feat: hostapd vm

This commit is contained in:
Patrick 2024-12-23 12:42:21 +01:00
parent 40696db2f6
commit bdf7180a13
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
11 changed files with 155 additions and 57 deletions


@ -36,6 +36,8 @@
];
};
user_rules = [
"||homematic.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.home.cidrv4}"
"||testberry.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.home.cidrv4}"
"||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
"||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}"
"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
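Review bot: The host indices 30 and 31 in the two new homematic/testberry dnsrewrite rules duplicate the kea reservations added in the same commit (`ip-address = net.cidr.host 30 subnet;` / `net.cidr.host 31 subnet` in the reservations hunk with `hw-address = "b8:27:eb:5d:ff:36"`); if either side is edited alone, the name silently resolves to an address the host no longer leases, with no evaluation error to catch it. The samba rule just below already takes its address from `globals.services.samba.ip`, so the same pattern would work here: define each host index once in globals and have both the rewrite and the reservation read it. The `user_rules` list continues outside the hunk.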


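--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,87 @@
+{ globals, pkgs, ... }:
+{
+microvm.devices = [
+{
+bus = "pci";
+path = "0000:01:00.0";
+}
+];
+networking.nftables.firewall.zones.untrusted.interfaces = [ "lan-services" ];
+hardware.wirelessRegulatoryDatabase = true;
+systemd.network = {
+netdevs."40-wifi-home" = {
+netdevConfig = {
+Name = "br-home";
+Kind = "bridge";
+};
+};
+networks."10-home-bridge" = {
+matchConfig.Name = "lan-home";
+DHCP = "no";
+extraConfig = ''
+[Network]
+Bridge=br-home
+'';
+};
+networks."10-home-" = {
+matchConfig.Name = "br-home";
+DHCP = "yes";
+};
+};
+services.hostapd = {
+enable = true;
+radios.wlan1 = {
+band = "2g";
+countryCode = "DE";
+channel = 5;
+wifi4.capabilities = [
+"LDPC"
+"HT40+"
+"HT40-"
+"SHORT-GI-20"
+"SHORT-GI-40"
+"TX-STBC"
+"RX-STBC1"
+];
+wifi5.capabilities = [
+"LDPC"
+"HT40+"
+"HT40-"
+"SHORT-GI-20"
+"SHORT-GI-40"
+"TX-STBC"
+"RX-STBC1"
+];
+wifi6.enable = true;
+wifi7.enable = true;
+networks.wlan1 = {
+inherit (globals.hostapd) ssid;
+apIsolate = true;
+settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
+10 wifi-home br-home
+50 wifi-guest br-guest
+''}";
+authentication = {
+saePasswords = [
+{
+password = "lol";
+vlanid = 10;
+}
+{
+password = "lel";
+vlanid = 50;
+}
+];
+pairwiseCiphers = [
+"CCMP"
+"GCMP"
+"GCMP-256"
+];
+#enableRecommendedPairwiseCiphers = true;
+};
+bssid = "44:38:e8:db:a5:b5";
+};
+};
+};
+}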
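Review bot: `vlan_file` maps VLAN 50 to `br-guest`, but this file only defines the `br-home` bridge and only enslaves `lan-home` to it; the VLAN list this commit passes to mkMicrovm for the hostapd guest (`guests`, `home`, `services`) yields an interface named `lan-guests`, which is never bridged here, so guest-VLAN stations would be placed into a bridge that does not exist unless it is created in a module not shown. The two SAE passphrases (`"lol"`, `"lel"`) are committed in plain text and are trivially short; the module's `saePasswordsFile` option lets them come from a secrets file outside the Nix store, and since these passphrases are what decide which VLAN a station lands in, they are the boundary between the home and guest networks. `enableRecommendedPairwiseCiphers` is commented out and replaced by an explicit list without a word on why; a one-liner such as `# explicit list instead of enableRecommendedPairwiseCiphers because: <reason>` would save the next reader a guess, and the unit name `"10-home-"` looks truncated.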


@ -132,9 +132,11 @@ in
ip = 12;
};
ddclient = {
domain = "";
host = "elisabeth-ddclient";
};
hostapd = {
host = "nucnix-hostapd";
};
murmur = {
domain = "ts.${globals.domains.web}";
host = "elisabeth-murmur";


@ -29,4 +29,9 @@
nixpkgs.hostPlatform = "x86_64-linux";
topology.self.interfaces.lan.network = "home";
boot = {
kernelParams = [
"intel_iommu=on,igx_off,sm_on"
];
};
}
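Review bot: `igx_off` in the new `intel_iommu=` value is not an option the kernel parameter documentation lists; the documented spelling is `igfx_off` (keep the IOMMU from being used for the integrated graphics device), so the line was presumably meant to read `"intel_iommu=on,igfx_off,sm_on"`. As far as I recall an unrecognised token is reported and ignored rather than fatal, so the host still boots with the IOMMU on but without the igfx exception; worth confirming in the boot log, since this same commit passes PCI device `0000:01:00.0` through to the hostapd guest.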


@ -82,4 +82,13 @@ mkMerge [
];
protocol = "udp";
})
{
networking.nftables.chains.prerouting.mdns-forward = {
after = [ "hook" ];
rules = [
# "iifname lan-home ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.services.cidrv4} dup to 224.0.0.251 device lan-services notrack"
# "iifname lan-services ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.home.cidrv4} dup to 224.0.0.251 device lan-home notrack"
];
};
}
]
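Review bot: The new `mdns-forward` prerouting chain ships with both of its rules commented out, so it installs an empty chain and leaves the reader guessing whether mDNS reflection between `lan-home` and `lan-services` is intended, broken, or abandoned. Either leave the chain out until the rules work or keep it with a one-line comment naming the blocker, e.g. `# mDNS reflection home<->services disabled: <reason>; chain kept as a placeholder`. The enclosing `mkMerge [` list starts outside the hunk.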


@ -7,6 +7,13 @@
minimal,
...
}:
let
inherit (lib)
listToAttrs
flip
nameValuePair
;
in
{
guests =
let
@ -57,21 +64,27 @@
];
};
mkMicrovm = guestName: cfg: {
${guestName} = mkGuest guestName cfg // {
backend = "microvm";
microvm = {
system = "x86_64-linux";
interfaces.lan = lib.trace "This don't work yet" { };
baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
};
extraSpecialArgs = {
inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib;
inherit inputs minimal stateVersion;
mkMicrovm =
guestName:
{
vlans ? [ "services" ],
...
}@cfg:
{
${guestName} = mkGuest guestName cfg // {
backend = "microvm";
microvm = {
system = "x86_64-linux";
interfaces = listToAttrs (flip map vlans (x: (nameValuePair "lan-${x}" { })));
baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
};
extraSpecialArgs = {
inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib;
inherit inputs minimal stateVersion;
};
};
};
};
mkContainer =
guestName:
@ -94,5 +107,14 @@
];
};
in
{ } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
{ }
// mkContainer "adguardhome" { }
// mkContainer "nginx" { }
// mkMicrovm "hostapd" {
vlans = [
"guests"
"home"
"services"
];
};
}
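Review bot: With the `{ vlans ? [ "services" ], ... }@cfg` pattern the `vlans` key stays inside `cfg`, so `mkGuest guestName cfg` now receives an attribute it never saw before; whether mkGuest tolerates an unknown key depends on its definition, which starts outside this hunk, so check it and strip the key if needed, `${guestName} = mkGuest guestName (removeAttrs cfg [ "vlans" ]) // {`. The interfaces expression `listToAttrs (flip map vlans (x: (nameValuePair "lan-${x}" { })))` is equivalent to `lib.genAttrs (map (x: "lan-${x}") vlans) (_: { })`, which needs none of the three names added to the `let` block above. Because these names become the guest's interface names, the hostapd guest's `"guests"` entry produces `lan-guests`, while the hostapd module added in this commit references `lan-home`, `lan-services` and a `br-guest` bridge; the two should agree on the guest VLAN name.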


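--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,40 +0,0 @@
-{ globals, ... }:
-{
-hardware.wirelessRegulatoryDatabase = true;
-services.hostapd = {
-enable = true;
-radios.wlan1 = {
-band = "2g";
-countryCode = "DE";
-# wifi4.capabilities = [
-# "LDPC"
-# "HT40+"
-# "HT40-"
-# "GF"
-# "SHORT-GI-20"
-# "SHORT-GI-40"
-# "TX-STBC"
-# "RX-STBC1"
-# ];
-wifi6.enable = true;
-wifi7.enable = true;
-networks.wlan1 = {
-inherit (globals.hostapd) ssid;
-apIsolate = true;
-authentication = {
-saePasswords = [
-{
-password = "lol";
-vlanid = 10;
-}
-];
-enableRecommendedPairwiseCiphers = true;
-};
-bssid = "02:c0:ca:b1:4f:9f";
-};
-};
-};
-}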


@ -61,6 +61,16 @@ in
}
];
reservations = [
{
# homematic
hw-address = "b8:27:eb:5d:ff:36";
ip-address = net.cidr.host 30 subnet;
}
{
# testberry
hw-address = "d8:3a:dd:dc:b6:6a";
ip-address = net.cidr.host 31 subnet;
}
];
}
);


@ -15,7 +15,6 @@ let
in
{
imports = [
./hostapd.nix
./kea.nix
./forwarding.nix
];


@ -125,8 +125,9 @@ in
types.submodule {
options = {
domain = mkOption {
type = types.str;
type = types.nullOr types.str;
description = "The domain under which this service can be reached";
default = null;
};
host = mkOption {
type = types.str;
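Review bot: Making `domain` nullable changes what consumers may receive, but the description on the line after the new type still reads as if a string is always present, and call sites that interpolate the value directly (the samba rule `"||${globals.services.samba.domain}^$dnsrewrite=…"` in this commit's user_rules hunk, for instance) fail at evaluation with a null-coercion error for any service that now relies on the `null` default. Update the text to `description = "The domain under which this service can be reached, or null if the service has no DNS name";` and guard such interpolations, e.g. with `lib.optional (svc.domain != null) …`. The enclosing submodule `options` block starts outside the hunk.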


@ -25,4 +25,5 @@
../patrick/programs/zsh
];
environment.systemPackages = [ pkgs.neovim ];
}