From f88c89d28baadb542e1cd90682d6a2b437339de8 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sun, 9 Jan 2022 21:50:55 +0100
Subject: [PATCH] add fwhost2
---
nix/os/devices/fwhost2/boot.nix | 8 ++
nix/os/devices/fwhost2/configuration.nix | 13 +++
nix/os/devices/fwhost2/hw.nix | 17 ++++
nix/os/devices/fwhost2/pkg.nix | 18 ++++
nix/os/devices/fwhost2/system.nix | 104 +++++++++++++++++++++++
nix/os/devices/fwhost2/user.nix | 15 ++++
nix/os/devices/fwhost2/versions.nix | 31 +++++++
nix/os/devices/fwhost2/versions.tmpl.nix | 31 +++++++
8 files changed, 237 insertions(+)
create mode 100644 nix/os/devices/fwhost2/boot.nix
create mode 100644 nix/os/devices/fwhost2/configuration.nix
create mode 100644 nix/os/devices/fwhost2/hw.nix
create mode 100644 nix/os/devices/fwhost2/pkg.nix
create mode 100644 nix/os/devices/fwhost2/system.nix
create mode 100644 nix/os/devices/fwhost2/user.nix
create mode 100644 nix/os/devices/fwhost2/versions.nix
create mode 100644 nix/os/devices/fwhost2/versions.tmpl.nix
diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix
new file mode 100644
index 0000000..2f5f8ea
--- /dev/null
+++ b/nix/os/devices/fwhost2/boot.nix
@@ -0,0 +1,8 @@
+{ lib
+, ...
+}:
+
+{
+ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
+ boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
+}
diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/fwhost2/configuration.nix
new file mode 100644
index 0000000..eedc768
--- /dev/null
+++ b/nix/os/devices/fwhost2/configuration.nix
@@ -0,0 +1,13 @@
+{ ... }:
+
+{
+ imports = [
+ ../../profiles/common/configuration.nix
+ ../../modules/opinionatedDisk.nix
+
+ ./system.nix
+ ./hw.nix
+ ./pkg.nix
+ ./user.nix
+ ];
+}
diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix
new file mode 100644
index 0000000..95959b4
--- /dev/null
+++ b/nix/os/devices/fwhost2/hw.nix
@@ -0,0 +1,17 @@
+{ ... }:
+
+let
+
+in
+{
+ # TASK: new device
+ hardware.opinionatedDisk = {
+ enable = true;
+ encrypted = false;
+ diskId = "ata-ST9500325AS_S2WGAP8C";
+ };
+
+ hardware.enableRedistributableFirmware = true;
+ boot.extraModprobeConfig = ''
+ '';
+}
diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix
new file mode 100644
index 0000000..8f3b69f
--- /dev/null
+++ b/nix/os/devices/fwhost2/pkg.nix
@@ -0,0 +1,18 @@
+{ pkgs
+, ...
+}:
+
+{
+ nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+ nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
+ };
+ home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; };
+
+
+ environment.systemPackages = with pkgs; [
+ iw
+ wirelesstools
+ ];
+
+ system.stateVersion = "21.11";
+}
diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix
new file mode 100644
index 0000000..06b99f2
--- /dev/null
+++ b/nix/os/devices/fwhost2/system.nix
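Review bot: `encrypted = false;` in `hardware.opinionatedDisk` leaves the disk of a host that, per system.nix in this same patch, holds addresses on the WAN, DMZ and guest VLANs and runs libvirt guests, so the guest images and anything the Nix store renders (hostapd's configuration included) sit on the platter in the clear. If the hardware allows it, set `encrypted = true;`, or add a one-line comment stating why this firewall host is deliberately exempt; what `encrypted` exactly enables is defined in the opinionatedDisk module outside this patch, so this is inferred from the option name. The `# TASK: new device` marker and the empty `boot.extraModprobeConfig = '' '';` read as template scaffolding that should be filled in or dropped before merge.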
@@ -0,0 +1,104 @@
+{ pkgs
+, lib
+, config
+, ... }:
+
+let
+ keys = import ../../../variables/keys.nix;
+in {
+
+ # TASK: new device
+ networking.hostName = "fwhost2"; # Define your hostname.
+
+ networking.useDHCP = false;
+
+ networking.firewall.enable = lib.mkForce false;
+ networking.firewall.allowedTCPPorts = [
+ # iperf3
+ 5201
+ ];
+
+ networking.firewall.logRefusedConnections = false;
+ networking.usePredictableInterfaceNames = false;
+
+ networking.bridges = {
+ breth.interfaces = [ "eth0" "eth1" ];
+ brlan.interfaces = [
+ "lan"
+ # "wllan"
+ ];
+ brdmz.interfaces = [
+ "dmz"
+ # "wldmz"
+ ];
+ brfamily.interfaces = [
+ "family"
+ # "wlfamily"
+ ];
+ brguests.interfaces = [
+ "guests"
+ "wlguests"
+ ];
+ };
+
+ networking.defaultGateway.address = "172.172.171.10";
+ networking.nameservers = [
+ "172.172.171.10"
+ ];
+
+ # WAN interfaces, currently unused because the OPNsense guest acts as a router.
+ networking.vlans.wan1.id = 3;
+ networking.vlans.wan1.interface= "breth";
+ networking.interfaces.wan1.ipv4.addresses = [{ address = "192.168.0.16"; prefixLength = 24; } ];
+
+ networking.vlans.wan2.id = 4;
+ networking.vlans.wan2.interface= "breth";
+ networking.interfaces.wan2.ipv4.addresses = [{ address = "172.16.0.16"; prefixLength = 12; } ];
+
+
+ # Local interfaces
+ networking.vlans.lan.id = 1;
+ networking.vlans.lan.interface= "breth";
+ networking.interfaces.brlan.ipv4.addresses = [{ address = "172.172.171.16"; prefixLength = 24; } ];
+
+ networking.vlans.dmz.id = 5;
+ networking.vlans.dmz.interface= "breth";
+ networking.interfaces.brdmz.ipv4.addresses = [{ address = "172.172.175.16"; prefixLength = 24; } ];
+
+ networking.vlans.family.id = 6;
+ networking.vlans.family.interface= "breth";
+ networking.interfaces.brfamily.ipv4.addresses = [{ address = "172.172.176.16"; prefixLength = 24; } ];
+
+ networking.vlans.guests.id = 7;
+ networking.vlans.guests.interface= "breth";
+ networking.interfaces.brguests.ipv4.addresses = [{ address = 
"172.172.177.16"; prefixLength = 24; } ];
+
+ networking.wlanInterfaces = {
+ wllan.device = "wlan0";
+ wldmz.device = "wlan0";
+ wlfamily.device = "wlan0";
+ wlguests.device = "wlan0";
+ };
+
+ services.hostapd = {
+ enable = true;
+ hwMode = "g";
+ interface = "wlguests";
+ ssid = "noowhere-guests";
+ wpaPassphrase = "the_sekrettt";
+ };
+
+ virtualisation = {
+ libvirtd = {
+ onShutdown = "shutdown";
+ enable = true;
+ };
+
+ docker = {
+ enable = true;
+ extraOptions = "--experimental";
+ };
+ };
+
+ boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+}
diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix
new file mode 100644
index 0000000..1c33f83
--- /dev/null
+++ b/nix/os/devices/fwhost2/user.nix
@@ -0,0 +1,15 @@
+{ config
+, pkgs
+, ... }:
+
+let
+ passwords = import ../../../variables/passwords.crypt.nix;
+ keys = import ../../../variables/keys.nix;
+ inherit (import ../../lib/default.nix { }) mkUser;
+
+in {
+ # users.extraUsers.steveej2 = mkUser {
+ # uid = 1001;
+ # openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+ # };
+}
diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix
new file mode 100644
index 0000000..f241adb
--- /dev/null
+++ b/nix/os/devices/fwhost2/versions.nix
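Review bot: `networking.firewall.enable = lib.mkForce false;` switches the host firewall off on a machine that binds its own IPv4 addresses on the wan1/wan2 VLANs and on the lan, dmz, family and guests bridges, so every daemon this patch turns on (libvirtd, dockerd, hostapd, plus whatever the common profile adds such as sshd) is reachable from all of those segments, and the `allowedTCPPorts = [ 5201 ]` right below it is dead configuration. The comment that the OPNsense guest does the routing does not cover this, because the bridge addresses are terminated by the NixOS kernel itself; keep the firewall on and scope the iperf3 port instead, e.g. `networking.firewall.enable = true;` and `networking.firewall.interfaces.brlan.allowedTCPPorts = [ 5201 ];`, or leave a comment explaining why this host is exempt. `wpaPassphrase = "the_sekrettt"` is a plaintext Wi-Fi credential committed to the repository and, as far as I recall the 21.11 hostapd module, rendered into a hostapd.conf in the world-readable Nix store; the patch already wires `variables/passwords.crypt.nix` in user.nix, so source the passphrase from that mechanism and rotate the value. The `keys` binding in the `let` block is never used in this file and can be dropped.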
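Review bot: The `let` block imports `passwords.crypt.nix`, `keys.nix` and `mkUser`, but the only consumer (`users.extraUsers.steveej2`) is commented out, so the module evaluates a secret-bearing file for nothing and defines no account for this host. Either enable the user definition or trim the block to `{ ... }: { }` until it is needed, and note in a comment where the host's login account does come from (presumably the common profile, which is outside this patch).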
@@ -0,0 +1,31 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-21.11";
+ rev = "00acdb2aa817048fbe1f91ece18fe7de09762531";
+ };
+in
+
+{
+ inherit nixpkgs;
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
+ "channels-nixos-stable" = nixpkgs;
+
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "ff377a78794d412a35245e05428c8f95fef3951f";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "2ac65dd85b7fbe81b88e3c2a80d351aba4c4a9d8";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-21.11";
+ rev = "697cc8c68ed6a606296efbbe9614c32537078756";
+ };
+}
diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix
new file mode 100644
index 0000000..37c2853
--- /dev/null
+++ b/nix/os/devices/fwhost2/versions.tmpl.nix
@@ -0,0 +1,31 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-21.11";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+in
+
+{
+ inherit nixpkgs;
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
+ "channels-nixos-stable" = nixpkgs;
+
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-21.11";
+ rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-21.11 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+}