From 9e7eca47bb3ddb6e88720cfcb28c995acbb072c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?=
Date: Sat, 17 Feb 2024 12:18:48 +0100
Subject: spt-omnia: deploy
---
flake.lock | 32 +++++-----
nixos/machine/spt-omnia.nix | 37 ++++++-----
nixos/modules/develop.nix | 4 +-
nixos/modules/generic.nix | 4 +-
nixos/modules/syncthing.nix | 1 -
nixos/routers/router.nix | 145 +++++++++++++++++++++++---------------------
6 files changed, 118 insertions(+), 105 deletions(-)
diff --git a/flake.lock b/flake.lock
index 31aa83e..a88521c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -308,11 +308,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1707842204,
- "narHash": "sha256-M+HAq1qWQBi/gywaMZwX0odU+Qb/XeqVeANGKRBDOwU=",
+ "lastModified": 1708091350,
+ "narHash": "sha256-o28BJYi68qqvHipT7V2jkWxDiMS1LF9nxUsou+eFUPQ=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "f1b2f71c86a5b1941d20608db0b1e88a07d31303",
+ "rev": "106d3fec43bcea19cb2e061ca02531d54b542ce3",
"type": "github"
},
"original": {
@@ -426,11 +426,11 @@
},
"nixpkgs_4": {
"locked": {
- "lastModified": 1707877513,
- "narHash": "sha256-sp0w2apswd3wv0sAEF7StOGHkns3XUQaO5erhWFZWXk=",
+ "lastModified": 1708057191,
+ "narHash": "sha256-O3M5EGAeKZdEzfFIjqah0d8M44A4QCSVwvkbz4cbC2s=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "89653a03e0915e4a872788d10680e7eec92f8600",
+ "rev": "5e55f0bb65124b05d0a52e164514c03596023634",
"type": "github"
},
"original": {
@@ -440,11 +440,11 @@
},
"nixpkgs_5": {
"locked": {
- "lastModified": 1707885413,
- "narHash": "sha256-7Syfxjpmh8xBoxvLiGvKF5gNa8+U+5AeGD6/9vIRUno=",
+ "lastModified": 1708103068,
+ "narHash": "sha256-A3Itq2swJOJ9+RzcmHEA8Tpd8opWAVin3GchouNR8uk=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "4e91cd1c6859a363a34c837a50d97a9fb682fafa",
+ "rev": "607312f76ac46232b6f690748ff0383a2249af05",
"type": "github"
},
"original": {
@@ -530,11 +530,11 @@
},
"personal-secret": {
"locked": {
- "lastModified": 1707942813,
- "narHash": "sha256-P4yJViu9SAKrO0htZoBoY7G3+G6QKS3hXPYn80TesmI=",
+ "lastModified": 1708111656,
+ "narHash": "sha256-GXPsF79NePyUy4VoQIzU4gQNNcIqpvsimjV+4Mzqq+I=",
"ref": "refs/heads/master",
- "rev": "f07ae9c8bd6d9186b7cd10ad4f5bb5657128603d",
- "revCount": 87,
+ "rev": "37ce5a6415fd787fb272f52f30b4cb6a2976f096",
+ "revCount": 88,
"type": "git",
"url": "ssh://git@cynerd.cz/nixos-personal-secret"
},
@@ -812,11 +812,11 @@
},
"vpsadminos": {
"locked": {
- "lastModified": 1706035822,
- "narHash": "sha256-nGpoHvn/w24VjJtRdsRvxKOSEowUXEqGxsqaFmMgl/s=",
+ "lastModified": 1708015534,
+ "narHash": "sha256-IB+aVK43i5/+F3vAlR8UcasviCz1xSUaBC5JNXBD5RM=",
"owner": "vpsfreecz",
"repo": "vpsadminos",
- "rev": "b2db597146d9c7717da874712290cf9559086157",
+ "rev": "4f2f74ded6a6b1b9de6d45918dbe53073b9561c2",
"type": "github"
},
"original": {
diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix
index c0a6ec2..ac4ebdf 100644
--- a/nixos/machine/spt-omnia.nix
+++ b/nixos/machine/spt-omnia.nix
@@ -3,14 +3,19 @@
lib,
pkgs,
...
-}:
-with lib; {
+}: let
+ hosts = config.cynerd.hosts.spt;
+in {
config = {
cynerd = {
router = {
enable = true;
wan = "pppoe-wan";
- lanIP = config.cynerd.hosts.spt.omnia;
+ lanIP = hosts.omnia;
+ staticLeases = {
+ "a8:a1:59:10:32:c4" = hosts.errol;
+ "4c:d5:77:0d:85:d9" = hosts.binky;
+ };
+ };
wifiAP.spt = {
enable = true;
@@ -25,7 +30,7 @@ with lib; {
channel = 36;
};
};
- openvpn.oldpersonal = true;
+ #openvpn.oldpersonal = true;
monitoring.speedtest = true;
};
@@ -54,7 +59,7 @@ with lib; {
networkConfig = {
BindCarrier = "end2.848";
DHCP = "ipv6";
- IPv6AcceptRA = "yes";
+ IPv6AcceptRA = "no";
DHCPPrefixDelegation = "yes";
};
dhcpPrefixDelegationConfig = {
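Review bot: `#openvpn.oldpersonal = true;` in the second spt-omnia.nix hunk leaves commented-out configuration with no record of why it was switched off, so a later reader cannot tell whether the VPN is retired or only paused for this deploy. Either delete the line or keep it with the reason spelled out, e.g. `# openvpn.oldpersonal disabled: <reason — TODO fill in>`. Presumably the option defaults to off, so this is a readability point only.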
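Review bot: `IPv6AcceptRA = "no"` is now set on the `end2.848` network that still requests `DHCP = "ipv6"` and `DHCPPrefixDelegation = "yes"`, and nothing in the hunk records why router advertisements are refused on the uplink. As far as I recall systemd.network(5), the DHCPv6 client is started in response to the RA's managed/other flags unless `dhcpV6Config.WithoutRA` is set, so prefix delegation could silently stop; the network block continues outside the hunk, so that setting may already be present. A short why-comment on the changed line, e.g. `IPv6AcceptRA = "no"; # <reason RA is refused on the uplink — TODO document>`, would pin the intent either way.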
@@ -67,15 +72,15 @@ with lib; {
"lan-brlan" = {
matchConfig.Name = "lan*";
networkConfig.Bridge = "brlan";
- #bridgeVLANs = [
- # {
- # bridgeVLANConfig = {
- # EgressUntagged = 1;
- # PVID = 1;
- # };
- # }
- # {bridgeVLANConfig.VLAN = 2;}
- #];
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
};
};
};
@@ -88,7 +93,6 @@ with lib; {
lcp-echo-interval 1
lcp-echo-failure 5
lcp-echo-adaptive
- +ipv6
defaultroute
defaultroute6
usepeerdns
@@ -98,6 +102,9 @@ with lib; {
'';
};
systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"];
+ networking.firewall.extraForwardRules = ''
+ tcp flags syn tcp option maxseg size set rt mtu
+ '';
services.syncthing = {
enable = true;
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 97c54ee..3ef6ce6 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -90,7 +90,6 @@ in {
# Network
iperf3
- wireshark
inetutils
# Gtk
@@ -116,7 +115,7 @@ in {
# Images
imagemagick
];
- programs.wireshark.enable = true;
+ programs.wireshark.package = pkgs.wireshark;
documentation = {
dev.enable = true;
@@ -152,7 +151,6 @@ in {
"lxd"
"develop"
"libvirtd"
- "wireshark"
];
};
}
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index a3e8dd1..33d7024 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -121,7 +121,7 @@ in {
};
cynerd = {
group = "cynerd";
- extraGroups = ["users" "wheel" "dialout" "kvm" "uucp"];
+ extraGroups = ["users" "wheel" "dialout" "kvm" "uucp" "wireshark"];
uid = 1000;
subUidRanges = [
{
@@ -155,6 +155,8 @@ in {
};
shellrc = true;
vim.defaultEditor = mkDefault true;
+
+ wireshark.enable = true;
};
security.sudo.extraRules = [
diff --git a/nixos/modules/syncthing.nix b/nixos/modules/syncthing.nix
index af6d957..b93ecdb 100644
--- a/nixos/modules/syncthing.nix
+++ b/nixos/modules/syncthing.nix
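Review bot: With `+ipv6` removed from the pppd options, IPv6CP is no longer negotiated on the PPPoE session, yet `defaultroute6` two lines below is kept; as far as I know that option only does anything once IPv6CP is up, so it is now dead configuration. Either drop `defaultroute6` too or leave a comment in the options block explaining that IPv6 is expected on `end2.848` via DHCPv6 rather than on the PPP link, which is what the `DHCP = "ipv6"` setting in the earlier spt-omnia.nix hunk suggests.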
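Review bot: The new `tcp flags syn tcp option maxseg size set rt mtu` rule clamps every forwarded SYN on every interface and carries no comment saying why, so a future reader may drop it as noise or wonder why it lives in the machine file rather than the router module. Scoping and documenting it would read better, e.g. `# PPPoE lowers the path MTU below 1500; clamp MSS to the route MTU so peers with PMTUD blocked do not stall` above `oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu` (plus its `iifname` mirror for inbound SYNs). Note that router.nix in this same commit also defines `networking.firewall.extraForwardRules`; as I understand it the option is of type `lines`, so both definitions are concatenated, but their relative order is not pinned — harmless for an MSS rule, worth knowing before any drop rule is added here.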
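Review bot: The wireshark setup is split so that develop.nix keeps only `programs.wireshark.package = pkgs.wireshark`, while the enabling `wireshark.enable = true` and the `wireshark` group membership of `cynerd` move into generic.nix (the two generic.nix hunks below), i.e. onto every host that imports that module, the router included. `programs.wireshark.enable` installs a capability-wrapped dumpcap so members of the wireshark group can capture on any interface without sudo; on a router that covers all forwarded LAN and WAN traffic, a wider grant than the previous develop-only placement. If that is intended, a comment at the generic.nix line saying so would help (`wireshark.enable = true; # capture wrapper on every host incl. routers — deliberate`); otherwise keep the enable and the group in develop.nix and only override the package there. A comment next to the package line noting that `enable` now comes from generic.nix would also stop someone "fixing" develop.nix by re-adding it.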
@@ -13,7 +13,6 @@
"errol"
"lipwig"
"ridcully"
- "susan"
"spt-omnia"
];
mediaDevices = [
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
index a3fc0c1..5aa6cc6 100644
--- a/nixos/routers/router.nix
+++ b/nixos/routers/router.nix
@@ -2,8 +2,8 @@
config,
lib,
...
-}:
-with lib; let
+}: let
+ inherit (lib) mkOption types mkIf mapAttrsToList;
cnf = config.cynerd.router;
in {
options = {
@@ -36,6 +36,14 @@ in {
default = 24;
description = "LAN IP network prefix length";
};
+ staticLeases = mkOption {
+ type = with types; attrsOf str;
+ default = {};
+ example = ''
+ {"xx:xx:xx:xx:xx:xx" = "10.8.1.30";}
+ '';
+ description = "Mapping of MAC address to IP address";
+ };
};
};
@@ -44,25 +52,21 @@ in {
useNetworkd = true;
nftables.enable = true;
firewall = {
+ logRefusedConnections = false;
interfaces = {
- "brlan" = {
- allowedUDPPorts = [53 67 68];
- allowedTCPPorts = [53];
- };
- #"guest" = {
- # allowedUDPPorts = [53 67 68];
- # allowedTCPPorts = [53];
- #};
+ "home" = {allowedUDPPorts = [67 68];};
+ "guest" = {allowedUDPPorts = [67 68];};
};
+ rejectPackets = true;
filterForward = true;
- #extraForwardRules = ''
- # iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access brlan"
- #'';
+ extraForwardRules = ''
+ iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access other networks"
+ '';
};
nat = {
enable = true;
externalInterface = cnf.wan;
- internalInterfaces = ["brlan"];
+ internalInterfaces = ["home" "guest"];
};
};
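Review bot: `example` for the new `staticLeases` option is a plain string, which the generated option documentation renders as a quoted literal rather than as the attribute set it is meant to show; the usual form is `example = literalExpression ''{"xx:xx:xx:xx:xx:xx" = "10.8.1.30";}'';` with `literalExpression` added to the `inherit (lib)` list in the first router.nix hunk. `attrsOf str` also accepts any string as the address and any key as the MAC, so a typo is caught, if at all, only when networkd parses the generated unit; a `strMatching` pattern on the value, or at least a description sentence stating that the key is a colon-separated MAC and the value an IPv4 address, would surface it at evaluation time.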
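Review bot: The guest isolation added as `iifname "guest" oifname != "${cnf.wan}" drop` covers only the forward chain, so guest clients can still reach services the router itself listens on through whatever `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` are set globally elsewhere; the per-interface entries here only add DHCP on top of that. A comment on the rule stating that scope, or a matching input-side restriction for the guest interface, would make the trust boundary explicit. `logRefusedConnections = false` also removes the only on-box record of refused traffic from guest and WAN; if that is a log-volume decision it deserves a one-line comment, since it is the first setting questioned during an incident.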
@@ -73,43 +77,38 @@ in {
Kind = "bridge";
Name = "brlan";
};
- #extraConfig = ''
- # [Bridge]
- # DefaultPVID=none
- # VLANFiltering=yes
- #'';
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ "home" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "home";
+ };
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
+ };
+ vlanConfig.Id = 2;
};
- #"home" = {
- # netdevConfig = {
- # Kind = "vlan";
- # Name = "home";
- # };
- # vlanConfig.Id = 1;
- #};
- #"guest" = {
- # netdevConfig = {
- # Kind = "vlan";
- # Name = "guest";
- # };
- # vlanConfig.Id = 2;
- #};
};
networks = {
"brlan" = {
matchConfig.Name = "brlan";
- #networkConfig.VLAN = ["home"];
- #bridgeVLANs = [
- # {
- # bridgeVLANConfig = {
- # EgressUntagged = 1;
- # PVID = 1;
- # };
- # }
- # {bridgeVLANConfig.VLAN = 2;}
- #];
- #};
- #"home" = {
- #matchConfig.Name = "home";
+ networkConfig.VLAN = ["home" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "home" = {
+ matchConfig.Name = "home";
networkConfig = {
Address = "${cnf.lanIP}/${toString cnf.lanPrefix}";
IPForward = "yes";
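Review bot: With `DefaultPVID=none` and `VLANFiltering=yes` on `brlan`, any port joined to the bridge without its own `bridgeVLANs` entry has no VLAN membership and passes no traffic; the wired `lan*` ports get their PVID in spt-omnia.nix in this commit, but anything else attached to `brlan` (wireless interfaces, if they are bridged here — not visible from the hunk) needs the same treatment. A comment on the `extraConfig` block, e.g. `# VLAN-filtering bridge: every member port must declare bridgeVLANs; untagged ports need a PVID`, would save the next person a silent outage. The `"home"` network block that the hunk opens continues past its end.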
@@ -125,35 +124,43 @@ in {
EmitDNS = "yes";
DNS = "1.1.1.1";
};
+ dhcpServerStaticLeases =
+ mapAttrsToList (n: v: {
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = n;
+ Address = v;
+ };
+ })
+ cnf.staticLeases;
dhcpPrefixDelegationConfig = {
UplinkInterface = cnf.wan;
SubnetId = 1;
Announce = "yes";
};
};
- #"guest" = {
- # matchConfig.Name = "guest";
- # networkConfig = {
- # Address = "192.168.1.1/24";
- # IPForward = "yes";
- # DHCPServer = "yes";
- # DHCPPrefixDelegation = "yes";
- # IPv6SendRA = "yes";
- # IPv6AcceptRA = "no";
- # };
- # dhcpServerConfig = {
- # UplinkInterface = cnf.wan;
- # PoolOffset = cnf.dynIPStart;
- # PoolSize = cnf.dynIPCount;
- # EmitDNS = "yes";
- # DNS = "1.1.1.1";
- # };
- # dhcpPrefixDelegationConfig = {
- # UplinkInterface = cnf.wan;
- # SubnetId = 2;
- # Announce = "yes";
- # };
- #};
+ "guest" = {
+ matchConfig.Name = "guest";
+ networkConfig = {
+ Address = "192.168.1.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = cnf.wan;
+ PoolOffset = cnf.dynIPStart;
+ PoolSize = cnf.dynIPCount;
+ EmitDNS = "yes";
+ DNS = "1.1.1.1";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = cnf.wan;
+ SubnetId = 2;
+ Announce = "yes";
+ };
+ };
};
wait-online.anyInterface = true;
};
--
cgit v1.2.3
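Review bot: The guest network hard-codes `Address = "192.168.1.1/24"` while the home network is driven by `cnf.lanIP`/`cnf.lanPrefix`, and it reuses `cnf.dynIPStart`/`cnf.dynIPCount`, which were sized for the home prefix; nothing asserts that the home subnet does not overlap 192.168.1.0/24 or that the pool fits inside a /24. A `guestIP`/`guestPrefix` option pair mirroring `lanIP`/`lanPrefix` (or at minimum an assertion comparing the two subnets) would make the module reusable on a second router without editing it. The block that `dhcpServerStaticLeases` is added to starts before the hunk; the `"guest"` block itself is complete here.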