WIP: set up bpir3

2023-08-22 10:20:16 +02:00 · 2023-08-22 10:20:16 +02:00 · 3cd0eb718e
commit 3cd0eb718e
parent 2bedcc0fd3
6 changed files with 96 additions and 65 deletions
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -108,7 +108,7 @@ in {
        enable = true;
        zones = {
          lan.interfaces = ["br-lan"];
-          wan.interfaces = ["wan"];
+          wan.interfaces = ["wan" "lan0"];
        };
        rules = {
          lan = {
@ -130,6 +130,12 @@ in {
          incoming-wan = {
            from = ["wan"];
            to = ["fw"];
+            allowedTCPPortRanges = [
+              {
+                from = 22;
+                to = 22;
+              }
+            ];
            verdict = "drop";
          };
        };
@ -150,14 +156,6 @@ in {
    };
    networks = {
      # Connect the bridge ports to the bridge
-      "30-lan0" = {
-        matchConfig.Name = "lan0";
-        networkConfig = {
-          Bridge = "br-lan";
-          ConfigureWithoutCarrier = true;
-        };
-        linkConfig.RequiredForOnline = "enslaved";
-      };
      "30-lan1" = {
        matchConfig.Name = "lan1";
        networkConfig = {
@ -195,6 +193,22 @@ in {
        # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
        linkConfig.RequiredForOnline = "no";
      };
+      # use lan0 as secondary WAN interface
+      "10-lan0-wan" = {
+        matchConfig.Name = "lan0";
+        networkConfig = {
+          # start a DHCP Client for IPv4 Addressing/Routing
+          DHCP = "ipv4";
+          # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+          IPv6AcceptRA = true;
+          DNSOverTLS = true;
+          DNSSEC = true;
+          IPv6PrivacyExtensions = false;
+          IPForward = true;
+        };
+        # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
+        linkConfig.RequiredForOnline = "no";
+      };
      "10-wan" = {
        matchConfig.Name = "wan";
        networkConfig = {
@ -216,7 +230,9 @@ in {
  # wireless access point
  services.hostapd = {
    enable = true;
-    radios = {
+    radios = let
+      mkBssid = i: "34:56:ce:0f:ed:4${builtins.toString i}";
+    in {
      wlan0 = {
        band = "2g";
        countryCode = "CH";
@ -234,12 +250,15 @@ in {
              mode = "wpa3-sae";
              # saePasswordsFile = config.sops.secrets.wifiPassword.path;
              saePasswords = [
-                {password = "justtestingwifi";}
+                {
+                  password = "justtestingwifi";
+                  # vlanid = 100;
+                }
              ];
            };

            # generated with https://miniwebtool.com/mac-address-generator/
-            bssid = "34:56:ce:0f:ed:40";
+            bssid = mkBssid 0;
            settings = {
              bridge = "br-lan";
            };
@ -251,13 +270,19 @@ in {
              mode = "wpa3-sae-transition";
              # saePasswordsFile = config.sops.secrets.wifiPassword.path;
              saePasswords = [
-                {password = "justtestingwifi";}
+                {
+                  password = "justtestingwifi";
+                  # vlanid = 100;
+                }
              ];
-              wpaPassword = "justtestingwifi";
+              wpaPskFile = pkgs.writeText "pskfile" ''
+                00:00:00:00:00:00 justtestingwifi
+                # vlanid=100 00:00:00:00:00:00 justtestingwifi-vlan
+              '';
            };

            # generated with https://miniwebtool.com/mac-address-generator/
-            bssid = "34:56:ce:0f:ed:41";
+            bssid = mkBssid 1;
            settings = {
              bridge = "br-lan";
            };
@ -392,9 +417,9 @@ in {
      domain = "lan";
      expand-hosts = true;

-      # don't use /etc/hosts as this would advertise surfer as localhost
+      # don't use /etc/hosts as this would advertise ${nodeName} as localhost
      no-hosts = true;
-      address = "/surfer.lan/192.168.10.1";
+      address = "/${nodeName}.lan/192.168.10.1";
    };
  };

--- a/nix/os/devices/router0-dmz0/flake.lock
+++ b/nix/os/devices/router0-dmz0/flake.lock
@ -120,48 +120,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1691654369,
-        "narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=",
-        "owner": "nixos",
+        "lastModified": 1691788113,
+        "narHash": "sha256-h5dnmk0QMQI+WkP7ZGbqusr7GfeXOrYCzO7BoZpSGJ0=",
+        "owner": "steveej-forks",
        "repo": "nixpkgs",
-        "rev": "ce5e4a6ef2e59d89a971bc434ca8ca222b9c7f5e",
+        "rev": "f358ddb768fad528772ae3faf786337fe89a7568",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-master": {
-      "locked": {
-        "lastModified": 1691753935,
-        "narHash": "sha256-fjH5oZ0g8Cb0vrJ8TlS4B7kaVr7YmEdee64ueQ6arAo=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "650596759b8b38399a0c4d5e366847d190360e55",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "master",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1691703261,
-        "narHash": "sha256-jUzmIeh+F+XKkuEhfY+VRgbVitTOr5oh5Oi5p5kr9tQ=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "079f7bd05bf72641e3b5904ed891d44d21ea90ed",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable-small",
+        "owner": "steveej-forks",
+        "ref": "hostapd-fix",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -174,8 +142,6 @@
        "home-manager": "home-manager",
        "nixos-nftables-firewall": "nixos-nftables-firewall",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-master": "nixpkgs-master",
-        "nixpkgs-unstable": "nixpkgs-unstable",
        "srvos": "srvos"
      }
    },
--- a/nix/os/devices/router0-dmz0/flake.nix
+++ b/nix/os/devices/router0-dmz0/flake.nix
@ -1,9 +1,7 @@
 {
  inputs = {
-    # nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
-    nixpkgs-master.url = "github:nixos/nixpkgs/master";
+    # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:steveej-forks/nixpkgs/hostapd-fix";

