WIP: set up bpir3

2023-08-22 10:20:16 +02:00 · 2023-08-22 10:20:16 +02:00 · 3cd0eb718e
commit 3cd0eb718e
parent 2bedcc0fd3
6 changed files with 96 additions and 65 deletions
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -108,7 +108,7 @@ in {
        enable = true;
        zones = {
          lan.interfaces = ["br-lan"];
-          wan.interfaces = ["wan"];
+          wan.interfaces = ["wan" "lan0"];
        };
        rules = {
          lan = {
@ -130,6 +130,12 @@ in {
          incoming-wan = {
            from = ["wan"];
            to = ["fw"];
+            allowedTCPPortRanges = [
+              {
+                from = 22;
+                to = 22;
+              }
+            ];
            verdict = "drop";
          };
        };
@ -150,14 +156,6 @@ in {
    };
    networks = {
      # Connect the bridge ports to the bridge
-      "30-lan0" = {
-        matchConfig.Name = "lan0";
-        networkConfig = {
-          Bridge = "br-lan";
-          ConfigureWithoutCarrier = true;
-        };
-        linkConfig.RequiredForOnline = "enslaved";
-      };
      "30-lan1" = {
        matchConfig.Name = "lan1";
        networkConfig = {
@ -195,6 +193,22 @@ in {
        # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
        linkConfig.RequiredForOnline = "no";
      };
+      # use lan0 as secondary WAN interface
+      "10-lan0-wan" = {
+        matchConfig.Name = "lan0";
+        networkConfig = {
+          # start a DHCP Client for IPv4 Addressing/Routing
+          DHCP = "ipv4";
+          # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+          IPv6AcceptRA = true;
+          DNSOverTLS = true;
+          DNSSEC = true;
+          IPv6PrivacyExtensions = false;
+          IPForward = true;
+        };
+        # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
+        linkConfig.RequiredForOnline = "no";
+      };
      "10-wan" = {
        matchConfig.Name = "wan";
        networkConfig = {
@ -216,7 +230,9 @@ in {
  # wireless access point
  services.hostapd = {
    enable = true;
-    radios = {
+    radios = let
+      mkBssid = i: "34:56:ce:0f:ed:4${builtins.toString i}";
+    in {
      wlan0 = {
        band = "2g";
        countryCode = "CH";
@ -234,12 +250,15 @@ in {
              mode = "wpa3-sae";
              # saePasswordsFile = config.sops.secrets.wifiPassword.path;
              saePasswords = [
-                {password = "justtestingwifi";}
+                {
+                  password = "justtestingwifi";
+                  # vlanid = 100;
+                }
              ];
            };

            # generated with https://miniwebtool.com/mac-address-generator/
-            bssid = "34:56:ce:0f:ed:40";
+            bssid = mkBssid 0;
            settings = {
              bridge = "br-lan";
            };
@ -251,13 +270,19 @@ in {
              mode = "wpa3-sae-transition";
              # saePasswordsFile = config.sops.secrets.wifiPassword.path;
              saePasswords = [
-                {password = "justtestingwifi";}
+                {
+                  password = "justtestingwifi";
+                  # vlanid = 100;
+                }
              ];
-              wpaPassword = "justtestingwifi";
+              wpaPskFile = pkgs.writeText "pskfile" ''
+                00:00:00:00:00:00 justtestingwifi
+                # vlanid=100 00:00:00:00:00:00 justtestingwifi-vlan
+              '';
            };

            # generated with https://miniwebtool.com/mac-address-generator/
-            bssid = "34:56:ce:0f:ed:41";
+            bssid = mkBssid 1;
            settings = {
              bridge = "br-lan";
            };
@ -392,9 +417,9 @@ in {
      domain = "lan";
      expand-hosts = true;

-      # don't use /etc/hosts as this would advertise surfer as localhost
+      # don't use /etc/hosts as this would advertise ${nodeName} as localhost
      no-hosts = true;
-      address = "/surfer.lan/192.168.10.1";
+      address = "/${nodeName}.lan/192.168.10.1";
    };
  };

--- a/nix/os/devices/router0-dmz0/flake.lock
+++ b/nix/os/devices/router0-dmz0/flake.lock
@ -120,48 +120,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1691654369,
-        "narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=",
-        "owner": "nixos",
+        "lastModified": 1691788113,
+        "narHash": "sha256-h5dnmk0QMQI+WkP7ZGbqusr7GfeXOrYCzO7BoZpSGJ0=",
+        "owner": "steveej-forks",
        "repo": "nixpkgs",
-        "rev": "ce5e4a6ef2e59d89a971bc434ca8ca222b9c7f5e",
+        "rev": "f358ddb768fad528772ae3faf786337fe89a7568",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-master": {
-      "locked": {
-        "lastModified": 1691753935,
-        "narHash": "sha256-fjH5oZ0g8Cb0vrJ8TlS4B7kaVr7YmEdee64ueQ6arAo=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "650596759b8b38399a0c4d5e366847d190360e55",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "master",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1691703261,
-        "narHash": "sha256-jUzmIeh+F+XKkuEhfY+VRgbVitTOr5oh5Oi5p5kr9tQ=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "079f7bd05bf72641e3b5904ed891d44d21ea90ed",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable-small",
+        "owner": "steveej-forks",
+        "ref": "hostapd-fix",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -174,8 +142,6 @@
        "home-manager": "home-manager",
        "nixos-nftables-firewall": "nixos-nftables-firewall",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-master": "nixpkgs-master",
-        "nixpkgs-unstable": "nixpkgs-unstable",
        "srvos": "srvos"
      }
    },
--- a/nix/os/devices/router0-dmz0/flake.nix
+++ b/nix/os/devices/router0-dmz0/flake.nix
@ -1,9 +1,7 @@
 {
  inputs = {
-    # nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
-    nixpkgs-master.url = "github:nixos/nixpkgs/master";
+    # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:steveej-forks/nixpkgs/hostapd-fix";

    get-flake.url = "github:ursi/get-flake";