+ "lastModified": 1737590910,
+ "narHash": "sha256-qM/y6Dtpu9Wmf5HqeZajQdn+cS0aljdYQQQnrvx+LJE=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "b678606690027913f3434dea3864e712b862dde5",
+ "rev": "9368027715d8dde4b84c79c374948b5306fdd2db",
 "type": "github"
 },
 "original": {
@@ -245,11 +245,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1737110817,
- "narHash": "sha256-DSenga8XjPaUV5KUFW/i3rNkN7jm9XmguW+qQ1ZJTR4=",
+ "lastModified": 1737525964,
+ "narHash": "sha256-3wFonKmNRWKq1himW9N3TllbeGIHFACI5vmLpk6moF8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "041c867bad68dfe34b78b2813028a2e2ea70a23c",
+ "rev": "5757bbb8bd7c0630a0cc4bb19c47e588db30b97c",
 "type": "github"
 },
 "original": {
@@ -348,11 +348,11 @@
 },
 "personal-secret": {
 "locked": {
- "lastModified": 1737306019,
- "narHash": "sha256-XXrP6fZwG5jXDHAakvhIeSZlNJJ/ZwYgekuL2i2ANXY=",
+ "lastModified": 1737384491,
+ "narHash": "sha256-5ePb3HAOoepnaADMZF2ATdkMr0bBP/s9zDqSqyrlX+A=",
 "ref": "refs/heads/master",
- "rev": "e975c3ce7c68245523bea96e5ecdaab118f0d5cc",
- "revCount": 121,
+ "rev": "81298163c38df333577b498eaf372e287b31ba93",
+ "revCount": 122,
 "type": "git",
 "url": "ssh://git@cynerd.cz/nixos-personal-secret"
 },
diff --git a/nixos/modules/Rpi.md b/nixos/modules/Rpi.md
deleted file mode 100644
index 43b172f..0000000
--- a/nixos/modules/Rpi.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# Raspberry Pi SD card preparation steps
-
-```
-~# parted /dev/sdx
-(parted) mktable msdos
-(parted) mkpart primary fat16 0% 120M
-(parted) mkpart primary btrfs 120M 100%
-(parted) set 2 boot on
-(parted) quit
-~# mkfs.vfat -F16 /dev/sdx1
-~# mkfs.btrfs /dev/sdx2
-
-~# mount /dev/sdx1 /mnt
-~# nix build .#firmware-HOST
-~# cp -r result/* /mnt/
-~# umount mnt
-
-~# mount /dev/sdx2 /mnt
-~# nix copy --to /mnt .#toplevel-HOST
-~# nix build --print-out-paths .#toplevel-HOST
-~# nix eval .#nixosConfigurations.HOST.config.boot.loader.generic-extlinux-compatible.populateCmd
-"/nix/store/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-extlinux-conf-builder.sh -g 20 -t 5"
-~# /nix/store/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-extlinux-conf-builder.sh -c -d ./mnt/boot
-~# umount mnt
-```
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index c5dbd98..183bffe 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -62,11 +62,6 @@ in {
 })
 ];
- system.extraSystemBuilderCmds = ''
- substituteAll ${./nixos-system.sh} $out/bin/nixos-system
- chmod +x $out/bin/nixos-system
- '';
-
 documentation = {
 enable = mkDefault false;
 doc.enable = mkDefault false;
diff --git a/nixos/modules/nixos-system.sh b/nixos/modules/nixos-system.sh
deleted file mode 100644
index 7a220bb..0000000
--- a/nixos/modules/nixos-system.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!@shell@
-# Simple script handy to be used for activation
-
-while getopts "s" opt; do
- case "$opt" in
- s)
- if [ ! -v NIXOS_SYSTEM_GNU_SCREEN ]; then
- export NIXOS_SYSTEM_GNU_SCREEN=1
- exec @out@/sw/bin/screen "$0" "$@"
- fi
- ;;
- *)
- echo "Invalid argument: $1" >&2
- exit 1
- ;;
- esac
-done
-shift $((OPTIND - 1))
-
-
-@out@/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set '@out@'
-
-@out@/bin/switch-to-configuration "$@" || {
- echo "Switch failed!" >&2
- read -r _
- exit 1
-}
diff --git a/nixos/modules/rpi.md b/nixos/modules/rpi.md
new file mode 100644
index 0000000..43b172f
--- /dev/null
+++ b/nixos/modules/rpi.md
@@ -0,0 +1,25 @@
+# Raspberry Pi SD card preparation steps
+
+```
+~# parted /dev/sdx
+(parted) mktable msdos
+(parted) mkpart primary fat16 0% 120M
+(parted) mkpart primary btrfs 120M 100%
+(parted) set 2 boot on
+(parted) quit
+~# mkfs.vfat -F16 /dev/sdx1
+~# mkfs.btrfs /dev/sdx2
+
+~# mount /dev/sdx1 /mnt
+~# nix build .#firmware-HOST
+~# cp -r result/* /mnt/
+~# umount mnt
+
+~# mount /dev/sdx2 /mnt
+~# nix copy --to /mnt .#toplevel-HOST
+~# nix build --print-out-paths .#toplevel-HOST
+~# nix eval .#nixosConfigurations.HOST.config.boot.loader.generic-extlinux-compatible.populateCmd
+"/nix/store/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-extlinux-conf-builder.sh -g 20 -t 5"
+~# /nix/store/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-extlinux-conf-builder.sh -c -d ./mnt/boot
+~# umount mnt
+```
diff --git a/nixos/modules/wifi-adm.nix b/nixos/modules/wifi-adm.nix
index 63dc19a..56ca65a 100644
--- a/nixos/modules/wifi-adm.nix
+++ b/nixos/modules/wifi-adm.nix
@@ -3,10 +3,10 @@
 lib,
 ...
 }: let
- inherit (lib) mkOption mkEnableOption types mkIf hostapd elemAt;
+ inherit (lib) mkOption mkEnableOption types mkIf mkMerge hostapd elemAt;
 cnf = config.cynerd.wifiAP.adm;
- networks = name: {
+ wifi-networks = name: {
 "${cnf."${name}".interface}" = {
 bssid = elemAt cnf."${name}".bssids 0;
 ssid = "TurrisAdamkovi";
@@ -16,7 +16,7 @@
 saePasswordsFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
 };
 };
- "${cnf."${name}".interface}-nela" = {
+ "${cnf."${name}".interface}.nela" = {
 bssid = elemAt cnf."${name}".bssids 1;
 ssid = "Nela";
 authentication = {
@@ -34,6 +34,42 @@
 };
 };
+ net-networks = name: {
+ "lan-${cnf."${name}".interface}" = {
+ matchConfig = {
+ Name = cnf."${name}".interface;
+ WLANInterfaceType = "ap";
+ };
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 1;
+ PVID = 1;
+ }
+ ];
+ };
+ "lan-${cnf."${name}".interface}.nela" = {
+ matchConfig.Name = "${cnf."${name}".interface}-nela";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 2;
+ PVID = 2;
+ }
+ ];
+ };
+ "lan-${cnf."${name}".interface}.milan" = {
+ matchConfig.Name = "${cnf."${name}".interface}.milan";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 2;
+ PVID = 2;
+ }
+ ];
+ };
+ };
+
 wOptions = card: channelDefault: {
 interface = mkOption {
 type = with types; nullOr str;
@@ -71,7 +107,7 @@ in {
 enable = true;
 inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
 };
- networks = networks "ar9287";
+ networks = wifi-networks "ar9287";
 };
 "${cnf.qca988x.interface}" = mkIf (cnf.qca988x.interface != null) {
 countryCode = "CZ";
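Review bot: In `net-networks`, the Nela entry matches `matchConfig.Name = "${cnf."${name}".interface}-nela";`, but the `@@ -16,7 +16,7 @@` hunk of the same file renames the corresponding hostapd BSS from `…-nela` to `….nela`, so this `.network` unit no longer matches the interface hostapd will create. The removed code used `-nela` on both sides and the `.milan` entry directly below uses the dotted form on both sides, so this reads as a missed rename rather than an intended difference. Until it is fixed the Nela BSS gets no `brlan`/VLAN 2 membership from this module; whether it ends up unbridged or caught by some broader `.network` match elsewhere cannot be told from this hunk, but either outcome differs from the old behaviour. Proposed change: `matchConfig.Name = "${cnf."${name}".interface}.nela";`. The enclosing `let` block starts outside the hunk.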
@@ -85,77 +121,13 @@ in {
 enable = true;
 inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
 };
- networks = networks "qca988x";
+ networks = wifi-networks "qca988x";
 };
 };
 };
- systemd.network.networks = {
- "lan-${cnf.ar9287.interface}" = {
- matchConfig = {
- Name = cnf.ar9287.interface;
- WLANInterfaceType = "ap";
- };
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- EgressUntagged = 1;
- PVID = 1;
- }
- ];
- };
- "lan-${cnf.ar9287.interface}-nela" = {
- matchConfig.Name = "${cnf.ar9287.interface}-nela";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- EgressUntagged = 2;
- PVID = 2;
- }
- ];
- };
- "lan-${cnf.ar9287.interface}.milan" = {
- matchConfig.Name = "${cnf.ar9287.interface}.milan";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- EgressUntagged = 2;
- PVID = 2;
- }
- ];
- };
- "lan-${cnf.qca988x.interface}" = {
- matchConfig = {
- Name = cnf.qca988x.interface;
- WLANInterfaceType = "ap";
- };
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- EgressUntagged = 1;
- PVID = 1;
- }
- ];
- };
- "lan-${cnf.qca988x.interface}-nela" = {
- matchConfig.Name = "${cnf.qca988x.interface}-nela";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- EgressUntagged = 2;
- PVID = 2;
- }
- ];
- };
- "lan-${cnf.qca988x.interface}.milan" = {
- matchConfig.Name = "${cnf.qca988x.interface}.milan";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- EgressUntagged = 2;
- PVID = 2;
- }
- ];
- };
- };
+ systemd.network.networks = mkMerge [
+ (mkIf (cnf.ar9287.interface != null) (net-networks "ar9287"))
+ (mkIf (cnf.qca988x.interface != null) (net-networks "qca988x"))
+ ];
 };
 }
diff --git a/nixos/modules/wifi-spt.nix b/nixos/modules/wifi-spt.nix
index d3f6f68..bec093e 100644
--- a/nixos/modules/wifi-spt.nix
+++ b/nixos/modules/wifi-spt.nix
@@ -6,7 +6,7 @@
 inherit (lib) mkOption mkEnableOption types mkIf mkForce mkMerge hostapd elemAt;
 cnf = config.cynerd.wifiAP.spt;
- networks = name: let
+ wifi-networks = name: let
 is2g = cnf."${name}".channel <= 14;
 in {
 "${cnf."${name}".interface}" = {
@@ -35,6 +35,32 @@
 };
 };
+ net-networks = name: {
+ "lan-${cnf."${name}".interface}" = {
+ matchConfig = {
+ Name = cnf."${name}".interface;
+ WLANInterfaceType = "ap";
+ };
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 1;
+ PVID = 1;
+ }
+ ];
+ };
+ "lan-${cnf."${name}".interface}-guest" = {
+ matchConfig.Name = "${cnf."${name}".interface}.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 2;
+ PVID = 2;
+ }
+ ];
+ };
+ };
+
 wOptions = card: channelDefault: {
 interface = mkOption {
 type = with types; nullOr str;
@@ -77,7 +103,7 @@ in {
 enable = true;
 inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
 };
- networks = networks "ar9287";
+ networks = wifi-networks "ar9287";
 };
 })
 (mkIf (cnf.qca988x.interface != null) {
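Review bot: The `net-networks` helper added in the `@@ -35,6 +35,32 @@` hunk is, apart from the second entry's `-guest`/`.guest` suffix and its VLAN id, a line-for-line copy of the `net-networks` helper this commit adds to nixos/modules/wifi-adm.nix, and the `mkMerge [ (mkIf … (net-networks …)) ]` plumbing around it is duplicated too. Since the two differ only in the per-BSS suffix and VLAN id, one shared function taking the interface and a list of suffix/VLAN pairs would serve both modules and keep the two copies from drifting, which is how the `-nela`/`.nela` spelling mismatch in wifi-adm.nix could arise. A smaller point of style: the attribute key uses `-guest` while `matchConfig.Name` uses `.guest`; harmless for a key, but one spelling keeps the units greppable. The `let` block this helper sits in starts outside the hunk.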
@@ -98,62 +124,14 @@ in { enable = !is2g; inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities; }; - networks = networks "qca988x"; + networks = wifi-networks "qca988x"; }; }) ]; }; systemd.network.networks = mkMerge [ - (mkIf (cnf.ar9287.interface != null) { - "lan-${cnf.ar9287.interface}" = { - matchConfig = { - Name = cnf.ar9287.interface; - WLANInterfaceType = "ap"; - }; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 1; - PVID = 1; - } - ]; - }; - "lan-${cnf.ar9287.interface}-guest" = { - matchConfig.Name = "${cnf.ar9287.interface}.guest"; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 2; - PVID = 2; - } - ]; - }; - }) - (mkIf (cnf.qca988x.interface != null) { - "lan-${cnf.qca988x.interface}" = { - matchConfig = { - Name = cnf.qca988x.interface; - WLANInterfaceType = "ap"; - }; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 1; - PVID = 1; - } - ]; - }; - "lan-${cnf.qca988x.interface}-guest" = { - matchConfig.Name = "${cnf.qca988x.interface}.guest"; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 2; - PVID = 2; - } - ]; - }; - }) + (mkIf (cnf.ar9287.interface != null) (net-networks "ar9287")) + (mkIf (cnf.qca988x.interface != null) (net-networks "qca988x")) ]; }; } diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix deleted file mode 100644 index b49eaae..0000000 --- a/nixos/modules/wireguad.nix +++ /dev/null 
@@ -1,85 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) any all mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
- inherit (config.networking) hostName;
- endpoints = ["lipwig" "spt-omnia" "adm-omnia"];
- is_endpoint = any (v: v == hostName) endpoints;
-in {
- options = {
- cynerd.wireguard = mkEnableOption "Enable Wireguard";
- };
-
- config = mkIf config.cynerd.wireguard {
- environment.systemPackages = [pkgs.wireguard-tools];
- systemd.network = {
- netdevs."wg" = {
- netdevConfig = {
- Name = "wg";
- Kind = "wireguard";
- Description = "Personal Wireguard tunnel";
- MTUBytes = "1300";
- };
- wireguardConfig = {
- ListenPort = 51820;
- PrivateKeyFile = "/run/secrets/wg.key";
- };
- wireguardPeers =
- [
- ({
- Endpoint = "cynerd.cz:51820";
- AllowedIPs = ["0.0.0.0/0"];
- PublicKey = config.secrets.wireguardPubs.lipwig;
- }
- // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
- ({
- Endpoint = "spt.cynerd.cz:51820";
- AllowedIPs = [
- "${config.cynerd.hosts.wg.spt-omnia}/32"
- "10.8.2.0/24"
- ];
- PublicKey = config.secrets.wireguardPubs.spt-omnia;
- }
- // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
- ({
- Endpoint = "adm.cynerd.cz:51820";
- AllowedIPs = [
- "${config.cynerd.hosts.wg.adm-omnia}/32"
- "10.8.3.0/24"
- ];
- PublicKey = config.secrets.wireguardPubs.adm-omnia;
- }
- // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
- ]
- ++ (optionals is_endpoint (mapAttrsToList (n: v: {
- AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
- PublicKey = v;
- }) (filterAttrs (n: _: all (v: v != n) endpoints) config.secrets.wireguardPubs)));
- };
- networks."wg" = {
- matchConfig.Name = "wg";
- networkConfig = {
- Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
- IPv4Forwarding = "yes";
- };
- routes =
- (optional (hostName != "spt-omnia") {
- # SPT network
- Gateway = config.cynerd.hosts.wg.spt-omnia;
- Destination = "10.8.2.0/24";
- Metric = 2048;
- })
- ++ (optional 
(hostName != "adm-omnia") {
- # ADM network
- Gateway = config.cynerd.hosts.wg.adm-omnia;
- Destination = "10.8.3.0/24";
- Metric = 2048;
- });
- };
- };
- networking.firewall.allowedUDPPorts = [51820];
- };
-}
diff --git a/nixos/modules/wireguard.nix b/nixos/modules/wireguard.nix
new file mode 100644
index 0000000..b49eaae
--- /dev/null
+++ b/nixos/modules/wireguard.nix
@@ -0,0 +1,85 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) any all mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
+ inherit (config.networking) hostName;
+ endpoints = ["lipwig" "spt-omnia" "adm-omnia"];
+ is_endpoint = any (v: v == hostName) endpoints;
+in {
+ options = {
+ cynerd.wireguard = mkEnableOption "Enable Wireguard";
+ };
+
+ config = mkIf config.cynerd.wireguard {
+ environment.systemPackages = [pkgs.wireguard-tools];
+ systemd.network = {
+ netdevs."wg" = {
+ netdevConfig = {
+ Name = "wg";
+ Kind = "wireguard";
+ Description = "Personal Wireguard tunnel";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ PrivateKeyFile = "/run/secrets/wg.key";
+ };
+ wireguardPeers =
+ [
+ ({
+ Endpoint = "cynerd.cz:51820";
+ AllowedIPs = ["0.0.0.0/0"];
+ PublicKey = config.secrets.wireguardPubs.lipwig;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
+ ({
+ Endpoint = "spt.cynerd.cz:51820";
+ AllowedIPs = [
+ "${config.cynerd.hosts.wg.spt-omnia}/32"
+ "10.8.2.0/24"
+ ];
+ PublicKey = config.secrets.wireguardPubs.spt-omnia;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
+ ({
+ Endpoint = "adm.cynerd.cz:51820";
+ AllowedIPs = [
+ "${config.cynerd.hosts.wg.adm-omnia}/32"
+ "10.8.3.0/24"
+ ];
+ PublicKey = config.secrets.wireguardPubs.adm-omnia;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
+ ]
+ ++ (optionals is_endpoint (mapAttrsToList (n: v: {
+ AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
+ PublicKey = v;
+ }) (filterAttrs (n: _: all (v: v != n) endpoints) config.secrets.wireguardPubs)));
+ };
+ networks."wg" = {
+ matchConfig.Name = "wg";
+ networkConfig = {
+ Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
+ IPv4Forwarding = "yes";
+ };
+ routes =
+ (optional (hostName != "spt-omnia") {
+ # SPT network
+ Gateway = config.cynerd.hosts.wg.spt-omnia;
+ Destination = "10.8.2.0/24";
+ Metric = 2048;
+ })
+ ++ (optional 
(hostName != "adm-omnia") {
+ # ADM network
+ Gateway = config.cynerd.hosts.wg.adm-omnia;
+ Destination = "10.8.3.0/24";
+ Metric = 2048;
+ });
+ };
+ };
+ networking.firewall.allowedUDPPorts = [51820];
+ };
+}
--
cgit v1.2.3