feat(router0-dmz0): use (forked) nixos-sbc and bump to nixos-24.05 / linux-6.9

2024-06-02 23:27:14 +02:00 · 2024-06-02 23:27:14 +02:00 · 47e03a7a5d
commit 47e03a7a5d
parent ce20251ad6
3 changed files with 95 additions and 144 deletions
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -11,8 +11,8 @@
 }: let
  inherit
    (nodeFlake.inputs)
    bpir3
    nixos-nftables-firewall
    nixos-sbc
    ;
  vlanRangeStart = builtins.head vlanRange;
@ -86,31 +86,30 @@
    then bridgeInterfaceName
    else "${bridgeInterfaceName}.${toString vlanid}";
-  exposedHost = "sj-srv1.dmz.internal";
+  dmzExposedHost = "sj-srv1.dmz.internal";
  dmzExposedHostIpv4 = mkVlanIpv4HostAddr {
    vlanid = vlansByName.dmz.id;
    host = 99;
    cidr = false;
  };
  # "sj-srv1.dmz.internal";
 in {
  imports = [
    nixos-sbc.nixosModules.default
    nixos-sbc.nixosModules.boards.bananapi.bpir3
    {
      sbc.version = "0.2";
      sbc.bootstrap.rootFilesystem = "btrfs";
      sbc.wireless.wifi.acceptRegulatoryResponsibility = true;
    }
    repoFlake.inputs.sops-nix.nixosModules.sops
    ../../profiles/common/user.nix
-
+    ../../snippets/nix-settings.nix
    "${bpir3}/lib/sd-image-mt7986.nix"
    nixos-nftables-firewall.nixosModules.default
    {
      nix.nixPath = [
        "nixpkgs=${pkgs.path}"
      ];
      nix.settings.experimental-features = [
        "nix-command"
        "flakes"
      ];
      nix.settings.max-jobs = lib.mkDefault "auto";
      nix.settings.cores = lib.mkDefault 0;
    }
    {
      services.openssh.enable = true;
      services.openssh.settings.PermitRootLogin = "yes";
@ -193,12 +192,10 @@ in {
            after = ["hook"];
            rules = let
              wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces;
-            in
+            in [
-              # ***TODO***: if this hostname doesn't resolve it'll break the whole ruleset
+              "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
-              [
+              "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}"
-                "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
+            ];
                "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
              ];
          };
        };
      };
@ -811,7 +808,7 @@ in {
  # wireless access point
  services.hostapd = {
    enable = true;
-    package = nodeFlake.packages.${system}.hostapd_patched;
+    # package = nodeFlake.packages.${system}.hostapd_patched;
    radios = let
      # generated with https://miniwebtool.com/mac-address-generator/
      mkBssid = i: "34:56:ce:0f:ed:4${toString i}";
@ -1105,19 +1102,14 @@ in {
        )
        vlanRangeWith0;
-      # interface = bridgeInterfaceName;
+      # TODO: double-check that this works
-      # bind-interfaces = true;
+      dhcp-host = "1c:69:7a:07:08:5f,${dmzExposedHostIpv4},${dmzExposedHost}";
      # dhcp-host = "192.168.10.1";
      # local domains
      # local = "/${getVlanDomain {vlanid = 0;}/";
      # domain = getVlanDomain {vlanid = 0;};
      expand-hosts = true;
      # don't use /etc/hosts as this would advertise ${nodeName} as localhost
      no-hosts = true;
      # address = "/${nodeName}.lan/${fwLanHostAddr}";
      server = [
        # upstream DNS servers
@ -1175,80 +1167,19 @@ in {
      # ];
      cname = [
-        "mailserver.svc.stefanjunker.de,${exposedHost}"
+        "mailserver.svc.stefanjunker.de,${dmzExposedHost}"
-        "www.stefanjunker.de,${exposedHost}"
+        "www.stefanjunker.de,${dmzExposedHost}"
-        "hedgedoc.www.stefanjunker.de,${exposedHost}"
+        "hedgedoc.www.stefanjunker.de,${dmzExposedHost}"
-        "jitsi.www.stefanjunker.de,${exposedHost}"
+        "jitsi.www.stefanjunker.de,${dmzExposedHost}"
-        "lldap.www.stefanjunker.de,${exposedHost}"
+        "lldap.www.stefanjunker.de,${dmzExposedHost}"
        "forgejo.www.stefanjunker.de,${dmzExposedHost}"
      ];
    };
  };
-  # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle everything. This is supposed to increase performance by hitting CPU cache more often.
+  system.stateVersion = "24.05";
  # disable for now as i think it causes wifi issues
  services.irqbalance.enable = false;
-  system.stateVersion = "23.05";
+  # boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6;
  boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6;
  # We exclude a number of modules included in the default list. A non-insignificant amount do
  # not apply to embedded hardware like this, so simply skip the defaults.
  #
  # Custom kernel is required as a lot of MTK components misbehave when built as modules.
  # They fail to load properly, leaving the system without working ethernet, they'll oops on
  # remove. MTK-DSA parts and PCIe were observed to do this.
  boot.initrd.includeDefaultModules = false;
  boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"];
  boot.initrd.availableKernelModules = ["nvme"];
  boot.kernelParams = ["console=ttyS0,115200"];
  hardware.enableRedistributableFirmware = true;
  # Wireless hardware exists, regulatory database is essential.
  hardware.wirelessRegulatoryDatabase = true;
  # Extlinux compatible with custom uboot patches in this repo, which also provide unique
  # MAC addresses instead of the non-unique one that gets used by a lot of MTK devices...
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  # Known to work with u-boot; bz2, lzma, and lz4 should be safe too, need to test.
