From c1a76b4403edcf5e2a147d68b7bbdf1c33ac95ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Sat, 27 Jan 2024 13:20:03 +0100 Subject: Rework routers to use systemd-networkd --- flake.lock | 70 ++++++------ flake.nix | 2 +- nixos/configurations.nix | 1 + nixos/machine/adm-omnia.nix | 68 +++++++---- nixos/machine/adm-omnia2.nix | 42 +++---- nixos/machine/spt-mox.nix | 43 +++---- nixos/machine/spt-mox2.nix | 52 ++++----- nixos/machine/spt-omnia.nix | 67 +++++++++-- nixos/machine/spt-omniax.nix | 57 ++++++++++ nixos/modules/develop.nix | 1 - nixos/modules/generic.nix | 2 + nixos/modules/home-assistant.nix | 1 + nixos/routers/default.nix | 1 + nixos/routers/router.nix | 237 ++++++++++----------------------------- nixos/routers/switch.nix | 65 +++++++++++ nixos/routers/wifi-adm.nix | 85 +++++++++++--- nixos/routers/wifi-spt.nix | 186 +++++++++++++++++++----------- 17 files changed, 580 insertions(+), 400 deletions(-) create mode 100644 nixos/machine/spt-omniax.nix create mode 100644 nixos/routers/switch.nix diff --git a/flake.lock b/flake.lock index f3dbd84..09ec32f 100644 --- a/flake.lock +++ b/flake.lock @@ -182,7 +182,7 @@ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "owner": "numtide", "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "type": "github" }, "original": { @@ -213,11 +213,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1705325727, - "narHash": "sha256-1/MgywK8kH2h9GFbGbIH/rxWN+EtXF8CV75rorGJehU=", + "lastModified": 1706200622, + "narHash": "sha256-mOB5Awr2w4zzk3sZC8cIRuO3lFPS6zls6YkAVXWqy+k=", "ref": "refs/heads/master", - "rev": "155db0a014aa4687664fa17afb2a7d0fb2d409a4", - "revCount": 3448, + "rev": "ede7f6273fc193672d80b55638da449821168cf0", + "revCount": 3462, "submodules": true, "type": "git", "url": "https://gitlab.elektroline.cz/elektroline/flatlineng.git" 
@@ -255,11 +255,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1704892530, - "narHash": "sha256-sUs/yddB+UXjxAvMiXVgoy4UidLHqPOiUlbeg0cr+Ao=", + "lastModified": 1705505951, + "narHash": "sha256-9AK1KZr0enr02k6OLfb3qODxKzkEKpNePwGrYrSiyIw=", "ref": "refs/heads/master", - "rev": "fc7d59911023c4cdc7d6af7e39047367e8e2b883", - "revCount": 2395, + "rev": "a2a4ffd904113d3e2208843efe06f2d8914d81c0", + "revCount": 2399, "submodules": true, "type": "git", "url": "https://github.com/silicon-heaven/libshv.git" @@ -291,11 +291,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1705312285, - "narHash": "sha256-rd+dY+v61Y8w3u9bukO/hB55Xl4wXv4/yC8rCGVnK5U=", + "lastModified": 1706182238, + "narHash": "sha256-Ti7CerGydU7xyrP/ow85lHsOpf+XMx98kQnPoQCSi1g=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "bee2202bec57e521e3bd8acd526884b9767d7fa0", + "rev": "f84eaffc35d1a655e84749228cde19922fcf55f1", "type": "github" }, "original": { @@ -377,11 +377,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1705429789, - "narHash": "sha256-7gQju9WiToi7wI6oahTXiqwJu2RZoV0cg8OGa9YhEvw=", + "lastModified": 1706184243, + "narHash": "sha256-osj5MPUOCau0/ASS8SnXZ/fwJOjWfrZp3/0QvG6P0Gk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cc3ab0e45687d15cb21663a95f5a53a05abd39e4", + "rev": "03cd3a6324af183a660a67a14675989934ece970", "type": "github" }, "original": { @@ -420,11 +420,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1705242415, - "narHash": "sha256-a8DRYrNrzTudvO7XHUPNJD89Wbf1ZZT0VbwCsPnHWaE=", + "lastModified": 1705566941, + "narHash": "sha256-CLNtVRDA8eUPk+bxsCCZtRO0Cp+SpHdn1nNOLoFypLs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ea780f3de2d169f982564128804841500e85e373", + "rev": "b06ff4bf8f4ad900fe0c2a61fc2946edc3a84be7", "type": "github" }, "original": { 
@@ -448,11 +448,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1705242415, - "narHash": "sha256-a8DRYrNrzTudvO7XHUPNJD89Wbf1ZZT0VbwCsPnHWaE=", + "lastModified": 1705566941, + "narHash": "sha256-CLNtVRDA8eUPk+bxsCCZtRO0Cp+SpHdn1nNOLoFypLs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ea780f3de2d169f982564128804841500e85e373", + "rev": "b06ff4bf8f4ad900fe0c2a61fc2946edc3a84be7", "type": "github" }, "original": { @@ -481,11 +481,11 @@ }, "personal-secret": { "locked": { - "lastModified": 1705173603, - "narHash": "sha256-tiLrqR3MwF0JkbRpNz40whaIDUY8Yh53aWu9o3atRMw=", + "lastModified": 1705580312, + "narHash": "sha256-xUCP+q1bJkkuHBe6v1GGRTB9LtOuo77EZDaiZ4YHkFc=", "ref": "refs/heads/master", - "rev": "99c21ea7ead2203ead5b9d625a39efaf09affda4", - "revCount": 82, + "rev": "d91936caaea514e727e5727bdedd62f2a206dcad", + "revCount": 83, "type": "git", "url": "ssh://git@cynerd.cz/nixos-personal-secret" }, @@ -501,16 +501,15 @@ "nixpkgs": "nixpkgs_9" }, "locked": { - "lastModified": 1705325629, - "narHash": "sha256-WipDjHJlxFZCZQVu+b3tLiP7PFzYvNo2+FGl/p8yMF0=", + "lastModified": 1705600354, + "narHash": "sha256-zJ0JMQe5qOIGYwZAR4B7KTow/cF+rQhyuZr/1n4sxLQ=", "owner": "elektroline-predator", "repo": "pyshv", - "rev": "2f3d513d8633ee82639911b97e18389643994229", + "rev": "71d5af3f93e5ee8657c6695c723fab78de47cca9", "type": "gitlab" }, "original": { "owner": "elektroline-predator", - "ref": "multiple-tweaks", "repo": "pyshv", "type": "gitlab" } @@ -558,16 +557,15 @@ "pyshv": "pyshv" }, "locked": { - "lastModified": 1705325793, - "narHash": "sha256-5x1ygdoN+h5aR/wxD+lwF3k/fHQJ5wYMSF/O6Qekjgk=", + "lastModified": 1705605949, + "narHash": "sha256-Iew8BK+5wPIRSef2gAgqoETDddP/aLEeTml3aX2OU4o=", "owner": "silicon-heaven", "repo": "shvcli", - "rev": "f67bd6bc8d5b42b03f67c3bc76033577ac675593", + "rev": "acfb114fff62138fa99fbb03b2a901541ca05dfb", "type": "github" }, "original": { "owner": "silicon-heaven", - "ref": "indent-cpon", "repo": "shvcli", "type": "github" } 
@@ -749,11 +747,11 @@ }, "vpsadminos": { "locked": { - "lastModified": 1705262735, - "narHash": "sha256-Sfb+/odQov3In5ZtTnaXgQesOIigeoTs7deKjjAFxDs=", + "lastModified": 1706035822, + "narHash": "sha256-nGpoHvn/w24VjJtRdsRvxKOSEowUXEqGxsqaFmMgl/s=", "owner": "vpsfreecz", "repo": "vpsadminos", - "rev": "915fbcedfdb6eb19ab370344e5d72ba78a82bfef", + "rev": "b2db597146d9c7717da874712290cf9559086157", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b062e82..8e3c2bb 100644 --- a/flake.nix +++ b/flake.nix @@ -9,7 +9,7 @@ agenix.url = "github:ryantm/agenix"; shvspy.url = "git+https://github.com/silicon-heaven/shvspy.git?submodules=1"; flatline.url = "git+https://gitlab.elektroline.cz/elektroline/flatlineng.git?submodules=1"; - shvcli.url = "github:silicon-heaven/shvcli/indent-cpon"; + shvcli.url = "github:silicon-heaven/shvcli"; nixturris.url = "gitlab:cynerd/nixturris"; nixbigclown.url = "github:cynerd/nixbigclown"; diff --git a/nixos/configurations.nix b/nixos/configurations.nix index 2fa2261..47f6ce2 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -114,6 +114,7 @@ in // beagleboneSystem "gaspode" // turrisMoxSystem "dean" // turrisOmniaSystem "spt-omnia" + // turrisOmniaSystem "spt-omniax" // turrisMoxSystem "spt-mox" // turrisMoxSystem "spt-mox2" // turrisOmniaSystem "adm-omnia" diff --git a/nixos/machine/adm-omnia.nix b/nixos/machine/adm-omnia.nix index fd6d654..088481f 100644 --- a/nixos/machine/adm-omnia.nix +++ b/nixos/machine/adm-omnia.nix @@ -9,7 +9,7 @@ with lib; { cynerd = { router = { enable = true; - wan = "end2"; # TODO pppoe-wan + wan = "pppoe-wan"; lanIP = config.cynerd.hosts.adm.omnia; }; wifiAP.adm = { 
@@ -21,8 +21,53 @@ with lib; { monitoring.speedtest = true; }; + networking.useDHCP = false; + systemd.network = { + networks = { + "end2" = { + matchConfig.Name = "end2"; + #networkConfig = { + # DHCP = "ipv6"; + # IPv6AcceptRA = "yes"; + # DHCPPrefixDelegation = "yes"; + #}; + #dhcpPrefixDelegationConfig = { + # UplinkInterface = ":self"; + # SubnetId = 0; + # Announce = "no"; + #}; + linkConfig.RequiredForOnline = "routable"; + }; + "lan-brlan" = { + matchConfig.Name = "lan[1-4]"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + "lan0-guest" = { + matchConfig.Name = "lan0"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; + }; + }; + }; + services.pppd = { - enable = false; + enable = true; peers."wan".config = '' plugin pppoe.so end2 ifname pppoe-wan @@ -38,23 +83,6 @@ with lib; { password 02 ''; }; - #systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"]; - - environment.systemPackages = [pkgs.tcpdump]; - - networking = { - useNetworkd = true; - useDHCP = false; - }; - systemd.network.networks = { - "lan-brlan" = { - matchConfig.Name = "lan[1-4]"; - networkConfig.Bridge = "brlan"; - }; - "lan0-brguest" = { - matchConfig.Name = "lan0"; - networkConfig.Bridge = "brguest"; - }; - }; + systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"]; }; } diff --git a/nixos/machine/adm-omnia2.nix b/nixos/machine/adm-omnia2.nix index 7673ecf..31aecab 100644 --- a/nixos/machine/adm-omnia2.nix +++ b/nixos/machine/adm-omnia2.nix @@ -7,6 +7,11 @@ with lib; { config = { cynerd = { + switch = { + enable = true; + lanAddress = "${config.cynerd.hosts.adm.omnia2}/24"; + lanGateway = config.cynerd.hosts.adm.omnia; + }; wifiAP.adm = { enable = true; ar9287.interface = "wlp2s0"; 
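Review bot: `linkConfig.RequiredForOnline = "routable"` on the new `end2` network can never be satisfied, because every address-assigning setting in that network (`DHCP`, `IPv6AcceptRA`, `DHCPPrefixDelegation`) is commented out and the addresses arrive on `pppoe-wan` instead; the `end2.848` network in spt-omnia.nix has the same pattern. With `wait-online.anyInterface = true` in router.nix this is masked rather than wrong, but `linkConfig.RequiredForOnline = "carrier";` (or dropping the line) states the real requirement for a PPPoE carrier port. Separately, `systemd.services."pppd-wan".after` only orders the unit; if pppd must not start before the port exists, `bindsTo`/`requires` on the device unit is what pulls it in — confirm the pppd module does not already do that. The pppd peer block with its inline `password` is context here, but enabling the peer makes that credential part of the world-readable Nix store; the hostapd networks in this series read their secrets from `/run/secrets`, and pppd's own `pap-secrets`/`chap-secrets` files would allow the same treatment if the value is not meant to be public.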
@@ -15,28 +20,23 @@ with lib; { }; networking = { - vlans = { - "brlan.guest" = { - interface = "brlan"; - id = 2; # TODO later use 100 - }; - }; - bridges = { - brlan.interfaces = ["end2" "lan0" "lan1" "lan2" "lan3" "lan4"]; - brguest.interfaces = ["brlan.guest"]; + useNetworkd = true; + useDHCP = false; + }; + systemd.network.networks = { + "lan-brlan" = { + matchConfig.Name = "lan* eth0"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; }; - interfaces.brlan.ipv4.addresses = [ - { - address = config.cynerd.hosts.adm.omnia2; - prefixLength = 24; - } - ]; - defaultGateway = config.cynerd.hosts.adm.omnia; - nameservers = ["1.1.1.1" "8.8.8.8"]; - dhcpcd.allowInterfaces = []; }; - - # TODO: ubootTools build is broken! - firmware.environment.enable = false; }; } diff --git a/nixos/machine/spt-mox.nix b/nixos/machine/spt-mox.nix index accd963..452b187 100644 --- a/nixos/machine/spt-mox.nix +++ b/nixos/machine/spt-mox.nix 
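Review bot: `matchConfig.Name = "lan* eth0"` drops `end2` from the bridge, which the removed `brlan.interfaces = ["end2" "lan0" ...]` line included and which adm-omnia.nix still uses as the name of that port on the same board type; `eth0` looks like a leftover from the older naming, and spt-mox.nix in this series switched the equivalent pattern to `end0`. Unless this Omnia really exposes an `eth0`, the uplink port is no longer bridged and the switch loses its path to the router — confirm the interface name on the device and, if it is `end2`, use `matchConfig.Name = "lan* end2";`. The `# TODO: ubootTools build is broken!` line with `firmware.environment.enable = false` is also removed here and in spt-mox.nix/spt-mox2.nix without the commit message saying the build is fixed; if it is, a sentence in the description would help.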
@@ -9,38 +9,39 @@ with lib; { config = { cynerd = { home-assistant = true; + switch = { + enable = true; + lanAddress = "${config.cynerd.hosts.spt.mox}/24"; + lanGateway = config.cynerd.hosts.spt.omnia; + }; wifiAP.spt = { enable = true; qca988x = { interface = "wls1"; + bssids = ["04:f0:21:24:24:d2" "08:f0:21:24:24:d2"]; channel = 7; }; }; }; networking = { - vlans = { - "brlan.guest" = { - id = 2; - interface = "brlan"; - }; - }; - bridges = { - brlan.interfaces = ["eth0" "lan1" "lan2" "lan3" "lan4"]; - brguest.interfaces = ["brlan.guest"]; + useNetworkd = true; + useDHCP = false; + }; + systemd.network.networks = { + "lan-brlan" = { + matchConfig.Name = "lan* end0"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; }; - interfaces.brlan.ipv4.addresses = [ - { - address = config.cynerd.hosts.spt.mox; - prefixLength = 24; - } - ]; - defaultGateway = config.cynerd.hosts.spt.omnia; - nameservers = ["1.1.1.1" "8.8.8.8"]; - dhcpcd.allowInterfaces = []; }; - - # TODO: ubootTools build is broken! - firmware.environment.enable = false; }; } diff --git a/nixos/machine/spt-mox2.nix b/nixos/machine/spt-mox2.nix index 4d1a148..cf94798 100644 --- a/nixos/machine/spt-mox2.nix +++ b/nixos/machine/spt-mox2.nix 
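Review bot: The `systemd.network.networks."lan-brlan"` block added here is repeated verbatim (apart from the match pattern) in spt-mox2.nix and adm-omnia2.nix right next to the new `cynerd.switch` options, so the port pattern is the only per-host information and belongs in switch.nix. A `lanInterfaces` option on `cynerd.switch` (a match string such as `"lan* end0"`) that generates this network would remove three copies of the `bridgeVLANs` block and keep the VLAN-1-untagged/VLAN-2-tagged policy in one place. A comment next to `{bridgeVLANConfig.VLAN = 2;}` would also help: with `lan* end0` every wired port, not only the uplink, carries the guest VLAN tagged, which is fine if intended but reads like an accident otherwise.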
@@ -7,45 +7,39 @@ with lib; { config = { cynerd = { + switch = { + enable = true; + lanAddress = "${config.cynerd.hosts.spt.mox2}/24"; + lanGateway = config.cynerd.hosts.spt.omnia; + }; wifiAP.spt = { enable = true; qca988x = { interface = "wls1"; - channel = 7; + bssids = ["04:f0:21:45:d3:47" "08:f0:21:45:d3:47"]; + channel = 1; }; }; }; - swapDevices = [ - { - device = "/dev/disk/by-partlabel/NixTurrisSwap"; - priority = 1; - } - ]; - networking = { - vlans = { - "brlan.guest" = { - id = 2; - interface = "brlan"; - }; - }; - bridges = { - brlan.interfaces = ["eth0"]; - brguest.interfaces = ["brlan.guest"]; + useNetworkd = true; + useDHCP = false; + }; + systemd.network.networks = { + "lan-brlan" = { + matchConfig.Name = "end0"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; }; - interfaces.brlan.ipv4.addresses = [ - { - address = config.cynerd.hosts.spt.mox2; - prefixLength = 24; - } - ]; - defaultGateway = config.cynerd.hosts.spt.omnia; - nameservers = ["1.1.1.1" "8.8.8.8"]; - dhcpcd.allowInterfaces = []; }; - - # TODO: ubootTools build is broken! - firmware.environment.enable = false; }; } diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix index bf72a6e..15cabb6 100644 --- a/nixos/machine/spt-omnia.nix +++ b/nixos/machine/spt-omnia.nix 
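Review bot: The removal of `swapDevices` (`/dev/disk/by-partlabel/NixTurrisSwap`) is unrelated to the networkd rework and silently takes swap away from this host; if the partition is gone it deserves its own commit or at least a sentence in the description, otherwise it looks like an accidental deletion while editing the surrounding block. The channel change `7` → `1` is likewise a functional change hidden in a refactor; a short comment on `channel = 1;` recording why the two MOX units now differ (spt-mox.nix stays on 7) would keep that decision visible.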
@@ -14,18 +14,68 @@ with lib; { }; wifiAP.spt = { enable = true; - ar9287.interface = "wlp3s0"; - qca988x.interface = "wlp2s0"; + ar9287 = { + interface = "wlp3s0"; + bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"]; + channel = 13; + }; + qca988x = { + interface = "wlp2s0"; + bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"]; + channel = 36; + }; }; openvpn.oldpersonal = true; monitoring.speedtest = true; }; - networking.vlans."end2.848" = { - id = 848; - interface = "end2"; + networking.useDHCP = false; + systemd.network = { + netdevs = { + "end2.848" = { + netdevConfig = { + Kind = "vlan"; + Name = "end2.848"; + }; + vlanConfig.Id = 848; + }; + }; + networks = { + "end2" = { + matchConfig.Name = "end2"; + networkConfig.VLAN = ["end2.848"]; + }; + "end2.848" = { + matchConfig.Name = "end2.848"; + networkConfig = { + BindCarrier = "end2"; + #DHCP = "ipv6"; + #IPv6AcceptRA = "yes"; + #DHCPPrefixDelegation = "yes"; + }; + #dhcpPrefixDelegationConfig = { + # UplinkInterface = ":self"; + # SubnetId = 0; + # Announce = "no"; + #}; + linkConfig.RequiredForOnline = "routable"; + }; + "lan-brlan" = { + matchConfig.Name = "lan*"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + }; }; - # TODO pppd service requires end2.848 interface + services.pppd = { enable = true; peers."wan".config = '' @@ -43,10 +93,7 @@ with lib; { password metronet ''; }; - - networking.bridges = { - brlan.interfaces = ["lan0" "lan1" "lan2" "lan3" "lan4"]; - }; + systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"]; services.syncthing = { enable = true; diff --git a/nixos/machine/spt-omniax.nix b/nixos/machine/spt-omniax.nix new file mode 100644 index 0000000..9bdc3d3 --- /dev/null +++ b/nixos/machine/spt-omniax.nix 
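Review bot: The commented-out `DHCP`/`IPv6AcceptRA`/`DHCPPrefixDelegation` settings and `dhcpPrefixDelegationConfig` block in the `end2.848` network are the third copy of the same text in this series (live in spt-omniax.nix, disabled here and in adm-omnia.nix) with no comment saying why they are off on the PPPoE hosts. Either delete them or replace them with one line such as `# addresses and prefix delegation come from pppoe-wan, not from the VLAN itself` — I am inferring that reason from the pppd peer below, so confirm it. Note also that router.nix still sets `dhcpServerConfig.UplinkInterface = cnf.wan` and `DHCPPrefixDelegation = "yes"` on `lan`, which only yields an IPv6 prefix if something on `pppoe-wan` actually obtains one; if pppd does not, the LAN stays prefix-less after this change.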
@@ -0,0 +1,57 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; { + config = { + cynerd = { + router = { + enable = true; + wan = "end2"; + lanIP = "192.168.2.1"; + }; + wifiAP.spt = { + enable = true; + ar9287.interface = "wlp3s0"; + qca988x.interface = "wlp2s0"; + }; + monitoring.speedtest = true; + }; + + networking.useDHCP = false; + systemd.network = { + networks = { + "end2" = { + matchConfig.Name = "end2"; + networkConfig = { + BindCarrier = "end2"; + DHCP = "yes"; + IPv6AcceptRA = "yes"; + DHCPPrefixDelegation = "yes"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = ":self"; + SubnetId = 0; + Announce = "no"; + }; + linkConfig.RequiredForOnline = "routable"; + }; + "lan-brlan" = { + matchConfig.Name = "lan*"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + }; + }; + }; +} diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix index 1826e36..97c54ee 100644 --- a/nixos/modules/develop.nix +++ b/nixos/modules/develop.nix @@ -28,7 +28,6 @@ in { cloc openssl tio - parted vim-vint nodePackages.vim-language-server ctags diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix index f2a0d3b..e8cc563 100644 --- a/nixos/modules/generic.nix +++ b/nixos/modules/generic.nix @@ -63,6 +63,7 @@ in { usbutils pciutils smartmontools + parted # NCurses tools htop @@ -92,6 +93,7 @@ in { wakeonlan speedtest-cli librespeed-cli + termshark lm_sensors ] diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix index e55533e..862b31c 100644 --- a/nixos/modules/home-assistant.nix +++ b/nixos/modules/home-assistant.nix @@ -123,6 +123,7 @@ in { }; systemd.services.telegraf.wants = ["mosquitto.service"]; + #nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO services.home-assistant = { enable = false; openFirewall = true; 
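Review bot: Evaluating this new host fails: `wifiAP.spt` enables both cards via `ar9287.interface`/`qca988x.interface` but sets no `bssids`, and wifi-spt.nix now reads `elemAt cnf.<card>.bssids 0` on a list whose option defaults to `[]`, so `nixosConfigurations.spt-omniax` (added in nixos/configurations.nix) throws a list-index error, and `nix flake check` with it. Add `bssids = [ … ]` for both cards the way spt-omnia.nix does, or give the option no default so the error names the option. `BindCarrier = "end2"` inside the `end2` network itself is self-referential and looks copied from the `end2.848` VLAN in spt-omnia.nix; it should go. `lanIP = "192.168.2.1"` is the only literal LAN address among the machine files — the others use `config.cynerd.hosts.*` — so either add this host to that table or leave a comment that the address is deliberately outside it.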
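Review bot: The disabled `nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]` line says neither which package still needs the end-of-life OpenSSL nor under what condition the allowlist may be enabled or removed; the bare `# TODO` will not tell the next reader. Replace it with `# TODO: <dependency> still links openssl-1.1.1w; allowlist only while that is unresolved`, naming the actual dependency. Leaving the allowlist commented out until then is the right default.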
diff --git a/nixos/routers/default.nix b/nixos/routers/default.nix index ab64316..dfc1266 100644 --- a/nixos/routers/default.nix +++ b/nixos/routers/default.nix @@ -1,5 +1,6 @@ { cynerd-router = import ./router.nix; + cynerd-switch = import ./switch.nix; cynerd-wifi-adm = import ./wifi-adm.nix; cynerd-wifi-spt = import ./wifi-spt.nix; } diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix index da625e4..545f109 100644 --- a/nixos/routers/router.nix +++ b/nixos/routers/router.nix 
@@ -40,33 +40,71 @@ in { }; config = mkIf cnf.enable { + networking = { + useNetworkd = true; + nftables.enable = true; + firewall = { + interfaces = { + "lan" = { + allowedUDPPorts = [53 67 68]; + allowedTCPPorts = [53]; + }; + "guest" = { + allowedUDPPorts = [53 67 68]; + allowedTCPPorts = [53]; + }; + }; + filterForward = true; + extraForwardRules = '' + iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan" + ''; + }; + nat = { + enable = true; + externalInterface = cnf.wan; + internalInterfaces = ["lan" "guest"]; + }; + }; + systemd.network = { netdevs = { - "brlan".netdevConfig = { - Kind = "bridge"; - Name = "brlan"; - }; - "brguest".netdevConfig = { - Kind = "bridge"; - Name = "brguest"; + "brlan" = { + netdevConfig = { + Kind = "bridge"; + Name = "brlan"; + }; + extraConfig = '' + [Bridge] + DefaultPVID=none + VLANFiltering=yes + ''; }; - }; - networks = { - "${cnf.wan}" = { - matchConfig.Name = cnf.wan; - networkConfig = { - DHCP = "yes"; - DHCPPrefixDelegation = "yes"; + "lan" = { + netdevConfig = { + Kind = "vlan"; + Name = "lan"; }; - dhcpPrefixDelegationConfig = { - UplinkInterface = ":self"; - SubnetId = 0; - Announce = "no"; + vlanConfig.Id = 1; + }; + "guest" = { + netdevConfig = { + Kind = "vlan"; + Name = "guest"; }; - linkConfig.RequiredForOnline = "routable"; + vlanConfig.Id = 2; }; + }; + networks = { "brlan" = { matchConfig.Name = "brlan"; + networkConfig.VLAN = ["lan" "guest"]; + bridgeVLANs = [ + {bridgeVLANConfig.VLAN = 1;} + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + "lan" = { + matchConfig.Name = "lan"; networkConfig = { Address = "${cnf.lanIP}/${toString cnf.lanPrefix}"; IPForward = "yes"; @@ -74,7 +112,6 @@ in { DHCPPrefixDelegation = "yes"; IPv6SendRA = "yes"; IPv6AcceptRA = "no"; - VLAN = ["brlan.brguest"]; }; dhcpServerConfig = { UplinkInterface = cnf.wan; 
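Review bot: The `brlan` netdev sets `DefaultPVID=none` and `VLANFiltering=yes` through `extraConfig`, which bypasses the key checking the NixOS networkd module does for its typed sections; the `bridgeConfig` section is the checked alternative — confirm it accepts `DefaultPVID = "none"` on this nixpkgs revision before switching. On the firewall side the guest isolation is forward-only (`extraForwardRules` drops `guest` → anything but `${cnf.wan}`); input from `guest` to the router itself still gets the globally allowed ports on top of the listed 53/67/68, so any service opened with an `openFirewall` option elsewhere in the tree is reachable from the guest VLAN too, which deserves a comment on the `"guest"` interface block or an explicit per-interface input policy depending on intent. The `"lan"`/`"guest"` vlan netdevs get their parent only through `networkConfig.VLAN = ["lan" "guest"]` on `brlan`, which is correct but non-obvious; a one-line comment there, `# parent of the lan/guest vlan netdevs`, would save the next reader a lookup.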
@@ -89,8 +126,8 @@ in { Announce = "yes"; }; }; - "brguest" = { - matchConfig.Name = "brguest"; + "guest" = { + matchConfig.Name = "guest"; networkConfig = { Address = "192.168.1.1/24"; IPForward = "yes"; 
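Review bot: `Address = "192.168.1.1/24"` for the `guest` network stays a literal while the LAN side is parameterised through `cnf.lanIP`/`cnf.lanPrefix`; this series now instantiates the router module on both spt-omnia.nix and spt-omniax.nix, so two routers would announce the same guest subnet if they ever share wiring. A `guestIP`/`guestPrefix` option pair with these literals as defaults keeps current behaviour and lets spt-omniax choose its own range, the way its `lanIP = "192.168.2.1"` already does. The `guest` network definition continues outside the hunk.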
@@ -116,166 +153,10 @@ in { wait-online.anyInterface = true; }; - networking = { - nftables.enable = true; - firewall = { - interfaces = { - "brlan" = { - allowedUDPPorts = [53 67 68]; - allowedTCPPorts = [53]; - }; - "brguest" = { - allowedUDPPorts = [53 67 68]; - allowedTCPPorts = [53]; - }; - }; - filterForward = true; - extraForwardRules = '' - iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan" - ''; - }; - nat = { - enable = true; - externalInterface = cnf.wan; - internalInterfaces = ["brlan" "brguest"]; - }; - }; - services.resolved = { enable = true; dnssec = "true"; fallbackDns = ["1.1.1.1" "8.8.8.8"]; }; - - #networking = { - # interfaces = { - # brlan.ipv4.addresses = [ - # { - # address = cnf.lanIP; - # prefixLength = cnf.lanPrefix; - # } - # ]; - # brguest.ipv4.addresses = [ - # { - # address = "192.168.1.1"; - # prefixLength = 24; - # } - # ]; - # }; - # vlans = { - # "brlan.guest" = { - # interface = "brlan"; - # id = 100; - # }; - # }; - # bridges = { - # brlan.interfaces = []; - # brguest.interfaces = ["brlan.guest"]; - # }; - # nat = { - # enable = true; - # externalInterface = cnf.wan; - # internalInterfaces = ["brlan" "brguest"]; - # }; - # dhcpcd = { - # allowInterfaces = [cnf.wan]; - # extraConfig = '' - # duid - # noipv6rs - # waitip 6 - - # interface ${cnf.wan} - # ipv6rs - # iaid 1 - - # ia_pd 1 brlan - # #ia_pd 1/::/64 LAN/0/64 - #toString ''; - # }; - #nameservers = ["1.1.1.1" "8.8.8.8"]; - #}; - - #services = { - # kea = { - # dhcp4 = { - # enable = true; - # settings = { - # lease-database = { - # name = "/var/lib/kea/dhcp4.leases"; - # persist = true; - # type = "memfile"; - # }; - # valid-lifetime = 4000; - # renew-timer = 1000; - # rebind-timer = 2000; - # interfaces-config = { - # interfaces = ["brlan" "brguest"]; - # service-sockets-max-retries = -1; - # }; - # option-data = [ - # { - # name = "domain-name-servers"; - # data = "1.1.1.1, 8.8.8.8"; - # } - # ]; - # subnet4 = [ - # { - # interface = 
"brlan"; - # subnet = "${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix}/${toString cnf.lanPrefix}"; - # pools = let - # ip_start = ipv4.ipAdd cnf.lanIP cnf.lanPrefix cnf.dynIPStart; - # ip_end = ipv4.ipAdd cnf.lanIP cnf.lanPrefix (cnf.dynIPStart + cnf.dynIPCount); - # in [{pool = "${ip_start} - ${ip_end}";}]; - # option-data = [ - # { - # name = "routers"; - # data = cnf.lanIP; - # } - # ]; - # reservations = [ - # { - # duid = "e4:6f:13:f3:d5:be"; - # ip-address = ipv4.ipAdd cnf.lanIP cnf.lanPrefix 60; - # } - # ]; - # } - # { - # interface = "brguest"; - # subnet = "192.168.1.0/24"; - # pools = [{pool = "192.168.1.50 - 192.168.1.254";}]; - # "option-data" = [ - # { - # name = "routers"; - # data = "192.168.1.1"; - # } - # ]; - # } - # ]; - # }; - # }; - # }; - # radvd = { - # enable = true; - # config = '' - # interface brlan { - # AdvSendAdvert on; - # MinRtrAdvInterval 3; - # MaxRtrAdvInterval 10; - # prefix ::/64 { - # AdvOnLink on; - # AdvAutonomous on; - # AdvRouterAddr on; - # }; - # RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 { - # }; - # }; - # ''; - # }; - # kresd = {enable = false;}; - #}; - #systemd.services.kea-dhcp4-server.after = [ - # "sys-subsystem-net-devices-brlan.device" - # "sys-subsystem-net-devices-brguest.device" - #]; }; } diff --git a/nixos/routers/switch.nix b/nixos/routers/switch.nix new file mode 100644 index 0000000..16d57bc --- /dev/null +++ b/nixos/routers/switch.nix 
@@ -0,0 +1,65 @@ +{ + config, + lib, + ... +}: +with lib; let + cnf = config.cynerd.switch; +in { + options = { + cynerd.switch = { + enable = mkEnableOption "Enable switch support"; + lanAddress = mkOption { + type = types.str; + description = "LAN IP address"; + }; + lanGateway = mkOption { + type = types.str; + description = "LAN IP address of the gateway"; + }; + }; + }; + + config = mkIf cnf.enable { + networking = { + useNetworkd = true; + nftables.enable = true; + }; + + systemd.network = { + netdevs = { + "brlan" = { + netdevConfig = { + Kind = "bridge"; + Name = "brlan"; + }; + extraConfig = '' + [Bridge] + DefaultPVID=none + VLANFiltering=yes + ''; + }; + }; + networks = { + "brlan" = { + matchConfig.Name = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + PVID = 1; + EgressUntagged = 1; + }; + } + ]; + networkConfig = { + Address = cnf.lanAddress; + Gateway = cnf.lanGateway; + DNS = "1.1.1.1"; + IPv6AcceptRA = "yes"; + }; + }; + }; + wait-online.anyInterface = true; + }; + }; +} diff --git a/nixos/routers/wifi-adm.nix b/nixos/routers/wifi-adm.nix index 26a5e15..733f167 100644 --- a/nixos/routers/wifi-adm.nix +++ b/nixos/routers/wifi-adm.nix @@ -13,6 +13,11 @@ with lib; let default = null; description = "Specify interface for ${card}"; }; + bssids = mkOption { + type = with types; listOf str; + default = []; + description = "BSSIDs for networks."; + }; channel = mkOption { type = types.ints.positive; default = channelDefault; @@ -41,15 +46,15 @@ in { }; networks = { "${cnf.ar9287.interface}" = { - bssid = "02:f0:21:23:2b:00"; + bssid = elemAt cnf.ar9287.bssids 0; ssid = "TurrisAdamkovi"; authentication = { mode = "wpa2-sha256"; wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; }; }; - "${cnf.ar9287.interface}.nela" = { - bssid = "06:f0:21:23:2b:00"; + "${cnf.ar9287.interface}-nela" = { + bssid = elemAt cnf.ar9287.bssids 1; ssid = "Nela"; authentication = { mode = "wpa2-sha256"; 
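Review bot: The `lanAddress` option is described as "LAN IP address" but every caller passes it with a prefix (`"${config.cynerd.hosts.adm.omnia2}/24"` in adm-omnia2.nix, likewise spt-mox.nix and spt-mox2.nix) and it lands unchanged in networkd's `Address=`; the description should say so, e.g. `description = "LAN address with prefix length, as passed to networkd Address=";`. `DNS = "1.1.1.1"` replaces the per-host `nameservers = ["1.1.1.1" "8.8.8.8"]` with a single external resolver, so the switches lose their fallback and bypass the validating `services.resolved` (DNSSEC) that router.nix runs and opens port 53 for on `lan`; assuming `lanGateway` is that router, as all three callers suggest, `DNS = cnf.lanGateway;` (or a list with the gateway first) keeps resolution inside the LAN and consistent with the router's policy.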
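Review bot: `bssid = elemAt cnf.ar9287.bssids 0` (and the `1`/`2` lookups in the following hunks, plus the same code in wifi-spt.nix) indexes a list whose option defaults to `[]`, so a host that sets a card's `interface` but not `bssids` fails evaluation with a bare list-index error rather than a message naming the option; spt-omniax.nix in this series is exactly that case. Dropping `default = [];` from the `bssids` option makes the module system report the missing value with its option path, provided the lookups stay behind the `interface != null` guards (they do in wifi-spt.nix; the guard is outside this hunk here), and `description = "BSSIDs for this card's networks, in network order (main, nela, milan)";` documents how many are expected — three here, two in wifi-spt.nix. An `assertions` entry checking the list length against the card being enabled would catch a short list with a clear message as well.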
@@ -57,7 +62,7 @@ in { }; }; "${cnf.ar9287.interface}.milan" = { - bssid = "0a:f0:21:23:2b:00"; + bssid = elemAt cnf.ar9287.bssids 2; ssid = "MILAN-AC"; authentication = { mode = "wpa2-sha256"; @@ -80,15 +85,15 @@ in { }; networks = { "${cnf.qca988x.interface}" = { - bssid = "04:f0:21:24:24:d2"; + bssid = elemAt cnf.qca988x.bssids 0; ssid = "TurrisAdamkovi"; authentication = { mode = "wpa2-sha256"; wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; }; }; - "${cnf.qca988x.interface}.nela" = { - bssid = "06:f0:21:24:24:d2"; + "${cnf.qca988x.interface}-nela" = { + bssid = elemAt cnf.qca988x.bssids 1; ssid = "Nela"; authentication = { mode = "wpa2-sha256"; @@ -96,7 +101,7 @@ in { }; }; "${cnf.qca988x.interface}.milan" = { - bssid = "0a:f0:21:24:24:d2"; + bssid = elemAt cnf.qca988x.bssids 2; ssid = "MILAN-AC"; authentication = { mode = "wpa2-sha256"; 
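Review bot: The Nela networks are renamed from `${interface}.nela` to `${interface}-nela` while `${interface}.milan` keeps the dot, both for the hostapd networks in these hunks and for the matching `lan-…` systemd networks below; if the dot was a problem for the nela interface it is a problem for milan too, and if not the rename is noise. Pick one separator for all virtual interfaces (wifi-spt.nix now also mixes `lan-…-guest` network names with `.guest` interface names) and, if there is a reason such as an interface-name-length or naming-policy limit, record it in a comment where the names are defined.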
@@ -111,26 +116,74 @@ in { "lan-${cnf.ar9287.interface}" = { matchConfig.Name = cnf.ar9287.interface; networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; }; - "lan-${cnf.ar9287.interface}.nela" = { - matchConfig.Name = "${cnf.ar9287.interface}.nela"; - networkConfig.Bridge = "brguest"; + "lan-${cnf.ar9287.interface}-nela" = { + matchConfig.Name = "${cnf.ar9287.interface}-nela"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; }; "lan-${cnf.ar9287.interface}.milan" = { matchConfig.Name = "${cnf.ar9287.interface}.milan"; - networkConfig.Bridge = "brguest"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; }; "lan-${cnf.qca988x.interface}" = { matchConfig.Name = cnf.qca988x.interface; networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; }; - "lan-${cnf.qca988x.interface}.nela" = { - matchConfig.Name = "${cnf.qca988x.interface}.nela"; - networkConfig.Bridge = "brguest"; + "lan-${cnf.qca988x.interface}-nela" = { + matchConfig.Name = "${cnf.qca988x.interface}-nela"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; }; "lan-${cnf.qca988x.interface}.milan" = { matchConfig.Name = "${cnf.qca988x.interface}.milan"; - networkConfig.Bridge = "brguest"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; }; }; }; diff --git a/nixos/routers/wifi-spt.nix b/nixos/routers/wifi-spt.nix index 87cbd14..84527fd 100644 --- a/nixos/routers/wifi-spt.nix +++ b/nixos/routers/wifi-spt.nix 
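Review bot: The six `bridgeVLANs` blocks in this hunk differ only in the VLAN number, and the same shape recurs in wifi-spt.nix and in every machine file; a helper in this file's `let`, e.g. `accessPort = id: [{bridgeVLANConfig = { EgressUntagged = id; PVID = id; };}];`, reduces each network to `bridgeVLANs = accessPort 2;` and makes the intent (untagged access port for VLAN 1 or 2) readable at a glance. A short comment naming the ids, `# 1 = lan, 2 = guest (see the vlan netdevs in router.nix)`, would also help, since the numbers appear bare everywhere.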
@@ -13,6 +13,11 @@ with lib; let default = null; description = "Specify interface for ${card}"; }; + bssids = mkOption { + type = with types; listOf str; + default = []; + description = "BSSIDs for networks."; + }; channel = mkOption { type = types.ints.positive; default = channelDefault; 
@@ -31,83 +36,130 @@ in { config = mkIf cnf.enable { services.hostapd = { enable = true; - radios = { - "${cnf.ar9287.interface}" = mkIf (cnf.ar9287.interface != null) { - countryCode = "CZ"; - inherit (cnf.ar9287) channel; - wifi4 = { - enable = true; - inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities; - }; - networks = { - "${cnf.ar9287.interface}" = { - bssid = "02:f0:21:23:2b:00"; - ssid = "TurrisRules"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; - }; + radios = + mkIf (cnf.ar9287.interface != null) { + "${cnf.ar9287.interface}" = { + countryCode = "CZ"; + inherit (cnf.ar9287) channel; + wifi4 = { + enable = true; + inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities; }; - "${cnf.ar9287.interface}.guest" = { - bssid = "0a:f0:21:23:2b:00"; - ssid = "Kocovi"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + networks = { + "${cnf.ar9287.interface}" = { + bssid = elemAt cnf.ar9287.bssids 0; + ssid = "TurrisRules"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; + }; + }; + "${cnf.ar9287.interface}.guest" = { + bssid = elemAt cnf.ar9287.bssids 1; + ssid = "Kocovi"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + }; }; }; }; - }; - "${cnf.qca988x.interface}" = mkIf (cnf.qca988x.interface != null) { - countryCode = "CZ"; - inherit (cnf.qca988x) channel; - band = "5g"; - wifi4 = { - enable = true; - inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities; - }; - wifi5 = { - enable = true; - inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities; - }; - networks = { - "${cnf.qca988x.interface}" = { - bssid = "04:f0:21:24:24:d2"; - ssid = "TurrisRules5"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; - }; + } + // mkIf (cnf.qca988x.interface != null) { + 
"${cnf.qca988x.interface}" = let + is2g = cnf.qca988x.channel <= 14; + in { + countryCode = "CZ"; + inherit (cnf.qca988x) channel; + band = + if is2g + then "2g" + else "5g"; + wifi4 = { + enable = true; + inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities; + }; + wifi5 = { + enable = !is2g; + inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities; }; - "${cnf.qca988x.interface}.guest" = { - bssid = "0a:f0:21:24:24:d2"; - ssid = "Kocovi"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + networks = { + "${cnf.qca988x.interface}" = { + bssid = elemAt cnf.qca988x.bssids 0; + ssid = "TurrisRules${ + if is2g + then "" + else "5" + }"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; + }; + }; + "${cnf.qca988x.interface}.guest" = { + bssid = elemAt cnf.qca988x.bssids 1; + ssid = "Kocovi"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + }; }; }; }; }; - }; }; - systemd.network.networks = { - "lan-${cnf.ar9287.interface}" = { - matchConfig.Name = cnf.ar9287.interface; - networkConfig.Bridge = "brlan"; - }; - "lan-${cnf.ar9287.interface}.guest" = { - matchConfig.Name = "${cnf.ar9287.interface}.guest"; - networkConfig.Bridge = "brguest"; - }; - "lan-${cnf.qca988x.interface}" = { - matchConfig.Name = cnf.qca988x.interface; - networkConfig.Bridge = "brlan"; - }; - "lan-${cnf.qca988x.interface}.guest" = { - matchConfig.Name = "${cnf.qca988x.interface}.guest"; - networkConfig.Bridge = "brguest"; + systemd.network.networks = + mkIf (cnf.ar9287.interface != null) { + "lan-${cnf.ar9287.interface}" = { + matchConfig.Name = cnf.ar9287.interface; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; + }; + "lan-${cnf.ar9287.interface}-guest" = { + matchConfig.Name = "${cnf.ar9287.interface}.guest"; + networkConfig.Bridge = "brlan"; + 
bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; + }; + } + // mkIf (cnf.qca988x.interface != null) { + "lan-${cnf.qca988x.interface}" = { + matchConfig.Name = cnf.qca988x.interface; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; + }; + "lan-${cnf.qca988x.interface}-guest" = { + matchConfig.Name = "${cnf.qca988x.interface}.guest"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; + }; }; - }; }; } -- cgit v1.2.3
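Review bot: `radios = mkIf (…) { … } // mkIf (…) { … }` drops the ar9287 radio: `mkIf` returns an attrset `{ _type = "if"; condition; content; }`, so `//` replaces the first one's `condition` and `content` with the second's — on spt-omnia.nix (both cards set) hostapd would only configure `wlp2s0`, and with only ar9287 set there would be no radio at all. The same construct is used for `systemd.network.networks` at the end of the hunk, so the ar9287 bridge memberships vanish too. Use `mkMerge [ (mkIf (cnf.ar9287.interface != null) { … }) (mkIf (cnf.qca988x.interface != null) { … }) ]` in both places, or `optionalAttrs`, which does combine with `//`. The `is2g` derivation from `channel <= 14` is a nice touch; a comment on `wifi5.enable = !is2g;` noting that 5 GHz capabilities are only advertised when the radio sits on a 5 GHz channel would make it self-explanatory.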