From 7cd40525ff19d9adb6a7540e16a27c955cb1c517 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Sat, 16 Mar 2024 14:12:11 +0100 Subject: Add presentation from Installfest 2024 --- 2024-installfest/configuration.nix | 18 ++ 2024-installfest/flake.lock | 112 ++++++++ 2024-installfest/flake.nix | 42 +++ 2024-installfest/mox.nix | 6 + 2024-installfest/omnia.nix | 6 + 2024-installfest/pres.pdf | Bin 0 -> 106838 bytes 2024-installfest/pres.typ | 545 +++++++++++++++++++++++++++++++++++++ 2024-installfest/router-guest.nix | 148 ++++++++++ 2024-installfest/router.nix | 84 ++++++ 2024-installfest/switch.nix | 29 ++ 2024-installfest/wifi-guest.nix | 114 ++++++++ 2024-installfest/wifi.nix | 58 ++++ 12 files changed, 1162 insertions(+) create mode 100644 2024-installfest/configuration.nix create mode 100644 2024-installfest/flake.lock create mode 100644 2024-installfest/flake.nix create mode 100644 2024-installfest/mox.nix create mode 100644 2024-installfest/omnia.nix create mode 100644 2024-installfest/pres.pdf create mode 100644 2024-installfest/pres.typ create mode 100644 2024-installfest/router-guest.nix create mode 100644 2024-installfest/router.nix create mode 100644 2024-installfest/switch.nix create mode 100644 2024-installfest/wifi-guest.nix create mode 100644 2024-installfest/wifi.nix
diff --git a/2024-installfest/configuration.nix b/2024-installfest/configuration.nix
new file mode 100644
index 0000000..1950e6e
--- /dev/null
+++ b/2024-installfest/configuration.nix
@@ -0,0 +1,18 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ users.users.root.password = lib.mkDefault "nixturris";
+ environment.systemPackages = with pkgs; [
+ htop
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = true;
+ PermitRootLogin = "yes";
+ };
+ };
+}
diff --git a/2024-installfest/flake.lock b/2024-installfest/flake.lock
new file mode 100644
index 0000000..a73f66a
--- /dev/null
+++ b/2024-installfest/flake.lock
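Review bot: `PermitRootLogin = "yes"` together with `PasswordAuthentication = true` and the `mkDefault "nixturris"` root password means every image built from this flake accepts root SSH logins with a password that is also printed in the slides, and the cleartext `users.users.root.password` value ends up in the world-readable Nix store of the device. For a demo image this is presumably intended, but `flake.nix` pulls this module into both `omnia` and `mox`, so it should at least be marked: `# demo-only: known root password and password SSH login; replace with initialHashedPassword + authorizedKeys before exposing the box`. A default that keeps the first-login convenience without the permanent exposure is `users.users.root.initialPassword` (applied only when the account is created) plus `PermitRootLogin = "prohibit-password"` once `users.users.root.openssh.authorizedKeys.keys` is populated.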
@@ -0,0 +1,112 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1710503106, + "narHash": "sha256-WQenjcuNH9cnEYqh/PFxpmjK9PQnEPGt1Z7TCfYBhXs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b1d47989352fcb722a1f19295a9461ed1ef8435a", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixturris": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1710278775, + "narHash": "sha256-4kwVKv2Wrus6kNka/XtcrpYx1hemORAiv0wchoMxEvM=", + "owner": "cynerd", + "repo": "nixturris", + "rev": "b6f0fe38003fe22c2a0b94ac660e6063bb6f67b9", + "type": "gitlab" + }, + "original": { + "owner": "cynerd", + "repo": "nixturris", + "type": "gitlab" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "nixturris": "nixturris" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + 
"lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/2024-installfest/flake.nix b/2024-installfest/flake.nix new file mode 100644 index 0000000..4cce0a8 --- /dev/null +++ b/2024-installfest/flake.nix @@ -0,0 +1,42 @@ +{ + description = "NixOS configuration for Turris system"; + + inputs.nixturris = { + url = "gitlab:cynerd/nixturris"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = { + self, + flake-utils, + nixpkgs, + nixturris, + }: let + inherit (flake-utils.lib) eachDefaultSystem; + inherit (nixturris.lib) nixturrisSystem; + in + { + nixosConfigurations = { + omnia = nixturrisSystem { + modules = [./omnia.nix ./configuration.nix]; + }; + mox = nixturrisSystem { + modules = [./mox.nix ./configuration.nix]; + }; + }; + } + // eachDefaultSystem (system: { + packages = { + omnia-toplevel = + self.nixosConfigurations.omnia.buildPlatform.${system}.config.system.build.toplevel; + mox-toplevel = + self.nixosConfigurations.mox.buildPlatform.${system}.config.system.build.toplevel; + omnia-tarball = + self.nixosConfigurations.omnia.buildPlatform.${system}.config.system.build.tarball; + mox-tarball = + self.nixosConfigurations.mox.buildPlatform.${system}.config.system.build.tarball; + }; + + formatter = nixpkgs.legacyPackages.${system}.alejandra; + }); +} diff --git a/2024-installfest/mox.nix b/2024-installfest/mox.nix new file mode 100644 index 0000000..f97f84a --- /dev/null +++ b/2024-installfest/mox.nix @@ -0,0 +1,6 @@ +{ + #imports = [./switch.nix]; + config = { + turris.board = "mox"; + }; +} diff --git a/2024-installfest/omnia.nix b/2024-installfest/omnia.nix new file mode 100644 index 0000000..7c4a7b3 --- /dev/null +++ b/2024-installfest/omnia.nix 
@@ -0,0 +1,6 @@
+{
+ #imports = [./router.nix ./wifi.nix];
+ config = {
+ turris.board = "omnia";
+ };
+}
diff --git a/2024-installfest/pres.pdf b/2024-installfest/pres.pdf
new file mode 100644
index 0000000..ea88d38
Binary files /dev/null and b/2024-installfest/pres.pdf differ
diff --git a/2024-installfest/pres.typ b/2024-installfest/pres.typ
new file mode 100644
index 0000000..7572ff4
--- /dev/null
+++ b/2024-installfest/pres.typ
@@ -0,0 +1,545 @@ +#import "@preview/polylux:0.3.1": * +#import themes.metropolis: * +#show: metropolis-theme +#set text(size: 25pt) + +#title-slide( + title: [Instalace NixOS na Turris routery], + subtitle: [Installfest 2024], + author: [Karel Kočí], + date: [16.03.2024], +) + +#new-section-slide([Instalace na Turris Mox]) + +#slide(title: [Příprava SD karty])[ +```console +~$ sudo parted /dev/mmcblk1 +(parted) mktable gpt +(parted) mkpart NixTurris 0% 100% +(parted) set 1 boot on +(parted) quit +~$ sudo mkfs.btrfs /dev/mmcblk1p1 +~$ mount /dev/mmcblk1p1 /mnt +~$ tar -xf nixos-system-aarch64-linux.tar.xz -C /mnt +~$ umount /mnt +``` +] + +#slide(title: [U-Boot])[ +Nutné aktualizovat U-Boot: ```console +~# opkg update +~# opkg install turris-nor-update +~# nor-update +``` +] + +#slide( + title: [První boot], +)[ +```console +U-Boot 2022.07 (Aug 15 2022 - 12:25:08 +0000) +... +Hit any key to stop autoboot: 0 +=> setenv ramdisk_addr_r 0x9000000 +=> saveenv +Saving Environment to SPIFlash... Erasing SPI flash...Writing to SPI flash...done +OK +=> boot +``` +] + +#new-section-slide([Instalace na Turris Omnia]) + +#slide(title: [Příprava USB flash disku])[ +```console +~$ sudo parted /dev/sdx +(parted) mktable gpt +(parted) mkpart NixTurris 0% 100% +(parted) set 1 boot on +(parted) quit + ~$ sudo mkfs.btrfs /dev/sdx1 +~$ mount /dev/sdx /mnt +~$ tar -xf nixos-system-armv7l-linux.tar.xz -C /mnt +~$ umount /mnt +``` +] + +#slide(title: [U-Boot])[ +Nutné aktualizovat U-Boot: ```console +~# opkg update +~# opkg install turris-nor-update +~# nor-update +``` +] + +#slide( + title: [První boot], +)[ +```console +U-Boot 2022.10-rc4-OpenWrt-r16653+119-44ce70f0e2 +... +Hit any key to stop autoboot: 0 +=> setenv boot_targets usb0 mmc0 nvme0 scsi0 pxe dhcp +=> saveenv +Saving Environment to SPIFlash... 
Erasing SPI flash...Writing to SPI flash...done +OK +=> boot +``` +] + +#new-section-slide([Aktualizace]) + +#focus-slide[ +#text(size: 35pt)[ +```bash +nix flake init -t gitlab:cynerd/nixturris +nix build .#tarball +``` +] +] + +#slide(title: [Nasazení])[ +```bash + nix build .#toplevel + nix copy --to root@192.168.1.142 $(readlink -f result) + readlink -f result + ``` + +`ssh root@192.168.1.142`: +#text(size: 24pt)[ +```bash + nix-env -p /nix/var/nix/profiles/system --set /nix/store/... + /nix/var/nix/profiles/system/bin/switch-to-configuration switch + ``` +] +] + +#new-section-slide([Intermezzo]) + +#slide(title: [Výhody])[ + - Je to server nebo router? Aktualizuje se to stejně.. + - Nastavení systému nebo monitoring všude stejné + - Plošné nasazení konfigurace a její aktualizace + - Spousta připraveného softwaru a jednotné balení pro Nix + - Aktualizace je skoro to samé jako čistá instalace + - ... +] + +#slide(title: [Není to růžové])[ + - Ne vše co je v Nixpkgs jde cross-zkompilovat + - Armv7l není oficiálně podporovaná platforma + - Turris Omnia aktuálně jen Linux kernel 6.1 +] + +#slide(title: [NixDeploy])[ +Nasazení na běžící systémy přes SSH z vývojářského PC s podporou +cross-kompilace. ```bash + nix flake init -t gitlab:cynerd/nixdeploy + nix run . -- --help + nix run . 
laptop + ``` +] + +#new-section-slide([SystemD-NetworkD]) + +#slide[ +```nix + networking = { + useNetworkd = true; + useDHCP = false; + }; + systemd.network = {}; + ``` +] +#slide(title: [Switch])[ +#text(size: 17pt)[ +```nix + systemd.network = { + netdevs = { + "brlan".netdevConfig = {Kind = "bridge"; Name = "brlan";}; + }; + networks = { + "brlan" = { + matchConfig.Name = "brlan"; + networkConfig = {DHCP = "yes"; IPv6AcceptRA = "yes";}; + }; + "lan-brlan" = { + matchConfig.Name = "lan* end0"; networkConfig.Bridge = "brlan"; + }; + }; + }; + ``` +] +] + +#slide(title: [Router])[ +#text(size: 18pt)[ +```nix + systemd.network = { + netdevs."brlan".netdevConfig = { + Kind = "bridge"; + Name = "brlan"; + }; + networks."lan-brlan" = { + matchConfig.Name = "lan*"; + networkConfig.Bridge = "brlan"; + }; + wait-online.anyInterface = true; + }; + ``` +] +] +#slide(title: [Router (end2 jako wan)])[ +#text(size: 17pt)[ +```nix +systemd.network.networks = { + "end2" = { + matchConfig.Name = "end2"; + networkConfig = { + DHCP = "yes"; + IPv6AcceptRA = "yes"; DHCPPrefixDelegation = "yes"; + }; + dhcpV6Config.PrefixDelegationHint = "::/56"; + dhcpPrefixDelegationConfig = { + UplinkInterface = ":self"; + Announce = "no"; + }; + linkConfig.RequiredForOnline = "routable"; + }; +``` +] +] +#slide(title: [Router (brlan network)])[ +#text(size: 18pt)[ +```nix +systemd.network.networks"brlan" = { + matchConfig.Name = "brlan"; + networkConfig = { + Address = "192.168.4.1/24"; + IPForward = "yes"; + DHCPServer = "yes"; + DHCPPrefixDelegation = "yes"; + IPv6SendRA = "yes"; + IPv6AcceptRA = "no"; + }; +}; +``` +] +] +#slide( + title: [Router (DHCP)], +)[ +#text( + size: 18pt, +)[ +```nix +systemd.network.networks"brlan" = { + dhcpServerConfig = { + UplinkInterface = "end2"; + PoolOffset = 100; PoolSize = 100; + EmitDNS = "yes"; DNS = "192.168.4.1"; + }; + dhcpServerStaticLeases = [ + { dhcpServerStaticLeaseConfig = + { MACAddress = "a8:a1:59:10:32:c4"; Address = "192.168.4.20"; }; + } + 
]; + dhcpPrefixDelegationConfig = {UplinkInterface = "end2"; Announce = "yes"; }; +}; +``` +] +] +#slide( + title: [Router (DNS, Firewall)], +)[ +#text( + size: 17pt, +)[ +```nix + services.resolved = { + enable = true; + fallbackDns = ["1.1.1.1" "8.8.8.8"]; + extraConfig = '' + DNSStubListenerExtra=192.168.4.1 + ''; + }; + networking = { + firewall = { + interfaces."brlan" = {allowedUDPPorts = [53 67 68];}; + filterForward = true; + }; + nat = { enable = true; externalInterface = "end2"; internalInterfaces = ["brlan"]; }; + }; + ``` +] +] + +#new-section-slide([Hostapd (Wi-Fi access point)]) + +#slide( + title: [AR9287], +)[ +#text( + size: 16pt, +)[ +```nix +services.hostapd = { enable = true; + radios = { + "wlp3s0" = { + channel = 7; countryCode = "CZ"; + wifi4 = { enable = true; + inherit (lib.hostapd.qualcomAtherosAR9287.wifi4) capabilities; + }; + networks."wlp3s0" = { + ssid = "NixOSInstallFest"; + authentication = { + mode = "wpa2-sha256"; wpaPassword = "InstallFest2024"; +}; }; }; }; }; +systemd.network.networks = { + "lan-wlp3s0" = { matchConfig.Name = "wlp3s0"; networkConfig.Bridge = "brlan"; }; +}; +``` +] +] + +#slide( + title: [QCA988x (Wi-Fi 5)], +)[ +#text( + size: 16pt, +)[ +```nix +nixpkgs.config.allowUnfree = true; +hardware.enableAllFirmware = true; +services.hostapd.radios."wlp2s0" = { + channel = 36; band = "5g"; countryCode = "CZ"; + wifi4 = { enable = true; inherit (lib.hostapd.qualcomAtherosQCA988x.wifi4) capabilities; }; + wifi5 = { enable = true; inherit (lib.hostapd.qualcomAtherosQCA988x.wifi5) capabilities; }; + networks."wlp2s0" = { + ssid = "NixOSInstallFest5"; + authentication = { mode = "wpa2-sha256"; wpaPassword = "InstallFest2024"; }; + }; +}; +systemd.network.networks = { + "lan-wlp2s0" = { matchConfig.Name = "wlp2s0"; networkConfig.Bridge = "brlan"; }; +}; +``` +] +] + +#new-section-slide([Síť pro hosty]) + +#slide( + title: [VLANy (brlan)], +)[ +#text( + size: 16pt, +)[ +```nix +systemd.network.netdevs = { + "brlan" = { 
netdevConfig = { Kind = "bridge"; Name = "brlan"; }; + extraConfig = '' + [Bridge] + DefaultPVID=none + VLANFiltering=yes + ''; }; + "home" = { netdevConfig = { Kind = "vlan"; Name = "home"; }; vlanConfig.Id = 1; }; + "guest" = { netdevConfig = { Kind = "vlan"; Name = "guest"; }; vlanConfig.Id = 2; }; +}; +systemd.network.networks."brlan" = { + matchConfig.Name = "brlan"; + networkConfig.VLAN = ["home" "guest"]; + bridgeVLANs = [ {bridgeVLANConfig.VLAN = 1;} {bridgeVLANConfig.VLAN = 2;} ]; +}; +``` +] +] + +#slide(title: [VLANy (brlan)])[ +#text(size: 17pt)[ +```nix +systemd.network.networks."lan-brlan" = { + matchConfig.Name = "lan*"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; +}; +``` +] +] + +#slide(title: [VLANy (home a guest)])[ +#text(size: 16pt)[ +```nix +systemd.network.networks = { + "home" = { + matchConfig.Name = "home"; + networkConfig = { + Address = "192.168.4.1/24"; + IPForward = "yes"; + DHCPServer = "yes"; +... + "guest" = { + matchConfig.Name = "guest"; + networkConfig = { + Address = "192.168.5.1/24"; + IPForward = "yes"; +... 
+}; +``` +] +] + +#slide( + title: [VLANy (Wi-Fi)], +)[ +#text( + size: 16pt, +)[ +```nix +services.hostapd.raios."wlp3s0".networks = { + "wlp3s0" = { + ssid = "Home"; bssid = "12:f0:21:23:2b:00"; + authentication = { mode = "wpa2-sha256"; wpaPassword = "InstallFest2024"; }; }; + "wlp3s0.guest" = { + ssid = "Guest"; bssid = "12:f0:21:23:2b:01"; authentication.mode = "none"; }; +}; +systemd.network.networks = { + "lan-wlp3s0" = { + matchConfig.Name = "wlp3s0"; networkConfig.Bridge = "brlan"; + bridgeVLANs = [ { bridgeVLANConfig = { EgressUntagged = 1; PVID = 1; }; } ]; }; + "lan-wlp3s0.guest" = { + matchConfig.Name = "wlp3s0.guest"; networkConfig.Bridge = "brlan"; + bridgeVLANs = [ { bridgeVLANConfig = { EgressUntagged = 2; PVID = 2; }; } ]; }; +}; +``` +] +] + +#new-section-slide([Další tipy]) + +#slide( + title: [PPPoE], +)[ +#text( + size: 16pt, +)[ +```nix +services.pppd = { enable = true; peers."wan".config = '' + plugin pppoe.so end2 + ifname pppoe-wan + lcp-echo-interval 1 + lcp-echo-failure 5 + lcp-echo-adaptive + +ipv6 + defaultroute + defaultroute6 + usepeerdns + maxfail 1 + user O2 + password 02 +''; }; +systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"]; +``` +] +] +#slide(title: [PPPoE (network)])[ +#text(size: 19pt)[ +```nix +systemd.network.networks."pppoe-wan" = { + matchConfig.Name = "pppoe-wan"; + networkConfig = { + BindCarrier = "end2"; + DHCP = "ipv6"; + IPv6AcceptRA = "no"; + DHCPPrefixDelegation = "yes"; + }; + ... 
+}; +networking.firewall.extraForwardRules = '' + tcp flags syn tcp option maxseg size set rt mtu comment "MSS clamping" +''; +``` +] +] +#slide( + title: [PPPoE na VLANě], +)[ +#text( + size: 19pt, +)[ +```nix +systemd.network = { + netdevs = { + "end2.848" = { + netdevConfig = { Kind = "vlan"; Name = "end2.848"; }; + vlanConfig.Id = 848; + }; }; + networks = { + "end2" = { matchConfig.Name = "end2"; networkConfig.VLAN = ["end2.848"]; }; + "end2.848" = { + matchConfig.Name = "end2.848"; + networkConfig.BindCarrier = "end2"; + }; }; +``` +] +] + +#slide(title: [Routable VPN - home])[ +#text(size: 19pt)[ +```nix +networking.firewall = { + nftables.enable = true; + extraForwardRules = '' + iifname {"home", "vpn"} oifname {"home", "vpn"} accept + ''; +}; +``` +] +] +#slide(title: [Wi-Fi (problémy s připojením klientů])[ +```nix +services.hostapd.radios."wlp3s0".networks."wlp3s0".settings = { + wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256 + ieee80211w = 0; +}; +``` +] +#slide(title: [Firewall: Reject spam])[ +```nix +networking.firewall.logRefusedConnections = false; +``` +] +#slide(title: [Omezení velikosti logů])[ +```nix +services.journald.extraConfig = '' + SystemMaxUse=512M +''; +``` +] + +#slide(title: [Co dál?])[ + - Dokumentace nastavení routeru na NixOS Wiki + - systemd-resolved a DNSSEC do sítě + - Podpora Turris Sentinel + - Šifrovaný root disk (atsha a mox-otp) + - Snazší nastavení pro routery +] + +#focus-slide[ + Děkuji za pozornost + + Karel Kočí + + https://gitlab.com/cynerd/nixturris + + #text(size: 25pt)[https://git.cynerd.cz https://gitlab.com/cynerd] +] diff --git a/2024-installfest/router-guest.nix b/2024-installfest/router-guest.nix new file mode 100644 index 0000000..a3fd1ed --- /dev/null +++ b/2024-installfest/router-guest.nix 
@@ -0,0 +1,148 @@
+{
+ systemd.network = {
+ netdevs = {
+ "brlan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ "home" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "home";
+ };
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
+ };
+ vlanConfig.Id = 2;
+ };
+ };
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ DHCPPrefixDelegation = "yes";
+ };
+ dhcpV6Config.PrefixDelegationHint = "::/56";
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig.VLAN = ["home" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "home" = {
+ matchConfig.Name = "home";
+ networkConfig = {
+ Address = "192.168.4.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = "end2";
+ PoolOffset = 100;
+ PoolSize = 100;
+ EmitDNS = "yes";
+ DNS = "192.168.4.1";
+ };
+ dhcpServerStaticLeases = [
+ {
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = "a8:a1:59:10:32:c4";
+ Address = "192.168.4.20";
+ };
+ }
+ ];
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = "end2";
+ Announce = "yes";
+ };
+ };
+ "guest" = {
+ matchConfig.Name = "guest";
+ networkConfig = {
+ Address = "192.168.5.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface 
= "end2"; + PoolOffset = 100; + PoolSize = 100; + EmitDNS = "yes"; + DNS = "192.168.5.1"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = "end2"; + Announce = "yes"; + }; + }; + }; + wait-online.anyInterface = true; + }; + + services.resolved = { + enable = true; + fallbackDns = ["1.1.1.1" "8.8.8.8"]; + extraConfig = '' + DNSStubListenerExtra=192.168.4.1 + DNSStubListenerExtra=192.168.5.1 + ''; + }; + + networking = { + useNetworkd = true; + nftables.enable = true; + firewall = { + interfaces = { + "home" = {allowedUDPPorts = [53 67 68];}; + "guest" = {allowedUDPPorts = [53 67 68];}; + }; + filterForward = true; + }; + nat = { + enable = true; + externalInterface = "end2"; + internalInterfaces = ["home" "guest"]; + }; + }; +} diff --git a/2024-installfest/router.nix b/2024-installfest/router.nix new file mode 100644 index 0000000..91fc6bf --- /dev/null +++ b/2024-installfest/router.nix 
@@ -0,0 +1,84 @@
+{
+ systemd.network = {
+ netdevs = {
+ "brlan".netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ };
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ DHCPPrefixDelegation = "yes";
+ };
+ dhcpV6Config.PrefixDelegationHint = "::/56";
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {
+ Address = "192.168.4.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = "end2";
+ PoolOffset = 100;
+ PoolSize = 100;
+ EmitDNS = "yes";
+ DNS = "192.168.4.1";
+ };
+ dhcpServerStaticLeases = [
+ {
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = "a8:a1:59:10:32:c4";
+ Address = "192.168.4.20";
+ };
+ }
+ ];
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = "end2";
+ Announce = "yes";
+ };
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ extraConfig = ''
+ DNSStubListenerExtra=192.168.4.1
+ '';
+ };
+
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ firewall = {
+ interfaces."brlan" = {allowedUDPPorts = [53 67 68];};
+ filterForward = true;
+ };
+ nat = {
+ enable = true;
+ externalInterface = "end2";
+ internalInterfaces = ["brlan"];
+ };
+ };
+}
diff --git a/2024-installfest/switch.nix b/2024-installfest/switch.nix
new file mode 100644
index 0000000..fdd7647
--- /dev/null
+++ b/2024-installfest/switch.nix
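Review bot: `networking.useDHCP` is left at its default here, whereas `switch.nix` sets `useDHCP = false;` next to `useNetworkd = true;`; without it NixOS presumably still generates its catch-all DHCP `.network` unit for physical ethernet interfaces, which may claim any port that neither `lan*` nor `end2` matches. Adding `useDHCP = false;` to the `networking` block keeps this module consistent with `switch.nix`, and `router-guest.nix` has the same omission. The static lease for `a8:a1:59:10:32:c4` at `192.168.4.20` is repeated verbatim in `router-guest.nix` and carries no hint of which host it is; a comment such as `# example reservation for a known client, replace with your own` would stop it being copied into real deployments unchanged.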
@@ -0,0 +1,29 @@
+{
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ nftables.enable = true;
+ };
+
+ systemd.network = {
+ netdevs = {
+ "brlan".netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0";
+ networkConfig.Bridge = "brlan";
+ };
+ };
+ };
+}
diff --git a/2024-installfest/wifi-guest.nix b/2024-installfest/wifi-guest.nix
new file mode 100644
index 0000000..46c5817
--- /dev/null
+++ b/2024-installfest/wifi-guest.nix
@@ -0,0 +1,114 @@
+{lib, ...}: {
+ nixpkgs.config.allowUnfree = true;
+ hardware.enableAllFirmware = true;
+ boot.extraModprobeConfig = ''
+ options cfg80211 ieee80211_regdom="CZ"
+ '';
+ services.hostapd = {
+ enable = true;
+ radios = {
+ "wlp3s0" = {
+ channel = 7;
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks = {
+ "wlp3s0" = {
+ ssid = "NixOSInstallFest";
+ bssid = "12:f0:21:23:2b:00";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPassword = "InstallFest2024";
+ };
+ };
+ "wlp3s0.guest" = {
+ ssid = "NixOSInstallFest-guest";
+ bssid = "12:f0:21:23:2b:01";
+ authentication.mode = "none";
+ };
+ };
+ };
+ "wlp2s0" = {
+ channel = 36;
+ band = "5g";
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
+ };
+ networks = {
+ "wlp2s0" = {
+ ssid = "NixOSInstallFest5";
+ bssid = "12:f0:21:23:2b:02";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPassword = "InstallFest2024";
+ };
+ };
+ "wlp2s0.guest" = {
+ ssid = "NixOSInstallFest-guest";
+ bssid = "12:f0:21:23:2b:03";
+ authentication.mode = "none";
+ };
+ };
+ };
+ };
+ };
+
+ systemd.network.networks = {
+ "lan-wlp3s0" = {
+ matchConfig.Name = "wlp3s0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-wlp3s0.guest" = {
+ matchConfig.Name = "wlp3s0.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ "lan-wlp2s0" = {
+ matchConfig.Name = "wlp2s0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ ];
+ };
+ "lan-wlp2s0.guest" = {
+ matchConfig.Name = "wlp2s0.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = 
[
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ };
+}
diff --git a/2024-installfest/wifi.nix b/2024-installfest/wifi.nix
new file mode 100644
index 0000000..ae6531e
--- /dev/null
+++ b/2024-installfest/wifi.nix
@@ -0,0 +1,58 @@
+{lib, ...}: {
+ nixpkgs.config.allowUnfree = true;
+ hardware.enableAllFirmware = true;
+ boot.extraModprobeConfig = ''
+ options cfg80211 ieee80211_regdom="CZ"
+ '';
+ services.hostapd = {
+ enable = true;
+ radios = {
+ "wlp3s0" = {
+ channel = 7;
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks."wlp3s0" = {
+ ssid = "NixOSInstallFest";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPassword = "InstallFest2024";
+ };
+ };
+ };
+ "wlp2s0" = {
+ channel = 36;
+ band = "5g";
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = true;
+ inherit (lib.hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
+ };
+ networks."wlp2s0" = {
+ ssid = "NixOSInstallFest5";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPassword = "InstallFest2024";
+ };
+ };
+ };
+ };
+ };
+
+ systemd.network.networks = {
+ "lan-wlp3s0" = {
+ matchConfig.Name = "wlp3s0";
+ networkConfig.Bridge = "brlan";
+ };
+ "lan-wlp2s0" = {
+ matchConfig.Name = "wlp2s0";
+ networkConfig.Bridge = "brlan";
+ };
+ };
+}
-- cgit v1.2.3
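Review bot: `wpaPassword = "InstallFest2024"` is rendered into the hostapd configuration derivation, so the passphrase sits in the world-readable Nix store on the router; the module provides `authentication.wpaPasswordFile` for exactly this case, and the same applies to both networks in `wifi.nix`. The open BSSes (`authentication.mode = "none"` on `wlp3s0.guest` and `wlp2s0.guest`) are kept away from the home VLAN only by the `bridgeVLANs` entries below together with the forward filtering in `router-guest.nix`, yet guest clients can still talk to each other on the AP; `settings.ap_isolate = 1;` on the two guest networks closes that, matching the `settings` form the slides already use. A one-line comment on the `bssid` values noting that they are locally administered addresses chosen so each BSS on a radio is distinct would save the next reader from treating them as hardware MACs.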
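Review bot: `nixpkgs.config.allowUnfree = true;` and `hardware.enableAllFirmware = true;` at the top of `wifi.nix` toggle unfree packages system-wide with no comment saying why a Wi-Fi module needs them; presumably it is the QCA988x firmware for `wlp2s0`, and a comment such as `# firmware for the QCA988x (wlp2s0) is unfree` would keep the next reader from dropping the setting. The `boot.extraModprobeConfig` regulatory-domain line duplicates `countryCode = "CZ"` on both radios, so a note on which of the two is authoritative for the kernel's regdom would help. This whole header block, and the `wpaPassword` passphrases it contains, are repeated verbatim in `wifi-guest.nix`; a shared module for the radio definitions would keep the two from drifting apart.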