From cccd4338c96ac35c0f5eb37a82c8131f0268e083 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?=
Date: Tue, 20 Feb 2024 21:09:58 +0100
Subject: nixos/spt-omnia: update and fix
---
 nixos/machine/spt-omnia.nix | 83 ++++++++++++++++++++++++++++++++++++++++-----
 nixos/modules/generic.nix | 8 ++++-
 nixos/modules/hosts.nix | 1 +
 nixos/routers/router.nix | 3 --
 nixos/routers/wifi-spt.nix | 66 +++++++++++++++++++----------------
 5 files changed, 118 insertions(+), 43 deletions(-)
(limited to 'nixos')
diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix
index ac4ebdf..f2ea4f0 100644
--- a/nixos/machine/spt-omnia.nix
+++ b/nixos/machine/spt-omnia.nix
@@ -14,26 +14,89 @@ in { lanIP = hosts.omnia; staticLeases = { "a8:a1:59:10:32:c4" = hosts.errol; + "7c:b0:c2:bb:9c:ca" = hosts.albert; "4c:d5:77:0d:85:d9" = hosts.binky; + "b8:27:eb:57:a2:31" = hosts.mpd; + "74:bf:c0:42:82:19" = hosts.printer; }; }; wifiAP.spt = { enable = true; ar9287 = { - interface = "wlp3s0"; - bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"]; - channel = 13; + interface = "wlp1s0"; + bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"]; + channel = 11; }; qca988x = { - interface = "wlp2s0"; - bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"]; + interface = "wlp3s0"; + bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"]; channel = 36; }; }; - #openvpn.oldpersonal = true; + openvpn.oldpersonal = true; monitoring.speedtest = true; }; + environment = { + etc.crypttab.text = '' + nas UUID=3472bef9-cbae-48bd-873e-fd4858a0b72f /run/secrets/luks-spt-omnia-nas.key luks + nassec UUID=016e9e75-bbc8-4b24-8bb7-c800c8f6a500 /run/secrets/luks-spt-omnia-nas.key luks + ''; + systemPackages = with pkgs; [ + cryptsetup + ]; + }; + fileSystems = { + "/data" = { + device = "/dev/mapper/nas"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@data" "nofail"]; + }; + "/srv" = { + device = "/dev/mapper/nas"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@srv" "nofail"]; + depends = ["/data"]; + }; + }; + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/" "/data"]; + }; + services.udev.packages = [ + (pkgs.writeTextFile rec { + name = "queue_depth_sata.rules"; + destination = "/etc/udev/rules.d/50-${name}"; + text = '' + ACTION=="add|change", SUBSYSTEM=="scsi", ATTR{queue_depth}="1" + ''; + }) + ]; + + users = { + groups.nas = {}; + users = { + nas = { + group = "nas"; + openssh.authorizedKeys.keyFiles = [(config.personal-secrets + "/unencrypted/nas.pub")]; + isNormalUser = true; + home = "/data/nas"; + homeMode = "770"; + }; + cynerd.extraGroups = ["nas"]; + }; + }; + services.openssh = { + settings.Macs = ["hmac-sha2-256"]; # Allow 
sha2-256 for Nexcloud access + extraConfig = '' + Match User nas + X11Forwarding no + AllowTcpForwarding no + AllowAgentForwarding no + ForceCommand internal-sftp -d /data/nas + ''; + }; + networking.useDHCP = false; systemd.network = { netdevs = { @@ -102,18 +165,20 @@ in { ''; }; systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"]; + # TODO limit NSS clamping to just pppoe-wan networking.firewall.extraForwardRules = '' - tcp flags syn tcp option maxseg size set rt mtu + tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" + iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept ''; services.syncthing = { - enable = true; + enable = false; openDefaultPorts = true; overrideDevices = false; overrideFolders = false; - dataDir = "/data"; + dataDir = "/data"; # TODO this can't be the location }; }; } diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix index 33d7024..35880f1 100644 --- a/nixos/modules/generic.nix +++ b/nixos/modules/generic.nix @@ -167,7 +167,13 @@ in { ]; networking.dhcpcd.extraConfig = "controlgroup wheel"; - services.openssh.enable = true; + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; time.timeZone = "Europe/Prague"; i18n.defaultLocale = "en_US.UTF-8"; diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix index 76e884d..8a9318c 100644 --- a/nixos/modules/hosts.nix +++ b/nixos/modules/hosts.nix @@ -46,6 +46,7 @@ in { # Local "mpd" = "10.8.2.51"; "errol" = "10.8.2.60"; + "printer" = "10.8.2.90"; # Portable "albert" = "10.8.2.61"; "binky" = "10.8.2.63"; diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix index 5aa6cc6..ed634b1 100644 --- a/nixos/routers/router.nix +++ b/nixos/routers/router.nix 
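Review bot: `settings.Macs = ["hmac-sha2-256"]` in the new `services.openssh` block does not "allow" an extra MAC as the comment says; it replaces the NixOS default list, so sshd on this host offers only the non-ETM hmac-sha2-256 to every client and drops the encrypt-then-MAC variants. To add the algorithm the Nextcloud client needs while keeping the stronger defaults, write `settings.Macs = ["hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-256"];`. The `Match User nas` block disables forwarding and forces `internal-sftp -d /data/nas`, but `-d` only sets the starting directory; without a `ChrootDirectory` the account can still browse any path its uid/gid can read, so if confinement is the goal that directive (with a root-owned chroot parent) is still missing. Note also that `/data` is mounted with `nofail`: if the LUKS mapping does not come up, the sftp target `/data/nas` would resolve to a directory on the root filesystem rather than failing closed.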
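Review bot: Setting `PasswordAuthentication = false` and `PermitRootLogin = "no"` in generic.nix applies to every host that imports this module, so any machine whose users have no `openssh.authorizedKeys` entries yet loses SSH access on the next rebuild; worth verifying fleet-wide before deploying. NixOS already defaults `KbdInteractiveAuthentication` to false, so PAM-driven password prompts are covered as well. Because the values live under `settings`, a host that genuinely needs password login can still override them locally with `lib.mkForce` rather than weakening the shared module.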
@@ -59,9 +59,6 @@ in { }; rejectPackets = true; filterForward = true; - extraForwardRules = '' - iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access other networks" - ''; }; nat = { enable = true; diff --git a/nixos/routers/wifi-spt.nix b/nixos/routers/wifi-spt.nix index 0ebcaa1..769449d 100644 --- a/nixos/routers/wifi-spt.nix +++ b/nixos/routers/wifi-spt.nix @@ -3,8 +3,8 @@ lib, pkgs, ... -}: -with lib; let +}: let + inherit (lib) mkOption mkEnableOption types mkIf mkMerge hostapd elemAt; cnf = config.cynerd.wifiAP.spt; wOptions = card: channelDefault: { @@ -34,13 +34,17 @@ in { }; config = mkIf cnf.enable { + # TODO regdom doesn't work for some reason + boot.extraModprobeConfig = '' + options cfg80211 ieee80211_regdom="CZ" + ''; services.hostapd = { enable = true; - radios = - mkIf (cnf.ar9287.interface != null) { + radios = mkMerge [ + (mkIf (cnf.ar9287.interface != null) { "${cnf.ar9287.interface}" = { - countryCode = "CZ"; inherit (cnf.ar9287) channel; + countryCode = "CZ"; wifi4 = { enable = true; inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities; @@ -64,13 +68,13 @@ in { #}; }; }; - } - // mkIf (cnf.qca988x.interface != null) { + }) + (mkIf (cnf.qca988x.interface != null) { "${cnf.qca988x.interface}" = let is2g = cnf.qca988x.channel <= 14; in { - countryCode = "CZ"; inherit (cnf.qca988x) channel; + countryCode = "CZ"; band = if is2g then "2g" 
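Review bot: The added `boot.extraModprobeConfig` setting `ieee80211_regdom="CZ"` — flagged in the TODO as not working — is most likely inert because cfg80211 falls back to the world regulatory domain whenever it cannot load `regulatory.db`; check that `hardware.wirelessRegulatoryDatabase = true` is set (if the hostapd module does not already enable it), since that is what ships the database into the firmware path. hostapd itself still pushes the country through the `countryCode = "CZ"` lines in both radios, so the modprobe option only matters for the window before hostapd starts. If the regdb turns out to be present, the next thing to confirm is whether the ath drivers on this board honour a user regdom at all, which is outside this hunk.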
@@ -106,21 +110,22 @@ in { #}; }; }; - }; + }) + ]; }; - systemd.network.networks = - mkIf (cnf.ar9287.interface != null) { + systemd.network.networks = mkMerge [ + (mkIf (cnf.ar9287.interface != null) { "lan-${cnf.ar9287.interface}" = { matchConfig.Name = cnf.ar9287.interface; networkConfig.Bridge = "brlan"; - #bridgeVLANs = [ - # { - # bridgeVLANConfig = { - # EgressUntagged = 1; - # PVID = 1; - # }; - # } - #]; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; }; #"lan-${cnf.ar9287.interface}-guest" = { # matchConfig.Name = "${cnf.ar9287.interface}.guest"; @@ -134,19 +139,19 @@ in { # } # ]; #}; - } - // mkIf (cnf.qca988x.interface != null) { + }) + (mkIf (cnf.qca988x.interface != null) { "lan-${cnf.qca988x.interface}" = { matchConfig.Name = cnf.qca988x.interface; networkConfig.Bridge = "brlan"; - #bridgeVLANs = [ - # { - # bridgeVLANConfig = { - # EgressUntagged = 1; - # PVID = 1; - # }; - # } - #]; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; }; #"lan-${cnf.qca988x.interface}-guest" = { # matchConfig.Name = "${cnf.qca988x.interface}.guest"; @@ -160,6 +165,7 @@ in { # } # ]; #}; - }; + }) + ]; }; } -- cgit v1.2.3
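Review bot: Enabling `bridgeVLANs` with `PVID = 1` / `EgressUntagged = 1` on the ar9287 bridge port (and the same on the qca988x port in the `@@ -134` hunk) only has an effect if the `brlan` netdev has `VLANFiltering=yes`; with filtering off the entries are ignored, and with it on, any port that lacks an explicit VLAN block stops passing traffic, so the bridge definition (outside this file) should be checked for consistency with these two ports. The guest SSID port definitions stay commented out here while router.nix removes the `iifname "guest" oifname != "${cnf.wan}" drop` forward rule; as written, a later uncommenting of the guest ports would bring the guest network back without any isolation from the LAN, since a bridge VLAN with PVID 1 places it on the same segment. A one-line reminder next to the commented block, such as `# NOTE: re-add the guest→non-WAN drop rule in router.nix before enabling`, would keep that dependency visible.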