feat(router0-dmz0): bump pkgs, adjust VLAN ids, use SFP with quirks

steveej 2025-02-07 11:56:00 +01:00
parent d629f4b354
commit 05973a61a5
4 changed files with 215 additions and 161 deletions


@ -43,23 +43,17 @@ let
};
vlans = {
"10".name = "mgmt";
"10".packet_priority = 0;
"2".name = "dmz";
"2".packet_priority = -5;
"11".name = "dmz";
"11".packet_priority = -5;
"3".name = "iot";
"3".packet_priority = -5;
"12".name = "iot";
"12".packet_priority = -5;
"4".name = "office";
"4".packet_priority = -10;
"13".name = "office";
"13".packet_priority = -10;
"14".name = "guests";
"14".packet_priority = 10;
"15".name = "iot2";
"15".packet_priority = -10;
"5".name = "guests";
"5".packet_priority = 10;
};
vlansByName = lib.attrsets.mapAttrs' (
@ -382,12 +376,77 @@ in
group = "systemd-network";
};
# TODO: this shouldn't be necessary _at all_
systemd.services.sfp-quirk = {
enable = true;
wantedBy = [
"network.target"
"multi-user.target"
];
requires = [
"sys-subsystem-net-devices-lan4.device"
"sys-subsystem-net-devices-eth1.device"
];
after = [
"sys-subsystem-net-devices-lan4.device"
"sys-subsystem-net-devices-eth1.device"
];
path = [
pkgs.ethtool
pkgs.iproute2
pkgs.coreutils
];
script = ''
set -xeE
ip l set dev lan4 down
ip l set dev eth1 down
sleep 0.5
ethtool -s lan4 duplex full autoneg off
ethtool -s eth1 duplex full autoneg off
sleep 0.5
ip l set dev lan4 up
ip l set dev eth1 up
echo quirk applied, fingers crossed.
'';
};
systemd.network = {
wait-online.anyInterface = true;
config.networkConfig = {
IPv4Forwarding = true;
IPv6Forwarding = true;
};
links = {
# TODO: this doesn't work, thus shoving it into a quirk service. however, there's a proper solution beyond any of this.
# "00-eth1" = {
# enable = true;
# matchConfig.Name = "eth1";
# linkConfig = {
# # BitsPerSecond = "2500M";
# Duplex= "full";
# AutoNegotiation = false;
# };
# };
# "00-lan4" = {
# enable = true;
# matchConfig.Name = "lan4@eth0";
# linkConfig = {
# # BitsPerSecond = "1000M";
# Duplex= "full";
# AutoNegotiation = false;
# };
# };
};
netdevs =
let
router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}";
@ -425,26 +484,24 @@ in
};
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
# # alternatively, specific destinations could be allowed
# # alternatively, specific destinations could be allowed
# # remote peer wg addr
# "10.0.0.0/32"
# # remote peer wg addr
# "10.0.0.0/32"
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-ifog_wg0Endpoint;
};
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-ifog_wg0Endpoint;
}
];
};
@ -461,16 +518,14 @@ in
};
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-ifog_wg1Endpoint;
};
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-ifog_wg1Endpoint;
}
];
};
@ -487,26 +542,24 @@ in
};
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
# # alternatively, specific destinations could be allowed
# # alternatively, specific destinations could be allowed
# # remote peer wg addr
# "10.0.0.0/32"
# # remote peer wg addr
# "10.0.0.0/32"
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-hosthatch_wg0Endpoint;
};
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-hosthatch_wg0Endpoint;
}
];
};
@ -588,49 +641,37 @@ in
# ip rule add fwmark 101 priority 1 prohibit
routingPolicyRules = [
{
routingPolicyRuleConfig = {
FirewallMark = 100;
Priority = 30000;
Table = 100;
};
FirewallMark = 100;
Priority = 30000;
Table = 100;
}
{
routingPolicyRuleConfig = {
FirewallMark = 100;
Priority = 30001;
Table = 100;
Type = "prohibit";
};
FirewallMark = 100;
Priority = 30001;
Table = 100;
Type = "prohibit";
}
{
routingPolicyRuleConfig = {
FirewallMark = 101;
Priority = 30000;
Table = 101;
};
FirewallMark = 101;
Priority = 30000;
Table = 101;
}
{
routingPolicyRuleConfig = {
FirewallMark = 101;
Priority = 30001;
Table = 101;
Type = "prohibit";
};
FirewallMark = 101;
Priority = 30001;
Table = 101;
Type = "prohibit";
}
{
routingPolicyRuleConfig = {
FirewallMark = 102;
Priority = 30000;
Table = 102;
};
FirewallMark = 102;
Priority = 30000;
Table = 102;
}
{
routingPolicyRuleConfig = {
FirewallMark = 102;
Priority = 30001;
Table = 102;
Type = "prohibit";
};
FirewallMark = 102;
Priority = 30001;
Table = 102;
Type = "prohibit";
}
];
};
@ -649,10 +690,8 @@ in
# ip route add default via 172.16.0.1 table 101
routes = [
{
routeConfig = {
Gateway = "_dhcp4";
Table = 101;
};
Gateway = "_dhcp4";
Table = 101;
}
];
};
@ -670,16 +709,12 @@ in
# ip route add default via 192.168.0.1 table 100
routes = [
{
routeConfig = {
Gateway = "_dhcp4";
Table = 100;
};
Gateway = "_dhcp4";
Table = 100;
}
{
routeConfig = {
Gateway = "_dhcp4";
Table = 102;
};
Gateway = "_dhcp4";
Table = 102;
}
];
};
@ -695,11 +730,9 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlansByName.dmz.id;
PVID = vlansByName.dmz.id;
EgressUntagged = vlansByName.dmz.id;
};
VLAN = vlansByName.dmz.id;
PVID = vlansByName.dmz.id;
EgressUntagged = vlansByName.dmz.id;
}
];
};
@ -714,11 +747,9 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlansByName.office.id;
PVID = vlansByName.office.id;
EgressUntagged = vlansByName.office.id;
};
VLAN = vlansByName.office.id;
PVID = vlansByName.office.id;
EgressUntagged = vlansByName.office.id;
}
];
};
@ -733,9 +764,39 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
};
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
}
];
};
"30-lan4" = {
matchConfig.Name = "lan4";
networkConfig = {
Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
bridgeVLANs = [
{
VLAN = vlansByName.office.id;
PVID = vlansByName.office.id;
EgressUntagged = vlansByName.office.id;
}
];
};
"30-eth1" = {
matchConfig.Name = "eth1";
networkConfig = {
Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
bridgeVLANs = [
{
VLAN = vlansByName.dmz.id;
PVID = vlansByName.dmz.id;
EgressUntagged = vlansByName.dmz.id;
}
];
};
@ -758,9 +819,7 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
};
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
}
];
@ -774,11 +833,9 @@ in
routes = [
# {
# routeConfig = {
# # test the set uprouting to a specific IP
# Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32";
# MultiPathRoute = "10.0.0.0 1";
# };
# }
];
};
@ -788,10 +845,8 @@ in
address = [ "10.0.0.3/31" ];
routes = [
# {
# routeConfig = {
# Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32";
# MultiPathRoute = "10.0.0.2 1";
# };
# }
];
};
@ -848,9 +903,7 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlanid;
};
VLAN = vlanid;
}
];
};
@ -870,11 +923,9 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlanid;
PVID = vlanid;
EgressUntagged = vlanid;
};
VLAN = vlanid;
PVID = vlanid;
EgressUntagged = vlanid;
}
];
};
@ -1215,13 +1266,14 @@ in
};
};
system.stateVersion = "24.05";
system.stateVersion = "24.11";
# boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6;
environment.systemPackages = [
pkgs.ethtool
pkgs.vim
pkgs.iperf3
pkgs.wireguard-tools
pkgs.tshark
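Review bot: The new `systemd.services.sfp-quirk` unit in the `@ -382,12 +376,77 @@` hunk declares no `serviceConfig.Type`, so it runs as a default `simple` service that is considered finished the moment the script exits, and it is ordered only after the two `.device` units, not relative to `systemd-networkd.service`; because the script takes `lan4` and `eth1` down and back up, it may flap those links after networkd has already enslaved them into the bridge as the `30-lan4`/`30-eth1` ports added further down in this section. I would make it a one-shot that stays active and order it ahead of networkd: `serviceConfig = { Type = "oneshot"; RemainAfterExit = true; };` and `before = [ "systemd-networkd.service" ];`, and once the link settings are confirmed stable drop the `-x` from `set -xeE` so every command is no longer mirrored into the journal. Separately, `system.stateVersion` moves from "24.05" to "24.11" on what appears to be an already-deployed router; stateVersion pins stateful defaults at install time rather than tracking the release, so unless the host was reinstalled it should stay at "24.05" even though the rest of the config is updated for the new module options.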


@ -28,11 +28,11 @@
]
},
"locked": {
"lastModified": 1734701201,
"narHash": "sha256-hk0roBX10j/hospoWIJIJj3i2skd7Oml6yKQBx7mTFk=",
"lastModified": 1738148035,
"narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=",
"owner": "nix-community",
"repo": "disko",
"rev": "2ee76c861af3b895b3b104bae04777b61397485b",
"rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54",
"type": "github"
},
"original": {
@ -63,11 +63,11 @@
]
},
"locked": {
"lastModified": 1734366194,
"narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=",
"lastModified": 1736373539,
"narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f",
"rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
"type": "github"
},
"original": {
@ -80,11 +80,11 @@
"hostapd": {
"flake": false,
"locked": {
"lastModified": 1734953168,
"narHash": "sha256-fMzGrnLPOtMPlY/Myyj93p7rKMi3xHoR7PXZOXjVui8=",
"lastModified": 1738518662,
"narHash": "sha256-MeE2FTG7Jh4BqchSvevJH7IsqTotjemndLzev8TkiRk=",
"ref": "refs/heads/main",
"rev": "fd9bf2cc2f59834b5d9c50a23ac7a833d21eefb2",
"revCount": 20150,
"rev": "c12fc97e3b59742e0c5743fceae6a87a8b13a576",
"revCount": 20282,
"type": "git",
"url": "git://w1.fi/hostap.git?branch=main"
},
@ -121,11 +121,11 @@
]
},
"locked": {
"lastModified": 1734884731,
"narHash": "sha256-8DaMF6XNZobeZo+sOf13nifri0mRXYDAUTh5AD4h4aM=",
"lastModified": 1738254353,
"narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=",
"owner": "nakato",
"repo": "nixos-sbc",
"rev": "2e6bfee808b5291b365795ed11931e1702d30386",
"rev": "21be4ab012197a2eea4bbff8315c40f26f715a18",
"type": "github"
},
"original": {
@ -136,11 +136,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1734875076,
"narHash": "sha256-Pzyb+YNG5u3zP79zoi8HXYMs15Q5dfjDgwCdUI5B0nY=",
"lastModified": 1738702386,
"narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "1807c2b91223227ad5599d7067a61665c52d1295",
"rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e",
"type": "github"
},
"original": {
@ -152,11 +152,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1734649271,
"narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=",
"lastModified": 1738680400,
"narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507",
"rev": "799ba5bffed04ced7067a91798353d360788b30d",
"type": "github"
},
"original": {
@ -205,11 +205,11 @@
]
},
"locked": {
"lastModified": 1734915306,
"narHash": "sha256-cXoiU+doyRAZ/tcCCGcJjwK2bEZbRcuC0E+ZrnmgFOI=",
"lastModified": 1738198321,
"narHash": "sha256-lhnHBXO9Y8xEn92JqxjancdL8Gh16ONuxZp60iZfmX4=",
"owner": "numtide",
"repo": "srvos",
"rev": "31c75c0d702f940aeb89eacc9c5dbde5d43df338",
"rev": "7d5a4aaadac9ff63f9ed4347df95175aceee5079",
"type": "github"
},
"original": {


@ -15,7 +15,8 @@
nixos-sbc.url =
"github:nakato/nixos-sbc"
# "github:steveej-forks/nakato_nixos-sbc/wifi-workaround"
# "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12"
# "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13"
# "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile"
# "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile"
# "git+file:///home/steveej/src/others/nakato_nixos-sbc/"