feat: hostapd vm

2024-12-23 12:42:21 +01:00 · 2024-12-23 12:42:21 +01:00 · bdf7180a13
parent 40696db2f6
commit bdf7180a13
11 changed files with 155 additions and 57 deletions
--- a/config/services/adguardhome.nix
+++ b/config/services/adguardhome.nix
@ -36,6 +36,8 @@
        ];
      };
      user_rules = [
        "||homematic.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.home.cidrv4}"
        "||testberry.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.home.cidrv4}"
        "||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
        "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}"
        "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
--- a/config/services/hostapd.nix
+++ b/config/services/hostapd.nix
@ -0,0 +1,87 @@
 { globals, pkgs, ... }:
 {
  microvm.devices = [
    {
      bus = "pci";
      path = "0000:01:00.0";
    }
  ];
  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan-services" ];
  hardware.wirelessRegulatoryDatabase = true;
  systemd.network = {
    netdevs."40-wifi-home" = {
      netdevConfig = {
        Name = "br-home";
        Kind = "bridge";
      };
    };
    networks."10-home-bridge" = {
      matchConfig.Name = "lan-home";
      DHCP = "no";
      extraConfig = ''
        [Network]
        Bridge=br-home
      '';
    };
    networks."10-home-" = {
      matchConfig.Name = "br-home";
      DHCP = "yes";
    };
  };
  services.hostapd = {
    enable = true;
    radios.wlan1 = {
      band = "2g";
      countryCode = "DE";
      channel = 5;
      wifi4.capabilities = [
        "LDPC"
        "HT40+"
        "HT40-"
        "SHORT-GI-20"
        "SHORT-GI-40"
        "TX-STBC"
        "RX-STBC1"
      ];
      wifi5.capabilities = [
        "LDPC"
        "HT40+"
        "HT40-"
        "SHORT-GI-20"
        "SHORT-GI-40"
        "TX-STBC"
        "RX-STBC1"
      ];
      wifi6.enable = true;
      wifi7.enable = true;
      networks.wlan1 = {
        inherit (globals.hostapd) ssid;
        apIsolate = true;
        settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
          10 wifi-home br-home
          50 wifi-guest br-guest
        ''}";
        authentication = {
          saePasswords = [
            {
              password = "lol";
              vlanid = 10;
            }
            {
              password = "lel";
              vlanid = 50;
            }
          ];
          pairwiseCiphers = [
            "CCMP"
            "GCMP"
            "GCMP-256"
          ];
          #enableRecommendedPairwiseCiphers = true;
        };
        bssid = "44:38:e8:db:a5:b5";
      };
    };
  };
 }
--- a/globals.nix
+++ b/globals.nix
@ -132,9 +132,11 @@ in
        ip = 12;
      };
      ddclient = {
        domain = "";
        host = "elisabeth-ddclient";
      };
      hostapd = {
        host = "nucnix-hostapd";
      };
      murmur = {
        domain = "ts.${globals.domains.web}";
        host = "elisabeth-murmur";
--- a/hosts/nucnix/default.nix
+++ b/hosts/nucnix/default.nix
@ -29,4 +29,9 @@
  nixpkgs.hostPlatform = "x86_64-linux";
  topology.self.interfaces.lan.network = "home";
  boot = {
    kernelParams = [
      "intel_iommu=on,igx_off,sm_on"
    ];
  };
 }
--- a/hosts/nucnix/forwarding.nix
+++ b/hosts/nucnix/forwarding.nix
@ -82,4 +82,13 @@ mkMerge [
    ];
    protocol = "udp";
  })
  {
    networking.nftables.chains.prerouting.mdns-forward = {
      after = [ "hook" ];
      rules = [
        # "iifname lan-home ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.services.cidrv4} dup to 224.0.0.251 device lan-services notrack"
        # "iifname lan-services ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.home.cidrv4} dup to 224.0.0.251 device lan-home notrack"
      ];
    };
  }
 ]
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@ -7,6 +7,13 @@
  minimal,
  ...
