From 22b6a513572fdcca63f69159070f99ab4147cdd7 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Sat, 4 Jan 2025 23:25:48 +0100
Subject: [PATCH] feat: hostapd back on bare

---
 config/services/hass.nix | 80 +++++++++++++
 config/services/hostapd.nix | 120 -------------------
 hosts/nucnix/guests.nix | 10 +-
 hosts/nucnix/hostapd.nix | 78 ++++++++++++
 hosts/nucnix/mdns.nix | 2 +-
 hosts/nucnix/net.nix | 28 +++--
 hosts/nucnix/secrets/hostapd/host.pub | 1 -
 hosts/nucnix/secrets/hostapd/secrets.nix.age | 17 ---
 hosts/nucnix/secrets/secrets.nix.age | Bin 912 -> 1016 bytes
 9 files changed, 181 insertions(+), 155 deletions(-)
 create mode 100644 config/services/hass.nix
 delete mode 100644 config/services/hostapd.nix
 create mode 100644 hosts/nucnix/hostapd.nix
 delete mode 100644 hosts/nucnix/secrets/hostapd/host.pub
 delete mode 100644 hosts/nucnix/secrets/hostapd/secrets.nix.age

diff --git a/config/services/hass.nix b/config/services/hass.nix
new file mode 100644
index 0000000..697650f
--- /dev/null
+++ b/config/services/hass.nix
@@ -0,0 +1,80 @@
+{
+ config,
+ globals,
+ nodes,
+ ...
+}:
+{
+ environment.persistence."/persist".directories = [
+ {
+ directory = config.services.home-assistant.configDir;
+ user = "hass";
+ group = "hass";
+ mode = "0700";
+ }
+ ];
+ wireguard.services = {
+ client.via = "nucnix";
+ firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ 3000 ];
+ };
+ services.home-assistant = {
+ enable = true;
+ extraComponents = [
+ "radio_browser"
+ "met"
+ "esphome"
+ "fritzbox"
+ "soundtouch"
+ "spotify"
+ "matter"
+ #"zha"
+ "mqtt"
+ ];
+ config = {
+ http = {
+ server_host = [ "0.0.0.0" ];
+ server_port = 3000;
+ use_x_forwarded_for = true;
+ trusted_proxies = [ nodes.nucnix-nginx.config.wireguard.services.ipv4 ];
+ };
+
+ homeassistant = {
+ name = "!secret ha_name";
+ latitude = "!secret ha_latitude";
+ longitude = "!secret ha_longitude";
+ elevation = "!secret ha_elevation";
+ currency = "EUR";
+ time_zone = "Europe/Berlin";
+ unit_system = "metric";
+ #external_url = "https://";
+ packages = {
+ manual = "!include manual.yaml";
+ };
+ };
+
+ default_config = { };
+ ### Components not from default_config
+
+ frontend = {
+ #themes = "!include_dir_merge_named themes";
+ };
+
+ influxdb = {
+ api_version = 2;
+ host = globals.services.influxdb.domain;
+ port = "443";
+ max_retries = 10;
+ ssl = true;
+ verify_ssl = true;
+ token = "!secret influxdb_token";
+ organization = "home";
+ bucket = "home_assistant";
+ };
+ };
+ extraPackages =
+ python3Packages: with python3Packages; [
+ psycopg2
+ gtts
+ ];
+ };
+}
diff --git a/config/services/hostapd.nix b/config/services/hostapd.nix
deleted file mode 100644
index 1ad44c2..0000000
--- a/config/services/hostapd.nix
+++ /dev/null
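Review bot: In the `influxdb` block of the new hass.nix, `port = "443";` is a string while every other port in the file (`server_port = 3000;`, `allowedTCPPorts = [ 3000 ]`) is a number; Home Assistant's config validation presumably coerces it, but the mixed types are a trap for anyone later comparing or templating the value, so write `port = 443;`. Separately, `server_host = [ "0.0.0.0" ]` binds the listener on every interface of the guest while only the wireguard-side `firewallRuleForNode.nucnix-nginx` rule opens port 3000; a comment such as `# bound to all interfaces; reachability relies on the nucnix-nginx firewall rule above` would record that dependency for whoever adds a second interface to this guest. The `!secret` references assume a secrets.yaml in configDir that this commit does not provision.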
@@ -1,120 +0,0 @@
-{
- globals,
- pkgs,
- lib,
- ...
-}:
-{
- microvm.devices = [
- {
- bus = "pci";
- path = "0000:01:00.0";
- }
- ];
- hardware.firmware = with pkgs; [
- linux-firmware
- intel2200BGFirmware
- ];
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- networking.nftables.firewall.zones.untrusted.interfaces = [
- "mv-home"
- "br-home"
- ];
- hardware.wirelessRegulatoryDatabase = true;
- systemd.network = {
- netdevs."40-br-home" = {
- netdevConfig = {
- Name = "br-home";
- Kind = "bridge";
- };
- };
- networks."10-mv-home" = {
- networkConfig = {
- LinkLocalAddressing = "no";
- IPv6AcceptRA = lib.mkForce false;
- Bridge = "br-home";
- };
- address = lib.mkForce [ ];
- gateway = lib.mkForce [ ];
- DHCP = "no";
- };
- networks."10-home" = {
- matchConfig.Name = "br-home";
- DHCP = "no";
- address = [ "10.99.10.19/24" ];
- gateway = [ "10.99.10.1" ];
- };
- networks."40-wifi" = {
- matchConfig.Name = "wlan1";
- networkConfig = {
- LinkLocalAddressing = "no";
- IPv6AcceptRA = lib.mkForce false;
- Bridge = "br-home";
- };
- DHCP = "no";
- };
- };
-
- networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
- networking.nftables.firewall.zones.home.interfaces = [ "mv-home" ];
- networking.nftables.firewall.rules.wifi-forward = {
- from = [ "wlan" ];
- to = [ "home" ];
- verdict = "accept";
- };
- services.hostapd = {
- enable = true;
- radios.wlan1 = {
- band = "2g";
- countryCode = "DE";
- channel = 5;
- wifi4.capabilities = [
- "LDPC"
- "HT40+"
- "HT40-"
- "SHORT-GI-20"
- "SHORT-GI-40"
- "TX-STBC"
- "RX-STBC1"
- ];
- wifi5.capabilities = [
- "LDPC"
- "HT40+"
- "HT40-"
- "SHORT-GI-20"
- "SHORT-GI-40"
- "TX-STBC"
- "RX-STBC1"
- ];
- wifi6.enable = true;
- wifi7.enable = true;
- networks.wlan1 = {
- inherit (globals.hostapd) ssid;
- apIsolate = true;
- # settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
- # 10 wifi-home br-home
- # 50 wifi-guest br-guest
- # ''}";
- authentication = {
- saePasswords = [
- {
- password = "ctiectie";
- # vlanid = 10;
- }
- # {
- # password = "nrsgnrsg";
- # vlanid = 50;
- # }
- ];
- pairwiseCiphers = [
- "CCMP"
- "GCMP"
- "GCMP-256"
- ];
- #enableRecommendedPairwiseCiphers = true;
- };
- bssid = "44:38:e8:db:a5:b5";
- };
- };
- };
-}
diff --git a/hosts/nucnix/guests.nix b/hosts/nucnix/guests.nix
index 6ad9c11..84f0550 100644
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@@ -107,13 +107,5 @@ in
 ];
 };
 in
- { }
- // mkContainer "adguardhome" { }
- // mkContainer "nginx" { }
- // mkMicrovm "hostapd" {
- vlans = [
- # "guests"
- "home"
- ];
- };
+ { } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
 }
diff --git a/hosts/nucnix/hostapd.nix b/hosts/nucnix/hostapd.nix
new file mode 100644
index 0000000..9728e1d
--- /dev/null
+++ b/hosts/nucnix/hostapd.nix
@@ -0,0 +1,78 @@
+{
+ globals,
+ pkgs,
+ ...
+}:
+{
+ hardware.firmware = with pkgs; [
+ linux-firmware
+ intel2200BGFirmware
+ ];
+ #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+ networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
+ networking.nftables.firewall.zones.home.interfaces = [ "br-home" ];
+ networking.nftables.firewall.rules.wifi-forward = {
+ from = [ "wlan" ];
+ to = [ "home" ];
+ verdict = "accept";
+ };
+ services.hostapd = {
+ enable = true;
+ radios.wlan01 = {
+ band = "2g";
+ countryCode = "DE";
+ channel = 5;
+ wifi4.capabilities = [
+ "LDPC"
+ "HT40+"
+ "HT40-"
+ "SHORT-GI-20"
+ "SHORT-GI-40"
+ "TX-STBC"
+ "RX-STBC1"
+ ];
+ wifi5.capabilities = [
+ "LDPC"
+ "HT40+"
+ "HT40-"
+ "SHORT-GI-20"
+ "SHORT-GI-40"
+ "TX-STBC"
+ "RX-STBC1"
+ ];
+ wifi6.enable = true;
+ wifi7.enable = true;
+ networks.wlan01 = {
+ inherit (globals.hostapd) ssid;
+ apIsolate = true;
+ # not supporte by laptop :(
+ # settings.ieee80211w = 0;
+ settings.bridge = "br-home";
+ settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
+ 10 wifi-home br-home
+ 50 wifi-guest br-guest
+ ''}";
+ authentication = {
+ saePasswords = [
+ {
+ password = "ctiectie";
+ vlanid = 10;
+ }
+ {
+ password = "nrsgnrsg";
+ vlanid = 50;
+ }
+ ];
+ pairwiseCiphers = [
+ "CCMP"
+ "GCMP"
+ "GCMP-256"
+ ];
+ #enableRecommendedPairwiseCiphers = true;
+ };
+ bssid = "44:38:e8:db:a5:b5";
+ };
+ };
+ };
+}
diff --git a/hosts/nucnix/mdns.nix b/hosts/nucnix/mdns.nix
index c13ec7e..171a1fe 100644
--- a/hosts/nucnix/mdns.nix
+++ b/hosts/nucnix/mdns.nix
@@ -23,7 +23,7 @@ let
 {
 from = "lan-home";
 to = "lan-devices";
- allow_questions = "(printer|ipp)";
+ allow_questions = "(printer|ipp|uscans|alljoyn)";
 allow_answers = "";
 }
 ];
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix
index ca22042..610e531 100644
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
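Review bot: The SAE passphrases `password = "ctiectie";` and `password = "nrsgnrsg";` are plain literals in a Nix module, so they end up in git history and in the world-readable Nix store of the host, and the same commit deletes the age-encrypted `hosts/nucnix/secrets/hostapd/secrets.nix.age`, so nothing keeps them out of the store any more; the hostapd module's `authentication.saePasswordsFile` option reads the entries from a file provisioned at activation time instead of `saePasswords`. Two name mismatches also look unintended: the firewall zone is declared as `zones.wlan.interfaces = [ "wlan1" ]` while the radio and BSS are named `wlan01`, so the `wifi-forward` rule matches no interface (the deleted config/services/hostapd.nix used `wlan1` for both). The vlan file maps vlan 50 to `br-guest`, whereas net.nix in this patch creates bridges as `br-${name}` and the vlan appears elsewhere as `guests`, so the bridge would presumably be `br-guests` — worth verifying against globals.net.vlans.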
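Review bot: The new question filter `(printer|ipp|uscans|alljoyn)` is an unanchored regex, so `uscans` only matches the TLS eSCL service name (`_uscans._tcp`) and not plain `_uscan._tcp`; if scanner discovery over plain eSCL is wanted too, `uscans?` covers both. Each extra name here widens which mDNS questions cross from lan-home into lan-devices, so a short comment naming the device class behind `alljoyn` would help the next reader judge the exposure.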
@@ -19,6 +19,7 @@ in
 ./kea.nix
 ./forwarding.nix
 ./mdns.nix
+ ./hostapd.nix
 ];
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 networking.nftables.firewall.zones = mkMerge [
@@ -31,9 +32,6 @@ in
 adguard.ipv4Addresses = [
 (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
 ];
- samba.ipv4Addresses = [
- (lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4)
- ];
 }
 (genAttrs (attrNames globals.net.vlans) (name: {
 interfaces = [ "lan-${name}" ];
@@ -65,6 +63,12 @@ in
 };
 vlanConfig.Id = id;
 };
+ "50-bridge-${name}" = {
+ netdevConfig = {
+ Name = "br-${name}";
+ Kind = "bridge";
+ };
+ };
 "50-macvlan-${name}" = {
 netdevConfig = {
 Name = "lan-${name}";
@@ -115,10 +119,17 @@ in
 # this interface to gain a carrier.
 networkConfig.LinkLocalAddressing = "no";
 linkConfig.RequiredForOnline = "carrier";
- extraConfig = ''
- [Network]
- MACVLAN=lan-${name}
- '';
+ networkConfig = {
+ Bridge = "br-${name}";
+ };
+ };
+ "10-${name}" = {
+ matchConfig.Name = "br-${name}";
+ networkConfig.LinkLocalAddressing = "no";
+ linkConfig.RequiredForOnline = "carrier";
+ networkConfig = {
+ MACVLAN = "lan-${name}";
+ };
 };
 "20-lan-${name}" = {
 address = [
@@ -148,6 +159,9 @@ in
 from = [
 "home"
 "services"
+ "devices"
+ "guests"
+ "iot"
 ];
 to = [ "local" ];
 allowedUDPPorts = [ 5353 ];
diff --git a/hosts/nucnix/secrets/hostapd/host.pub b/hosts/nucnix/secrets/hostapd/host.pub
deleted file mode 100644
index 2dccaec..0000000
--- a/hosts/nucnix/secrets/hostapd/host.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOR54uUS7TdVFs8SmKEThJcwNqQhLhqIfkTneoPSNJe
diff --git a/hosts/nucnix/secrets/hostapd/secrets.nix.age b/hosts/nucnix/secrets/hostapd/secrets.nix.age
deleted file mode 100644
index f9279ae..0000000
--- a/hosts/nucnix/secrets/hostapd/secrets.nix.age
+++ /dev/null
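Review bot: In the `@@ -115,10 +119,17 @@` hunk the existing network block keeps `networkConfig.LinkLocalAddressing = "no";` and then gains a second definition `networkConfig = { Bridge = "br-${name}"; };`, and the new `"10-${name}"` block repeats the same split; Nix merges the two definitions into one attribute set, but it reads like a duplicate assignment, so collapse each into a single `networkConfig = { LinkLocalAddressing = "no"; Bridge = "br-${name}"; };` (with `MACVLAN = "lan-${name}";` in the second block). The attribute that the first part of that hunk modifies starts outside the hunk. The `@@ -31,9 +32,6 @@` hunk removes the `samba` firewall zone; any rule elsewhere in this file or in another module that still names `samba` would fail to evaluate, which this patch does not show. The `@@ -148,6 +159,9 @@` hunk now accepts UDP 5353 into `local` from the `devices`, `guests` and `iot` zones as well; a comment naming the listener this is for (presumably the reflector configured in ./mdns.nix) would make the widened exposure deliberate rather than incidental.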
@@ -1,17 +0,0 @@ -age-encryption.org/v1 --> X25519 q8aZVIpO27A7gSGGepzDYQINfV9BT5Vdlck4Ywl/tw4 -f7OZDaBI1nGbWVKz7c/fCTjl5avQMZwweKuGsMZaHmw --> piv-p256 ZFgiIw AzIXNOToQeNgxBaPr2Ay8PNbWci5KXsOO0hPzntcr9jh -A45KdFFCcHss+yp9o1lMeyGAquweqAAYdN3rebTOV+k --> piv-p256 XTQkUA Ams4qG3cUEr5JuhwJVl0I9vNvUBSwmeGlO4y1RjW+HM0 -09tBHurIIUJrwXfJEDnTpZppseJSxF/Rrzp81tLiEaI --> piv-p256 ZFgiIw Ar7T0wlAqoYOPxtm8lZnWRCctOFQ3MpmPhZpzz4dm+0i -8vfGeTyhxjU28KeCmOl59IOhxgSEK/invMRBj5y8wvE --> piv-p256 5vmPtQ Am6sq2Wde4bMWzMTw6+o+yhkM2ZSkpBbbLGVA3RIAylz -6y8WNKVZiMOuyolKGJjGj+Fc9hqkHw362LtYaGhl274 --> 5nt&Ew>-grease V;8yod -bApmEO5jhTtDghPr4gisoTKEuhrFOdKxAuNH4iqUufY3dNfojeB/5IjctLLe5VG7 -vWl2CF8Tyw ---- hpy8mTYDQSOQCLhIcQ+5mHcdqRQkvWOIDQHLltWTJD0 -2UzT_˴^ -}XZgVԧ% ?Mt]v:;wژ*XO˂U}dِxKA%6 \ No newline at end of file 
diff --git a/hosts/nucnix/secrets/secrets.nix.age b/hosts/nucnix/secrets/secrets.nix.age index baa034564f25dc2d5471b89f5ac4b13a8e8b0eca..994ca0a035c38c924ebe73d372ce303049bf5b17 100644 GIT binary patch literal 1016 zcmY+>-;3J>0KoBia^S*n3L?6L(UZA>u}#x9ZK~X9k|u51v}w|&NvpS+q`%TMZGJbY zjzbtY5g&BAah!UGiUT+FhM>prNw=qsQ-_KZ@j*cyJ2p6c@IgfP;KTg|AHIC$UMJca zsdi|(+ISQj+dasKf#_mHN+1ZFjbw!&0I8Bkq+Nmwy5&y1-koMhr<8yZCW{w`6$zcB zx)pOM0C}vXB@ijmu(R!!z_)NFO9XPY;HJu0SE2hL>NT5OI~=v>JA$eCQ8R(0BQ2_@ z(US;fDQa~hh6G{NhUGY3L+e_NphB=>!fF%c2YndoP9aO-MF_B)8E}veGd^ke@OGov zBNeK$IVPMyk@#&?sk@h4@C*{Iy&&sqvtu*`^p16Cl1o9+p52k1 zPQ;Fp#ihl=k>|t_YXOWLuToZvE$K!#m2j}2PfGH%Kg83zsHJk5xC4#V4r#Ng0?md= z3sDPsqLCTWs7KNQp9l2HSf^B+Ray}12!jrn)1j&v=0TyEOEN?gO1UZvxnWHTMFKY) zQzbv?Bd~@I|JxglMnZ!xNDwJXNI56!b%pXkI-vbTx0O?KUZq_N)bbS0i-R!=?ESlc z>gU)W+Ot>pZ3TDTI>!CB>}ijFD*e>D@g23Zc`h2=zi`_4Vbc!U8}?&AUYUg$Yi{ZH z*nuw&AM@XlSB^6Gs=qvPDK(mR9%!EsZyMX{A1<#p$fc)d!s{2#yuR|!HYaBPB3JSC zH3|R@>{+D2=cU=VOy$ov81T6C^piJ$qv74}&nVX}U)g*4vlZ^6$Isq#eg4F?mp(Xk zb?)}8F+O;F=FeB{-2@cz#) zg0H=@ulw@cI`gLV$+z(Gxo6HM_e=4Ed%i|$x1{%W&YYLduRVN-NPhFemQ}{yJ$-Ru J;pEN}{{mwPY3Bd{ literal 912 zcmY+<-;3J>0KoBW`ryJ|WDhz$q#(Luxn9#GO)m__(l%|bO`0FgkEV*F&F`l9acSBn zRS+L!jKg0O6;Fh7r`t`=lVeZw7h@ZO3ho@JL;P_sdsM-P4Mmym!H4?`KHqQGGO~uR zMQIp2fj=KaR&JaJvd1!QxKPOB8K}R=8KB_t>XMc)4#e>a!cC2FG2$_yE?Y`BrWZ^r z?oV9+<}hVS3d(3oaa3&_rA6G8u#nUP91AQ@naGU>YlWU{F?WT~8D~SdfMq&W%UPUc zh#0L?U4Cqs-9g<|b)WW|h$K?Er50PDLmLFsh~vni&)Etva%#Oe@j?!Vmh!ghnmR3* za-=kyunpG?n@ScDu?0CGMeefNBJWB>h8Wp7(Ss(V#srcZtrQFe{J-ob;(FK9w=G_Btcv$t8~@E>V%V~vEC}{GCN5K5Uj$qGMoy5RssboW{6$Z|6kw$@fArM zijBZk@qiAoj)Wv-3N^fI#%&bCn$vnSv63XAS-Z({ z0h`zQm;(Ev=}5b*!r0?tK0}1VSV;Q|mN_JtcE6MJtr9tea9QXxWsEH%bc3kN6|s*v z0l>P2o?_T!l+)V_P75coN?(t9aw#CANzkG_sz>kxL?f8su61-y#fhvH8Qr0gnTrw- zKsyT_O!FWU2S%<|410OETQA%7G)Q8j#OtcZu$tJfSW$vI&Tq12EKI`;HvH_uSU% z@?86gkN+;GFPu2^>f2}5XU;sc_t(##+;`*#dSUG**5My{;J$EvPw}7p!R2pPe#pLY z%z7nr_A+woc=xTJh?gct`uf&y>BiNan|n^)n9eMH;6L=s`R6{;x3`uzR@(3Aw`V@t 
zIRE9|ZTr#JeDdgl4<`qoI=O!~r>#Bs$EVxCyDP+{>9Y?HHT3$mL;Gi+-rPCx+3%;V z?|-~>C3ybv7uV(cZ@sKu-}(8Q)2FJ=YI