
2 commits

Patrick bdf7180a13
feat: hostapd vm 2024-12-23 12:42:21 +01:00
Patrick 40696db2f6
fix: forward forgejo to right port 2024-12-22 20:21:56 +01:00
11 changed files with 160 additions and 59 deletions


@ -36,6 +36,8 @@
]; ];
}; };
user_rules = [ user_rules = [
"||homematic.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.home.cidrv4}"
"||testberry.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.home.cidrv4}"
"||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}" "||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
"||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}" "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}"
"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}" "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
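Review bot: The host offsets 30 and 31 in the two new `dnsrewrite` rules (lines 20-21) are the same magic numbers that the Kea hunk hard-codes again in its reservations (`net.cidr.host 30 subnet`, `net.cidr.host 31 subnet`), so the DNS name and the DHCP lease for homematic/testberry can drift apart without any evaluation error. Consider giving both devices an entry in `globals` with an `ip` field, as the other services have, and deriving the rewrite and the reservation from that single place. A one-line comment would also help, since these two names resolve into the home VLAN while the remaining entries point at the services VLAN: `# homematic/testberry live on the home VLAN; keep in sync with the kea reservations`. The `user_rules` list starts and ends outside the hunk.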


@ -0,0 +1,87 @@
{ globals, pkgs, ... }:
{
microvm.devices = [
{
bus = "pci";
path = "0000:01:00.0";
}
];
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan-services" ];
hardware.wirelessRegulatoryDatabase = true;
systemd.network = {
netdevs."40-wifi-home" = {
netdevConfig = {
Name = "br-home";
Kind = "bridge";
};
};
networks."10-home-bridge" = {
matchConfig.Name = "lan-home";
DHCP = "no";
extraConfig = ''
[Network]
Bridge=br-home
'';
};
networks."10-home-" = {
matchConfig.Name = "br-home";
DHCP = "yes";
};
};
services.hostapd = {
enable = true;
radios.wlan1 = {
band = "2g";
countryCode = "DE";
channel = 5;
wifi4.capabilities = [
"LDPC"
"HT40+"
"HT40-"
"SHORT-GI-20"
"SHORT-GI-40"
"TX-STBC"
"RX-STBC1"
];
wifi5.capabilities = [
"LDPC"
"HT40+"
"HT40-"
"SHORT-GI-20"
"SHORT-GI-40"
"TX-STBC"
"RX-STBC1"
];
wifi6.enable = true;
wifi7.enable = true;
networks.wlan1 = {
inherit (globals.hostapd) ssid;
apIsolate = true;
settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
10 wifi-home br-home
50 wifi-guest br-guest
''}";
authentication = {
saePasswords = [
{
password = "lol";
vlanid = 10;
}
{
password = "lel";
vlanid = 50;
}
];
pairwiseCiphers = [
"CCMP"
"GCMP"
"GCMP-256"
];
#enableRecommendedPairwiseCiphers = true;
};
bssid = "44:38:e8:db:a5:b5";
};
};
};
}
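Review bot: The SAE passphrases `lol` (line 95) and `lel` (line 99) are committed in plaintext, end up in the generated hostapd.conf in the world-readable Nix store, and are trivially guessable — `lol` is all that stands between anyone in radio range and the home VLAN (vlanid 10). Move them out of the store via `authentication.saePasswordsFile` (one `sae_password=<passphrase>|vlanid=10` line per network) and use long random passphrases; the repo already reads per-host secrets from `config.secrets.secrets.local...` elsewhere in this commit, so a secret path is presumably available. Separately, the `vlan_file` maps VLAN 50 to `br-guest`, but only `br-home` is declared under `systemd.network.netdevs` and nothing bridges `lan-guests`, so guest clients presumably land on a bridge with no uplink — confirm that is intended or add the matching netdev/network entries. Only `lan-services` is placed in the `untrusted` zone; `lan-guests`, `lan-home` and `br-home` get no zone, so whether traffic from wireless clients toward the VM itself is filtered depends on the firewall module's default for unzoned interfaces — worth stating explicitly with a comment or a zone assignment.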


@ -132,9 +132,11 @@ in
ip = 12; ip = 12;
}; };
ddclient = { ddclient = {
domain = "";
host = "elisabeth-ddclient"; host = "elisabeth-ddclient";
}; };
hostapd = {
host = "nucnix-hostapd";
};
murmur = { murmur = {
domain = "ts.${globals.domains.web}"; domain = "ts.${globals.domains.web}";
host = "elisabeth-murmur"; host = "elisabeth-murmur";


@ -29,4 +29,9 @@
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
topology.self.interfaces.lan.network = "home"; topology.self.interfaces.lan.network = "home";
boot = {
kernelParams = [
"intel_iommu=on,igx_off,sm_on"
];
};
} }
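Review bot: `igx_off` on line 139 is not a recognized `intel_iommu=` sub-option; as far as I can tell the kernel logs unknown sub-options and ignores them, so if `igfx_off` was meant it is currently not in effect and the boot line silently does less than it appears to. Before correcting the spelling, note that `igfx_off` removes DMA remapping for the integrated graphics device, which weakens the isolation the IOMMU provides on a host that passes a PCI device (`0000:01:00.0`) into the hostapd microvm; only enable it for a concrete graphics problem and record the reason next to it, e.g. `"intel_iommu=on,sm_on" # sm_on: scalable mode; add igfx_off only if iGPU faults appear`. The enclosing module attrset starts outside the hunk.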


@ -5,12 +5,14 @@ let
net net
toUpper toUpper
mkMerge mkMerge
optionalString
; ;
forward = forward =
{ {
service, service,
ports, ports,
protocol, protocol,
fport ? null,
... ...
}: }:
{ {
@ -21,10 +23,10 @@ let
rules = [ rules = [
"iifname { vlan-fritz, lan-home } ip daddr { ${net.cidr.host 1 globals.net.vlans.services.cidrv4}, ${net.cidr.host 2 "10.99.2.0/24"} } ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${ "iifname { vlan-fritz, lan-home } ip daddr { ${net.cidr.host 1 globals.net.vlans.services.cidrv4}, ${net.cidr.host 2 "10.99.2.0/24"} } ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4 net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4
}" }${optionalString (fport != null) ":${toString fport}"}"
"iifname { vlan-fritz, lan-home } ip6 daddr ${net.cidr.host 1 globals.net.vlans.services.cidrv6} ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${ "iifname { vlan-fritz, lan-home } ip6 daddr ${net.cidr.host 1 globals.net.vlans.services.cidrv6} ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6 net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6
}" }${optionalString (fport != null) ":${toString fport}"}"
]; ];
}; };
}; };
@ -63,6 +65,7 @@ mkMerge [
9922 9922
]; ];
protocol = "tcp"; protocol = "tcp";
fport = 22;
}) })
(forward { (forward {
service = "murmur"; service = "murmur";
@ -79,4 +82,13 @@ mkMerge [
]; ];
protocol = "udp"; protocol = "udp";
}) })
{
networking.nftables.chains.prerouting.mdns-forward = {
after = [ "hook" ];
rules = [
# "iifname lan-home ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.services.cidrv4} dup to 224.0.0.251 device lan-services notrack"
# "iifname lan-services ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.home.cidrv4} dup to 224.0.0.251 device lan-home notrack"
];
};
}
] ]
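Review bot: With `fport = 22` on line 176, every entry of that `ports` list (9922 and whatever precedes it before the hunk) is DNATed to port 22 on the forgejo guest; if 22 there is the system sshd rather than Forgejo's built-in SSH server, this publishes shell login to `vlan-fritz` and `lan-home`, so confirm which daemon listens on 22 and say so at the call site, e.g. `fport = 22; # forgejo's ssh server inside the guest, not the host sshd`. The `forward` helper should also document its new parameter: `# fport: destination port on the target; null keeps the original dport (with a value, every entry of ports maps to this one port)`. The `mdns-forward` chain with both rules commented out is a no-op as committed; either drop it or leave a comment explaining why the placeholder is kept, since the commented rules carry `notrack` and an `saddr` rewrite that deserve review before they are enabled. The `forward` function and the `mkMerge` list both extend outside the hunk.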


@ -7,6 +7,13 @@
minimal, minimal,
... ...
}: }:
let
inherit (lib)
listToAttrs
flip
nameValuePair
;
in
{ {
guests = guests =
let let
@ -57,21 +64,27 @@
]; ];
}; };
mkMicrovm = guestName: cfg: { mkMicrovm =
${guestName} = mkGuest guestName cfg // { guestName:
backend = "microvm"; {
microvm = { vlans ? [ "services" ],
system = "x86_64-linux"; ...
interfaces.lan = lib.trace "This don't work yet" { }; }@cfg:
baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac; {
}; ${guestName} = mkGuest guestName cfg // {
extraSpecialArgs = { backend = "microvm";
inherit (inputs.self) nodes globals; microvm = {
inherit (inputs.self.pkgs.x86_64-linux) lib; system = "x86_64-linux";
inherit inputs minimal stateVersion; interfaces = listToAttrs (flip map vlans (x: (nameValuePair "lan-${x}" { })));
baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
};
extraSpecialArgs = {
inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib;
inherit inputs minimal stateVersion;
};
}; };
}; };
};
mkContainer = mkContainer =
guestName: guestName:
@ -94,5 +107,14 @@
]; ];
}; };
in in
{ } // mkContainer "adguardhome" { } // mkContainer "nginx" { }; { }
// mkContainer "adguardhome" { }
// mkContainer "nginx" { }
// mkMicrovm "hostapd" {
vlans = [
"guests"
"home"
"services"
];
};
} }
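Review bot: The hostapd guest is attached to three VLANs at once (`guests`, `home`, `services` on lines 246-250), which makes this VM a potential bridge between them; nothing here shows forwarding being disabled in the guest, so either assert it there (`boot.kernel.sysctl."net.ipv4.ip_forward" = 0;` and the IPv6 equivalent) or document which rule keeps wireless VLAN 10/50 traffic from crossing into `lan-services`. Separately, `vlans` travels inside `cfg` into `mkGuest guestName cfg` (line 221); whether `mkGuest` tolerates the extra attribute is not visible here — if it does not, pass `removeAttrs cfg [ "vlans" ]` instead. A short comment on `mkMicrovm` would help future readers: `# vlans: VLAN names to attach; each becomes a guest interface named lan-<vlan>`. The enclosing `guests` let-block starts before the hunk.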


@ -1,40 +0,0 @@
{ globals, ... }:
{
hardware.wirelessRegulatoryDatabase = true;
services.hostapd = {
enable = true;
radios.wlan1 = {
band = "2g";
countryCode = "DE";
# wifi4.capabilities = [
# "LDPC"
# "HT40+"
# "HT40-"
# "GF"
# "SHORT-GI-20"
# "SHORT-GI-40"
# "TX-STBC"
# "RX-STBC1"
# ];
wifi6.enable = true;
wifi7.enable = true;
networks.wlan1 = {
inherit (globals.hostapd) ssid;
apIsolate = true;
authentication = {
saePasswords = [
{
password = "lol";
vlanid = 10;
}
];
enableRecommendedPairwiseCiphers = true;
};
bssid = "02:c0:ca:b1:4f:9f";
};
};
};
}


@ -61,6 +61,16 @@ in
} }
]; ];
reservations = [ reservations = [
{
# homematic
hw-address = "b8:27:eb:5d:ff:36";
ip-address = net.cidr.host 30 subnet;
}
{
# testberry
hw-address = "d8:3a:dd:dc:b6:6a";
ip-address = net.cidr.host 31 subnet;
}
]; ];
} }
); );


@ -15,7 +15,6 @@ let
in in
{ {
imports = [ imports = [
./hostapd.nix
./kea.nix ./kea.nix
./forwarding.nix ./forwarding.nix
]; ];


@ -125,8 +125,9 @@ in
types.submodule { types.submodule {
options = { options = {
domain = mkOption { domain = mkOption {
type = types.str; type = types.nullOr types.str;
description = "The domain under which this service can be reached"; description = "The domain under which this service can be reached";
default = null;
}; };
host = mkOption { host = mkOption {
type = types.str; type = types.str;
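Review bot: Making `domain` nullable with `default = null` means any consumer that interpolates `globals.services.<name>.domain` into a string (the adguardhome hunk does this with `globals.services.samba.domain`) now fails evaluation with a null-in-string error for a service that omits `domain`, and that failure surfaces far from this option. Either guard the consumers where such lists are built (`filter (s: s.domain != null)`) or at least warn here: `description = "The domain under which this service can be reached, or null when the service has no DNS name; consumers must handle null."`. The enclosing submodule and its `host` option continue outside the hunk.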


@ -25,4 +25,5 @@
../patrick/programs/zsh ../patrick/programs/zsh
]; ];
environment.systemPackages = [ pkgs.neovim ];
} }