From c1a76b4403edcf5e2a147d68b7bbdf1c33ac95ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?=
Date: Sat, 27 Jan 2024 13:20:03 +0100
Subject: Rework routers to use systemd-networkd
---
nixos/routers/default.nix | 1 +
nixos/routers/router.nix | 237 +++++++++++----------------------------------
nixos/routers/switch.nix | 65 +++++++++++++
nixos/routers/wifi-adm.nix | 85 +++++++++++++---
nixos/routers/wifi-spt.nix | 186 ++++++++++++++++++++++-------------
5 files changed, 313 insertions(+), 261 deletions(-)
create mode 100644 nixos/routers/switch.nix
(limited to 'nixos/routers')
diff --git a/nixos/routers/default.nix b/nixos/routers/default.nix
index ab64316..dfc1266 100644
--- a/nixos/routers/default.nix
+++ b/nixos/routers/default.nix
@@ -1,5 +1,6 @@
 {
 cynerd-router = import ./router.nix;
+ cynerd-switch = import ./switch.nix;
 cynerd-wifi-adm = import ./wifi-adm.nix;
 cynerd-wifi-spt = import ./wifi-spt.nix;
 }
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
index da625e4..545f109 100644
--- a/nixos/routers/router.nix
+++ b/nixos/routers/router.nix
@@ -40,33 +40,71 @@ in { }; config = mkIf cnf.enable { + networking = { + useNetworkd = true; + nftables.enable = true; + firewall = { + interfaces = { + "lan" = { + allowedUDPPorts = [53 67 68]; + allowedTCPPorts = [53]; + }; + "guest" = { + allowedUDPPorts = [53 67 68]; + allowedTCPPorts = [53]; + }; + }; + filterForward = true; + extraForwardRules = '' + iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan" + ''; + }; + nat = { + enable = true; + externalInterface = cnf.wan; + internalInterfaces = ["lan" "guest"]; + }; + }; + systemd.network = { netdevs = { - "brlan".netdevConfig = { - Kind = "bridge"; - Name = "brlan"; - }; - "brguest".netdevConfig = { - Kind = "bridge"; - Name = "brguest"; + "brlan" = { + netdevConfig = { + Kind = "bridge"; + Name = "brlan"; + }; + extraConfig = '' + [Bridge] + DefaultPVID=none + VLANFiltering=yes + ''; }; - }; - networks = { - "${cnf.wan}" = { - matchConfig.Name = cnf.wan; - networkConfig = { - DHCP = "yes"; - DHCPPrefixDelegation = "yes"; + "lan" = { + netdevConfig = { + Kind = "vlan"; + Name = "lan"; }; - dhcpPrefixDelegationConfig = { - UplinkInterface = ":self"; - SubnetId = 0; - Announce = "no"; + vlanConfig.Id = 1; + }; + "guest" = { + netdevConfig = { + Kind = "vlan"; + Name = "guest"; }; - linkConfig.RequiredForOnline = "routable"; + vlanConfig.Id = 2; }; + }; + networks = { "brlan" = { matchConfig.Name = "brlan"; + networkConfig.VLAN = ["lan" "guest"]; + bridgeVLANs = [ + {bridgeVLANConfig.VLAN = 1;} + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + "lan" = { + matchConfig.Name = "lan"; networkConfig = { Address = "${cnf.lanIP}/${toString cnf.lanPrefix}"; IPForward = "yes"; @@ -74,7 +112,6 @@ in { DHCPPrefixDelegation = "yes"; IPv6SendRA = "yes"; IPv6AcceptRA = "no"; - VLAN = ["brlan.brguest"]; }; dhcpServerConfig = { UplinkInterface = cnf.wan; 
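Review bot: The `"${cnf.wan}"` network unit (DHCP client with `DHCPPrefixDelegation = "yes"`, the `dhcpPrefixDelegationConfig` block and `linkConfig.RequiredForOnline = "routable"`) is removed in this hunk and nothing in the visible diff re-adds it, while the new `lan` network still depends on the uplink through `dhcpServerConfig.UplinkInterface = cnf.wan` and its own `DHCPPrefixDelegation = "yes"`. The listing is limited to `nixos/routers`, so the WAN definition may have moved to a per-host file; if so, a comment such as `# WAN is configured per host: it must run a DHCP client with prefix delegation, which lan/guest PD below relies on` would make that dependency visible, and if not, the uplink is left unmanaged by networkd and the router obtains neither a WAN address nor a delegated prefix. The guest isolation now rests on `filterForward = true` plus the `extraForwardRules` drop that matches the interface name `"guest"` literally, so that string has to be kept in step with the `guest` netdev whenever it is renamed. The enclosing `config = mkIf cnf.enable {` block continues past the end of this hunk.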
@@ -89,8 +126,8 @@ in { Announce = "yes"; }; }; - "brguest" = { - matchConfig.Name = "brguest"; + "guest" = { + matchConfig.Name = "guest"; networkConfig = { Address = "192.168.1.1/24"; IPForward = "yes"; 
@@ -116,166 +153,10 @@ in { wait-online.anyInterface = true; }; - networking = { - nftables.enable = true; - firewall = { - interfaces = { - "brlan" = { - allowedUDPPorts = [53 67 68]; - allowedTCPPorts = [53]; - }; - "brguest" = { - allowedUDPPorts = [53 67 68]; - allowedTCPPorts = [53]; - }; - }; - filterForward = true; - extraForwardRules = '' - iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan" - ''; - }; - nat = { - enable = true; - externalInterface = cnf.wan; - internalInterfaces = ["brlan" "brguest"]; - }; - }; - services.resolved = { enable = true; dnssec = "true"; fallbackDns = ["1.1.1.1" "8.8.8.8"]; }; - - #networking = { - # interfaces = { - # brlan.ipv4.addresses = [ - # { - # address = cnf.lanIP; - # prefixLength = cnf.lanPrefix; - # } - # ]; - # brguest.ipv4.addresses = [ - # { - # address = "192.168.1.1"; - # prefixLength = 24; - # } - # ]; - # }; - # vlans = { - # "brlan.guest" = { - # interface = "brlan"; - # id = 100; - # }; - # }; - # bridges = { - # brlan.interfaces = []; - # brguest.interfaces = ["brlan.guest"]; - # }; - # nat = { - # enable = true; - # externalInterface = cnf.wan; - # internalInterfaces = ["brlan" "brguest"]; - # }; - # dhcpcd = { - # allowInterfaces = [cnf.wan]; - # extraConfig = '' - # duid - # noipv6rs - # waitip 6 - - # interface ${cnf.wan} - # ipv6rs - # iaid 1 - - # ia_pd 1 brlan - # #ia_pd 1/::/64 LAN/0/64 - #toString ''; - # }; - #nameservers = ["1.1.1.1" "8.8.8.8"]; - #}; - - #services = { - # kea = { - # dhcp4 = { - # enable = true; - # settings = { - # lease-database = { - # name = "/var/lib/kea/dhcp4.leases"; - # persist = true; - # type = "memfile"; - # }; - # valid-lifetime = 4000; - # renew-timer = 1000; - # rebind-timer = 2000; - # interfaces-config = { - # interfaces = ["brlan" "brguest"]; - # service-sockets-max-retries = -1; - # }; - # option-data = [ - # { - # name = "domain-name-servers"; - # data = "1.1.1.1, 8.8.8.8"; - # } - # ]; - # subnet4 = [ - # { - # interface = 
"brlan"; - # subnet = "${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix}/${toString cnf.lanPrefix}"; - # pools = let - # ip_start = ipv4.ipAdd cnf.lanIP cnf.lanPrefix cnf.dynIPStart; - # ip_end = ipv4.ipAdd cnf.lanIP cnf.lanPrefix (cnf.dynIPStart + cnf.dynIPCount); - # in [{pool = "${ip_start} - ${ip_end}";}]; - # option-data = [ - # { - # name = "routers"; - # data = cnf.lanIP; - # } - # ]; - # reservations = [ - # { - # duid = "e4:6f:13:f3:d5:be"; - # ip-address = ipv4.ipAdd cnf.lanIP cnf.lanPrefix 60; - # } - # ]; - # } - # { - # interface = "brguest"; - # subnet = "192.168.1.0/24"; - # pools = [{pool = "192.168.1.50 - 192.168.1.254";}]; - # "option-data" = [ - # { - # name = "routers"; - # data = "192.168.1.1"; - # } - # ]; - # } - # ]; - # }; - # }; - # }; - # radvd = { - # enable = true; - # config = '' - # interface brlan { - # AdvSendAdvert on; - # MinRtrAdvInterval 3; - # MaxRtrAdvInterval 10; - # prefix ::/64 { - # AdvOnLink on; - # AdvAutonomous on; - # AdvRouterAddr on; - # }; - # RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 { - # }; - # }; - # ''; - # }; - # kresd = {enable = false;}; - #}; - #systemd.services.kea-dhcp4-server.after = [ - # "sys-subsystem-net-devices-brlan.device" - # "sys-subsystem-net-devices-brguest.device" - #]; }; } diff --git a/nixos/routers/switch.nix b/nixos/routers/switch.nix new file mode 100644 index 0000000..16d57bc --- /dev/null +++ b/nixos/routers/switch.nix 
@@ -0,0 +1,65 @@ +{ + config, + lib, + ... +}: +with lib; let + cnf = config.cynerd.switch; +in { + options = { + cynerd.switch = { + enable = mkEnableOption "Enable switch support"; + lanAddress = mkOption { + type = types.str; + description = "LAN IP address"; + }; + lanGateway = mkOption { + type = types.str; + description = "LAN IP address of the gateway"; + }; + }; + }; + + config = mkIf cnf.enable { + networking = { + useNetworkd = true; + nftables.enable = true; + }; + + systemd.network = { + netdevs = { + "brlan" = { + netdevConfig = { + Kind = "bridge"; + Name = "brlan"; + }; + extraConfig = '' + [Bridge] + DefaultPVID=none + VLANFiltering=yes + ''; + }; + }; + networks = { + "brlan" = { + matchConfig.Name = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + PVID = 1; + EgressUntagged = 1; + }; + } + ]; + networkConfig = { + Address = cnf.lanAddress; + Gateway = cnf.lanGateway; + DNS = "1.1.1.1"; + IPv6AcceptRA = "yes"; + }; + }; + }; + wait-online.anyInterface = true; + }; + }; +} diff --git a/nixos/routers/wifi-adm.nix b/nixos/routers/wifi-adm.nix index 26a5e15..733f167 100644 --- a/nixos/routers/wifi-adm.nix +++ b/nixos/routers/wifi-adm.nix @@ -13,6 +13,11 @@ with lib; let default = null; description = "Specify interface for ${card}"; }; + bssids = mkOption { + type = with types; listOf str; + default = []; + description = "BSSIDs for networks."; + }; channel = mkOption { type = types.ints.positive; default = channelDefault; @@ -41,15 +46,15 @@ in { }; networks = { "${cnf.ar9287.interface}" = { - bssid = "02:f0:21:23:2b:00"; + bssid = elemAt cnf.ar9287.bssids 0; ssid = "TurrisAdamkovi"; authentication = { mode = "wpa2-sha256"; wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; }; }; - "${cnf.ar9287.interface}.nela" = { - bssid = "06:f0:21:23:2b:00"; + "${cnf.ar9287.interface}-nela" = { + bssid = elemAt cnf.ar9287.bssids 1; ssid = "Nela"; authentication = { mode = "wpa2-sha256"; 
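Review bot: `lanAddress` is passed straight to `networkConfig.Address`, which takes `address/prefixlength`, but its description says only "LAN IP address"; router.nix builds the same value as `"${cnf.lanIP}/${toString cnf.lanPrefix}"` from two options, so the two modules now disagree on what a LAN-address option holds. Either state the format, `description = "LAN IP address with prefix length, for example 192.0.2.2/24";`, or split it into `lanIP`/`lanPrefix` like router.nix does. The hard-coded `DNS = "1.1.1.1"` deserves either an option or a one-line comment, since the router module keeps its resolver list in `services.resolved.fallbackDns` instead. The bridge master's `bridgeVLANs` entry (PVID 1, EgressUntagged 1) places the switch's own management address on VLAN 1 only, i.e. the LAN side and not the guest VLAN; a comment saying so, `# management address lives untagged on VLAN 1 (lan) only`, would help the next reader.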
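Review bot: `bssids` defaults to `[]`, but every consumer in this file does `elemAt cnf.<card>.bssids 0`, `1` or `2`, so a host that leaves the option unset fails evaluation with a bare "index out of bounds" that does not name the option or the card. The description should state the contract, e.g. `description = "BSSIDs of the hostapd networks for ${card}, in order: main, nela, milan; all three are required.";`. The same option with the same empty default is added to wifi-spt.nix in hunk `@@ -13,6 +13,11 @@`, where the expected order is main, guest. Dropping the `default` (so the module system reports the missing option) or adding an `assertion` on `length cnf.<card>.bssids` would turn the opaque eval error into a clear message.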
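Review bot: The `nela` networks are renamed from `"${cnf.ar9287.interface}.nela"` to `"${cnf.ar9287.interface}-nela"` while the `milan` networks keep the dotted form `"${cnf.ar9287.interface}.milan"` (this hunk and hunks `@@ -57,7`, `@@ -80,15`, `@@ -96,7`, plus the matching `systemd.network.networks` units in `@@ -111,26 +116,74`), so two guest SSIDs on the same radio now follow different naming schemes. If the dash form is required for the hostapd interface name, apply it to `milan` as well; if it is not, the `nela` rename looks unintentional. wifi-spt.nix keeps `.guest` as the interface name and uses the dash only in the Nix attribute name, which is a third variant worth unifying, or at least explaining in a comment where the names are built.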
@@ -57,7 +62,7 @@ in { }; }; "${cnf.ar9287.interface}.milan" = { - bssid = "0a:f0:21:23:2b:00"; + bssid = elemAt cnf.ar9287.bssids 2; ssid = "MILAN-AC"; authentication = { mode = "wpa2-sha256"; @@ -80,15 +85,15 @@ in { }; networks = { "${cnf.qca988x.interface}" = { - bssid = "04:f0:21:24:24:d2"; + bssid = elemAt cnf.qca988x.bssids 0; ssid = "TurrisAdamkovi"; authentication = { mode = "wpa2-sha256"; wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; }; }; - "${cnf.qca988x.interface}.nela" = { - bssid = "06:f0:21:24:24:d2"; + "${cnf.qca988x.interface}-nela" = { + bssid = elemAt cnf.qca988x.bssids 1; ssid = "Nela"; authentication = { mode = "wpa2-sha256"; @@ -96,7 +101,7 @@ in { }; }; "${cnf.qca988x.interface}.milan" = { - bssid = "0a:f0:21:24:24:d2"; + bssid = elemAt cnf.qca988x.bssids 2; ssid = "MILAN-AC"; authentication = { mode = "wpa2-sha256"; 
@@ -111,26 +116,74 @@ in { "lan-${cnf.ar9287.interface}" = { matchConfig.Name = cnf.ar9287.interface; networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; }; - "lan-${cnf.ar9287.interface}.nela" = { - matchConfig.Name = "${cnf.ar9287.interface}.nela"; - networkConfig.Bridge = "brguest"; + "lan-${cnf.ar9287.interface}-nela" = { + matchConfig.Name = "${cnf.ar9287.interface}-nela"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; }; "lan-${cnf.ar9287.interface}.milan" = { matchConfig.Name = "${cnf.ar9287.interface}.milan"; - networkConfig.Bridge = "brguest"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; }; "lan-${cnf.qca988x.interface}" = { matchConfig.Name = cnf.qca988x.interface; networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; }; - "lan-${cnf.qca988x.interface}.nela" = { - matchConfig.Name = "${cnf.qca988x.interface}.nela"; - networkConfig.Bridge = "brguest"; + "lan-${cnf.qca988x.interface}-nela" = { + matchConfig.Name = "${cnf.qca988x.interface}-nela"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; }; "lan-${cnf.qca988x.interface}.milan" = { matchConfig.Name = "${cnf.qca988x.interface}.milan"; - networkConfig.Bridge = "brguest"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; }; }; }; diff --git a/nixos/routers/wifi-spt.nix b/nixos/routers/wifi-spt.nix index 87cbd14..84527fd 100644 --- a/nixos/routers/wifi-spt.nix +++ b/nixos/routers/wifi-spt.nix 
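Review bot: Every port here gets `bridgeVLANs` with PVID/EgressUntagged 1 or 2, but this file does not define the `brlan` netdev, and per-port VLAN entries only affect forwarding on a bridge created with `VLANFiltering=yes` (as switch.nix and router.nix do); on a bridge without VLAN filtering they have no effect and the `-nela`/`.milan` guest SSIDs would share one L2 segment with the main SSID. Presumably the wifi-adm host also enables `cynerd.switch` — worth confirming, and worth making explicit with an `assertion` on `config.cynerd.switch.enable` or at least a comment such as `# requires brlan with VLANFiltering=yes (see switch.nix)`. The VLAN numbers are bare literals repeated across this file, switch.nix, router.nix (`vlanConfig.Id`) and wifi-spt.nix; a comment on the first entry, `# VLAN 1 = lan, VLAN 2 = guest; must match router.nix vlanConfig.Id`, or a shared `let` binding, would keep a typo from silently placing a guest SSID on the LAN VLAN.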
@@ -13,6 +13,11 @@ with lib; let default = null; description = "Specify interface for ${card}"; }; + bssids = mkOption { + type = with types; listOf str; + default = []; + description = "BSSIDs for networks."; + }; channel = mkOption { type = types.ints.positive; default = channelDefault; 
@@ -31,83 +36,130 @@ in { config = mkIf cnf.enable { services.hostapd = { enable = true; - radios = { - "${cnf.ar9287.interface}" = mkIf (cnf.ar9287.interface != null) { - countryCode = "CZ"; - inherit (cnf.ar9287) channel; - wifi4 = { - enable = true; - inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities; - }; - networks = { - "${cnf.ar9287.interface}" = { - bssid = "02:f0:21:23:2b:00"; - ssid = "TurrisRules"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; - }; + radios = + mkIf (cnf.ar9287.interface != null) { + "${cnf.ar9287.interface}" = { + countryCode = "CZ"; + inherit (cnf.ar9287) channel; + wifi4 = { + enable = true; + inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities; }; - "${cnf.ar9287.interface}.guest" = { - bssid = "0a:f0:21:23:2b:00"; - ssid = "Kocovi"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + networks = { + "${cnf.ar9287.interface}" = { + bssid = elemAt cnf.ar9287.bssids 0; + ssid = "TurrisRules"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; + }; + }; + "${cnf.ar9287.interface}.guest" = { + bssid = elemAt cnf.ar9287.bssids 1; + ssid = "Kocovi"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + }; }; }; }; - }; - "${cnf.qca988x.interface}" = mkIf (cnf.qca988x.interface != null) { - countryCode = "CZ"; - inherit (cnf.qca988x) channel; - band = "5g"; - wifi4 = { - enable = true; - inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities; - }; - wifi5 = { - enable = true; - inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities; - }; - networks = { - "${cnf.qca988x.interface}" = { - bssid = "04:f0:21:24:24:d2"; - ssid = "TurrisRules5"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; - }; + } + // mkIf (cnf.qca988x.interface != null) { + 
"${cnf.qca988x.interface}" = let + is2g = cnf.qca988x.channel <= 14; + in { + countryCode = "CZ"; + inherit (cnf.qca988x) channel; + band = + if is2g + then "2g" + else "5g"; + wifi4 = { + enable = true; + inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities; + }; + wifi5 = { + enable = !is2g; + inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities; }; - "${cnf.qca988x.interface}.guest" = { - bssid = "0a:f0:21:24:24:d2"; - ssid = "Kocovi"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + networks = { + "${cnf.qca988x.interface}" = { + bssid = elemAt cnf.qca988x.bssids 0; + ssid = "TurrisRules${ + if is2g + then "" + else "5" + }"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; + }; + }; + "${cnf.qca988x.interface}.guest" = { + bssid = elemAt cnf.qca988x.bssids 1; + ssid = "Kocovi"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + }; }; }; }; }; - }; }; - systemd.network.networks = { - "lan-${cnf.ar9287.interface}" = { - matchConfig.Name = cnf.ar9287.interface; - networkConfig.Bridge = "brlan"; - }; - "lan-${cnf.ar9287.interface}.guest" = { - matchConfig.Name = "${cnf.ar9287.interface}.guest"; - networkConfig.Bridge = "brguest"; - }; - "lan-${cnf.qca988x.interface}" = { - matchConfig.Name = cnf.qca988x.interface; - networkConfig.Bridge = "brlan"; - }; - "lan-${cnf.qca988x.interface}.guest" = { - matchConfig.Name = "${cnf.qca988x.interface}.guest"; - networkConfig.Bridge = "brguest"; + systemd.network.networks = + mkIf (cnf.ar9287.interface != null) { + "lan-${cnf.ar9287.interface}" = { + matchConfig.Name = cnf.ar9287.interface; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; + }; + "lan-${cnf.ar9287.interface}-guest" = { + matchConfig.Name = "${cnf.ar9287.interface}.guest"; + networkConfig.Bridge = "brlan"; + 
bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; + }; + } + // mkIf (cnf.qca988x.interface != null) { + "lan-${cnf.qca988x.interface}" = { + matchConfig.Name = cnf.qca988x.interface; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; + }; + "lan-${cnf.qca988x.interface}-guest" = { + matchConfig.Name = "${cnf.qca988x.interface}.guest"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; + }; }; - }; }; } -- cgit v1.2.3
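Review bot: `mkIf (cnf.ar9287.interface != null) { … } // mkIf (cnf.qca988x.interface != null) { … }` does not merge the two radios: `mkIf` returns a plain attribute set `{ _type = "if"; condition; content; }` and `//` is the attribute-set update operator, so the expression evaluates to the second `mkIf` alone and the whole `ar9287` radio is dropped; the same construction is used for `systemd.network.networks` later in this hunk, where the `lan-${cnf.ar9287.interface}` units are lost the same way. Both should be written as `mkMerge [ (mkIf (cnf.ar9287.interface != null) { … }) (mkIf (cnf.qca988x.interface != null) { … }) ];`. Because the radio definition itself is the part that disappears, the `ar9287` SSIDs are simply never brought up, which at least fails closed rather than bridging an unconfigured port onto `brlan`.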