diff --git a/config/services/adguardhome.nix b/config/services/adguardhome.nix
index 0258bda..822c324 100644
--- a/config/services/adguardhome.nix
+++ b/config/services/adguardhome.nix
@@ -36,6 +36,8 @@
 ];
 };
 user_rules = [
+ "||homematic.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.home.cidrv4}"
+ "||testberry.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.home.cidrv4}"
 "||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
 "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}"
 "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
diff --git a/config/services/hostapd.nix b/config/services/hostapd.nix
new file mode 100644
index 0000000..2a5af1c
--- /dev/null
+++ b/config/services/hostapd.nix
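Review bot: The host offsets 30 and 31 in the two added dnsrewrite rules are repeated as bare literals in the kea.nix reservations of this same commit, so the DNS answer and the DHCP lease for homematic and testberry can drift apart without any evaluation error. The samba rule on the next context line already takes its offset from `globals.services.samba.ip`; giving the two new hosts the same treatment, e.g. `"||homematic.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host globals.services.homematic.ip globals.net.vlans.home.cidrv4}"` (with `homematic.ip` added to globals.nix), would keep both files on one source of truth. The kea.nix hunk would then read `ip-address = net.cidr.host globals.services.homematic.ip subnet;` and the MAC-to-IP mapping stays the only hard-coded part.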
@@ -0,0 +1,87 @@
+{ globals, pkgs, ... }:
+{
+ microvm.devices = [
+ {
+ bus = "pci";
+ path = "0000:01:00.0";
+ }
+ ];
+ networking.nftables.firewall.zones.untrusted.interfaces = [ "lan-services" ];
+ hardware.wirelessRegulatoryDatabase = true;
+ systemd.network = {
+ netdevs."40-wifi-home" = {
+ netdevConfig = {
+ Name = "br-home";
+ Kind = "bridge";
+ };
+ };
+ networks."10-home-bridge" = {
+ matchConfig.Name = "lan-home";
+ DHCP = "no";
+ extraConfig = ''
+ [Network]
+ Bridge=br-home
+ '';
+ };
+ networks."10-home-" = {
+ matchConfig.Name = "br-home";
+ DHCP = "yes";
+ };
+ };
+
+ services.hostapd = {
+ enable = true;
+ radios.wlan1 = {
+ band = "2g";
+ countryCode = "DE";
+ channel = 5;
+ wifi4.capabilities = [
+ "LDPC"
+ "HT40+"
+ "HT40-"
+ "SHORT-GI-20"
+ "SHORT-GI-40"
+ "TX-STBC"
+ "RX-STBC1"
+ ];
+ wifi5.capabilities = [
+ "LDPC"
+ "HT40+"
+ "HT40-"
+ "SHORT-GI-20"
+ "SHORT-GI-40"
+ "TX-STBC"
+ "RX-STBC1"
+ ];
+ wifi6.enable = true;
+ wifi7.enable = true;
+ networks.wlan1 = {
+ inherit (globals.hostapd) ssid;
+ apIsolate = true;
+ settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
+ 10 wifi-home br-home
+ 50 wifi-guest br-guest
+ ''}";
+ authentication = {
+ saePasswords = [
+ {
+ password = "lol";
+ vlanid = 10;
+ }
+ {
+ password = "lel";
+ vlanid = 50;
+ }
+ ];
+ pairwiseCiphers = [
+ "CCMP"
+ "GCMP"
+ "GCMP-256"
+ ];
+ #enableRecommendedPairwiseCiphers = true;
+ };
+ bssid = "44:38:e8:db:a5:b5";
+ };
+ };
+ };
+}
diff --git a/globals.nix b/globals.nix
index 49bb3d4..8dba54a 100644
--- a/globals.nix
+++ b/globals.nix
@@ -132,9 +132,11 @@ in
 ip = 12;
 };
 ddclient = {
- domain = "";
 host = "elisabeth-ddclient";
 };
+ hostapd = {
+ host = "nucnix-hostapd";
+ };
 murmur = {
 domain = "ts.${globals.domains.web}";
 host = "elisabeth-murmur";
diff --git a/hosts/nucnix/default.nix b/hosts/nucnix/default.nix
index 2b6efd7..bc5a23b 100644
--- a/hosts/nucnix/default.nix
+++ b/hosts/nucnix/default.nix
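Review bot: The SAE passphrases `"lol"` and `"lel"` in the `saePasswords` entries are committed in plaintext and, because they are part of a Nix expression, are also copied into the world-readable Nix store of the host and of every microvm image built from it. Unless they are deliberate placeholders, the module's `authentication.saePasswordsFile` option fed from the secrets mechanism this repo already uses (`config.secrets.secrets.local...` in guests.nix) keeps them out of both git and the store. Separately, `settings.vlan_file` maps VLAN 50 to `br-guest`, but this file only creates `br-home` and only bridges `lan-home` into it; unless `br-guest` and its attachment to `lan-guests` are defined elsewhere, guest-VLAN clients land on a bridge with no uplink, and the network unit name `"10-home-"` looks truncated. The wifi5 capability list also repeats the HT names used for wifi4; the nixpkgs module expects VHT capability names there, so this presumably does not do what was intended on a 2g radio — worth checking against the generated hostapd.conf.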
@@ -29,4 +29,9 @@
 nixpkgs.hostPlatform = "x86_64-linux";
 topology.self.interfaces.lan.network = "home";
+ boot = {
+ kernelParams = [
+ "intel_iommu=on,igx_off,sm_on"
+ ];
+ };
 }
diff --git a/hosts/nucnix/forwarding.nix b/hosts/nucnix/forwarding.nix
index 62f3fbf..b9cbf68 100644
--- a/hosts/nucnix/forwarding.nix
+++ b/hosts/nucnix/forwarding.nix
@@ -82,4 +82,13 @@ mkMerge [
 ];
 protocol = "udp";
 })
+ {
+ networking.nftables.chains.prerouting.mdns-forward = {
+ after = [ "hook" ];
+ rules = [
+ # "iifname lan-home ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.services.cidrv4} dup to 224.0.0.251 device lan-services notrack"
+ # "iifname lan-services ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.home.cidrv4} dup to 224.0.0.251 device lan-home notrack"
+ ];
+ };
+ }
 ]
diff --git a/hosts/nucnix/guests.nix b/hosts/nucnix/guests.nix
index df70f45..5768999 100644
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@@ -7,6 +7,13 @@
 minimal,
 ...
 }:
+let
+ inherit (lib)
+ listToAttrs
+ flip
+ nameValuePair
+ ;
+in
 {
 guests =
 let
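Review bot: `igx_off` in the added `kernelParams` entry is not an `intel_iommu=` token; the documented option is `igfx_off`, and the kernel only logs an unknown-option notice and ignores the misspelt token, so the integrated-graphics DMAR unit stays enabled contrary to what the line presumably intends. The line should read `"intel_iommu=on,igfx_off,sm_on"`. Since the PCI passthrough of `0000:01:00.0` in config/services/hostapd.nix depends on the IOMMU being up, checking the DMAR lines in the boot log after the fix is worthwhile.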
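Review bot: The new `mdns-forward` prerouting chain has both of its rules commented out, so the hunk installs an empty chain ordered after `hook` and changes nothing at runtime; either leave it out until the reflection works or add a comment saying why it is kept, e.g. `# mDNS reflection home<->services; rules disabled until the rewritten source address is verified`. Note that the drafted rules rewrite `ip saddr` before `dup`, which hides the original sender from the receiving VLAN and makes the duplicated packets hard to attribute in the firewall logs; an application-level reflector would preserve per-client source information if that matters. The `mkMerge` list this item belongs to begins outside the hunk.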
@@ -57,21 +64,27 @@
 ];
 };
- mkMicrovm = guestName: cfg: {
- ${guestName} = mkGuest guestName cfg // {
- backend = "microvm";
- microvm = {
- system = "x86_64-linux";
- interfaces.lan = lib.trace "This don't work yet" { };
- baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
- };
- extraSpecialArgs = {
- inherit (inputs.self) nodes globals;
- inherit (inputs.self.pkgs.x86_64-linux) lib;
- inherit inputs minimal stateVersion;
+ mkMicrovm =
+ guestName:
+ {
+ vlans ? [ "services" ],
+ ...
+ }@cfg:
+ {
+ ${guestName} = mkGuest guestName cfg // {
+ backend = "microvm";
+ microvm = {
+ system = "x86_64-linux";
+ interfaces = listToAttrs (flip map vlans (x: (nameValuePair "lan-${x}" { })));
+ baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
+ };
+ extraSpecialArgs = {
+ inherit (inputs.self) nodes globals;
+ inherit (inputs.self.pkgs.x86_64-linux) lib;
+ inherit inputs minimal stateVersion;
+ };
 };
 };
- };
 mkContainer =
 guestName:
@@ -94,5 +107,14 @@
 ];
 };
 in
- { } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
+ { }
+ // mkContainer "adguardhome" { }
+ // mkContainer "nginx" { }
+ // mkMicrovm "hostapd" {
+ vlans = [
+ "guests"
+ "home"
+ "services"
+ ];
+ };
 }
diff --git a/hosts/nucnix/hostapd.nix b/hosts/nucnix/hostapd.nix
deleted file mode 100644
index 8b05b5d..0000000
--- a/hosts/nucnix/hostapd.nix
+++ /dev/null
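Review bot: `listToAttrs (flip map vlans (x: (nameValuePair "lan-${x}" { })))` in the new `mkMicrovm` is the long form of `lib.genAttrs (map (v: "lan-${v}") vlans) (_: { })`, which reads more directly and would make the three helpers inherited in the earlier hunk unnecessary. The `vlans` key is left inside `cfg` and therefore reaches `mkGuest guestName cfg`; if `mkGuest` (defined outside this hunk) checks its argument set, strip it first with `mkGuest guestName (removeAttrs cfg [ "vlans" ])`. All generated interfaces also share the single `baseMac` taken from `lan01`, which is only correct if the microvm backend derives a distinct MAC per interface from it — worth confirming before the hostapd guest gets three interfaces on the same bridge host.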
@@ -1,40 +0,0 @@
-{ globals, ... }:
-
-{
-
- hardware.wirelessRegulatoryDatabase = true;
-
- services.hostapd = {
- enable = true;
- radios.wlan1 = {
- band = "2g";
- countryCode = "DE";
- # wifi4.capabilities = [
- # "LDPC"
- # "HT40+"
- # "HT40-"
- # "GF"
- # "SHORT-GI-20"
- # "SHORT-GI-40"
- # "TX-STBC"
- # "RX-STBC1"
- # ];
- wifi6.enable = true;
- wifi7.enable = true;
- networks.wlan1 = {
- inherit (globals.hostapd) ssid;
- apIsolate = true;
- authentication = {
- saePasswords = [
- {
- password = "lol";
- vlanid = 10;
- }
- ];
- enableRecommendedPairwiseCiphers = true;
- };
- bssid = "02:c0:ca:b1:4f:9f";
- };
- };
- };
-}
diff --git a/hosts/nucnix/kea.nix b/hosts/nucnix/kea.nix
index 04106ff..cf644db 100644
--- a/hosts/nucnix/kea.nix
+++ b/hosts/nucnix/kea.nix
@@ -61,6 +61,16 @@ in
 }
 ];
 reservations = [
+ {
+ # homematic
+ hw-address = "b8:27:eb:5d:ff:36";
+ ip-address = net.cidr.host 30 subnet;
+ }
+ {
+ # testberry
+ hw-address = "d8:3a:dd:dc:b6:6a";
+ ip-address = net.cidr.host 31 subnet;
+ }
 ];
 }
 );
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix
index bb7b52d..036eb09 100644
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@@ -15,7 +15,6 @@ let
 in
 {
 imports = [
- ./hostapd.nix
 ./kea.nix
 ./forwarding.nix
 ];
diff --git a/modules/globals.nix b/modules/globals.nix
index 42f84f7..95cc62d 100644
--- a/modules/globals.nix
+++ b/modules/globals.nix
@@ -125,8 +125,9 @@ in
 types.submodule {
 options = {
 domain = mkOption {
- type = types.str;
+ type = types.nullOr types.str;
 description = "The domain under which this service can be reached";
+ default = null;
 };
 host = mkOption {
 type = types.str;
diff --git a/users/root/default.nix b/users/root/default.nix
index 2fef20e..8981411 100644
--- a/users/root/default.nix
+++ b/users/root/default.nix
@@ -25,4 +25,5 @@
 ../patrick/programs/zsh
 ];
+ environment.systemPackages = [ pkgs.neovim ];
 }
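Review bot: Changing `domain` to `types.nullOr types.str` with `default = null` silently changes the contract for every consumer that interpolates it: a `"${globals.services.X.domain}"` now aborts evaluation with a null-coercion error for any service that does not set a domain, where the old `types.str` forced the value to be declared explicitly. The adguardhome rule `"||${globals.services.samba.domain}^..."` in this same commit is one such consumer, and the ddclient entry in globals.nix now relies on the null default; consumers should guard with `lib.optional (svc.domain != null) ...` or an assertion on the services they require. The option's description should state the new meaning, e.g. `description = "The domain under which this service can be reached, or null if the service has no own domain";`.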