Diffstat (limited to '2024-installfest/pres.typ')
-rw-r--r--2024-installfest/pres.typ545
1 files changed, 545 insertions, 0 deletions
diff --git a/2024-installfest/pres.typ b/2024-installfest/pres.typ
new file mode 100644
index 0000000..7572ff4
--- /dev/null
+++ b/2024-installfest/pres.typ
@@ -0,0 +1,545 @@
+#import "@preview/polylux:0.3.1": *
+#import themes.metropolis: *
+#show: metropolis-theme
+#set text(size: 25pt)
+
+#title-slide(
+ title: [Instalace NixOS na Turris routery],
+ subtitle: [Installfest 2024],
+ author: [Karel Kočí],
+ date: [16.03.2024],
+)
+
+#new-section-slide([Instalace na Turris Mox])
+
+#slide(title: [Příprava SD karty])[
+```console
+~$ sudo parted /dev/mmcblk1
+(parted) mktable gpt
+(parted) mkpart NixTurris 0% 100%
+(parted) set 1 boot on
+(parted) quit
+~$ sudo mkfs.btrfs /dev/mmcblk1p1
+~$ mount /dev/mmcblk1p1 /mnt
+~$ tar -xf nixos-system-aarch64-linux.tar.xz -C /mnt
+~$ umount /mnt
+```
+]
+
+#slide(title: [U-Boot])[
+Nutné aktualizovat U-Boot: ```console
+~# opkg update
+~# opkg install turris-nor-update
+~# nor-update
+```
+]
+
+#slide(
+ title: [První boot],
+)[
+```console
+U-Boot 2022.07 (Aug 15 2022 - 12:25:08 +0000)
+...
+Hit any key to stop autoboot: 0
+=> setenv ramdisk_addr_r 0x9000000
+=> saveenv
+Saving Environment to SPIFlash... Erasing SPI flash...Writing to SPI flash...done
+OK
+=> boot
+```
+]
+
+#new-section-slide([Instalace na Turris Omnia])
+
+#slide(title: [Příprava USB flash disku])[
+```console
+~$ sudo parted /dev/sdx
+(parted) mktable gpt
+(parted) mkpart NixTurris 0% 100%
+(parted) set 1 boot on
+(parted) quit
+ ~$ sudo mkfs.btrfs /dev/sdx1
+~$ mount /dev/sdx /mnt
+~$ tar -xf nixos-system-armv7l-linux.tar.xz -C /mnt
+~$ umount /mnt
+```
+]
+
+#slide(title: [U-Boot])[
+Nutné aktualizovat U-Boot: ```console
+~# opkg update
+~# opkg install turris-nor-update
+~# nor-update
+```
+]
+
+#slide(
+ title: [První boot],
+)[
+```console
+U-Boot 2022.10-rc4-OpenWrt-r16653+119-44ce70f0e2
+...
+Hit any key to stop autoboot: 0
+=> setenv boot_targets usb0 mmc0 nvme0 scsi0 pxe dhcp
+=> saveenv
+Saving Environment to SPIFlash... Erasing SPI flash...Writing to SPI flash...done
+OK
+=> boot
+```
+]
+
+#new-section-slide([Aktualizace])
+
+#focus-slide[
+#text(size: 35pt)[
+```bash
+nix flake init -t gitlab:cynerd/nixturris
+nix build .#tarball
+```
+]
+]
+
+#slide(title: [Nasazení])[
+```bash
+ nix build .#toplevel
+ nix copy --to root@192.168.1.142 $(readlink -f result)
+ readlink -f result
+ ```
+
+`ssh root@192.168.1.142`:
+#text(size: 24pt)[
+```bash
+ nix-env -p /nix/var/nix/profiles/system --set /nix/store/...
+ /nix/var/nix/profiles/system/bin/switch-to-configuration switch
+ ```
+]
+]
+
+#new-section-slide([Intermezzo])
+
+#slide(title: [Výhody])[
+ - Je to server nebo router? Aktualizuje se to stejně..
+ - Nastavení systému nebo monitoring všude stejné
+ - Plošné nasazení konfigurace a její aktualizace
+ - Spousta připraveného softwaru a jednotné balení pro Nix
+ - Aktualizace je skoro to samé jako čistá instalace
+ - ...
+]
+
+#slide(title: [Není to růžové])[
+ - Ne vše co je v Nixpkgs jde cross-zkompilovat
+ - Armv7l není oficiálně podporovaná platforma
+ - Turris Omnia aktuálně jen Linux kernel 6.1
+]
+
+#slide(title: [NixDeploy])[
+Nasazení na běžící systémy přes SSH z vývojářského PC s podporou
+cross-kompilace. ```bash
+ nix flake init -t gitlab:cynerd/nixdeploy
+ nix run . -- --help
+ nix run . laptop
+ ```
+]
+
+#new-section-slide([SystemD-NetworkD])
+
+#slide[
+```nix
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {};
+ ```
+]
+#slide(title: [Switch])[
+#text(size: 17pt)[
+```nix
+ systemd.network = {
+ netdevs = {
+ "brlan".netdevConfig = {Kind = "bridge"; Name = "brlan";};
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {DHCP = "yes"; IPv6AcceptRA = "yes";};
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0"; networkConfig.Bridge = "brlan";
+ };
+ };
+ };
+ ```
+]
+]
+
+#slide(title: [Router])[
+#text(size: 18pt)[
+```nix
+ systemd.network = {
+ netdevs."brlan".netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ networks."lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ };
+ wait-online.anyInterface = true;
+ };
+ ```
+]
+]
+#slide(title: [Router (end2 jako wan)])[
+#text(size: 17pt)[
+```nix
+systemd.network.networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes"; DHCPPrefixDelegation = "yes";
+ };
+ dhcpV6Config.PrefixDelegationHint = "::/56";
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+```
+]
+]
+#slide(title: [Router (brlan network)])[
+#text(size: 18pt)[
+```nix
+systemd.network.networks"brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {
+ Address = "192.168.4.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+};
+```
+]
+]
+#slide(
+ title: [Router (DHCP)],
+)[
+#text(
+ size: 18pt,
+)[
+```nix
+systemd.network.networks"brlan" = {
+ dhcpServerConfig = {
+ UplinkInterface = "end2";
+ PoolOffset = 100; PoolSize = 100;
+ EmitDNS = "yes"; DNS = "192.168.4.1";
+ };
+ dhcpServerStaticLeases = [
+ { dhcpServerStaticLeaseConfig =
+ { MACAddress = "a8:a1:59:10:32:c4"; Address = "192.168.4.20"; };
+ }
+ ];
+ dhcpPrefixDelegationConfig = {UplinkInterface = "end2"; Announce = "yes"; };
+};
+```
+]
+]
+#slide(
+ title: [Router (DNS, Firewall)],
+)[
+#text(
+ size: 17pt,
+)[
+```nix
+ services.resolved = {
+ enable = true;
+ fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ extraConfig = ''
+ DNSStubListenerExtra=192.168.4.1
+ '';
+ };
+ networking = {
+ firewall = {
+ interfaces."brlan" = {allowedUDPPorts = [53 67 68];};
+ filterForward = true;
+ };
+ nat = { enable = true; externalInterface = "end2"; internalInterfaces = ["brlan"]; };
+ };
+ ```
+]
+]
+
+#new-section-slide([Hostapd (Wi-Fi access point)])
+
+#slide(
+ title: [AR9287],
+)[
+#text(
+ size: 16pt,
+)[
+```nix
+services.hostapd = { enable = true;
+ radios = {
+ "wlp3s0" = {
+ channel = 7; countryCode = "CZ";
+ wifi4 = { enable = true;
+ inherit (lib.hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks."wlp3s0" = {
+ ssid = "NixOSInstallFest";
+ authentication = {
+ mode = "wpa2-sha256"; wpaPassword = "InstallFest2024";
+}; }; }; }; };
+systemd.network.networks = {
+ "lan-wlp3s0" = { matchConfig.Name = "wlp3s0"; networkConfig.Bridge = "brlan"; };
+};
+```
+]
+]
+
+#slide(
+ title: [QCA988x (Wi-Fi 5)],
+)[
+#text(
+ size: 16pt,
+)[
+```nix
+nixpkgs.config.allowUnfree = true;
+hardware.enableAllFirmware = true;
+services.hostapd.radios."wlp2s0" = {
+ channel = 36; band = "5g"; countryCode = "CZ";
+ wifi4 = { enable = true; inherit (lib.hostapd.qualcomAtherosQCA988x.wifi4) capabilities; };
+ wifi5 = { enable = true; inherit (lib.hostapd.qualcomAtherosQCA988x.wifi5) capabilities; };
+ networks."wlp2s0" = {
+ ssid = "NixOSInstallFest5";
+ authentication = { mode = "wpa2-sha256"; wpaPassword = "InstallFest2024"; };
+ };
+};
+systemd.network.networks = {
+ "lan-wlp2s0" = { matchConfig.Name = "wlp2s0"; networkConfig.Bridge = "brlan"; };
+};
+```
+]
+]
+
+#new-section-slide([Síť pro hosty])
+
+#slide(
+ title: [VLANy (brlan)],
+)[
+#text(
+ size: 16pt,
+)[
+```nix
+systemd.network.netdevs = {
+ "brlan" = { netdevConfig = { Kind = "bridge"; Name = "brlan"; };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ ''; };
+ "home" = { netdevConfig = { Kind = "vlan"; Name = "home"; }; vlanConfig.Id = 1; };
+ "guest" = { netdevConfig = { Kind = "vlan"; Name = "guest"; }; vlanConfig.Id = 2; };
+};
+systemd.network.networks."brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig.VLAN = ["home" "guest"];
+ bridgeVLANs = [ {bridgeVLANConfig.VLAN = 1;} {bridgeVLANConfig.VLAN = 2;} ];
+};
+```
+]
+]
+
+#slide(title: [VLANy (brlan)])[
+#text(size: 17pt)[
+```nix
+systemd.network.networks."lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+};
+```
+]
+]
+
+#slide(title: [VLANy (home a guest)])[
+#text(size: 16pt)[
+```nix
+systemd.network.networks = {
+ "home" = {
+ matchConfig.Name = "home";
+ networkConfig = {
+ Address = "192.168.4.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+...
+ "guest" = {
+ matchConfig.Name = "guest";
+ networkConfig = {
+ Address = "192.168.5.1/24";
+ IPForward = "yes";
+...
+};
+```
+]
+]
+
+#slide(
+ title: [VLANy (Wi-Fi)],
+)[
+#text(
+ size: 16pt,
+)[
+```nix
+services.hostapd.raios."wlp3s0".networks = {
+ "wlp3s0" = {
+ ssid = "Home"; bssid = "12:f0:21:23:2b:00";
+ authentication = { mode = "wpa2-sha256"; wpaPassword = "InstallFest2024"; }; };
+ "wlp3s0.guest" = {
+ ssid = "Guest"; bssid = "12:f0:21:23:2b:01"; authentication.mode = "none"; };
+};
+systemd.network.networks = {
+ "lan-wlp3s0" = {
+ matchConfig.Name = "wlp3s0"; networkConfig.Bridge = "brlan";
+ bridgeVLANs = [ { bridgeVLANConfig = { EgressUntagged = 1; PVID = 1; }; } ]; };
+ "lan-wlp3s0.guest" = {
+ matchConfig.Name = "wlp3s0.guest"; networkConfig.Bridge = "brlan";
+ bridgeVLANs = [ { bridgeVLANConfig = { EgressUntagged = 2; PVID = 2; }; } ]; };
+};
+```
+]
+]
+
+#new-section-slide([Další tipy])
+
+#slide(
+ title: [PPPoE],
+)[
+#text(
+ size: 16pt,
+)[
+```nix
+services.pppd = { enable = true; peers."wan".config = ''
+ plugin pppoe.so end2
+ ifname pppoe-wan
+ lcp-echo-interval 1
+ lcp-echo-failure 5
+ lcp-echo-adaptive
+ +ipv6
+ defaultroute
+ defaultroute6
+ usepeerdns
+ maxfail 1
+ user O2
+ password 02
+''; };
+systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"];
+```
+]
+]
+#slide(title: [PPPoE (network)])[
+#text(size: 19pt)[
+```nix
+systemd.network.networks."pppoe-wan" = {
+ matchConfig.Name = "pppoe-wan";
+ networkConfig = {
+ BindCarrier = "end2";
+ DHCP = "ipv6";
+ IPv6AcceptRA = "no";
+ DHCPPrefixDelegation = "yes";
+ };
+ ...
+};
+networking.firewall.extraForwardRules = ''
+ tcp flags syn tcp option maxseg size set rt mtu comment "MSS clamping"
+'';
+```
+]
+]
+#slide(
+ title: [PPPoE na VLANě],
+)[
+#text(
+ size: 19pt,
+)[
+```nix
+systemd.network = {
+ netdevs = {
+ "end2.848" = {
+ netdevConfig = { Kind = "vlan"; Name = "end2.848"; };
+ vlanConfig.Id = 848;
+ }; };
+ networks = {
+ "end2" = { matchConfig.Name = "end2"; networkConfig.VLAN = ["end2.848"]; };
+ "end2.848" = {
+ matchConfig.Name = "end2.848";
+ networkConfig.BindCarrier = "end2";
+ }; };
+```
+]
+]
+
+#slide(title: [Routable VPN - home])[
+#text(size: 19pt)[
+```nix
+networking.firewall = {
+ nftables.enable = true;
+ extraForwardRules = ''
+ iifname {"home", "vpn"} oifname {"home", "vpn"} accept
+ '';
+};
+```
+]
+]
+#slide(title: [Wi-Fi (problémy s připojením klientů])[
+```nix
+services.hostapd.radios."wlp3s0".networks."wlp3s0".settings = {
+ wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256
+ ieee80211w = 0;
+};
+```
+]
+#slide(title: [Firewall: Reject spam])[
+```nix
+networking.firewall.logRefusedConnections = false;
+```
+]
+#slide(title: [Omezení velikosti logů])[
+```nix
+services.journald.extraConfig = ''
+ SystemMaxUse=512M
+'';
+```
+]
+
+#slide(title: [Co dál?])[
+ - Dokumentace nastavení routeru na NixOS Wiki
+ - systemd-resolved a DNSSEC do sítě
+ - Podpora Turris Sentinel
+ - Šifrovaný root disk (atsha a mox-otp)
+ - Snazší nastavení pro routery
+]
+
+#focus-slide[
+ Děkuji za pozornost
+
+ Karel Kočí
+
+ https://gitlab.com/cynerd/nixturris
+
+ #text(size: 25pt)[https://git.cynerd.cz https://gitlab.com/cynerd]
+]
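Review bot: The "PPPoE" slide puts the ISP credentials (`user O2` / `password 02`) inside `services.pppd.peers."wan".config`, and the hostapd slides put `wpaPassword = "InstallFest2024"` inline; NixOS renders both strings into files in the world-readable Nix store, so any local user on the router can read them. For hostapd the module's `authentication.wpaPasswordFile` (or `wpaPskFile`) keeps the passphrase out of the store, and pppd can take the credentials from `/etc/ppp/pap-secrets` / `chap-secrets` rather than the peer file. Separately, `services.hostapd.raios."wlp3s0"` on the "VLANy (Wi-Fi)" slide should be `radios`, and `systemd.network.networks"brlan"` on the "Router (brlan network)" and "Router (DHCP)" slides is missing the `.` before the attribute name, so those snippets would not evaluate as shown. On the Omnia "Příprava USB flash disku" slide `mount /dev/sdx /mnt` mounts the whole disk rather than the partition just formatted; the Mox slide mounts `/dev/mmcblk1p1`, so this should read `mount /dev/sdx1 /mnt`. The "Wi-Fi (problémy s připojením klientů" slide title is also missing its closing parenthesis.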