diff --git a/.sops.yaml b/.sops.yaml index 4ff660e..eb17a55 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,4 +1,4 @@ -# This example uses YAML anchors which allows reuse of multiple keys +# This example uses YAML anchors which allows reuse of multiple keys # without having to repeat yourself. # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml # for a more complex example. @@ -72,4 +72,4 @@ creation_rules: - pgp: - *steveej age: - - *sj-bm-hostkey0 \ No newline at end of file + - *sj-bm-hostkey0 diff --git a/.vscode/settings.json b/.vscode/settings.json index df4ca93..0691bf9 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,6 +1,6 @@ { "nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix", "[nix]": { - "editor.defaultFormatter": "kamadorueda.alejandra" + "editor.defaultFormatter": "jnoortheen.nix-ide" }, } diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 632be00..71d3873 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix 
@@ -15,13 +15,34 @@ bpir3 nixos-nftables-firewall ; -in { - disabledModules = [ - # "services/networking/hostapd.nix" - ]; + mkVlanIpv4HostAddr = { vlanid, host, ipv4Offset ? 20, cidr ? true }: + builtins.concatStringsSep "." + [ "192" "168" (toString (ipv4Offset + vlanid)) "${toString host}${lib.strings.optionalString cidr "/24"}" ]; + + # vlanRangeStart = 1; + # vlanRangeEnd = 20; + # vlanRange = (lib.lists.range vlanRangeStart vlanRangeEnd); + vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); + vlanRangeWith0 = [ 0 ] ++ vlanRange; + + defaultVlan = { + name = "internal"; + packet_priority = 0; + }; + vlans = { + "1".name = "dmz.${defaultVlan.name}"; + "1".packet_priority = 0; + "2".name = "iot.${defaultVlan.name}"; + "2".packet_priority = -10; + "3".name = "office.${defaultVlan.name}"; + "3".packet_priority = -5; + "4".name = "guests.${defaultVlan.name}"; + "4".packet_priority = 10; + }; + getVlanDomain = { vlanid }: vlans."${toString vlanid}".name or defaultVlan.name; +in { imports = [ - # nodeFlake.inputs.disko.nixosModules.disko repoFlake.inputs.sops-nix.nixosModules.sops ../../profiles/common/user.nix @@ -30,6 +51,17 @@ in { nixos-nftables-firewall.nixosModules.default + { + nix.nixPath = [ + "nixpkgs=${pkgs.path}" + ]; + + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; + } + # TODO # ./network.nix # ./monitoring.nix @@ -43,11 +75,13 @@ in { rootPasswordFile = config.sops.secrets.passwords-root.path; }; - sops.secrets.passwords-root = { - sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - neededForUsers = true; - format = "yaml"; - }; + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + sops.secrets.passwords-root.neededForUsers = true; + + sops.secrets.wlan0_saePasswordsFile = { }; + sops.secrets.wlan0_wpaPskFile = { }; } ]; 
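Review bot: `mkVlanIpv4HostAddr` builds the third octet from `ipv4Offset + vlanid` without checking that the sum stays within 0–255, so a VLAN id above 235 with the default offset silently yields an unroutable address string; a guard such as `assert ipv4Offset + vlanid <= 255;` in front of the `builtins.concatStringsSep` makes the failure explicit at evaluation time. Relatedly, `vlanRange` converts every key of `vlans` with `lib.strings.toInt`, so a non-numeric key aborts evaluation with a generic toInt error; a comment on `vlans` such as `# keys must be decimal VLAN ids; vlanRange parses them with toInt` records that contract. The `let` block this hunk extends starts above the hunk.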
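Review bot: `sops.secrets.wlan0_saePasswordsFile` and `sops.secrets.wlan0_wpaPskFile` are declared as empty attrsets, and nothing records the line format the decrypted files must have for the hostapd `wpa_psk_file` / `sae_password_file` settings further down in this file, which matters because the plaintext exists only inside the encrypted secrets file. A comment above the two declarations, e.g. `# decrypted wlan0_wpaPskFile is a hostapd wpa_psk_file: one "[vlanid=N] <mac or 00:00:00:00:00:00> <psk>" per line`, plus a matching line describing the SAE password file, would let the next editor regenerate them. The default sops-nix owner and mode (root, 0400) presumably suffice because hostapd runs as root, but that is inferred rather than shown here.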
@@ -101,6 +135,8 @@ in { # Use the nftables firewall instead of the base nixos scripted rules. # This flake provides a similar utility to the base nixos scripting. # https://github.com/thelegy/nixos-nftables-firewall/tree/main + + # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) nftables = { enable = true; stopRuleset = ""; 
@@ -108,26 +144,69 @@ in { enable = true; zones = { lan.interfaces = ["br-lan"]; + vlan.interfaces = builtins.map (vlanid: "br-vlan.${toString vlanid}") vlanRange; + # lan.ipv4Addresses = ["192.168.0.0/16"]; wan.interfaces = ["wan" "lan0"]; }; - rules = { - lan = { + rules = let + ipv6IcmpTypes = [ + "destination-unreachable" "echo-reply" "echo-request" + "packet-too-big" "parameter-problem" "time-exceeded" + + # Without the nd-* ones ipv6 will not work. + "nd-neighbor-solicit" "nd-router-advert" "nd-neighbor-advert" + ]; + ipv4IcmpTypes = [ + "destination-unreachable" "echo-reply" "echo-request" "source-quench" "time-exceeded" + "router-advertisement" + ]; + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" + ]; + in { + lan-to-fw = { from = ["lan"]; to = ["fw"]; verdict = "accept"; }; - outbound = { - from = ["lan"]; - to = ["lan" "wan"]; - verdict = "accept"; - }; - nat = { + + lan-to-wan = { from = ["lan"]; to = ["wan"]; - masquerade = true; + verdict = "accept"; }; - incoming-wan = { + vlan-to-wan = { + from = ["vlan"]; + to = ["wan"]; + verdict = "accept"; + }; + + vlan-to-fw = { + allowedUDPPortRanges = [ + { from = 67; to = 68; } + { from = 53; to = 53; } + ]; + allowedTCPPortRanges = [ + { from = 22; to = 22; } + { from = 53; to = 53; } + ]; + from = ["vlan"]; + to = ["fw"]; + extraLines = allowIcmpLines ++ [ + "drop" + ]; + }; + + to-wan-nat = { + from = ["lan" "vlan"]; + to = ["wan"]; + masquerade = true; + verdict = "accept"; + }; + + wan-to-fw = { from = ["wan"]; to = ["fw"]; allowedTCPPortRanges = [ @@ -136,7 +215,9 @@ in { to = 22; } ]; - verdict = "drop"; + extraLines = allowIcmpLines ++ [ + "drop" + ]; }; }; }; 
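Review bot: `vlan-to-fw` admits TCP 22 from the whole `vlan` zone, and that zone is built from every id in `vlanRange`, so the guest and IoT VLANs defined earlier in this file get SSH access to the router exactly like the office VLAN. If that is not intended, the zone can be split per VLAN (e.g. `vlan-guests.interfaces = ["br-vlan.4"];`) and the SSH range kept only in a rule for the trusted zones; otherwise a comment stating that SSH from all VLANs is deliberate would do. The `{ from = 67; to = 68; }` UDP range also opens port 68, the DHCP client port, which the server side on the firewall does not need; `{ from = 67; to = 67; }` is enough. The `rules` attrset opened here closes in the following hunk.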
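Review bot: `wan-to-fw` now accepts every type in the shared `ipv4IcmpTypes` list from the WAN, which includes `router-advertisement` and the obsolete `source-quench`; neither is needed for path-MTU discovery or basic diagnostics from upstream. A narrower list for the WAN side, e.g. `wanIcmpTypes = [ "destination-unreachable" "echo-reply" "echo-request" "time-exceeded" ];` used instead of `allowIcmpLines` in this rule, leaves the internal-zone list unchanged. Whether the `nd-*` ICMPv6 types are wanted from the WAN depends on IPv6 being in use upstream, which this hunk does not show.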
@@ -157,50 +238,12 @@ in { extraConfig = '' [Bridge] STP=true - VLANFiltering=yes - DefaultPVID=none + # VLANFiltering=yes + # DefaultPVID=1 ''; }; }; networks = { - # Connect the bridge ports to the bridge - "30-lan1" = { - matchConfig.Name = "lan1"; - networkConfig = { - Bridge = "br-lan"; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - }; - "30-lan2" = { - matchConfig.Name = "lan2"; - networkConfig = { - Bridge = "br-lan"; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - }; - "30-lan3" = { - matchConfig.Name = "lan3"; - networkConfig = { - Bridge = "br-lan"; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - }; - # Configure the bridge for its desired function - "40-br-lan" = { - matchConfig.Name = "br-lan"; - bridgeConfig = {}; - address = [ - "192.168.10.1/24" - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min - linkConfig.RequiredForOnline = "no"; - }; # use lan0 as secondary WAN interface "10-lan0-wan" = { matchConfig.Name = "lan0"; 
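Review bot: `VLANFiltering=yes` and `DefaultPVID` are commented out on `br-lan` without a note on why, and `DefaultPVID` changes from `none` to `1` on the way, so it is unclear whether the intent is "no VLAN filtering on the wired bridge" or a temporary experiment. If the per-VLAN bridges hostapd creates (`br-vlan.N`, configured later in this file) make filtering on `br-lan` unnecessary, a comment such as `# VLAN filtering is not needed here: hostapd places tagged stations on separate br-vlan.N bridges` should replace the dead lines; if filtering is meant to return, keep `none`, because PVID 1 would map untagged wired traffic to the dmz VLAN id. The `networks` attrset this hunk starts editing continues past the hunk.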
@@ -232,15 +275,88 @@ in { # make routing on this interface a dependency for network-online.target linkConfig.RequiredForOnline = "routable"; }; - }; + + # Connect the bridge ports to the bridge + "30-lan1" = { + matchConfig.Name = "lan1"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan2" = { + matchConfig.Name = "lan2"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan3" = { + matchConfig.Name = "lan3"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + # Configure the bridge for its desired function + "40-br-lan" = { + matchConfig.Name = "br-lan"; + bridgeConfig = {}; + address = [ + (mkVlanIpv4HostAddr { vlanid = 0; host = 1;}) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min + linkConfig.RequiredForOnline = "no"; + + # TODO: understand when this would be needed + # bridgeVLANs = [ + # { + # bridgeVLANConfig = { + # VLAN = "${vlanRangeStart}-${vlanRangeEnd}"; + # }; + # } + # ]; + }; + } + # VLAN interface addresses + // + lib.attrsets.foldlAttrs + (acc: _: value: acc // value) + {} + (lib.attrsets.genAttrs + (builtins.map + builtins.toString + vlanRange + ) + (vlanid: { + "50-br-vlan.${vlanid}" = { + matchConfig.Name = "br-vlan.${toString vlanid}"; + address = [ + (mkVlanIpv4HostAddr { vlanid = (lib.strings.toInt vlanid); host = 1; }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min + linkConfig.RequiredForOnline = "no"; + }; + }) + ); }; # wireless access point services.hostapd = { enable = true; + package = nodeFlake.packages.hostapd_main; radios = let - mkBssid = i: # generated with 
https://miniwebtool.com/mac-address-generator/ - "34:56:ce:0f:ed:4${builtins.toString i}"; + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; in { wlan0 = { band = "2g"; 
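Review bot: The VLAN network units are produced by `lib.attrsets.genAttrs` over `builtins.map builtins.toString vlanRange` and then merged back with `lib.attrsets.foldlAttrs`, converting each id to a string and back with `lib.strings.toInt` on the way; `lib.listToAttrs` with `lib.nameValuePair` over `vlanRange` directly expresses the same attrset with one fewer conversion and no fold. The `toString vlanid` inside `matchConfig.Name` is a no-op in the current form because `vlanid` is already a string there. The `networks` attrset starts above this hunk.

```nix
      # VLAN interface addresses
      //
      lib.listToAttrs (builtins.map
        (vlanid: lib.nameValuePair "50-br-vlan.${toString vlanid}" {
          matchConfig.Name = "br-vlan.${toString vlanid}";
          address = [
            (mkVlanIpv4HostAddr { inherit vlanid; host = 1; })
          ];
          networkConfig = {
            ConfigureWithoutCarrier = true;
          };
          # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
          linkConfig.RequiredForOnline = "no";
        })
        vlanRange);
```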
@@ -254,64 +370,68 @@ in { }; networks = { wlan0 = { - ssid = "justtestingwifi-wpa3"; - authentication = { - mode = "wpa3-sae"; - # saePasswordsFile = config.sops.secrets.wifiPassword.path; - saePasswords = [ - { - password = "normalnormal"; - } - { - password = "vlanvlan"; - vlanid = 1; - } - ]; - }; - + ssid = "mlsia"; bssid = mkBssid 0; - settings = { - bridge = "br-lan"; - }; - }; - wlan0-1 = { - ssid = "justtestingwifi-compat"; - authentication = { - mode = "wpa3-sae-transition"; - # saePasswordsFile = config.sops.secrets.wifiPassword.path; - saePasswords = [ - { - password = "normalnormal"; - } - { - password = "vlanvlan"; - vlanid = 1; - } - ]; - wpaPskFile = pkgs.writeText "wpa_psk" '' - 00:00:00:00:00:00 normalnormal - vlanid=1 00:00:00:00:00:00 vlanvlan - ''; - }; + # manually configure something close to wpa3-sae-transition + authentication.mode = "none"; + # authentication.saePasswordsFile = config.sops.secrets.wlan0_saePasswordsFile.path; - bssid = mkBssid 1; settings = { - bridge = "br-lan"; + # bridge = "br-lan"; + + logger_stdout_level= lib.mkForce 1; + logger_syslog_level= lib.mkForce 1; # resources on vlan tagging # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - vlan_tagged_interface = "br-lan"; - vlan_bridge = "br-vlan"; + vlan_naming = 1; + vlan_bridge = "br-vlan."; dynamic_vlan = 1; - vlan_file = builtins.toString (pkgs.writeText "hostapd.vlan" '' - * wlan0-1.# + vlan_file = toString (pkgs.writeText "hostapd.vlan" '' + * wlan0.# ''); + + wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; + + ieee80211w=1; + auth_algs = 3; + sae_require_mfp = 0; + sae_groups = "19 20 21"; + wpa = 2; + wpa_key_mgmt = "WPA-PSK WPA-PSK-SHA256 SAE"; + + # worked above here + # testing below here + + # ieee80211w = 2; + + # IEEE 802.11i 
(authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar attacks + # ieee80211w = mkDefault 1; + # sae_require_mfp = mkDefault 1; + + # sae_require_mfp = 1; + # sae_groups = "19 20 21"; }; }; + # wlan0-1 = { + # ssid = "justtestingwifi-wpa3"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wlan0_1_saePasswordFile.path; + # }; + + # bssid = mkBssid 1; + # settings = { + # bridge = "br-lan"; + # }; + # }; + # Uncomment when needed otherwise remove # wlan0-1 = { # ssid = "koteczkowo3"; 
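Review bot: The hand-built transition mode sets `sae_require_mfp = 0` together with `ieee80211w=1`, so SAE (WPA3) clients may associate without management frame protection, giving up the deauthentication protection that WPA3 is meant to provide, while WPA2-PSK clients are unaffected either way; `sae_require_mfp = 1;` keeps PMF optional for PSK clients and mandatory for SAE ones. `auth_algs = 3` additionally enables Shared Key authentication, which only applies to WEP; `auth_algs = 1;` is sufficient for WPA2/SAE. Because `authentication.mode = "none"` is used, it is worth confirming in the generated hostapd.conf that the module does not emit its own `wpa` line that conflicts with the manual `wpa = 2` (the `logger_*_level` entries already needed `lib.mkForce`). The `settings` attrset continues into the commented-out block that follows.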
@@ -423,94 +543,75 @@ in { services.resolved.enable = false; - services.dnsmasq = { + services.dnsmasq = let + mkIfName = { vlanid }: if vlanid == 0 then "br-lan" else "br-vlan.${toString vlanid}"; + in { enable = true; settings = { - # upstream DNS servers - server = ["9.9.9.9" "8.8.8.8" "1.1.1.1"]; # sensible behaviours domain-needed = true; bogus-priv = true; no-resolv = true; - dhcp-range = [ - # "br-lan,192.168.10.50,192.168.10.100,24h" - "192.168.10.50,192.168.10.100,24h" - ]; + dhcp-range = let + mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [ + tag + (mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; }) + (mkVlanIpv4HostAddr { inherit vlanid; host = 199; cidr = false; }) + "5m" + ]; + in + builtins.map + (vlanid: + mkDhcpRange { tag = mkIfName {inherit vlanid;}; inherit vlanid; } + ) + vlanRange + ; # interface = "br-lan"; # bind-interfaces = true; - # dhcp-host = "192.168.10.1"; # local domains - local = "/lan/"; - domain = "lan"; + # local = "/${getVlanDomain {vlanid = 0;}/"; + # domain = getVlanDomain {vlanid = 0;}; expand-hosts = true; # don't use /etc/hosts as this would advertise ${nodeName} as localhost no-hosts = true; - address = "/${nodeName}.lan/192.168.10.1"; + + # address = "/${nodeName}.lan/${fwLanHostAddr}"; + server = [ + # upstream DNS servers + "9.9.9.9" "8.8.8.8" "1.1.1.1" + ] ++ builtins.map + (vlanid: "/${nodeName}.${getVlanDomain {inherit vlanid;}}/") + vlanRangeWith0 + ; + + # TODO: compare this to using `interface-name` + dynamic-host = [ + ] ++ builtins.map + (vlanid: + builtins.concatStringsSep "," [ + "${nodeName}.${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkIfName {inherit vlanid;}) + ] + ) + vlanRangeWith0 + ; + + dhcp-option-force = builtins.map + (vlanid: "option:domain-search,${getVlanDomain{inherit vlanid;}}") + vlanRangeWith0 + ; + + localise-queries = true; }; }; # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle 
everything. This is supposed to increase performance by hitting CPU cache more often. services.irqbalance.enable = true; - # disko.devices = { - # disk = { - # nvme0n1 = { - # device = "/dev/nvme0n1"; - # type = "disk"; - # content = { - # type = "table"; - # format = "gpt"; - # partitions = [ - # { - # name = "var-log"; - # start = "1MiB"; - # end = "20G"; - # content = { - # type = "filesystem"; - # format = "ext4"; - # mountpoint = "/var/log"; - # }; - # } - # { - # name = "tmp"; - # start = "20G"; - # end = "60G"; - # content = { - # type = "filesystem"; - # format = "ext4"; - # mountpoint = "/tmp"; - # }; - # } - # { - # name = "var"; - # start = "60G"; - # end = "100G"; - # content = { - # type = "filesystem"; - # format = "ext4"; - # mountpoint = "/var"; - # }; - # } - # { - # name = "swap"; - # start = "100G"; - # end = "100%"; - # content = { - # type = "swap"; - # randomEncryption = false; - # }; - # } - # ]; - # }; - # }; - # }; - # }; - system.stateVersion = "23.05"; boot.kernelPackages = pkgs.linuxPackages_bpir3; diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix index e8d521a..59652be 100644 --- a/nix/os/devices/router0-dmz0/default.nix +++ b/nix/os/devices/router0-dmz0/default.nix @@ -9,6 +9,7 @@ in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; + nodePackages' = nodeFlake.packages.${system}; inherit (nodeFlake.inputs.bpir3.packages.${system}) diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock index 06e3d64..345a940 100644 --- a/nix/os/devices/router0-dmz0/flake.lock +++ b/nix/os/devices/router0-dmz0/flake.lock 
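Review bot: With `interface` and `bind-interfaces` commented out, dnsmasq listens on every interface including `wan` and `lan0`, and only the nftables `wan-to-fw` rule earlier in this file keeps port 53 unreachable from the outside; binding explicitly is cheap defence in depth, e.g. `interface = builtins.map (vlanid: mkIfName { inherit vlanid; }) vlanRangeWith0;` with `bind-dynamic = true;`, using `bind-dynamic` rather than `bind-interfaces` because the `br-vlan.N` bridges are created by hostapd and may not exist when dnsmasq starts. The commented `local = "/${getVlanDomain {vlanid = 0;}/";` line is missing the closing `}` of the attrset inside the interpolation and will not evaluate if it is ever uncommented. The `5m` lease in `mkDhcpRange` looks like a test value; if so, a comment saying that would help. The `services.dnsmasq` attrset closes within this hunk.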
@@ -7,10 +7,11 @@ ] }, "locked": { - "dirtyRev": "4210480bdebbf3a7953e22d5d9f183f47b725bff-dirty", - "dirtyShortRev": "4210480-dirty", - "lastModified": 1688620001, - "narHash": "sha256-INxwGchokdU3ESpnvmfkMWZhocM134FmhWQoyPqtg60=", + "lastModified": 1703182100, + "narHash": "sha256-zl2G9ex86b8G6J9+QT4n9g26G8dtandIt1LlFhZiaxE=", + "ref": "refs/heads/linux-6.6", + "rev": "953a04e6792c412a664212db6a64bbaaa35bff0a", + "revCount": 31, "type": "git", "url": "file:///home/steveej/src/steveej/nixos-bpir3" }, @@ -47,11 +48,11 @@ ] }, "locked": { - "lastModified": 1702569759, - "narHash": "sha256-Ze3AdEEsVZBRJ4wn13EZpV1Uubkzi59TkC4j2G9xoFI=", + "lastModified": 1703162528, + "narHash": "sha256-pQ41wN6JlStkZOhRTIHEpuwVywLdh+xzZQW1+FzdjVs=", "owner": "nix-community", "repo": "disko", - "rev": "98ab91109716871f50ea8cb0e0ac7cc1e1e14714", + "rev": "a050895e4eb06e0738680021a701ea05dc8dbfc9", "type": "github" }, "original": { @@ -82,11 +83,11 @@ ] }, "locked": { - "lastModified": 1702814335, - "narHash": "sha256-Qck7BAMi3eydzT1WFOzp/SgECetyPpOn1dLgmxH2ebQ=", + "lastModified": 1703368619, + "narHash": "sha256-ZGPMYL7FMA6enhuwby961bBANmoFX14EA86m2/Jw5Jo=", "owner": "nix-community", "repo": "home-manager", - "rev": "e4dba0bd01956170667458be7b45f68170a63651", + "rev": "a2523ea0343b056ba240abbac90ab5f116a7aa7b", "type": "github" }, "original": { @@ -96,6 +97,22 @@ "type": "github" } }, + "hostapd": { + "flake": false, + "locked": { + "lastModified": 1703346062, + "narHash": "sha256-SHSBKIgKc5zEGhKDT2v+yGERTJHf8pe+9ZPUwJBTJKQ=", + "ref": "refs/heads/main", + "rev": "196d6c83b9cb7d298fdc92684dc37115348b159e", + "revCount": 19119, + "type": "git", + "url": "git://w1.fi/hostap.git?branch=main" + }, + "original": { + "type": "git", + "url": "git://w1.fi/hostap.git?branch=main" + } + }, "nixos-nftables-firewall": { "inputs": { "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", 
@@ -104,11 +121,11 @@ ] }, "locked": { - "lastModified": 1702744409, - "narHash": "sha256-dcDkc+6TF9EvfWpsLdmGz4hhrNVbQZDgFwvk5SOjYTI=", + "lastModified": 1703279052, + "narHash": "sha256-0rbG/9SwaWtXT7ZuifMq+7wvfxDpZrjr0zdMcM4KK+E=", "owner": "thelegy", "repo": "nixos-nftables-firewall", - "rev": "a33df9d2f586b85e8e7e546d9b99b39f3187c382", + "rev": "3bf23aeb346e772d157816e6b72a742a6c97db80", "type": "github" }, "original": { @@ -119,11 +136,11 @@ }, "nixos-stable": { "locked": { - "lastModified": 1702346276, - "narHash": "sha256-eAQgwIWApFQ40ipeOjVSoK4TEHVd6nbSd9fApiHIw5A=", + "lastModified": 1702921762, + "narHash": "sha256-O/rP7gulApQAB47u6szEd8Pn8Biw0d84j5iuP2tcxzY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cf28ee258fd5f9a52de6b9865cdb93a1f96d09b7", + "rev": "d02ffbbe834b5599fc5f134e644e49397eb07188", "type": "github" }, "original": { @@ -135,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1702312524, - "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=", + "lastModified": 1703255338, + "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a9bf124c46ef298113270b1f84a164865987a91c", + "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04", "type": "github" }, "original": { @@ -155,6 +172,7 @@ "disko": "disko", "get-flake": "get-flake", "home-manager": "home-manager", + "hostapd": "hostapd", "nixos-nftables-firewall": "nixos-nftables-firewall", "nixpkgs": "nixpkgs", "srvos": "srvos" @@ -168,11 +186,11 @@ ] }, "locked": { - "lastModified": 1702518612, - "narHash": "sha256-AGqIpvEMqo0FKXslmKL8ydt01pJFs8q3nUtz7gksoig=", + "lastModified": 1703258052, + "narHash": "sha256-gWGQxht/xRJRnA+35aHtpmev7snsM+2GBdaPyarXNqU=", "owner": "numtide", "repo": "srvos", - "rev": "cd802e2933c567ea91de48dbe8968f41a5d9a642", + "rev": "0c7eefd13776730f33ea28fb984dd95cb5357e8e", "type": "github" }, "original": { 
diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix index 9a714b9..24f5f16 100644 --- a/nix/os/devices/router0-dmz0/flake.nix +++ b/nix/os/devices/router0-dmz0/flake.nix @@ -19,9 +19,10 @@ nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; - }; - # outputs = _: {}; + hostapd.url = "git://w1.fi/hostap.git?branch=main"; + hostapd.flake = false; + }; outputs = { self, @@ -32,6 +33,7 @@ } @ attrs: let system = "aarch64-linux"; nodeName = "router0-dmz0"; + pkgs = nixpkgs.legacyPackages.${system}; mkNixosConfiguration = {extraModules ? [], ...} @ attrs: nixpkgs.lib.nixosSystem ( @@ -67,6 +69,7 @@ linuxPackages_bpir3 ; }) + ]; } ] @@ -88,5 +91,12 @@ ]; }; }; + + packages = { + hostapd_main = pkgs.hostapd.overrideDerivation(attrs: { + src = self.inputs.hostapd; + version = self.inputs.hostapd.rev; + }); + }; }; } diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml index ee184e9..ade560c 100644 --- a/secrets/router0-dmz0/secrets.yaml +++ b/secrets/router0-dmz0/secrets.yaml 
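Review bot: The new `hostapd.url = "git://w1.fi/hostap.git?branch=main"` fetches over the unauthenticated git protocol, so the tree is only as trustworthy as the network path at `nix flake update` time, with the lock's `narHash` then pinning whatever was fetched. If the upstream offers an HTTPS clone URL, switching the input to it removes the transport risk for future updates; otherwise a comment noting that `rev` and `narHash` in flake.lock are the only integrity anchor is worth having. Tracking `main` of the access-point authenticator also means each update pulls an untested development snapshot, which a note next to the input should acknowledge.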
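Review bot: `pkgs.hostapd.overrideDerivation` swaps only `src` and `version`, so any `patches` and build configuration that nixpkgs applies to its pinned hostapd release are still applied to the `main` checkout, where they may fail to apply or alter behaviour; this is worth checking in the build log and, if unwanted, clearing with `patches = [];`. `overrideAttrs` is the conventional form, e.g. `hostapd_main = pkgs.hostapd.overrideAttrs (old: { src = self.inputs.hostapd; version = self.inputs.hostapd.rev; });`. The earlier hunk in this file adds a bare `];` after the `})` inside `mkNixosConfiguration`, which I cannot match to an opening bracket from the visible context, so that hunk should be double-checked for balance.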
@@ -4,6 +4,8 @@ ssh_host_ed25519_key: ENC[AES256_GCM,data:XQjTqNADLhisxPBIJ7x0bs3qgQk0u4q9HKSDuk ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str] ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str] ssh_host_rsa_key_pub: ENC[AES256_GCM,data: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,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str] +wlan0_saePasswordsFile: ENC[AES256_GCM,data:Lq81rCQNUmrZi047UxvFI+Sg6YfBzPaTkK23FTwyfEtMIgHlAtY7lrW7lqR1iDEafOlK0uX8dUkQXRZzjuIbhP3UP/WYUtZ/RxoQdoQI9HAFXBG8g3RgD3OsW/3RY6VLkNFD5p3PST8wGpO1iXZzjJC8UH9WeAg3CcKdtPK+,iv:5rcrcVsbYaDhUTseIIDIC6oFEonCFkx9kYsA5DhMu8I=,tag:QQ3jX6kPiAd9IJfS7TkuvA==,type:str] +wlan0_wpaPskFile: ENC[AES256_GCM,data:rgPROqPL6wd4RacWU1loCG6v0h4Rh30sWdVuDKu72byzh1wyufP5+hNdJkw4zb69IdVmQGRekt9HGX6sQ4DlZz2MrDTYPH1dj+IXpJEHxCPM07a2rwCm+X9mgEkOkr2NURXVVaf9H7EpVnyXYvcNYmAVn9ZwC7rbYS3Xg7Y5OzMOQ7zabtw/8C1EZiJ9hZAzN8jyE1Gu9bgWSaRqGjLI08zbh6UqiNiTTcZhH5Wr2Z3sIfqlr6QJoQp+rAD2yQm6qefOJZWM+1ZlPtv1VCW8AN6oGKiVVdlK,iv:jEnkYarguNECjO2cTjSSgshJMszCuRAjqLQpDzXyTxs=,tag:Rx1wR3L3LCErHMud9goY5g==,type:str] sops: kms: [] gcp_kms: [] 
@@ -19,8 +21,8 @@ sops: THRNR0tEUzhPdFFhWWxvZlpKYmZKM2MKxc5s1jsci8jPOrvZAoofVNvHT4o9P6yv J8rALQQXgql6obK51Q/Doyzvo1RJ0T7epiWEAZm5B3vDrf6KqbWBYw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-11T16:46:38Z" - mac: ENC[AES256_GCM,data:W9aRsPPRKro6rGbNvBV8bftPklQn6LN6Lq+G45vYTVRZs5t0F1qFqUpXDXKTrZ040mkYnECi7JSRWeJvyfGqHK5KPY1uWtBxDoghYfO/J7VXBNv+NbROO4KoAKYAoOpZSECVqXgm6U69G1GGu8yyrDPDFAcfbFXivXqH+e7t42A=,iv:uUndgDmUHBYCKvb2LHC9zRp+eBwcy6107ocaJFniV6o=,tag:VGKODnvz107hvEoCT0risw==,type:str] + lastmodified: "2023-12-24T18:56:12Z" + mac: ENC[AES256_GCM,data:PF4gJL0u0vbU5o79IYWByWo4bZgZ7qWw/+mJN+YNzG4Jti+2D7gwKOs9edCHUuSti8iVov1RciretQHfkis5JDydykjb03uMaV8r6lVCmB8i/JARHEr5Amq0wld30qHaCtCayTTWQNA05jdzZB4a2dSIAqJh/R5YTaJ7HY+eZ38=,iv:3ZEFA4YR5BfcOlA+0Zevk7MaLJN0zPbfLOP2Ci/I3bg=,tag:vLhoKPTNIE7U2VcGiH964Q==,type:str] pgp: - created_at: "2023-08-11T16:15:11Z" enc: |-