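#import "@preview/polylux:0.3.1": *
#import themes.metropolis: *

#show: metropolis-theme
#set text(size: 25pt)

#title-slide(
  title: [Instalace NixOS na Turris routery],
  subtitle: [Installfest 2024],
  author: [Karel Kočí],
  date: [16.03.2024],
)

#new-section-slide([Instalace na Turris Mox])

#slide(title: [Příprava SD karty])[
// Mounting, extracting the root tarball (ownership/modes must be preserved)
// and unmounting need root just like parted/mkfs, so every step uses sudo.
```console
~$ sudo parted /dev/mmcblk1
(parted) mktable gpt
(parted) mkpart NixTurris 0% 100%
(parted) set 1 boot on
(parted) quit
~$ sudo mkfs.btrfs /dev/mmcblk1p1
~$ sudo mount /dev/mmcblk1p1 /mnt
~$ sudo tar -xf nixos-system-aarch64-linux.tar.xz -C /mnt
~$ sudo umount /mnt
```
]

#slide(title: [U-Boot])[
Nutné aktualizovat U-Boot:
```console
~# opkg update
~# opkg install turris-nor-update
~# nor-update
```
]

#slide(title: [První boot])[
```console
U-Boot 2022.07 (Aug 15 2022 - 12:25:08 +0000)
...
Hit any key to stop autoboot: 0
=> setenv ramdisk_addr_r 0x9000000
=> saveenv
Saving Environment to SPIFlash... Erasing SPI flash...Writing to SPI flash...done
OK
=> boot
```
]

#new-section-slide([Instalace na Turris Omnia])

#slide(title: [Příprava USB flash disku])[
// Fix: the filesystem is created on the partition (/dev/sdx1), so that is
// also what has to be mounted -- the original mounted the whole disk.
```console
~$ sudo parted /dev/sdx
(parted) mktable gpt
(parted) mkpart NixTurris 0% 100%
(parted) set 1 boot on
(parted) quit
~$ sudo mkfs.btrfs /dev/sdx1
~$ sudo mount /dev/sdx1 /mnt
~$ sudo tar -xf nixos-system-armv7l-linux.tar.xz -C /mnt
~$ sudo umount /mnt
```
]

#slide(title: [U-Boot])[
Nutné aktualizovat U-Boot:
```console
~# opkg update
~# opkg install turris-nor-update
~# nor-update
```
]

#slide(title: [První boot])[
```console
U-Boot 2022.10-rc4-OpenWrt-r16653+119-44ce70f0e2
...
Hit any key to stop autoboot: 0
=> setenv boot_targets usb0 mmc0 nvme0 scsi0 pxe dhcp
=> saveenv
Saving Environment to SPIFlash... Erasing SPI flash...Writing to SPI flash...done
OK
=> boot
```
]

#new-section-slide([Aktualizace])

#focus-slide[
#text(size: 35pt)[
```bash
nix flake init -t gitlab:cynerd/nixturris
nix build .#tarball
```
]
]

#slide(title: [Nasazení])[
```bash
nix build .#toplevel
nix copy --to root@192.168.1.142 $(readlink -f result)
readlink -f result
```
`ssh root@192.168.1.142`:
#text(size: 24pt)[
```bash
nix-env -p /nix/var/nix/profiles/system --set /nix/store/...
/nix/var/nix/profiles/system/bin/switch-to-configuration switch
```
]
]

#new-section-slide([Intermezzo])

#slide(title: [Výhody])[
- Je to server nebo router? Aktualizuje se to stejně.
- Nastavení systému nebo monitoring všude stejné
- Plošné nasazení konfigurace a její aktualizace
- Spousta připraveného softwaru a jednotné balení pro Nix
- Aktualizace je skoro to samé jako čistá instalace
- ...
]

#slide(title: [Není to růžové])[
- Ne vše co je v Nixpkgs jde cross-zkompilovat
- Armv7l není oficiálně podporovaná platforma
- Turris Omnia aktuálně jen Linux kernel 6.1
]

#slide(title: [NixDeploy])[
Nasazení na běžící systémy přes SSH z vývojářského PC s podporou cross-kompilace.
```bash
nix flake init -t gitlab:cynerd/nixdeploy
nix run . -- --help
nix run . laptop
```
]

#new-section-slide([SystemD-NetworkD])

#slide[
```nix
networking = {
  useNetworkd = true;
  useDHCP = false;
};
systemd.network = {};
```
]

#slide(title: [Switch])[
#text(size: 17pt)[
```nix
systemd.network = {
  netdevs = {
    "brlan".netdevConfig = {Kind = "bridge"; Name = "brlan";};
  };
  networks = {
    "brlan" = {
      matchConfig.Name = "brlan";
      networkConfig = {DHCP = "yes"; IPv6AcceptRA = "yes";};
    };
    "lan-brlan" = {
      matchConfig.Name = "lan* end0";
      networkConfig.Bridge = "brlan";
    };
  };
};
```
]
]

#slide(title: [Router])[
#text(size: 18pt)[
```nix
systemd.network = {
  netdevs."brlan".netdevConfig = {
    Kind = "bridge";
    Name = "brlan";
  };
  networks."lan-brlan" = {
    matchConfig.Name = "lan*";
    networkConfig.Bridge = "brlan";
  };
  wait-online.anyInterface = true;
};
```
]
]

#slide(title: [Router (end2 jako wan)])[
#text(size: 17pt)[
```nix
systemd.network.networks = {
  "end2" = {
    matchConfig.Name = "end2";
    networkConfig = {
      DHCP = "yes";
      IPv6AcceptRA = "yes";
      DHCPPrefixDelegation = "yes";
    };
    dhcpV6Config.PrefixDelegationHint = "::/56";
    dhcpPrefixDelegationConfig = {
      UplinkInterface = ":self";
      Announce = "no";
    };
    linkConfig.RequiredForOnline = "routable";
  };
};
```
]
]

#slide(title: [Router (brlan network)])[
// Fix: attribute path needs the dot (`networks."brlan"`); without it the
// expression is a syntax error.
#text(size: 18pt)[
```nix
systemd.network.networks."brlan" = {
  matchConfig.Name = "brlan";
  networkConfig = {
    Address = "192.168.4.1/24";
    IPForward = "yes";
    DHCPServer = "yes";
    DHCPPrefixDelegation = "yes";
    IPv6SendRA = "yes";
    IPv6AcceptRA = "no";
  };
};
```
]
]

#slide(title: [Router (DHCP)])[
#text(size: 18pt)[
```nix
systemd.network.networks."brlan" = {
  dhcpServerConfig = {
    UplinkInterface = "end2";
    PoolOffset = 100;
    PoolSize = 100;
    EmitDNS = "yes";
    DNS = "192.168.4.1";
  };
  dhcpServerStaticLeases = [
    {
      dhcpServerStaticLeaseConfig = {
        MACAddress = "a8:a1:59:10:32:c4";
        Address = "192.168.4.20";
      };
    }
  ];
  dhcpPrefixDelegationConfig = {UplinkInterface = "end2"; Announce = "yes";};
};
```
]
]

#slide(title: [Router (DNS, Firewall)])[
// `filterForward` and `extraForwardRules` (used later) are nftables-only
// features of the NixOS firewall, so the nftables backend is switched on here
// explicitly. DNS (53) and DHCP (67/68) are deliberately opened only on the
// LAN bridge, never on the WAN interface.
#text(size: 17pt)[
```nix
services.resolved = {
  enable = true;
  fallbackDns = ["1.1.1.1" "8.8.8.8"];
  extraConfig = ''
    DNSStubListenerExtra=192.168.4.1
  '';
};
networking = {
  nftables.enable = true;
  firewall = {
    interfaces."brlan" = {allowedUDPPorts = [53 67 68];};
    filterForward = true;
  };
  nat = {
    enable = true;
    externalInterface = "end2";
    internalInterfaces = ["brlan"];
  };
};
```
]
]

#new-section-slide([Hostapd (Wi-Fi access point)])

#slide(title: [AR9287])[
// NOTE(review): `wpaPassword` is a plain string in the NixOS config, so the
// PSK ends up in the world-readable /nix/store. Fine for a demo SSID, not for
// a real deployment -- the module offers `wpaPasswordFile` for that.
#text(size: 16pt)[
```nix
services.hostapd = {
  enable = true;
  radios = {
    "wlp3s0" = {
      channel = 7;
      countryCode = "CZ";
      wifi4 = {
        enable = true;
        inherit (lib.hostapd.qualcomAtherosAR9287.wifi4) capabilities;
      };
      networks."wlp3s0" = {
        ssid = "NixOSInstallFest";
        authentication = {
          mode = "wpa2-sha256";
          wpaPassword = "InstallFest2024";
        };
      };
    };
  };
};
systemd.network.networks = {
  "lan-wlp3s0" = {
    matchConfig.Name = "wlp3s0";
    networkConfig.Bridge = "brlan";
  };
};
```
]
#text(size: 14pt)[
_Pozor:_ `wpaPassword` skončí v `/nix/store`, který je čitelný pro všechny uživatele.
Mimo demo použijte `authentication.wpaPasswordFile`.
]
]

#slide(title: [QCA988x (Wi-Fi 5)])[
#text(size: 16pt)[
```nix
nixpkgs.config.allowUnfree = true;
hardware.enableAllFirmware = true;
services.hostapd.radios."wlp2s0" = {
  channel = 36;
  band = "5g";
  countryCode = "CZ";
  wifi4 = {
    enable = true;
    inherit (lib.hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
  };
  wifi5 = {
    enable = true;
    inherit (lib.hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
  };
  networks."wlp2s0" = {
    ssid = "NixOSInstallFest5";
    authentication = {
      mode = "wpa2-sha256";
      wpaPassword = "InstallFest2024";
    };
  };
};
systemd.network.networks = {
  "lan-wlp2s0" = {
    matchConfig.Name = "wlp2s0";
    networkConfig.Bridge = "brlan";
  };
};
```
]
#text(size: 14pt)[
_Pozor:_ stejně jako u AR9287 -- heslo patří do `wpaPasswordFile`, ne do konfigurace.
]
]

#new-section-slide([Síť pro hosty])

#slide(title: [VLANy (brlan)])[
#text(size: 16pt)[
```nix
systemd.network.netdevs = {
  "brlan" = {
    netdevConfig = {
      Kind = "bridge";
      Name = "brlan";
    };
    extraConfig = ''
      [Bridge]
      DefaultPVID=none
      VLANFiltering=yes
    '';
  };
  "home" = {
    netdevConfig = {
      Kind = "vlan";
      Name = "home";
    };
    vlanConfig.Id = 1;
  };
  "guest" = {
    netdevConfig = {
      Kind = "vlan";
      Name = "guest";
    };
    vlanConfig.Id = 2;
  };
};
systemd.network.networks."brlan" = {
  matchConfig.Name = "brlan";
  networkConfig.VLAN = ["home" "guest"];
  bridgeVLANs = [
    {bridgeVLANConfig.VLAN = 1;}
    {bridgeVLANConfig.VLAN = 2;}
  ];
};
```
]
]

#slide(title: [VLANy (brlan)])[
#text(size: 17pt)[
```nix
systemd.network.networks."lan-brlan" = {
  matchConfig.Name = "lan*";
  networkConfig.Bridge = "brlan";
  bridgeVLANs = [
    {
      bridgeVLANConfig = {
        EgressUntagged = 1;
        PVID = 1;
      };
    }
    {bridgeVLANConfig.VLAN = 2;}
  ];
};
```
]
]

#slide(title: [VLANy (home a guest)])[
// NOTE(review): the elided parts matter for isolation. The earlier router
// slides open 53/67/68 on "brlan" and list only "brlan" in
// nat.internalInterfaces; once "home" and "guest" carry the addresses, those
// per-interface settings have to move to the VLAN interfaces, and
// `filterForward = true` (default-drop forward) is what keeps guest->home
// traffic blocked. Not shown here -- confirm in the full config.
#text(size: 16pt)[
```nix
systemd.network.networks = {
  "home" = {
    matchConfig.Name = "home";
    networkConfig = {
      Address = "192.168.4.1/24";
      IPForward = "yes";
      DHCPServer = "yes";
      ...
  "guest" = {
    matchConfig.Name = "guest";
    networkConfig = {
      Address = "192.168.5.1/24";
      IPForward = "yes";
      ...
};
```
]
]

#slide(title: [VLANy (Wi-Fi)])[
// Fix: `raios` -> `radios` (option path typo). The guest BSS is an open
// network, so client-to-client traffic is disabled with hostapd's
// `ap_isolate` via the raw `settings` pass-through.
#text(size: 16pt)[
```nix
services.hostapd.radios."wlp3s0".networks = {
  "wlp3s0" = {
    ssid = "Home";
    bssid = "12:f0:21:23:2b:00";
    authentication = {
      mode = "wpa2-sha256";
      wpaPassword = "InstallFest2024";
    };
  };
  "wlp3s0.guest" = {
    ssid = "Guest";
    bssid = "12:f0:21:23:2b:01";
    authentication.mode = "none";
    settings.ap_isolate = 1;
  };
};
systemd.network.networks = {
  "lan-wlp3s0" = {
    matchConfig.Name = "wlp3s0";
    networkConfig.Bridge = "brlan";
    bridgeVLANs = [
      {
        bridgeVLANConfig = {
          EgressUntagged = 1;
          PVID = 1;
        };
      }
    ];
  };
  "lan-wlp3s0.guest" = {
    matchConfig.Name = "wlp3s0.guest";
    networkConfig.Bridge = "brlan";
    bridgeVLANs = [
      {
        bridgeVLANConfig = {
          EgressUntagged = 2;
          PVID = 2;
        };
      }
    ];
  };
};
```
]
#text(size: 14pt)[
`ap_isolate = 1`: klienti otevřené sítě pro hosty se navzájem nevidí.
]
]

#new-section-slide([Další tipy])

#slide(title: [PPPoE])[
// NOTE(review): `peers.<name>.config` is rendered into the Nix store, so the
// ISP password written here is world-readable on the router. pppd looks the
// secret up in /etc/ppp/pap-secrets or chap-secrets by the `user` name when no
// `password` option is given -- keep it there (mode 0600) instead.
#text(size: 16pt)[
```nix
services.pppd = {
  enable = true;
  peers."wan".config = ''
    plugin pppoe.so end2
    ifname pppoe-wan
    lcp-echo-interval 1
    lcp-echo-failure 5
    lcp-echo-adaptive
    +ipv6
    defaultroute
    defaultroute6
    usepeerdns
    maxfail 1
    user O2
    password 02
  '';
};
```
]
#text(size: 14pt)[
_Pozor:_ `config` skončí v `/nix/store`. Raději `password` vynechat a heslo
uložit do `/etc/ppp/pap-secrets` / `chap-secrets` (pppd si ho podle `user` najde).
]
]

#slide(title: [PPPoE (network)])[
// NOTE(review): with PPPoE the WAN interface is "pppoe-wan", so
// `networking.nat.externalInterface` from the router slides would need to
// point there as well; that part of the config is not shown.
#text(size: 19pt)[
```nix
systemd.network.networks."pppoe-wan" = {
  matchConfig.Name = "pppoe-wan";
  networkConfig = {
    BindCarrier = "end2";
    DHCP = "ipv6";
    IPv6AcceptRA = "no";
    DHCPPrefixDelegation = "yes";
  };
  ...
};
networking.firewall.extraForwardRules = ''
  tcp flags syn tcp option maxseg size set rt mtu comment "MSS clamping"
'';
```
]
]

#slide(title: [PPPoE na VLANě])[
#text(size: 18pt)[
```nix
systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"];
systemd.network = {
  netdevs = {
    "end2.848" = {
      netdevConfig = {
        Kind = "vlan";
        Name = "end2.848";
      };
      vlanConfig.Id = 848;
    };
  };
  networks = {
    "end2" = {
      matchConfig.Name = "end2";
      networkConfig.VLAN = ["end2.848"];
    };
    "end2.848" = {
      matchConfig.Name = "end2.848";
      networkConfig.BindCarrier = "end2";
    };
  };
};
```
]
]

#slide(title: [Routable VPN - home])[
// Fix: the nftables backend is a top-level `networking.nftables` option, not
// a sub-option of `networking.firewall`. The accept rule is limited to the
// home and vpn interfaces; guest stays behind the default-drop forward chain.
#text(size: 19pt)[
```nix
networking.nftables.enable = true;
networking.firewall.extraForwardRules = ''
  iifname {"home", "vpn"} oifname {"home", "vpn"} accept
'';
```
]
]

#slide(title: [Wi-Fi (problémy s připojením klientů)])[
// NOTE(review): this turns off 802.11w (PMF) entirely and drops to plain
// WPA-PSK, which re-enables spoofed deauth/disassoc against every client.
// `ieee80211w = 1` (PMF optional) and `wpa_key_mgmt = "WPA-PSK WPA-PSK-SHA256"`
// keep protection for capable clients while still admitting legacy ones.
```nix
services.hostapd.radios."wlp3s0".networks."wlp3s0".settings = {
  wpa_key_mgmt = mkForce "WPA-PSK";
  ieee80211w = 0;
};
```
#text(size: 14pt)[
_Pozor:_ vypnutí 802.11w (PMF) snižuje ochranu proti podvrženým deauth rámcům.
Pokud to stačí, použijte `ieee80211w = 1` (PMF volitelné) a
`wpa_key_mgmt = "WPA-PSK WPA-PSK-SHA256"`.
]
]

#slide(title: [Firewall: Reject spam])[
// NOTE(review): trade-off -- this also removes the log line that port-scan /
// brute-force detection on the router would key on.
```nix
networking.firewall.logRefusedConnections = false;
```
]

#slide(title: [Omezení velikosti logů])[
```nix
services.journald.extraConfig = ''
  SystemMaxUse=512M
'';
```
]

#slide(title: [Co dál?])[
- Dokumentace nastavení routeru na NixOS Wiki
- systemd-resolved a DNSSEC do sítě
- Podpora Turris Sentinel
- Šifrovaný root disk (atsha a mox-otp)
- Snazší nastavení pro routery
]

#focus-slide[
Děkuji za pozornost

Karel Kočí

https://gitlab.com/cynerd/nixturris

#text(size: 25pt)[
https://git.cynerd.cz

https://gitlab.com/cynerd
]
]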