2 commits
556cfab0df
...
bdf7180a13
Author | SHA1 | Date | |
---|---|---|---|
Patrick | bdf7180a13 | ||
Patrick | 40696db2f6 |
|
@ -36,6 +36,8 @@
|
|||
];
|
||||
};
|
||||
user_rules = [
|
||||
"||homematic.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.home.cidrv4}"
|
||||
"||testberry.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.home.cidrv4}"
|
||||
"||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
|
||||
"||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}"
|
||||
"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
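Review bot: The host offsets `30` and `31` in the homematic and testberry rewrites (presumably the two lines this hunk adds) are repeated verbatim in the kea reservations hunk (`ip-address = net.cidr.host 30 subnet;` / `net.cidr.host 31 subnet`), so the DNS answer and the DHCP lease can silently drift apart on the next edit. A single per-device entry in `globals` (name, mac, host offset) consumed by both files would keep them in sync, the way the samba line already reads `globals.services.samba.ip` instead of a literal. The literal `"10.99.2.0/24"` on the fritz.box line is likewise duplicated in forwarding.nix and deserves a named global for the same reason.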
|
||||
|
|
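--- /dev/null
+++ b/config/services/hostapd.nix
@@ -0,0 +1,87 @@
+{ globals, pkgs, ... }:
+{
+microvm.devices = [
+{
+bus = "pci";
+path = "0000:01:00.0";
+}
+];
+networking.nftables.firewall.zones.untrusted.interfaces = [ "lan-services" ];
+hardware.wirelessRegulatoryDatabase = true;
+systemd.network = {
+netdevs."40-wifi-home" = {
+netdevConfig = {
+Name = "br-home";
+Kind = "bridge";
+};
+};
+networks."10-home-bridge" = {
+matchConfig.Name = "lan-home";
+DHCP = "no";
+extraConfig = ''
+[Network]
+Bridge=br-home
+'';
+};
+networks."10-home-" = {
+matchConfig.Name = "br-home";
+DHCP = "yes";
+};
+};
+
+services.hostapd = {
+enable = true;
+radios.wlan1 = {
+band = "2g";
+countryCode = "DE";
+channel = 5;
+wifi4.capabilities = [
+"LDPC"
+"HT40+"
+"HT40-"
+"SHORT-GI-20"
+"SHORT-GI-40"
+"TX-STBC"
+"RX-STBC1"
+];
+wifi5.capabilities = [
+"LDPC"
+"HT40+"
+"HT40-"
+"SHORT-GI-20"
+"SHORT-GI-40"
+"TX-STBC"
+"RX-STBC1"
+];
+wifi6.enable = true;
+wifi7.enable = true;
+networks.wlan1 = {
+inherit (globals.hostapd) ssid;
+apIsolate = true;
+settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
+10 wifi-home br-home
+50 wifi-guest br-guest
+''}";
+authentication = {
+saePasswords = [
+{
+password = "lol";
+vlanid = 10;
+}
+{
+password = "lel";
+vlanid = 50;
+}
+];
+pairwiseCiphers = [
+"CCMP"
+"GCMP"
+"GCMP-256"
+];
+#enableRecommendedPairwiseCiphers = true;
+};
+bssid = "44:38:e8:db:a5:b5";
+};
+};
+};
+}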
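Review bot: `password = "lol";` and `password = "lel";` are the live SAE passphrases for the home (VLAN 10) and guest (VLAN 50) networks, committed as plain literals in the module, and the hostapd configuration generated from them presumably ends up in the world-readable Nix store as well. The guests module in this same change already pulls values from `config.secrets.secrets.local...`, so the passphrases belong there (or in the module's `saePasswordsFile` option) and should be long random strings rather than three-letter words. Separately, the vlan file maps VLAN 50 to `br-guest`, but only `br-home` is declared under `systemd.network.netdevs` here and no network attaches `lan-guests` to a guest bridge, so unless that lives elsewhere, guest clients land on a bridge with no uplink. Finally, `wifi5.capabilities` is a copy of the `wifi4` HT token list; hostapd's `vht_capab` uses different names (`[RXLDPC]`, `[SHORT-GI-80]`, …) and ignores unknown ones, so that list likely contributes nothing and a comment should say whether it is intentional.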
|
@ -132,9 +132,11 @@ in
|
|||
ip = 12;
|
||||
};
|
||||
ddclient = {
|
||||
domain = "";
|
||||
host = "elisabeth-ddclient";
|
||||
};
|
||||
hostapd = {
|
||||
host = "nucnix-hostapd";
|
||||
};
|
||||
murmur = {
|
||||
domain = "ts.${globals.domains.web}";
|
||||
host = "elisabeth-murmur";
|
||||
|
|
|
@ -29,4 +29,9 @@
|
|||
nixpkgs.hostPlatform = "x86_64-linux";
|
||||
|
||||
topology.self.interfaces.lan.network = "home";
|
||||
boot = {
|
||||
kernelParams = [
|
||||
"intel_iommu=on,igx_off,sm_on"
|
||||
];
|
||||
};
|
||||
}
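Review bot: `"intel_iommu=on,igx_off,sm_on"` looks like a typo: the kernel's sub-option is `igfx_off`, and `intel_iommu=` logs unknown tokens and ignores them, so the integrated GPU stays behind the IOMMU even though the parameter suggests the opposite was intended; change it to `"intel_iommu=on,igfx_off,sm_on"`. Since this change also passes PCI device `0000:01:00.0` through to the hostapd microvm, a one-line comment above `kernelParams` naming that as the reason for enabling the IOMMU would save the next reader from guessing, e.g. `# IOMMU required for PCI passthrough to the hostapd microvm`.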
|
||||
|
|
|
@ -5,12 +5,14 @@ let
|
|||
net
|
||||
toUpper
|
||||
mkMerge
|
||||
optionalString
|
||||
;
|
||||
forward =
|
||||
{
|
||||
service,
|
||||
ports,
|
||||
protocol,
|
||||
fport ? null,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
@ -21,10 +23,10 @@ let
|
|||
rules = [
|
||||
"iifname { vlan-fritz, lan-home } ip daddr { ${net.cidr.host 1 globals.net.vlans.services.cidrv4}, ${net.cidr.host 2 "10.99.2.0/24"} } ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${
|
||||
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4
|
||||
}"
|
||||
}${optionalString (fport != null) ":${toString fport}"}"
|
||||
"iifname { vlan-fritz, lan-home } ip6 daddr ${net.cidr.host 1 globals.net.vlans.services.cidrv6} ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${
|
||||
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6
|
||||
}"
|
||||
}${optionalString (fport != null) ":${toString fport}"}"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
@ -63,6 +65,7 @@ mkMerge [
|
|||
9922
|
||||
];
|
||||
protocol = "tcp";
|
||||
fport = 22;
|
||||
})
|
||||
(forward {
|
||||
service = "murmur";
|
||||
|
@ -79,4 +82,13 @@ mkMerge [
|
|||
];
|
||||
protocol = "udp";
|
||||
})
|
||||
{
|
||||
networking.nftables.chains.prerouting.mdns-forward = {
|
||||
after = [ "hook" ];
|
||||
rules = [
|
||||
# "iifname lan-home ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.services.cidrv4} dup to 224.0.0.251 device lan-services notrack"
|
||||
# "iifname lan-services ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.home.cidrv4} dup to 224.0.0.251 device lan-home notrack"
|
||||
];
|
||||
};
|
||||
}
|
||||
]
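Review bot: In the `@ -21,10 +23,10 @@` hunk the IPv6 rule's new suffix `}${optionalString (fport != null) ":${toString fport}"}"` renders as `dnat ip6 to <addr>:22`, but nft's grammar requires the address to be bracketed when a port follows (`dnat ip6 to [<addr>]:22`), so with `fport = 22` the IPv6 rule fails to load while its IPv4 sibling is fine. Change the ip6 branch to open with `dnat ip6 to ${optionalString (fport != null) "["}${` and close with `}${optionalString (fport != null) "]:${toString fport}"}"`. The `forward` function's header is in the earlier hunk and its body is cut by this one, so a short comment on it stating that `fport` rewrites the destination port and that `iifname { vlan-fritz, lan-home }` is the only ingress these forwards accept would document the intent of the new ssh forward (`9922` → `22`) as well.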
|
||||
|
|
|
@ -7,6 +7,13 @@
|
|||
minimal,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib)
|
||||
listToAttrs
|
||||
flip
|
||||
nameValuePair
|
||||
;
|
||||
in
|
||||
{
|
||||
guests =
|
||||
let
|
||||
|
@ -57,12 +64,18 @@
|
|||
];
|
||||
};
|
||||
|
||||
mkMicrovm = guestName: cfg: {
|
||||
mkMicrovm =
|
||||
guestName:
|
||||
{
|
||||
vlans ? [ "services" ],
|
||||
...
|
||||
}@cfg:
|
||||
{
|
||||
${guestName} = mkGuest guestName cfg // {
|
||||
backend = "microvm";
|
||||
microvm = {
|
||||
system = "x86_64-linux";
|
||||
interfaces.lan = lib.trace "This don't work yet" { };
|
||||
interfaces = listToAttrs (flip map vlans (x: (nameValuePair "lan-${x}" { })));
|
||||
baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
|
||||
};
|
||||
extraSpecialArgs = {
|
||||
|
@ -94,5 +107,14 @@
|
|||
];
|
||||
};
|
||||
in
|
||||
{ } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
|
||||
{ }
|
||||
// mkContainer "adguardhome" { }
|
||||
// mkContainer "nginx" { }
|
||||
// mkMicrovm "hostapd" {
|
||||
vlans = [
|
||||
"guests"
|
||||
"home"
|
||||
"services"
|
||||
];
|
||||
};
|
||||
}
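Review bot: `{ vlans ? [ "services" ], ... }@cfg:` keeps `vlans` inside `cfg`, which is then passed unchanged to `mkGuest guestName cfg`; if mkGuest (outside this hunk) is strict about its attributes this fails at evaluation, and otherwise a microvm-only knob leaks into the generic guest definition, so pass `(removeAttrs cfg [ "vlans" ])` instead. `listToAttrs (flip map vlans (x: (nameValuePair "lan-${x}" { })))` reads more directly as `lib.genAttrs (map (x: "lan-${x}") vlans) (_: { })`. A comment on `vlans` saying that each entry becomes a `lan-<vlan>` interface on the guest would make the new parameter self-explaining.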
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
{ globals, ... }:
|
||||
|
||||
{
|
||||
|
||||
hardware.wirelessRegulatoryDatabase = true;
|
||||
|
||||
services.hostapd = {
|
||||
enable = true;
|
||||
radios.wlan1 = {
|
||||
band = "2g";
|
||||
countryCode = "DE";
|
||||
# wifi4.capabilities = [
|
||||
# "LDPC"
|
||||
# "HT40+"
|
||||
# "HT40-"
|
||||
# "GF"
|
||||
# "SHORT-GI-20"
|
||||
# "SHORT-GI-40"
|
||||
# "TX-STBC"
|
||||
# "RX-STBC1"
|
||||
# ];
|
||||
wifi6.enable = true;
|
||||
wifi7.enable = true;
|
||||
networks.wlan1 = {
|
||||
inherit (globals.hostapd) ssid;
|
||||
apIsolate = true;
|
||||
authentication = {
|
||||
saePasswords = [
|
||||
{
|
||||
password = "lol";
|
||||
vlanid = 10;
|
||||
}
|
||||
];
|
||||
enableRecommendedPairwiseCiphers = true;
|
||||
};
|
||||
bssid = "02:c0:ca:b1:4f:9f";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -61,6 +61,16 @@ in
|
|||
}
|
||||
];
|
||||
reservations = [
|
||||
{
|
||||
# homematic
|
||||
hw-address = "b8:27:eb:5d:ff:36";
|
||||
ip-address = net.cidr.host 30 subnet;
|
||||
}
|
||||
{
|
||||
# testberry
|
||||
hw-address = "d8:3a:dd:dc:b6:6a";
|
||||
ip-address = net.cidr.host 31 subnet;
|
||||
}
|
||||
];
|
||||
}
|
||||
);
|
||||
|
|
|
@ -15,7 +15,6 @@ let
|
|||
in
|
||||
{
|
||||
imports = [
|
||||
./hostapd.nix
|
||||
./kea.nix
|
||||
./forwarding.nix
|
||||
];
|
||||
|
|
|
@ -125,8 +125,9 @@ in
|
|||
types.submodule {
|
||||
options = {
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
type = types.nullOr types.str;
|
||||
description = "The domain under which this service can be reached";
|
||||
default = null;
|
||||
};
|
||||
host = mkOption {
|
||||
type = types.str;
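Review bot: `domain` now defaults to `null`, but the description still reads as if every service has one; make it `description = "The domain under which this service can be reached, or null if the service has no domain";`. Callers that interpolate the value, such as the `"||${globals.services.samba.domain}^..."` rewrite in the adguard hunk, will now fail evaluation with a null-coercion error rather than emit an empty rewrite, which is the safer failure mode but worth stating in the description so the next reader does not "fix" it with a default of `""`.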
|
||||
|
|
|
@ -25,4 +25,5 @@
|
|||
../patrick/programs/zsh
|
||||
|
||||
];
|
||||
environment.systemPackages = [ pkgs.neovim ];
|
||||
}
|
||||
|
|