  boot.initrd.compressor = "gzip";
  hardware.deviceTree.filter = "mt7986a-bananapi-bpi-r3.dtb";
  hardware.deviceTree.overlays = [
    {
      name = "bpir3-sd-enable";
      dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-sd.dts";
    }
    {
      name = "bpir3-nand-enable";
      dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-nand.dts";
    }
    {
      name = "bpi-r3 wifi training data";
      dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-wirless.dts";
    }
    {
      name = "reset button disable";
      dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-pcie-button.dts";
    }
    {
      name = "mt7986a efuses";
      dtsFile = "${bpir3}/bpir3-dts/mt7986a-efuse-device-tree-node.dts";
    }
  ];
  boot.initrd.preDeviceCommands = ''
    if [ ! -d /sys/bus/pci/devices/0000:01:00.0 ]; then
      if [ -d /sys/bus/pci/devices/0000:00:00.0 ]; then
        # Remove PCI bridge, then rescan.  NVMe init crashes if PCI bridge not removed first
        echo 1 > /sys/bus/pci/devices/0000:00:00.0/remove
        # Rescan brings PCI root back and brings the NVMe device in.
        echo 1 > /sys/bus/pci/rescan
      else
        info "PCIe bridge missing"
      fi
    fi
  '';
  environment.systemPackages = [
    pkgs.ethtool
--- a/nix/os/devices/router0-dmz0/flake.lock
+++ b/nix/os/devices/router0-dmz0/flake.lock
@ -84,16 +84,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1714043624,
+        "lastModified": 1716736833,
-        "narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
+        "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
+        "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
        "repo": "home-manager",
        "type": "github"
      }
@ -135,18 +135,55 @@
        "type": "github"
      }
    },
    "nixos-sbc": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1717352972,
        "narHash": "sha256-nMLhyLen1Q7+8Bchr4rxC6dGze2+Bxm2jIxuAAKrC7w=",
        "owner": "steveej-forks",
        "repo": "nakato_nixos-sbc",
        "rev": "b04407e73daf3ac9f6eea161b74f8cf990666fe0",
        "type": "github"
      },
      "original": {
        "owner": "steveej-forks",
        "ref": "kernel-6.9_and_cross-compile",
        "repo": "nakato_nixos-sbc",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1714409183,
+        "lastModified": 1717144377,
-        "narHash": "sha256-Wacm/DrzLD7mjFGnSxxyGkJgg2unU/dNdNgdngBH+RU=",
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "576ecd43d3b864966b4423a853412d6177775e8b",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1716948383,
        "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -177,7 +214,9 @@
        "home-manager": "home-manager",
        "hostapd": "hostapd",
        "nixos-nftables-firewall": "nixos-nftables-firewall",
        "nixos-sbc": "nixos-sbc",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "openwrt": "openwrt",
        "srvos": "srvos"
      }
--- a/nix/os/devices/router0-dmz0/flake.nix
+++ b/nix/os/devices/router0-dmz0/flake.nix
@ -1,10 +1,11 @@
 {
  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    get-flake.url = "github:ursi/get-flake";
-    home-manager.url = "github:nix-community/home-manager/release-23.11";
+    home-manager.url = "github:nix-community/home-manager/release-24.05";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    disko.url = "github:nix-community/disko";
@ -19,6 +20,9 @@
    bpir3.inputs.nixpkgs.follows = "nixpkgs";
    nixos-sbc.url = "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile";
    nixos-sbc.inputs.nixpkgs.follows = "nixpkgs";
    nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
    nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
@ -40,7 +44,7 @@
    self,
    get-flake,
    nixpkgs,
-    bpir3,
+    nixos-sbc,
    ...
  }: let
    nativeSystem = "aarch64-linux";
@ -77,23 +81,9 @@
              # flake registry
              {
                nixpkgs.overlays = builtins.attrValues self.overlays;
                nix.registry.nixpkgs.flake = nixpkgs;
              }
              {
                nixpkgs.overlays = [
                  (final: previous: let
                    bpir3Pkgs = previous.callPackage "${bpir3}/pkgs" {};
                  in {
                    inherit
                      (bpir3Pkgs)
                      linuxPackages_bpir3
                      linuxPackages_bpir3_6_6
                      linuxPackages_bpir3_latest
                      ;
                  })
                ];
              }
            ]
            ++ extraModules;
        }
@ -114,23 +104,14 @@
      };
    };
-    packages = let
+    overlays.default = final: previous: {
-      mkPatchedHostapd = pkgs:
+      hostapd = previous.hostapd.overrideDerivation (attrs: {
-        pkgs.hostapd.overrideDerivation (attrs: {
+        patches =
-          patches =
+          attrs.patches
-            attrs.patches
+          ++ [
-            ++ [
+            "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"
-              "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"
+          ];
-            ];
+      });
        });
    in {
      "${nativeSystem}" = {
        hostapd_patched = mkPatchedHostapd pkgs;
      };
      cross = {
        hostapd_patched = mkPatchedHostapd pkgsCross;
      };
    };
  };
 }