authorKarel Kočí <cynerd@email.cz>2024-03-16 14:12:11 +0100
committerKarel Kočí <cynerd@email.cz>2024-03-16 14:12:11 +0100
commit7cd40525ff19d9adb6a7540e16a27c955cb1c517 (patch)
treef65f918ed8f713e13f50296beff119b0eaedfd6f /2024-installfest
parent64af010c19bae50d19f6626d4138355b2971159e (diff)
Add presentation from Installfest 2024
Diffstat (limited to '2024-installfest')
-rw-r--r--2024-installfest/configuration.nix18
-rw-r--r--2024-installfest/flake.lock112
-rw-r--r--2024-installfest/flake.nix42
-rw-r--r--2024-installfest/mox.nix6
-rw-r--r--2024-installfest/omnia.nix6
-rw-r--r--2024-installfest/pres.pdfbin0 -> 106838 bytes
-rw-r--r--2024-installfest/pres.typ545
-rw-r--r--2024-installfest/router-guest.nix148
-rw-r--r--2024-installfest/router.nix84
-rw-r--r--2024-installfest/switch.nix29
-rw-r--r--2024-installfest/wifi-guest.nix114
-rw-r--r--2024-installfest/wifi.nix58
12 files changed, 1162 insertions, 0 deletions
diff --git a/2024-installfest/configuration.nix b/2024-installfest/configuration.nix
new file mode 100644
index 0000000..1950e6e
--- /dev/null
+++ b/2024-installfest/configuration.nix
@@ -0,0 +1,18 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ users.users.root.password = lib.mkDefault "nixturris";
+ environment.systemPackages = with pkgs; [
+ htop
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = true;
+ PermitRootLogin = "yes";
+ };
+ };
+}
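Review bot: The SSH settings on L49-L50 combined with the plaintext root password on L41 make root reachable by password over SSH, and since `services.openssh.openFirewall` defaults to true the port is opened on every interface, including the `end2` uplink in router.nix/router-guest.nix and the open guest SSID in wifi-guest.nix. `lib.mkDefault` allows a host to override the password, but none of the modules listed in flake.nix does, so the demo credential ships as-is, and `users.users.root.password` additionally lands in the world-readable Nix store. Prefer key-based access, `PasswordAuthentication = false;` and `PermitRootLogin = "prohibit-password";` with `users.users.root.openssh.authorizedKeys.keys`, or at minimum `services.openssh.openFirewall = false;` plus `networking.firewall.interfaces."brlan".allowedTCPPorts = [22];` (`"home"` in router-guest.nix) so the port is only reachable from the LAN side. If this is meant as an install-time default for the talk, say so above L41: `# Demo-only credential: override users.users.root.password / hashedPasswordFile in your host module.`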
diff --git a/2024-installfest/flake.lock b/2024-installfest/flake.lock
new file mode 100644
index 0000000..a73f66a
--- /dev/null
+++ b/2024-installfest/flake.lock
@@ -0,0 +1,112 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1710146030,
+ "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+ "type": "github"
+ },
+ "original": {
+ "id": "flake-utils",
+ "type": "indirect"
+ }
+ },
+ "flake-utils_2": {
+ "inputs": {
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1710146030,
+ "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+ "type": "github"
+ },
+ "original": {
+ "id": "flake-utils",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1710503106,
+ "narHash": "sha256-WQenjcuNH9cnEYqh/PFxpmjK9PQnEPGt1Z7TCfYBhXs=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "b1d47989352fcb722a1f19295a9461ed1ef8435a",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "nixturris": {
+ "inputs": {
+ "flake-utils": "flake-utils_2",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1710278775,
+ "narHash": "sha256-4kwVKv2Wrus6kNka/XtcrpYx1hemORAiv0wchoMxEvM=",
+ "owner": "cynerd",
+ "repo": "nixturris",
+ "rev": "b6f0fe38003fe22c2a0b94ac660e6063bb6f67b9",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "cynerd",
+ "repo": "nixturris",
+ "type": "gitlab"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": "nixpkgs",
+ "nixturris": "nixturris"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/2024-installfest/flake.nix b/2024-installfest/flake.nix
new file mode 100644
index 0000000..4cce0a8
--- /dev/null
+++ b/2024-installfest/flake.nix
@@ -0,0 +1,42 @@
+{
+ description = "NixOS configuration for Turris system";
+
+ inputs.nixturris = {
+ url = "gitlab:cynerd/nixturris";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = {
+ self,
+ flake-utils,
+ nixpkgs,
+ nixturris,
+ }: let
+ inherit (flake-utils.lib) eachDefaultSystem;
+ inherit (nixturris.lib) nixturrisSystem;
+ in
+ {
+ nixosConfigurations = {
+ omnia = nixturrisSystem {
+ modules = [./omnia.nix ./configuration.nix];
+ };
+ mox = nixturrisSystem {
+ modules = [./mox.nix ./configuration.nix];
+ };
+ };
+ }
+ // eachDefaultSystem (system: {
+ packages = {
+ omnia-toplevel =
+ self.nixosConfigurations.omnia.buildPlatform.${system}.config.system.build.toplevel;
+ mox-toplevel =
+ self.nixosConfigurations.mox.buildPlatform.${system}.config.system.build.toplevel;
+ omnia-tarball =
+ self.nixosConfigurations.omnia.buildPlatform.${system}.config.system.build.tarball;
+ mox-tarball =
+ self.nixosConfigurations.mox.buildPlatform.${system}.config.system.build.tarball;
+ };
+
+ formatter = nixpkgs.legacyPackages.${system}.alejandra;
+ });
+}
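Review bot: `nixpkgs` and `flake-utils` are consumed in `outputs` (L188-L189) without being declared under `inputs`, so they are resolved through the user's flake registry — flake.lock records both as `"type": "indirect"`. The locked revisions keep builds reproducible today, but which upstream a future `nix flake update` pulls from depends on each user's registry rather than on this file. Declaring them explicitly, e.g. `inputs.nixpkgs.url = "github:NixOS/nixpkgs/<branch>";` and `inputs.flake-utils.url = "github:numtide/flake-utils";`, documents the intended source and makes the `follows` on L183 unambiguous.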
diff --git a/2024-installfest/mox.nix b/2024-installfest/mox.nix
new file mode 100644
index 0000000..f97f84a
--- /dev/null
+++ b/2024-installfest/mox.nix
@@ -0,0 +1,6 @@
+{
+ #imports = [./switch.nix];
+ config = {
+ turris.board = "mox";
+ };
+}
diff --git a/2024-installfest/omnia.nix b/2024-installfest/omnia.nix
new file mode 100644
index 0000000..7c4a7b3
--- /dev/null
+++ b/2024-installfest/omnia.nix
@@ -0,0 +1,6 @@
+{
+ #imports = [./router.nix ./wifi.nix];
+ config = {
+ turris.board = "omnia";
+ };
+}
diff --git a/2024-installfest/pres.pdf b/2024-installfest/pres.pdf
new file mode 100644
index 0000000..ea88d38
--- /dev/null
+++ b/2024-installfest/pres.pdf
Binary files differ
diff --git a/2024-installfest/pres.typ b/2024-installfest/pres.typ
new file mode 100644
index 0000000..7572ff4
--- /dev/null
+++ b/2024-installfest/pres.typ
@@ -0,0 +1,545 @@
+#import "@preview/polylux:0.3.1": *
+#import themes.metropolis: *
+#show: metropolis-theme
+#set text(size: 25pt)
+
+#title-slide(
+ title: [Instalace NixOS na Turris routery],
+ subtitle: [Installfest 2024],
+ author: [Karel Kočí],
+ date: [16.03.2024],
+)
+
+#new-section-slide([Instalace na Turris Mox])
+
+#slide(title: [Příprava SD karty])[
+```console
+~$ sudo parted /dev/mmcblk1
+(parted) mktable gpt
+(parted) mkpart NixTurris 0% 100%
+(parted) set 1 boot on
+(parted) quit
+~$ sudo mkfs.btrfs /dev/mmcblk1p1
+~$ mount /dev/mmcblk1p1 /mnt
+~$ tar -xf nixos-system-aarch64-linux.tar.xz -C /mnt
+~$ umount /mnt
+```
+]
+
+#slide(title: [U-Boot])[
+Nutné aktualizovat U-Boot: ```console
+~# opkg update
+~# opkg install turris-nor-update
+~# nor-update
+```
+]
+
+#slide(
+ title: [První boot],
+)[
+```console
+U-Boot 2022.07 (Aug 15 2022 - 12:25:08 +0000)
+...
+Hit any key to stop autoboot: 0
+=> setenv ramdisk_addr_r 0x9000000
+=> saveenv
+Saving Environment to SPIFlash... Erasing SPI flash...Writing to SPI flash...done
+OK
+=> boot
+```
+]
+
+#new-section-slide([Instalace na Turris Omnia])
+
+#slide(title: [Příprava USB flash disku])[
+```console
+~$ sudo parted /dev/sdx
+(parted) mktable gpt
+(parted) mkpart NixTurris 0% 100%
+(parted) set 1 boot on
+(parted) quit
+ ~$ sudo mkfs.btrfs /dev/sdx1
+~$ mount /dev/sdx /mnt
+~$ tar -xf nixos-system-armv7l-linux.tar.xz -C /mnt
+~$ umount /mnt
+```
+]
+
+#slide(title: [U-Boot])[
+Nutné aktualizovat U-Boot: ```console
+~# opkg update
+~# opkg install turris-nor-update
+~# nor-update
+```
+]
+
+#slide(
+ title: [První boot],
+)[
+```console
+U-Boot 2022.10-rc4-OpenWrt-r16653+119-44ce70f0e2
+...
+Hit any key to stop autoboot: 0
+=> setenv boot_targets usb0 mmc0 nvme0 scsi0 pxe dhcp
+=> saveenv
+Saving Environment to SPIFlash... Erasing SPI flash...Writing to SPI flash...done
+OK
+=> boot
+```
+]
+
+#new-section-slide([Aktualizace])
+
+#focus-slide[
+#text(size: 35pt)[
+```bash
+nix flake init -t gitlab:cynerd/nixturris
+nix build .#tarball
+```
+]
+]
+
+#slide(title: [Nasazení])[
+```bash
+ nix build .#toplevel
+ nix copy --to root@192.168.1.142 $(readlink -f result)
+ readlink -f result
+ ```
+
+`ssh root@192.168.1.142`:
+#text(size: 24pt)[
+```bash
+ nix-env -p /nix/var/nix/profiles/system --set /nix/store/...
+ /nix/var/nix/profiles/system/bin/switch-to-configuration switch
+ ```
+]
+]
+
+#new-section-slide([Intermezzo])
+
+#slide(title: [Výhody])[
+ - Je to server nebo router? Aktualizuje se to stejně..
+ - Nastavení systému nebo monitoring všude stejné
+ - Plošné nasazení konfigurace a její aktualizace
+ - Spousta připraveného softwaru a jednotné balení pro Nix
+ - Aktualizace je skoro to samé jako čistá instalace
+ - ...
+]
+
+#slide(title: [Není to růžové])[
+ - Ne vše co je v Nixpkgs jde cross-zkompilovat
+ - Armv7l není oficiálně podporovaná platforma
+ - Turris Omnia aktuálně jen Linux kernel 6.1
+]
+
+#slide(title: [NixDeploy])[
+Nasazení na běžící systémy přes SSH z vývojářského PC s podporou
+cross-kompilace. ```bash
+ nix flake init -t gitlab:cynerd/nixdeploy
+ nix run . -- --help
+ nix run . laptop
+ ```
+]
+
+#new-section-slide([SystemD-NetworkD])
+
+#slide[
+```nix
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {};
+ ```
+]
+#slide(title: [Switch])[
+#text(size: 17pt)[
+```nix
+ systemd.network = {
+ netdevs = {
+ "brlan".netdevConfig = {Kind = "bridge"; Name = "brlan";};
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {DHCP = "yes"; IPv6AcceptRA = "yes";};
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0"; networkConfig.Bridge = "brlan";
+ };
+ };
+ };
+ ```
+]
+]
+
+#slide(title: [Router])[
+#text(size: 18pt)[
+```nix
+ systemd.network = {
+ netdevs."brlan".netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ networks."lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ };
+ wait-online.anyInterface = true;
+ };
+ ```
+]
+]
+#slide(title: [Router (end2 jako wan)])[
+#text(size: 17pt)[
+```nix
+systemd.network.networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes"; DHCPPrefixDelegation = "yes";
+ };
+ dhcpV6Config.PrefixDelegationHint = "::/56";
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+```
+]
+]
+#slide(title: [Router (brlan network)])[
+#text(size: 18pt)[
+```nix
+systemd.network.networks"brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {
+ Address = "192.168.4.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+};
+```
+]
+]
+#slide(
+ title: [Router (DHCP)],
+)[
+#text(
+ size: 18pt,
+)[
+```nix
+systemd.network.networks"brlan" = {
+ dhcpServerConfig = {
+ UplinkInterface = "end2";
+ PoolOffset = 100; PoolSize = 100;
+ EmitDNS = "yes"; DNS = "192.168.4.1";
+ };
+ dhcpServerStaticLeases = [
+ { dhcpServerStaticLeaseConfig =
+ { MACAddress = "a8:a1:59:10:32:c4"; Address = "192.168.4.20"; };
+ }
+ ];
+ dhcpPrefixDelegationConfig = {UplinkInterface = "end2"; Announce = "yes"; };
+};
+```
+]
+]
+#slide(
+ title: [Router (DNS, Firewall)],
+)[
+#text(
+ size: 17pt,
+)[
+```nix
+ services.resolved = {
+ enable = true;
+ fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ extraConfig = ''
+ DNSStubListenerExtra=192.168.4.1
+ '';
+ };
+ networking = {
+ firewall = {
+ interfaces."brlan" = {allowedUDPPorts = [53 67 68];};
+ filterForward = true;
+ };
+ nat = { enable = true; externalInterface = "end2"; internalInterfaces = ["brlan"]; };
+ };
+ ```
+]
+]
+
+#new-section-slide([Hostapd (Wi-Fi access point)])
+
+#slide(
+ title: [AR9287],
+)[
+#text(
+ size: 16pt,
+)[
+```nix
+services.hostapd = { enable = true;
+ radios = {
+ "wlp3s0" = {
+ channel = 7; countryCode = "CZ";
+ wifi4 = { enable = true;
+ inherit (lib.hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks."wlp3s0" = {
+ ssid = "NixOSInstallFest";
+ authentication = {
+ mode = "wpa2-sha256"; wpaPassword = "InstallFest2024";
+}; }; }; }; };
+systemd.network.networks = {
+ "lan-wlp3s0" = { matchConfig.Name = "wlp3s0"; networkConfig.Bridge = "brlan"; };
+};
+```
+]
+]
+
+#slide(
+ title: [QCA988x (Wi-Fi 5)],
+)[
+#text(
+ size: 16pt,
+)[
+```nix
+nixpkgs.config.allowUnfree = true;
+hardware.enableAllFirmware = true;
+services.hostapd.radios."wlp2s0" = {
+ channel = 36; band = "5g"; countryCode = "CZ";
+ wifi4 = { enable = true; inherit (lib.hostapd.qualcomAtherosQCA988x.wifi4) capabilities; };
+ wifi5 = { enable = true; inherit (lib.hostapd.qualcomAtherosQCA988x.wifi5) capabilities; };
+ networks."wlp2s0" = {
+ ssid = "NixOSInstallFest5";
+ authentication = { mode = "wpa2-sha256"; wpaPassword = "InstallFest2024"; };
+ };
+};
+systemd.network.networks = {
+ "lan-wlp2s0" = { matchConfig.Name = "wlp2s0"; networkConfig.Bridge = "brlan"; };
+};
+```
+]
+]
+
+#new-section-slide([Síť pro hosty])
+
+#slide(
+ title: [VLANy (brlan)],
+)[
+#text(
+ size: 16pt,
+)[
+```nix
+systemd.network.netdevs = {
+ "brlan" = { netdevConfig = { Kind = "bridge"; Name = "brlan"; };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ ''; };
+ "home" = { netdevConfig = { Kind = "vlan"; Name = "home"; }; vlanConfig.Id = 1; };
+ "guest" = { netdevConfig = { Kind = "vlan"; Name = "guest"; }; vlanConfig.Id = 2; };
+};
+systemd.network.networks."brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig.VLAN = ["home" "guest"];
+ bridgeVLANs = [ {bridgeVLANConfig.VLAN = 1;} {bridgeVLANConfig.VLAN = 2;} ];
+};
+```
+]
+]
+
+#slide(title: [VLANy (brlan)])[
+#text(size: 17pt)[
+```nix
+systemd.network.networks."lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+};
+```
+]
+]
+
+#slide(title: [VLANy (home a guest)])[
+#text(size: 16pt)[
+```nix
+systemd.network.networks = {
+ "home" = {
+ matchConfig.Name = "home";
+ networkConfig = {
+ Address = "192.168.4.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+...
+ "guest" = {
+ matchConfig.Name = "guest";
+ networkConfig = {
+ Address = "192.168.5.1/24";
+ IPForward = "yes";
+...
+};
+```
+]
+]
+
+#slide(
+ title: [VLANy (Wi-Fi)],
+)[
+#text(
+ size: 16pt,
+)[
+```nix
+services.hostapd.raios."wlp3s0".networks = {
+ "wlp3s0" = {
+ ssid = "Home"; bssid = "12:f0:21:23:2b:00";
+ authentication = { mode = "wpa2-sha256"; wpaPassword = "InstallFest2024"; }; };
+ "wlp3s0.guest" = {
+ ssid = "Guest"; bssid = "12:f0:21:23:2b:01"; authentication.mode = "none"; };
+};
+systemd.network.networks = {
+ "lan-wlp3s0" = {
+ matchConfig.Name = "wlp3s0"; networkConfig.Bridge = "brlan";
+ bridgeVLANs = [ { bridgeVLANConfig = { EgressUntagged = 1; PVID = 1; }; } ]; };
+ "lan-wlp3s0.guest" = {
+ matchConfig.Name = "wlp3s0.guest"; networkConfig.Bridge = "brlan";
+ bridgeVLANs = [ { bridgeVLANConfig = { EgressUntagged = 2; PVID = 2; }; } ]; };
+};
+```
+]
+]
+
+#new-section-slide([Další tipy])
+
+#slide(
+ title: [PPPoE],
+)[
+#text(
+ size: 16pt,
+)[
+```nix
+services.pppd = { enable = true; peers."wan".config = ''
+ plugin pppoe.so end2
+ ifname pppoe-wan
+ lcp-echo-interval 1
+ lcp-echo-failure 5
+ lcp-echo-adaptive
+ +ipv6
+ defaultroute
+ defaultroute6
+ usepeerdns
+ maxfail 1
+ user O2
+ password 02
+''; };
+systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"];
+```
+]
+]
+#slide(title: [PPPoE (network)])[
+#text(size: 19pt)[
+```nix
+systemd.network.networks."pppoe-wan" = {
+ matchConfig.Name = "pppoe-wan";
+ networkConfig = {
+ BindCarrier = "end2";
+ DHCP = "ipv6";
+ IPv6AcceptRA = "no";
+ DHCPPrefixDelegation = "yes";
+ };
+ ...
+};
+networking.firewall.extraForwardRules = ''
+ tcp flags syn tcp option maxseg size set rt mtu comment "MSS clamping"
+'';
+```
+]
+]
+#slide(
+ title: [PPPoE na VLANě],
+)[
+#text(
+ size: 19pt,
+)[
+```nix
+systemd.network = {
+ netdevs = {
+ "end2.848" = {
+ netdevConfig = { Kind = "vlan"; Name = "end2.848"; };
+ vlanConfig.Id = 848;
+ }; };
+ networks = {
+ "end2" = { matchConfig.Name = "end2"; networkConfig.VLAN = ["end2.848"]; };
+ "end2.848" = {
+ matchConfig.Name = "end2.848";
+ networkConfig.BindCarrier = "end2";
+ }; };
+```
+]
+]
+
+#slide(title: [Routable VPN - home])[
+#text(size: 19pt)[
+```nix
+networking.firewall = {
+ nftables.enable = true;
+ extraForwardRules = ''
+ iifname {"home", "vpn"} oifname {"home", "vpn"} accept
+ '';
+};
+```
+]
+]
+#slide(title: [Wi-Fi (problémy s připojením klientů])[
+```nix
+services.hostapd.radios."wlp3s0".networks."wlp3s0".settings = {
+ wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256
+ ieee80211w = 0;
+};
+```
+]
+#slide(title: [Firewall: Reject spam])[
+```nix
+networking.firewall.logRefusedConnections = false;
+```
+]
+#slide(title: [Omezení velikosti logů])[
+```nix
+services.journald.extraConfig = ''
+ SystemMaxUse=512M
+'';
+```
+]
+
+#slide(title: [Co dál?])[
+ - Dokumentace nastavení routeru na NixOS Wiki
+ - systemd-resolved a DNSSEC do sítě
+ - Podpora Turris Sentinel
+ - Šifrovaný root disk (atsha a mox-otp)
+ - Snazší nastavení pro routery
+]
+
+#focus-slide[
+ Děkuji za pozornost
+
+ Karel Kočí
+
+ https://gitlab.com/cynerd/nixturris
+
+ #text(size: 25pt)[https://git.cynerd.cz https://gitlab.com/cynerd]
+]
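Review bot: The Omnia preparation slide on L317 mounts `/dev/sdx` (the whole disk) instead of the partition created on L313 and formatted on L316; the Mox slide on L278 uses the partition correctly, so L317 should read `~$ mount /dev/sdx1 /mnt`, and L316 carries a stray leading space inside the console block. The Nix snippets on L471 and L492 are missing the dot in `systemd.network.networks."brlan"`, L663 has `raios` for `radios`, and L766 uses `mkForce` without `lib.`, so readers copying these slides will hit evaluation errors. The workaround slide on L763-L768 turns off 802.11w management-frame protection and SHA-256 key management for every client of that BSS; a one-line remark on the slide that this lowers the link's protection and should only be applied for legacy clients that need it would help the audience.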
diff --git a/2024-installfest/router-guest.nix b/2024-installfest/router-guest.nix
new file mode 100644
index 0000000..a3fd1ed
--- /dev/null
+++ b/2024-installfest/router-guest.nix
@@ -0,0 +1,148 @@
+{
+ systemd.network = {
+ netdevs = {
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ "home" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "home";
+ };
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
+ };
+ vlanConfig.Id = 2;
+ };
+ };
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ DHCPPrefixDelegation = "yes";
+ };
+ dhcpV6Config.PrefixDelegationHint = "::/56";
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig.VLAN = ["home" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "home" = {
+ matchConfig.Name = "home";
+ networkConfig = {
+ Address = "192.168.4.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = "end2";
+ PoolOffset = 100;
+ PoolSize = 100;
+ EmitDNS = "yes";
+ DNS = "192.168.4.1";
+ };
+ dhcpServerStaticLeases = [
+ {
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = "a8:a1:59:10:32:c4";
+ Address = "192.168.4.20";
+ };
+ }
+ ];
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = "end2";
+ Announce = "yes";
+ };
+ };
+ "guest" = {
+ matchConfig.Name = "guest";
+ networkConfig = {
+ Address = "192.168.5.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = "end2";
+ PoolOffset = 100;
+ PoolSize = 100;
+ EmitDNS = "yes";
+ DNS = "192.168.5.1";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = "end2";
+ Announce = "yes";
+ };
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ extraConfig = ''
+ DNSStubListenerExtra=192.168.4.1
+ DNSStubListenerExtra=192.168.5.1
+ '';
+ };
+
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ firewall = {
+ interfaces = {
+ "home" = {allowedUDPPorts = [53 67 68];};
+ "guest" = {allowedUDPPorts = [53 67 68];};
+ };
+ filterForward = true;
+ };
+ nat = {
+ enable = true;
+ externalInterface = "end2";
+ internalInterfaces = ["home" "guest"];
+ };
+ };
+}
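Review bot: The firewall block on L941-L947 never states the home/guest isolation that the VLAN split on L821-L834 exists for; with `filterForward = true` the nftables forward chain presumably only admits what the NAT rules allow toward `end2`, so guest→home traffic is dropped by the default policy, but that is implicit and would silently break if a permissive `extraForwardRules` were added later (the presentation's VPN slide does exactly that for home/vpn). Make the intent explicit above L946: `# filterForward keeps the forward chain default-deny: home and guest may reach end2 via NAT but not each other (IPv4 and the delegated IPv6 prefixes alike).` and check the resulting ruleset once on the device. The `home` and `guest` network attribute sets (L873-L924) differ only in address and DNS; a small helper function taking the /24 would remove the duplication and keep the two VLANs from drifting apart.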
diff --git a/2024-installfest/router.nix b/2024-installfest/router.nix
new file mode 100644
index 0000000..91fc6bf
--- /dev/null
+++ b/2024-installfest/router.nix
@@ -0,0 +1,84 @@
+{
+ systemd.network = {
+ netdevs = {
+ "brlan".netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ };
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ DHCPPrefixDelegation = "yes";
+ };
+ dhcpV6Config.PrefixDelegationHint = "::/56";
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {
+ Address = "192.168.4.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = "end2";
+ PoolOffset = 100;
+ PoolSize = 100;
+ EmitDNS = "yes";
+ DNS = "192.168.4.1";
+ };
+ dhcpServerStaticLeases = [
+ {
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = "a8:a1:59:10:32:c4";
+ Address = "192.168.4.20";
+ };
+ }
+ ];
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = "end2";
+ Announce = "yes";
+ };
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ extraConfig = ''
+ DNSStubListenerExtra=192.168.4.1
+ '';
+ };
+
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ firewall = {
+ interfaces."brlan" = {allowedUDPPorts = [53 67 68];};
+ filterForward = true;
+ };
+ nat = {
+ enable = true;
+ externalInterface = "end2";
+ internalInterfaces = ["brlan"];
+ };
+ };
+}
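Review bot: `networking.useDHCP` is left at its default here and in router-guest.nix, whereas switch.nix L1054 sets `useDHCP = false;`; with `useNetworkd = true` the default keeps NixOS's catch-all DHCP-client network for any ethernet interface not matched by the explicit `end2`/`lan*` networks, which presumably is harmless on a board whose ports are all covered but is worth pinning on a router. Add `useDHCP = false;` next to L1032 for parity with switch.nix. The static lease on L1005-L1006 hard-codes a MAC address from the author's own setup; a comment such as `# example host pinned to .20 — replace with your own device` would stop it being copied verbatim into other deployments.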
diff --git a/2024-installfest/switch.nix b/2024-installfest/switch.nix
new file mode 100644
index 0000000..fdd7647
--- /dev/null
+++ b/2024-installfest/switch.nix
@@ -0,0 +1,29 @@
+{
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ nftables.enable = true;
+ };
+
+ systemd.network = {
+ netdevs = {
+ "brlan".netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0";
+ networkConfig.Bridge = "brlan";
+ };
+ };
+ };
+}
diff --git a/2024-installfest/wifi-guest.nix b/2024-installfest/wifi-guest.nix
new file mode 100644
index 0000000..46c5817
--- /dev/null
+++ b/2024-installfest/wifi-guest.nix
@@ -0,0 +1,114 @@
+{lib, ...}: {
+ nixpkgs.config.allowUnfree = true;
+ hardware.enableAllFirmware = true;
+ boot.extraModprobeConfig = ''
+ options cfg80211 ieee80211_regdom="CZ"
+ '';
+ services.hostapd = {
+ enable = true;
+ radios = {
+ "wlp3s0" = {
+ channel = 7;
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks = {
+ "wlp3s0" = {
+ ssid = "NixOSInstallFest";
+ bssid = "12:f0:21:23:2b:00";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPassword = "InstallFest2024";
+ };
+ };
+ "wlp3s0.guest" = {
+ ssid = "NixOSInstallFest-guest";
+ bssid = "12:f0:21:23:2b:01";
+ authentication.mode = "none";
+ };
+ };
+ };
+ "wlp2s0" = {
+ channel = 36;
+ band = "5g";
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
+ };
+ networks = {
+ "wlp2s0" = {
+ ssid = "NixOSInstallFest5";
+ bssid = "12:f0:21:23:2b:02";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPassword = "InstallFest2024";
+ };
+ };
+ "wlp2s0.guest" = {
+ ssid = "NixOSInstallFest-guest";
+ bssid = "12:f0:21:23:2b:03";
+ authentication.mode = "none";
+ };
+ };
+ };
+ };
+ };
+
+ systemd.network.networks = {
+ "lan-wlp3s0" = {
+ matchConfig.Name = "wlp3s0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-wlp3s0.guest" = {
+ matchConfig.Name = "wlp3s0.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ "lan-wlp2s0" = {
+ matchConfig.Name = "wlp2s0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-wlp2s0.guest" = {
+ matchConfig.Name = "wlp2s0.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ };
+}
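Review bot: `wpaPassword` on L1108 and L1136 (likewise wifi.nix L1226/L1246) embeds the PSK in the Nix configuration, which ends up in the world-readable Nix store on the device and in this repository; the hostapd module's `wpaPasswordFile` reads the secret from a file at runtime instead, e.g. `authentication.wpaPasswordFile = "/path/to/psk";` (placeholder path). The guest BSSes on L1114 and L1142 use `authentication.mode = "none"`, i.e. an open network with no link-layer encryption, so guest traffic is observable over the air; if that is the intended setup a comment saying so is worthwhile, otherwise a separate WPA2 guest passphrase keeps the VLAN isolation meaningful at the radio layer. Note also that router-guest.nix only opens UDP 53/67/68 per interface, but any globally opened port (e.g. SSH via `services.openssh.openFirewall`) is reachable from the open SSID as well.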
diff --git a/2024-installfest/wifi.nix b/2024-installfest/wifi.nix
new file mode 100644
index 0000000..ae6531e
--- /dev/null
+++ b/2024-installfest/wifi.nix
@@ -0,0 +1,58 @@
+{lib, ...}: {
+ nixpkgs.config.allowUnfree = true;
+ hardware.enableAllFirmware = true;
+ boot.extraModprobeConfig = ''
+ options cfg80211 ieee80211_regdom="CZ"
+ '';
+ services.hostapd = {
+ enable = true;
+ radios = {
+ "wlp3s0" = {
+ channel = 7;
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks."wlp3s0" = {
+ ssid = "NixOSInstallFest";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPassword = "InstallFest2024";
+ };
+ };
+ };
+ "wlp2s0" = {
+ channel = 36;
+ band = "5g";
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
+ };
+ networks."wlp2s0" = {
+ ssid = "NixOSInstallFest5";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPassword = "InstallFest2024";
+ };
+ };
+ };
+ };
+ };
+
+ systemd.network.networks = {
+ "lan-wlp3s0" = {
+ matchConfig.Name = "wlp3s0";
+ networkConfig.Bridge = "brlan";
+ };
+ "lan-wlp2s0" = {
+ matchConfig.Name = "wlp2s0";
+ networkConfig.Bridge = "brlan";
+ };
+ };
+}