 }:
 let
  inherit (lib)
    listToAttrs
    flip
    nameValuePair
    ;
 in
 {
  guests =
    let
@ -57,21 +64,27 @@
          ];
        };
-      mkMicrovm = guestName: cfg: {
+      mkMicrovm =
-        ${guestName} = mkGuest guestName cfg // {
+        guestName:
-          backend = "microvm";
+        {
-          microvm = {
+          vlans ? [ "services" ],
-            system = "x86_64-linux";
+          ...
-            interfaces.lan = lib.trace "This don't work yet" { };
+        }@cfg:
-            baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
+        {
-          };
+          ${guestName} = mkGuest guestName cfg // {
-          extraSpecialArgs = {
+            backend = "microvm";
-            inherit (inputs.self) nodes globals;
+            microvm = {
-            inherit (inputs.self.pkgs.x86_64-linux) lib;
+              system = "x86_64-linux";
-            inherit inputs minimal stateVersion;
+              interfaces = listToAttrs (flip map vlans (x: (nameValuePair "lan-${x}" { })));
              baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
            };
            extraSpecialArgs = {
              inherit (inputs.self) nodes globals;
              inherit (inputs.self.pkgs.x86_64-linux) lib;
              inherit inputs minimal stateVersion;
            };
          };
        };
      };
      mkContainer =
        guestName:
@ -94,5 +107,14 @@
          ];
        };
    in
-    { } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
+    { }
    // mkContainer "adguardhome" { }
    // mkContainer "nginx" { }
    // mkMicrovm "hostapd" {
      vlans = [
        "guests"
        "home"
        "services"
      ];
    };
 }
--- a/hosts/nucnix/hostapd.nix
+++ b/hosts/nucnix/hostapd.nix
@ -1,40 +0,0 @@
 { globals, ... }:
 {
  hardware.wirelessRegulatoryDatabase = true;
  services.hostapd = {
    enable = true;
    radios.wlan1 = {
      band = "2g";
      countryCode = "DE";
      # wifi4.capabilities = [
      #   "LDPC"
      #   "HT40+"
      #   "HT40-"
      #   "GF"
      #   "SHORT-GI-20"
      #   "SHORT-GI-40"
      #   "TX-STBC"
      #   "RX-STBC1"
      # ];
      wifi6.enable = true;
      wifi7.enable = true;
      networks.wlan1 = {
        inherit (globals.hostapd) ssid;
        apIsolate = true;
        authentication = {
          saePasswords = [
            {
              password = "lol";
              vlanid = 10;
            }
          ];
          enableRecommendedPairwiseCiphers = true;
        };
        bssid = "02:c0:ca:b1:4f:9f";
      };
    };
  };
 }
--- a/hosts/nucnix/kea.nix
+++ b/hosts/nucnix/kea.nix
@ -61,6 +61,16 @@ in
            }
          ];
          reservations = [
            {
              # homematic
              hw-address = "b8:27:eb:5d:ff:36";
              ip-address = net.cidr.host 30 subnet;
            }
            {
              # testberry
              hw-address = "d8:3a:dd:dc:b6:6a";
              ip-address = net.cidr.host 31 subnet;
            }
          ];
        }
      );
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@ -15,7 +15,6 @@ let
 in
 {
  imports = [
    ./hostapd.nix
    ./kea.nix
    ./forwarding.nix
  ];
--- a/modules/globals.nix
+++ b/modules/globals.nix
@ -125,8 +125,9 @@ in
              types.submodule {
                options = {
                  domain = mkOption {
-                    type = types.str;
+                    type = types.nullOr types.str;
                    description = "The domain under which this service can be reached";
                    default = null;
                  };
                  host = mkOption {
                    type = types.str;
--- a/users/root/default.nix
+++ b/users/root/default.nix
@ -25,4 +25,5 @@
    ../patrick/programs/zsh
  ];
  environment.systemPackages = [ pkgs.neovim ];
 }