feat: hostapd back on bare

This commit is contained in:
Patrick 2025-01-04 23:25:48 +01:00
parent d6b0a70a6f
commit 22b6a51357
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
9 changed files with 181 additions and 155 deletions

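--- /dev/null
+++ b/config/services/hass.nix
@@ -0,0 +1,80 @@
+{
+config,
+globals,
+nodes,
+...
+}:
+{
+environment.persistence."/persist".directories = [
+{
+directory = config.services.home-assistant.configDir;
+user = "hass";
+group = "hass";
+mode = "0700";
+}
+];
+wireguard.services = {
+client.via = "nucnix";
+firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ 3000 ];
+};
+services.home-assistant = {
+enable = true;
+extraComponents = [
+"radio_browser"
+"met"
+"esphome"
+"fritzbox"
+"soundtouch"
+"spotify"
+"matter"
+#"zha"
+"mqtt"
+];
+config = {
+http = {
+server_host = [ "0.0.0.0" ];
+server_port = 3000;
+use_x_forwarded_for = true;
+trusted_proxies = [ nodes.nucnix-nginx.config.wireguard.services.ipv4 ];
+};
+homeassistant = {
+name = "!secret ha_name";
+latitude = "!secret ha_latitude";
+longitude = "!secret ha_longitude";
+elevation = "!secret ha_elevation";
+currency = "EUR";
+time_zone = "Europe/Berlin";
+unit_system = "metric";
+#external_url = "https://";
+packages = {
+manual = "!include manual.yaml";
+};
+};
+default_config = { };
+### Components not from default_config
+frontend = {
+#themes = "!include_dir_merge_named themes";
+};
+influxdb = {
+api_version = 2;
+host = globals.services.influxdb.domain;
+port = "443";
+max_retries = 10;
+ssl = true;
+verify_ssl = true;
+token = "!secret influxdb_token";
+organization = "home";
+bucket = "home_assistant";
+};
+};
+extraPackages =
+python3Packages: with python3Packages; [
+psycopg2
+gtts
+];
+};
+}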
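Review bot: `port = "443";` in the influxdb block is a string where the sibling values `api_version = 2` and `server_port = 3000` are integers; Home Assistant's port validator coerces the string as far as I know, but `port = 443;` keeps the file consistent. The leftover commented entries (`#"zha"`, `#external_url`, `#themes`) would read better with a one-line reason each or removed, since `frontend = { };` now carries nothing but a commented line.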


@ -1,120 +0,0 @@
{
globals,
pkgs,
lib,
...
}:
{
microvm.devices = [
{
bus = "pci";
path = "0000:01:00.0";
}
];
hardware.firmware = with pkgs; [
linux-firmware
intel2200BGFirmware
];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nftables.firewall.zones.untrusted.interfaces = [
"mv-home"
"br-home"
];
hardware.wirelessRegulatoryDatabase = true;
systemd.network = {
netdevs."40-br-home" = {
netdevConfig = {
Name = "br-home";
Kind = "bridge";
};
};
networks."10-mv-home" = {
networkConfig = {
LinkLocalAddressing = "no";
IPv6AcceptRA = lib.mkForce false;
Bridge = "br-home";
};
address = lib.mkForce [ ];
gateway = lib.mkForce [ ];
DHCP = "no";
};
networks."10-home" = {
matchConfig.Name = "br-home";
DHCP = "no";
address = [ "10.99.10.19/24" ];
gateway = [ "10.99.10.1" ];
};
networks."40-wifi" = {
matchConfig.Name = "wlan1";
networkConfig = {
LinkLocalAddressing = "no";
IPv6AcceptRA = lib.mkForce false;
Bridge = "br-home";
};
DHCP = "no";
};
};
networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
networking.nftables.firewall.zones.home.interfaces = [ "mv-home" ];
networking.nftables.firewall.rules.wifi-forward = {
from = [ "wlan" ];
to = [ "home" ];
verdict = "accept";
};
services.hostapd = {
enable = true;
radios.wlan1 = {
band = "2g";
countryCode = "DE";
channel = 5;
wifi4.capabilities = [
"LDPC"
"HT40+"
"HT40-"
"SHORT-GI-20"
"SHORT-GI-40"
"TX-STBC"
"RX-STBC1"
];
wifi5.capabilities = [
"LDPC"
"HT40+"
"HT40-"
"SHORT-GI-20"
"SHORT-GI-40"
"TX-STBC"
"RX-STBC1"
];
wifi6.enable = true;
wifi7.enable = true;
networks.wlan1 = {
inherit (globals.hostapd) ssid;
apIsolate = true;
# settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
# 10 wifi-home br-home
# 50 wifi-guest br-guest
# ''}";
authentication = {
saePasswords = [
{
password = "ctiectie";
# vlanid = 10;
}
# {
# password = "nrsgnrsg";
# vlanid = 50;
# }
];
pairwiseCiphers = [
"CCMP"
"GCMP"
"GCMP-256"
];
#enableRecommendedPairwiseCiphers = true;
};
bssid = "44:38:e8:db:a5:b5";
};
};
};
}


@ -107,13 +107,5 @@ in
];
};
in
{ }
// mkContainer "adguardhome" { }
// mkContainer "nginx" { }
// mkMicrovm "hostapd" {
vlans = [
# "guests"
"home"
];
};
{ } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
}

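--- /dev/null
+++ b/hosts/nucnix/hostapd.nix
@@ -0,0 +1,78 @@
+{
+globals,
+pkgs,
+...
+}:
+{
+hardware.firmware = with pkgs; [
+linux-firmware
+intel2200BGFirmware
+];
+#boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
+networking.nftables.firewall.zones.home.interfaces = [ "br-home" ];
+networking.nftables.firewall.rules.wifi-forward = {
+from = [ "wlan" ];
+to = [ "home" ];
+verdict = "accept";
+};
+services.hostapd = {
+enable = true;
+radios.wlan01 = {
+band = "2g";
+countryCode = "DE";
+channel = 5;
+wifi4.capabilities = [
+"LDPC"
+"HT40+"
+"HT40-"
+"SHORT-GI-20"
+"SHORT-GI-40"
+"TX-STBC"
+"RX-STBC1"
+];
+wifi5.capabilities = [
+"LDPC"
+"HT40+"
+"HT40-"
+"SHORT-GI-20"
+"SHORT-GI-40"
+"TX-STBC"
+"RX-STBC1"
+];
+wifi6.enable = true;
+wifi7.enable = true;
+networks.wlan01 = {
+inherit (globals.hostapd) ssid;
+apIsolate = true;
+# not supporte by laptop :(
+# settings.ieee80211w = 0;
+settings.bridge = "br-home";
+settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
+10 wifi-home br-home
+50 wifi-guest br-guest
+''}";
+authentication = {
+saePasswords = [
+{
+password = "ctiectie";
+vlanid = 10;
+}
+{
+password = "nrsgnrsg";
+vlanid = 50;
+}
+];
+pairwiseCiphers = [
+"CCMP"
+"GCMP"
+"GCMP-256"
+];
+#enableRecommendedPairwiseCiphers = true;
+};
+bssid = "44:38:e8:db:a5:b5";
+};
+};
+};
+}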
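Review bot: The SAE passphrases `password = "ctiectie";` and `password = "nrsgnrsg";` are plaintext literals in the module, so they sit in the repository history and, after evaluation, in the generated hostapd configuration in the Nix store on nucnix, which is world-readable. The NixOS hostapd module provides `authentication.saePasswordsFile` for this case; pointing it at an age-encrypted secret would match the `!secret` handling used in hass.nix in this same commit, and both eight-character passphrases should be rotated once they leave the repo. Separately, the firewall zone still names `wlan.interfaces = [ "wlan1" ]` while the radio and BSS were renamed to `wlan01`, so the `wifi-forward` rule likely no longer matches the wireless interface; `[ "wlan01" ]` would be consistent. The old microvm version isolated the wireless driver and firmware behind PCI passthrough (`bus = "pci"; path = "0000:01:00.0"`), whereas they now run in the router's own kernel; that trade-off deserves a one-line comment at the top of this file. Both passphrases were already present in the deleted microvm file, so this carries an existing issue onto the bare host rather than introducing it.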


@ -23,7 +23,7 @@ let
{
from = "lan-home";
to = "lan-devices";
allow_questions = "(printer|ipp)";
allow_questions = "(printer|ipp|uscans|alljoyn)";
allow_answers = "";
}
];
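Review bot: `allow_questions = "(printer|ipp|uscans|alljoyn)"` lists only `uscans`, the TLS variant of the eSCL scanner service; if the pattern is matched as a regex against service names, a scanner advertising plain `_uscan._tcp` would stay invisible from lan-home, and `uscans?` would cover both. The pattern is also unanchored, so `ipp` already matches `ipps`, which may be intended. The enclosing `let` list starts and ends outside the hunk.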


@ -19,6 +19,7 @@ in
./kea.nix
./forwarding.nix
./mdns.nix
./hostapd.nix
];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nftables.firewall.zones = mkMerge [
@ -31,9 +32,6 @@ in
adguard.ipv4Addresses = [
(lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
];
samba.ipv4Addresses = [
(lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4)
];
}
(genAttrs (attrNames globals.net.vlans) (name: {
interfaces = [ "lan-${name}" ];
@ -65,6 +63,12 @@ in
};
vlanConfig.Id = id;
};
"50-bridge-${name}" = {
netdevConfig = {
Name = "br-${name}";
Kind = "bridge";
};
};
"50-macvlan-${name}" = {
netdevConfig = {
Name = "lan-${name}";
@ -115,10 +119,17 @@ in
# this interface to gain a carrier.
networkConfig.LinkLocalAddressing = "no";
linkConfig.RequiredForOnline = "carrier";
extraConfig = ''
[Network]
MACVLAN=lan-${name}
'';
networkConfig = {
Bridge = "br-${name}";
};
};
"10-${name}" = {
matchConfig.Name = "br-${name}";
networkConfig.LinkLocalAddressing = "no";
linkConfig.RequiredForOnline = "carrier";
networkConfig = {
MACVLAN = "lan-${name}";
};
};
"20-lan-${name}" = {
address = [
@ -148,6 +159,9 @@ in
from = [
"home"
"services"
"devices"
"guests"
"iot"
];
to = [ "local" ];
allowedUDPPorts = [ 5353 ];
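Review bot: The last hunk opens UDP 5353 from the `guests` and `iot` zones to `local`, so the router's mDNS reflector or responder becomes reachable from the segments this commit also hands to hostapd's guest VLAN. The only reflector pair visible in the commit (mdns.nix) is lan-home to lan-devices with a question filter; check that guests and iot get equally restricted pairs, or that unlisted pairs are denied by default, so a guest client cannot enumerate or answer for devices on the other VLANs. The second hunk also drops the `samba.ipv4Addresses` zone, so any rule elsewhere that still references `samba` will fail evaluation. The `from`/`to` rule is defined in an attribute set that starts before the hunk.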


@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOR54uUS7TdVFs8SmKEThJcwNqQhLhqIfkTneoPSNJe


@ -1,17 +0,0 @@
age-encryption.org/v1
-> X25519 q8aZVIpO27A7gSGGepzDYQINfV9BT5Vdlck4Ywl/tw4
f7OZDaBI1nGbWVKz7c/fCTjl5avQMZwweKuGsMZaHmw
-> piv-p256 ZFgiIw AzIXNOToQeNgxBaPr2Ay8PNbWci5KXsOO0hPzntcr9jh
A45KdFFCcHss+yp9o1lMeyGAquweqAAYdN3rebTOV+k
-> piv-p256 XTQkUA Ams4qG3cUEr5JuhwJVl0I9vNvUBSwmeGlO4y1RjW+HM0
09tBHurIIUJrwXfJEDnTpZppseJSxF/Rrzp81tLiEaI
-> piv-p256 ZFgiIw Ar7T0wlAqoYOPxtm8lZnWRCctOFQ3MpmPhZpzz4dm+0i
8vfGeTyhxjU28KeCmOl59IOhxgSEK/invMRBj5y8wvE
-> piv-p256 5vmPtQ Am6sq2Wde4bMWzMTw6+o+yhkM2ZSkpBbbLGVA3RIAylz
6y8WNKVZiMOuyolKGJjGj+Fc9hqkHw362LtYaGhl274
-> 5nt&Ew>-grease V;8yod
bApmEO5jhTtDghPr4gisoTKEuhrFOdKxAuNH4iqUufY3dNfojeB/5IjctLLe5VG7
vWl2CF8Tyw
--- hpy8mTYDQSOQCLhIcQ+5mHcdqRQkvWOIDQHLltWTJD0
…2¿äUðzT§_ÜË´^<5E>
¾¦}…XZg°éVÔ§ñ%áé ?Mèt]vøœ:Ý;ÆwÚ˜*…XOë÷ËÔU}þþd¤Ù<C2A4>ºxKîáA¨§%<25>6

Binary file not shown.