From 9ad9b97298e04be7ae1e6ece7fe3aae0d0637fa6 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Thu, 18 Jan 2024 23:35:54 +0100
Subject: [PATCH] router0-dmz0: lots of formattign and exposed host fixes
---
 nix/os/devices/router0-dmz0/configuration.nix | 911 +++++++++---------
 nix/os/devices/steveej-t14/hw.nix | 41 +-
 2 files changed, 491 insertions(+), 461 deletions(-)
diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix
index 75ca38f..434e3a7 100644
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@@ -1,14 +1,14 @@
-{
- repoFlake,
- pkgs,
- lib,
- config,
- nodeFlake,
- nodeName,
- localDomainName,
- system,
- ...
-}: let
+{ repoFlake
+, pkgs
+, lib
+, config
+, nodeFlake
+, nodeName
+, localDomainName
+, system
+, ...
+}:
+let
 inherit (nodeFlake.inputs)
 bpir3
@@ -16,21 +16,22 @@ ; vlanRangeStart = builtins.head vlanRange; - vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange)-1); + vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); vlanRangeWith0 = [ 0 ] ++ vlanRange; - mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }: let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = - if vlanid == 0 - then thirdIpv4SegmentMin - else thirdIpv4SegmentMin + 1 - vlanRangeStart; + mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }: + let + # reserve the first subnet for vlanid == 0 + # number the other subnets continously from there + offset = + if vlanid == 0 + then thirdIpv4SegmentMin + else thirdIpv4SegmentMin + 1 - vlanRangeStart; - in + in builtins.concatStringsSep "." - [ "192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}" ]; + [ "192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}" ]; defaultVlan = { name = "${localDomainName}"; @@ -57,11 +58,13 @@ "15".packet_priority = -10; }; - vlansByName = lib.attrsets.mapAttrs' (vlanid': attrs: - lib.attrsets.nameValuePair - attrs.name - (attrs // { id = lib.strings.toInt vlanid'; id' = vlanid';}) - ) vlans; + vlansByName = lib.attrsets.mapAttrs' + (vlanid': attrs: + lib.attrsets.nameValuePair + attrs.name + (attrs // { id = lib.strings.toInt vlanid'; id' = vlanid'; }) + ) + vlans; getVlanDomain = { vlanid }: if vlanid == 0 
@@ -69,15 +72,18 @@ defaultVlan.name else vlans."${toString vlanid}".name + "." + defaultVlan.name - ; + ; bridgeInterfaceName = "br-lan"; mkInterfaceName = { vlanid }: if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}" - ; -in { + ; + + exposedHost = "sj-srv1.dmz.internal"; +in +{ imports = [ repoFlake.inputs.sops-nix.nixosModules.sops 
@@ -174,132 +180,146 @@ in { # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) nftables = - { - enable = true; - stopRuleset = ""; - - chains = { - prerouting = { - "redirectweb" = { - after = ["hook"]; - rules = let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - exposedHost = "srv0-dmz0.dmz.internal"; - in [ - "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - # TODO: if this hostname doesn't resolve it'll break the whole ruleset - # "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" - ]; - }; - }; - }; - - firewall = { + { enable = true; - zones = { - lan.interfaces = [ (mkInterfaceName {vlanid = 0;}) ]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; - # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = ["wan" "lan0"]; - } // - # generate a zone for each vlan - lib.attrsets.mapAttrs (key: value: { - interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; - }) - vlansByName - ; - rules = let - ipv6IcmpTypes = [ - "destination-unreachable" "echo-reply" "echo-request" - "packet-too-big" "parameter-problem" "time-exceeded" + stopRuleset = ""; - # Without the nd-* ones ipv6 will not work. 
- "nd-neighbor-solicit" "nd-router-advert" "nd-neighbor-advert" - ]; - ipv4IcmpTypes = [ - "destination-unreachable" "echo-reply" "echo-request" "source-quench" "time-exceeded" - "router-advertisement" - ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in { - fw = { - from = ["fw"]; - verdict = "accept"; - }; - - office-to-dmz = { - from = ["office"]; - to = ["dmz"]; - verdict = "accept"; - }; - - lan-to-fw = { - from = ["lan"]; - to = ["fw" "lan"]; - verdict = "accept"; - }; - - lan-to-wan = { - from = ["lan"]; - to = ["wan"]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = ["vlan"]; - to = ["wan"]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { from = 67; to = 68; } - { from = 53; to = 53; } - ]; - allowedTCPPortRanges = [ - { from = 22; to = 22; } - { from = 53; to = 53; } - { from = 5201; to = 5201; } - ]; - from = ["vlan"]; - to = ["fw"]; - extraLines = allowIcmpLines ++ [ - "drop" - ]; - }; - - to-wan-nat = { - from = ["lan" "vlan"]; - to = ["wan"]; - masquerade = true; - verdict = "accept"; - }; - - wan-to-dmz = { - from = ["wan"]; - to = ["dmz"]; - verdict = "accept"; - }; - - wan-to-fw = { - from = ["wan"]; - to = ["fw"]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = allowIcmpLines ++ [ - "drop" - ]; + chains = { + prerouting = { + "exposeHost" = { + after = [ "hook" ]; + rules = + let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + in + # TODO: if this hostname doesn't resolve it'll break the whole ruleset + [ + "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" + "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" + ]; + }; }; }; + + firewall = { + enable = true; + zones = { + lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; + 
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; + # lan.ipv4Addresses = ["192.168.0.0/16"]; + wan.interfaces = [ "wan" "lan0" ]; + } // + # generate a zone for each vlan + lib.attrsets.mapAttrs + (key: value: { + interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; + }) + vlansByName + ; + rules = + let + ipv6IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "packet-too-big" + "parameter-problem" + "time-exceeded" + + # Without the nd-* ones ipv6 will not work. + "nd-neighbor-solicit" + "nd-router-advert" + "nd-neighbor-advert" + ]; + ipv4IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "source-quench" + "time-exceeded" + "router-advertisement" + ]; + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" + ]; + in + { + fw = { + from = [ "fw" ]; + verdict = "accept"; + }; + + office-to-dmz = { + from = [ "office" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + lan-to-fw = { + from = [ "lan" ]; + to = [ "fw" "lan" ]; + verdict = "accept"; + }; + + lan-to-wan = { + from = [ "lan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; + + vlan-to-wan = { + from = [ "vlan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; + + vlan-to-fw = { + allowedUDPPortRanges = [ + { from = 67; to = 68; } + { from = 53; to = 53; } + ]; + allowedTCPPortRanges = [ + { from = 22; to = 22; } + { from = 53; to = 53; } + { from = 5201; to = 5201; } + ]; + from = [ "vlan" ]; + to = [ "fw" ]; + extraLines = allowIcmpLines ++ [ + "drop" + ]; + }; + + to-wan-nat = { + from = [ "lan" "vlan" ]; + to = [ "wan" ]; + masquerade = true; + verdict = "accept"; + }; + + wan-to-dmz = { + from = [ "wan" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + wan-to-fw = { + from = [ "wan" ]; + to = [ "fw" ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } 
+ ]; + extraLines = allowIcmpLines ++ [ + "drop" + ]; + }; + }; + }; }; - }; }; systemd.network = { @@ -322,10 +342,10 @@ in { }; } - # generate the vlan devices. these will be tagged on the main bridge - // builtins.foldl' + # generate the vlan devices. these will be tagged on the main bridge + // builtins.foldl' (acc: cur: acc // cur) - {} + { } (builtins.map ({ vlanid, vlanid' }: { "20-${mkInterfaceName { inherit vlanid; }}" = { @@ -433,9 +453,9 @@ in { # Configure the bridge for its desired function "40-${bridgeInterfaceName}" = { matchConfig.Name = bridgeInterfaceName; - bridgeConfig = {}; + bridgeConfig = { }; address = [ - (mkVlanIpv4HostAddr { vlanid = 0; host = 1;}) + (mkVlanIpv4HostAddr { vlanid = 0; host = 1; }) ]; networkConfig = { ConfigureWithoutCarrier = true; 
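Review bot: The `dnat ip to ${exposedHost}` rule in the new `exposeHost` prerouting chain has no protocol or port match, so every new IPv4 connection arriving on the WAN interfaces — except tcp/220, which the preceding `redirect` rule claims first — is rewritten to the DMZ host, and as far as the visible rules show that includes port 22, which `wan-to-fw` still intends to terminate on the router itself. Limiting the match to what the host actually serves, e.g. `"iifname { ${wanInterfaces} } tcp dport { 80, 443 } dnat ip to ${exposedHost}"`, keeps the exposure explicit and auditable. The TODO kept above the list still applies as well: nft resolves the hostname once when the ruleset is loaded, and if `dmz.internal` is answered by this router's own dnsmasq (the cname entries added further down suggest so), a load that runs before dnsmasq is reachable fails the whole ruleset; a fixed address, for instance from `mkVlanIpv4HostAddr { vlanid = <dmz vlan>; host = <n>; cidr = false; }`, removes that dependency. The enclosing `networking` attribute set begins before this hunk.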
@@ -466,72 +486,73 @@ in { # * vlan config for wlan interface // builtins.foldl' - (acc: cur: acc // cur) - {} - (builtins.map ({ vlanid, vlanid' }: { - # configure the tagged vlan device with an address and vlan filtering. - # dnsmasq is configured to serve the respective /24 range on each tagged device. - # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; + (acc: cur: acc // cur) + { } + (builtins.map + ({ vlanid, vlanid' }: { + # configure the tagged vlan device with an address and vlan filtering. + # dnsmasq is configured to serve the respective /24 range on each tagged device. + # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. 
+ "41-${mkInterfaceName { inherit vlanid; }}" = { + matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + address = [ + (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; }; - } - ]; - }; - # configure the wlan interface as a bridge member that - # * only gets traffic for vid 15 - # * untags traffic after receiving it - # * tags traffic that comes out of it - "41-wlan0.${vlanid'}" = { - matchConfig.Name = "wlan0.${vlanid'}"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; - linkConfig.RequiredForOnline = "no"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; + }; + } + ]; + }; - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; - PVID = vlanid; - EgressUntagged = vlanid; + # configure the wlan interface as a bridge member that + # * only gets traffic for vid 15 + # * untags traffic after receiving it + # * tags traffic that comes out of it + "41-wlan0.${vlanid'}" = { + matchConfig.Name = "wlan0.${vlanid'}"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; }; - } - ]; - }; - "50-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "no"; - }; - }) - (builtins.map - (vlanid: { inherit vlanid; vlanid' = builtins.toString vlanid; }) - vlanRange - )) + linkConfig.RequiredForOnline = "no"; + + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; + PVID = vlanid; + EgressUntagged = vlanid; + }; + } + ]; + }; + + "50-${mkInterfaceName { inherit vlanid; }}" = { + matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + address = [ + (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) + ]; + 
networkConfig = { + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "no"; + }; + }) + (builtins.map + (vlanid: { inherit vlanid; vlanid' = builtins.toString vlanid; }) + vlanRange + )) ; }; 
@@ -539,240 +560,248 @@ in { services.hostapd = { enable = true; package = nodeFlake.packages.${system}.hostapd_patched; - radios = let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in { - wlan0 = { - band = "2g"; - countryCode = "CH"; - channel = 0; # ACS + radios = + let + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; + in + { + wlan0 = { + band = "2g"; + countryCode = "CH"; + channel = 0; # ACS - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; - }; - networks = { - wlan0 = let - iface = "wlan0"; - in { - ssid = "mlsia"; - bssid = mkBssid 0; + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + capabilities = [ "HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" ]; + }; + networks = { + wlan0 = + let + iface = "wlan0"; + in + { + ssid = "mlsia"; + bssid = mkBssid 0; - # authentication.mode = "wpa3-sae"; - authentication.mode = "wpa3-sae-transition"; + # authentication.mode = "wpa3-sae"; + authentication.mode = "wpa3-sae-transition"; - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; + authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; + authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # bridge = bridgeInterfaceName; + # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference + settings = { + # bridge = bridgeInterfaceName; - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = 
config.sops.secrets.wlan0_saePasswordsFile.path; + # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + # not yet supported on hostapd 2.10 + # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - # enables debug logging - logger_stdout_level= lib.mkForce 0; - logger_stdout = -1; - # logger_syslog_level= lib.mkForce 0; + # enables debug logging + logger_stdout_level = lib.mkForce 0; + logger_stdout = -1; + # logger_syslog_level= lib.mkForce 0; - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 + # resources on vlan tagging + # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging + # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - dynamic_vlan = 1; + dynamic_vlan = 1; - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; + # this option currently requires a patch to hostapd + vlan_no_bridge = 1; - /* not used due to the above vlan_no_bridge setting + /* not used due to the above vlan_no_bridge setting vlan_tagged_interface = bridgeInterfaceName; vlan_naming = 1; vlan_bridge = "br-${iface}."; - */ + */ - vlan_file = let - generated = builtins.map (vlanid: - "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) vlanRange - ; + vlan_file = + let + generated = builtins.map + (vlanid: + "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" + ) + vlanRange + ; - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. The first # in the interface - # name will be replaced with the VLAN ID. The network interfaces are created - # (and removed) dynamically based on the use. 
- # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; + wildcard = [ + # Optional wildcard entry matching all VLAN IDs. The first # in the interface + # name will be replaced with the VLAN ID. The network interfaces are created + # (and removed) dynamically based on the use. + # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan + "* ${iface}.#" + ]; - file = pkgs.writeText "hostapd.vlan" - (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; - in filePath; + file = pkgs.writeText "hostapd.vlan" + (builtins.concatStringsSep "\n" (generated ++ wildcard)); + filePath = toString file; + in + filePath; - wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ - "WPA-PSK" + wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ + "WPA-PSK" - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" + # TODO: the printer can't connect when this is on + # "WPA-PSK-SHA256" - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ]); + # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them + # "SAE" + ]); - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; + # wpa_psk_radius = 0; + wpa_pairwise = "CCMP"; + wmm_enabled = 1; - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks - ieee80211w = 1; - sae_require_mfp = 1; - sae_groups = "19 20 21"; + # IEEE 802.11i (authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar attacks + ieee80211w = 1; + sae_require_mfp = 1; + sae_groups = "19 20 21"; - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags= "[ENABLE-TLSv1.3]"; + # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) + tls_flags = "[ENABLE-TLSv1.3]"; - ieee8021x=0; - eap_server=0; - }; + ieee8021x = 0; + 
eap_server = 0; + }; + }; + + # wlan0-1 = { + # ssid = "mlsia-testing"; + # authentication = { + # mode = "wpa3-sae-transition"; + # }; + + # bssid = mkBssid 1; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + + # wlan0-1 = { + # ssid = "justtestingwifi-wpa3"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wlan0_1_saePasswordFile.path; + # }; + + # bssid = mkBssid 1; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + + # Uncomment when needed otherwise remove + # wlan0-1 = { + # ssid = "koteczkowo3"; + # authentication = { + # mode = "none"; # this is overriden by settings + # }; + # managementFrameProtection = "optional"; + # bssid = "e6:02:43:07:00:00"; + # settings = { + # bridge = bridgeInterfaceName; + # wpa = lib.mkForce 2; + # wpa_key_mgmt = "WPA-PSK"; + # wpa_pairwise = "CCMP"; + # wpa_psk_file = config.sops.secrets.legacyWifiPassword.path; + # }; + # }; }; - - # wlan0-1 = { - # ssid = "mlsia-testing"; - # authentication = { - # mode = "wpa3-sae-transition"; - # }; - - # bssid = mkBssid 1; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; - - # wlan0-1 = { - # ssid = "justtestingwifi-wpa3"; - # authentication = { - # mode = "wpa3-sae"; - # saePasswordsFile = config.sops.secrets.wlan0_1_saePasswordFile.path; - # }; - - # bssid = mkBssid 1; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; - - # Uncomment when needed otherwise remove - # wlan0-1 = { - # ssid = "koteczkowo3"; - # authentication = { - # mode = "none"; # this is overriden by settings - # }; - # managementFrameProtection = "optional"; - # bssid = "e6:02:43:07:00:00"; - # settings = { - # bridge = bridgeInterfaceName; - # wpa = lib.mkForce 2; - # wpa_key_mgmt = "WPA-PSK"; - # wpa_pairwise = "CCMP"; - # wpa_psk_file = config.sops.secrets.legacyWifiPassword.path; - # }; - # }; }; + + # wlan1 = { + # band = "5g"; + # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 + # channel = 0; # 
ACS + # countryCode = "PL"; + + # # use 'iw phy#1 info' to determine your VHT capabilities + # wifi4 = { + # enable = true; + # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + # }; + # wifi5 = { + # enable = true; + # operatingChannelWidth = "160"; + # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; + # }; + # wifi6 = { + # enable = true; + # singleUserBeamformer = true; + # singleUserBeamformee = true; + # multiUserBeamformer = true; + # operatingChannelWidth = "160"; + # }; + # settings = { + # # these two are mandatory for wifi 5 & 6 to work + # vht_oper_centr_freq_seg0_idx = 50; + # he_oper_centr_freq_seg0_idx = 50; + + # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for + # # transmitting data packets from the second data queue of a network interface. + # # It determines the number of packets that can be sent in a burst. + # # Adjusting this parameter can impact network throughput and latency. + # tx_queue_data2_burst = 2; + + # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. + # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. + # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. 
+ # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 + + # # Magic values that were set by openwrt but I didn't bother inspecting every single one + # he_spr_sr_control = 3; + # he_default_pe_duration = 4; + # he_rts_threshold = 1023; + + # he_mu_edca_qos_info_param_count = 0; + # he_mu_edca_qos_info_q_ack = 0; + # he_mu_edca_qos_info_queue_request = 0; + # he_mu_edca_qos_info_txop_request = 0; + + # # he_mu_edca_ac_be_aci=0; missing in 2.10 + # he_mu_edca_ac_be_aifsn = 8; + # he_mu_edca_ac_be_ecwmin = 9; + # he_mu_edca_ac_be_ecwmax = 10; + # he_mu_edca_ac_be_timer = 255; + + # he_mu_edca_ac_bk_aifsn = 15; + # he_mu_edca_ac_bk_aci = 1; + # he_mu_edca_ac_bk_ecwmin = 9; + # he_mu_edca_ac_bk_ecwmax = 10; + # he_mu_edca_ac_bk_timer = 255; + + # he_mu_edca_ac_vi_ecwmin = 5; + # he_mu_edca_ac_vi_ecwmax = 7; + # he_mu_edca_ac_vi_aifsn = 5; + # he_mu_edca_ac_vi_aci = 2; + # he_mu_edca_ac_vi_timer = 255; + + # he_mu_edca_ac_vo_aifsn = 5; + # he_mu_edca_ac_vo_aci = 3; + # he_mu_edca_ac_vo_ecwmin = 5; + # he_mu_edca_ac_vo_ecwmax = 7; + # he_mu_edca_ac_vo_timer = 255; + # }; + # networks = { + # wlan1 = { + # ssid = "koteczkowo5"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. 
+ # }; + # bssid = "36:b9:02:21:08:a2"; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + # }; + # }; }; - - # wlan1 = { - # band = "5g"; - # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 - # channel = 0; # ACS - # countryCode = "PL"; - - # # use 'iw phy#1 info' to determine your VHT capabilities - # wifi4 = { - # enable = true; - # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; - # }; - # wifi5 = { - # enable = true; - # operatingChannelWidth = "160"; - # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; - # }; - # wifi6 = { - # enable = true; - # singleUserBeamformer = true; - # singleUserBeamformee = true; - # multiUserBeamformer = true; - # operatingChannelWidth = "160"; - # }; - # settings = { - # # these two are mandatory for wifi 5 & 6 to work - # vht_oper_centr_freq_seg0_idx = 50; - # he_oper_centr_freq_seg0_idx = 50; - - # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for - # # transmitting data packets from the second data queue of a network interface. - # # It determines the number of packets that can be sent in a burst. - # # Adjusting this parameter can impact network throughput and latency. - # tx_queue_data2_burst = 2; - - # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. - # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. - # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. 
- # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 - - # # Magic values that were set by openwrt but I didn't bother inspecting every single one - # he_spr_sr_control = 3; - # he_default_pe_duration = 4; - # he_rts_threshold = 1023; - - # he_mu_edca_qos_info_param_count = 0; - # he_mu_edca_qos_info_q_ack = 0; - # he_mu_edca_qos_info_queue_request = 0; - # he_mu_edca_qos_info_txop_request = 0; - - # # he_mu_edca_ac_be_aci=0; missing in 2.10 - # he_mu_edca_ac_be_aifsn = 8; - # he_mu_edca_ac_be_ecwmin = 9; - # he_mu_edca_ac_be_ecwmax = 10; - # he_mu_edca_ac_be_timer = 255; - - # he_mu_edca_ac_bk_aifsn = 15; - # he_mu_edca_ac_bk_aci = 1; - # he_mu_edca_ac_bk_ecwmin = 9; - # he_mu_edca_ac_bk_ecwmax = 10; - # he_mu_edca_ac_bk_timer = 255; - - # he_mu_edca_ac_vi_ecwmin = 5; - # he_mu_edca_ac_vi_ecwmax = 7; - # he_mu_edca_ac_vi_aifsn = 5; - # he_mu_edca_ac_vi_aci = 2; - # he_mu_edca_ac_vi_timer = 255; - - # he_mu_edca_ac_vo_aifsn = 5; - # he_mu_edca_ac_vo_aci = 3; - # he_mu_edca_ac_vo_ecwmin = 5; - # he_mu_edca_ac_vo_ecwmax = 7; - # he_mu_edca_ac_vo_timer = 255; - # }; - # networks = { - # wlan1 = { - # ssid = "koteczkowo5"; - # authentication = { - # mode = "wpa3-sae"; - # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. - # }; - # bssid = "36:b9:02:21:08:a2"; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; - # }; - # }; - }; }; services.resolved.enable = false; 
@@ -797,20 +826,21 @@ in { local-ttl = 0; dhcp-ttl = 0; - dhcp-range = let - mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [ - tag - (mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; }) - (mkVlanIpv4HostAddr { inherit vlanid; host = 199; cidr = false; }) - "12h" - ]; - in + dhcp-range = + let + mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [ + tag + (mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; }) + (mkVlanIpv4HostAddr { inherit vlanid; host = 199; cidr = false; }) + "12h" + ]; + in builtins.map (vlanid: - mkDhcpRange { tag = mkInterfaceName {inherit vlanid;}; inherit vlanid; } + mkDhcpRange { tag = mkInterfaceName { inherit vlanid; }; inherit vlanid; } ) vlanRangeWith0 - ; + ; # interface = bridgeInterfaceName; # bind-interfaces = true; @@ -854,7 +884,9 @@ in { (vlanid: builtins.concatStringsSep "," [ # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) + "${nodeName}.${getVlanDomain{inherit vlanid;}}" + "0.0.0.1" + (mkInterfaceName { inherit vlanid; }) ] ) vlanRangeWith0 @@ -864,6 +896,11 @@ in { (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain{inherit vlanid;}}") vlanRangeWith0 ; + + cname = [ + "mailserver.svc.stefanjunker.de,${exposedHost}" + "www.stefanjunker.de,${exposedHost}" + ]; }; }; 
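Review bot: The two new `cname` entries in the `@@ -864,6 +896,11 @@` hunk point at `${exposedHost}`, and dnsmasq only answers a CNAME whose target it knows itself (from /etc/hosts or an extra hosts file, a DHCP lease, `--interface-name` or another `--cname`); unless `sj-srv1.dmz.internal` is registered through one of those, LAN clients get NXDOMAIN for `www.stefanjunker.de` while external resolvers still work, which is confusing to debug. A short comment on the list, e.g. `# cname targets must be names dnsmasq itself holds (DHCP lease / host-record), not upstream ones`, and a check that the DMZ host's lease carries that hostname would close this. The settings attribute set the list sits in begins before the hunk.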
@@ -881,10 +918,10 @@ in {
 # They fail to load properly, leaving the system without working ethernet, they'll oops on
 # remove. MTK-DSA parts and PCIe were observed to do this.
 boot.initrd.includeDefaultModules = false;
- boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"];
- boot.initrd.availableKernelModules = ["nvme"];
+ boot.initrd.kernelModules = [ "rfkill" "cfg80211" "mt7915e" ];
+ boot.initrd.availableKernelModules = [ "nvme" ];
- boot.kernelParams = ["console=ttyS0,115200"];
+ boot.kernelParams = [ "console=ttyS0,115200" ];
 hardware.enableRedistributableFirmware = true;
 # Wireless hardware exists, regulatory database is essential.
 hardware.wirelessRegulatoryDatabase = true;
diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix
index 5c8c9b4..f60324f 100644
--- a/nix/os/devices/steveej-t14/hw.nix
+++ b/nix/os/devices/steveej-t14/hw.nix
@@ -1,4 +1,5 @@
-{lib, ...}: let
+{ lib, ... }:
+let
 stage1Modules = [
 "aesni_intel"
 "kvm_amd"
@@ -10,34 +11,26 @@
 "usbcore"
 "xhci_hcd"
- "usbnet"
- "snd_usb_audio"
 "usbhid"
- "snd_usbmidi_lib"
- "cdc_mbim"
- "cdc_ncm"
 "usb_storage"
- "cdc_wdm"
- "uvcvideo"
- "btusb"
 "xhci_pci"
- "cdc_ether"
 "uas"
 ];
-in {
+in
+{
 # TASK: new device
 hardware.opinionatedDisk = {
 enable = true;
 encrypted = true;
 diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901";
- earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0";
+ earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0";
 };
 # boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0";
 # see https://linrunner.de/tlp/
 services.tlp = {
- enable = true;
+ enable = false;
 settings = {
 CPU_DRIVER_OPMODE_ON_AC = "active";
 CPU_DRIVER_OPMODE_ON_BAT = "passive";
@@ -81,7 +74,7 @@ in {
 # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
 # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
- SATA_LINKPWR_ON_AC = "maax_performance";
+ SATA_LINKPWR_ON_AC = "max_performance";
 SATA_LINKPWR_ON_BAT = "min_power";
 };
 };
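Review bot: `enable = false;` for `services.tlp` on steveej-t14 (hunk `@@ -10,34 +11,26 @@`) is a behaviour change that the commit title, which names only router0-dmz0 formatting and exposed-host fixes, does not mention, and the full `settings` block stays in place, so the next reader cannot tell whether the disable is deliberate or a debugging leftover. A one-line comment at the `enable` line, e.g. `# TLP disabled on purpose: <reason>; settings kept so it can be re-enabled`, would settle that. The same hunk drops the usbnet/cdc_*/btusb/uvcvideo/snd_usb* entries from `stage1Modules`, which is plausible for an initrd that only needs storage and input drivers but is equally undocumented; the `settings` block continues past the end of the hunk.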
@@ -91,16 +84,16 @@ in {
 enable = true;
 levels = [
 # ["level auto" 0 60]
- [0 0 60]
- [1 60 65]
- [1 65 75]
- [2 75 78]
- [3 78 80]
- [4 80 82]
- [5 82 84]
- [6 84 86]
- [7 86 88]
- ["level full-speed" 88 999]
+ [ 0 0 60 ]
+ [ 1 60 65 ]
+ [ 1 65 75 ]
+ [ 2 75 78 ]
+ [ 3 78 80 ]
+ [ 4 80 82 ]
+ [ 5 82 84 ]
+ [ 6 84 86 ]
+ [ 7 86 88 ]
+ [ "level full-speed" 88 999 ]
 ];
 extraArgs = [