    get-flake.url = "github:ursi/get-flake";

--- a/nix/os/devices/sj-vps-htz0/system.nix
+++ b/nix/os/devices/sj-vps-htz0/system.nix
@ -3,8 +3,11 @@
  lib,
  config,
  repoFlake,
+  nodeName,
  ...
-}: {
+}: let
+  wireguardPort = 51820;
+in {
  networking.firewall.enable = true;
  networking.nftables.enable = true;

@ -12,6 +15,10 @@
    # iperf3
    5201
  ];
+  networking.firewall.allowedUDPPorts = [
+    wireguardPort
+  ];
+
  networking.firewall.logRefusedConnections = false;

  networking.usePredictableInterfaceNames = false;
@ -54,7 +61,7 @@

  networking.nat = {
    enable = true;
-    internalInterfaces = ["ve-*"];
+    internalInterfaces = ["ve-*" "wg*"];
    externalInterface = "eth0";
  };

@ -64,6 +71,28 @@
    meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340;
  '';

+  sops.secrets.wg0-private.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+  sops.secrets.wg0-psk-steveej-psk.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces.wg0 = {
+    # eth0 MTU (1400) - 80
+    mtu = 1320;
+    ips = [
+      "192.168.99.1/31"
+    ];
+    listenPort =
+      wireguardPort;
+    privateKeyFile = config.sops.secrets.wg0-private.path;
+    peers = [
+      {
+        allowedIPs = ["192.168.99.2/32"];
+        publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0=";
+        presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path;
+      }
+    ];
+  };
+
  # virtualization
  virtualisation = {docker.enable = false;};

--- a/nix/os/devices/steveej-t14/system.nix
+++ b/nix/os/devices/steveej-t14/system.nix
@ -36,6 +36,9 @@ in {
    }
  ];

+  # needed to make wireguard managed by networkmanager route all traffic through it
+  networking.firewall.checkReversePath = false;
+
  networking.firewall.enable = true;
  services.openssh.openFirewall = false;

@ -93,6 +96,12 @@ in {
  services.samba.extraConfig = ''
    # client min protocol = NT1
  '';
+  services.gvfs = {
+    enable = true;
+    package = lib.mkForce pkgs.gnome3.gvfs;
+  };
+  environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit
+

  security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];

--- a/secrets/sj-vps-htz0/secrets.yaml
+++ b/secrets/sj-vps-htz0/secrets.yaml
@ -1,5 +1,9 @@
 #ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment]
 passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str]
+wg0-private: ENC[AES256_GCM,data:hiUUUhQ/hi6d51Wgwb0gZ5lBB5TS9+F8gVEGrRUqLauKjGZujyqjZIFix7E=,iv:ISb5cqkOE0UyQqlQCeclyMBof037XF1+7zDFslKStr0=,tag:Ox0S+YOkfXpFCSbNrdSrxQ==,type:str]
+wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6cF2DBJig4xYo=,iv:ifaQVHQyoYqcr6a4kJ1Kvd4QBDLT5xNyr75GuogBv5g=,tag:Tl9HpsJ5+LaV81LiLcThkg==,type:str]
+wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str]
+wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -15,8 +19,8 @@ sops:
            czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0
            iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-11T16:32:20Z"
-    mac: ENC[AES256_GCM,data:dgiAU9oMoHi1KvmkSbmNYRA6s2dIrsn8JC5UVpmfUUV5X+u+xwzt+QA/9IRHQoBWL3UZNz4E5qIvitEDx0xP8BktfNd2cGmeaBWT5e7YiSYGWNek0r/2SgXf8aSKsay4g+qdkE4mnxhRcj1pOc6dP5cKE/qh7vjnjlpTOMdp1wE=,iv:M7HE/XQGwttkwY7uXf7SHffwcaSzLqATB5Vqes3+W9w=,tag:vBhNC8zgNPPIzeNjikLt9A==,type:str]
+    lastmodified: "2023-08-13T17:03:01Z"
+    mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str]
    pgp:
        - created_at: "2023-08-11T16:31:41Z"
          enc: |-