colmena-liminx-ng #176

Closed
rlahfa wants to merge 29 commits from colmena-liminx-ng into main
19 changed files with 690 additions and 69 deletions

View file

@ -1,4 +1,15 @@
jobs: jobs:
ap01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: ap01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache ap01
run: nix-shell -A eval-nodes --run cache-node
bridge01: bridge01:
runs-on: nix runs-on: nix
steps: steps:

View file

@ -112,6 +112,20 @@ in
})) }))
pkgs.npins pkgs.npins
pkgs.kanidm # for remote SSO operations
pkgs.freeradius # for radtest
pkgs.picocom
(pkgs.callPackage (sources.liminix + "/pkgs/min-copy-closure") {
nix = pkgs.lix;
})
(pkgs.callPackage (sources.liminix + "/pkgs/min-collect-garbage") {
nix = pkgs.lix;
})
(pkgs.callPackage (sources.liminix + "/pkgs/tufted")
{
}
)
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; }) (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { }) (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { }) (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })

192
hive.nix
View file

@ -4,6 +4,8 @@ let
# Patch sources directly # Patch sources directly
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; }) sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
.applyPatches' sources'; .applyPatches' sources';
lib = import (sources.nix-lib + "/src/trivial.nix");
lib' = (import sources.nixos-unstable { }).lib;
nix-lib = import ./lib/nix-lib; nix-lib = import ./lib/nix-lib;
@ -14,16 +16,29 @@ let
mkNode = node: { mkNode = node: {
# Import the base configuration for each node # Import the base configuration for each node
imports = [ ./machines/${node}/_configuration.nix ]; imports = builtins.map (lib.mkRel (./machines/${node})) [
"_configuration.nix"
"_hardware-configuration.nix"
];
deployment.systemType = systemType node;
}; };
nixpkgs' = import ./meta/nixpkgs.nix; nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions, instanciated # All supported nixpkgs versions, instanciated
nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported; nixpkgs = nix-lib.mapSingleFuse (
s: nix-lib.mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions.supported
) nixpkgs'.systems.supported;
# Get the configured nixos version for the node, # Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs # defaulting to the one defined in meta/nixpkgs
version = node: nodes'.${node}.nixpkgs or nixpkgs'.default; version = node: nodes'.${node}.nixpkgs or nixpkgs'.versions.default;
system = node: nodes'.${node}.system or nixpkgs'.systems.default;
systemType =
node:
nodes'.${node}.system
or (lib'.warn "Not specifying the `deployment.systemType` is deprecated!" "nixos");
# Builds a patched version of nixpkgs, only as the source # Builds a patched version of nixpkgs, only as the source
mkNixpkgs' = mkNixpkgs' =
@ -33,26 +48,129 @@ let
name = "nixos-${v}"; name = "nixos-${v}";
}; };
# Instanciates the required nixpkgs version mkNixpkgsConfigPerSystem =
mkNixpkgs = version: import (mkNixpkgs' version) { }; system: _:
if system == "nixos" then
{ }
else
(import "${sources.liminix}/devices/${system}").system
// {
overlays = [ (import "${sources.liminix}/overlay.nix") ];
config = {
allowUnsupportedSystem = true; # mipsel
permittedInsecurePackages = [
"python-2.7.18.8" # Python < 3 is needed for kernel backports.
];
};
};
# Instanciate a specialized version of nixpkgs
mkSystemNixpkgs =
system: version:
let
args = mkNixpkgsConfigPerSystem system version;
in
import (mkNixpkgs' version) args;
### ###
# Function to create arguments based on the node # Function to create arguments based on the node
# #
mkArgs = node: rec { mkArgs =
lib = nixpkgs.${version node}.lib // { node:
extra = nix-lib; let
pkgs = nixpkgs.${system node};
in
rec {
lib =
import sources.nix-lib {
inherit (pkgs.${version node}) lib;
nixpkgs = pkgs;
keysRoot = ./keys;
}
// {
extra = nix-lib;
};
meta = (import ./meta) lib;
nodeMeta = meta.nodes.${node};
}; };
meta = (import ./meta) lib;
nodeMeta = meta.nodes.${node};
};
in in
{ {
registry = {
zyxel-nwa50ax = {
evalConfig = import "${sources.liminix}/lib/eval-config.nix" {
nixpkgs = sources.nixos-unstable;
};
defaults = _: {
nixpkgs = {
source = sources.nixos-unstable;
config = {
allowUnsupportedSystem = true; # mipsel
permittedInsecurePackages = [
"python-2.7.18.8" # Python < 3 is needed for kernel backports.
];
};
hostPlatform = {
config = "mipsel-unknown-linux-musl";
gcc = {
abi = "32";
arch = "mips32"; # mips32r2?
};
};
# It's impure, but who cares?
# Can Flakes do that?
buildPlatform = builtins.currentSystem;
};
};
};
nixos = {
evalConfig = import "${sources.nixos-unstable}/nixos/lib/eval-config.nix";
defaults =
{ nodeMeta, name, ... }:
{
# Import the default modules
imports = [ ./modules ];
# Include default secrets
age-secrets.sources = [ ./machines/${name}/secrets ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment;
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (nodeMeta) stateVersion;
};
};
};
};
meta = { meta = {
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes; nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes // {
ap01 = apNixpkgs;
};
specialArgs = { specialArgs = {
inherit nixpkgs sources; inherit nixpkgs sources;
@ -63,40 +181,24 @@ in
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes; nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
}; };
defaults = ap01 =
{ name, nodeMeta, ... }: let
device = import "${sources.liminix}/devices/zyxel-nwa50ax";
in
{ {
# Import the default modules deployment.systemType = "liminix";
imports = [ nixpkgs.hostPlatform = {
./modules config = "mipsel-unknown-linux-musl";
(import "${sources.lix-module}/module.nix" { inherit (sources) lix; }) gcc = {
]; abi = "32";
arch = "mips32"; # mips32r2?
# Include default secrets
age-secrets.sources = [ ./machines/${name}/secrets ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment;
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
}; };
}; };
nixpkgs.buildPlatform = "x86_64-linux";
# Allow unfree packages imports = [
nixpkgs.config.allowUnfree = true; ./machines/ap/configuration.nix
device.module
# Use the stateVersion declared in the metadata ];
system = {
inherit (nodeMeta) stateVersion;
};
}; };
} }
// (nix-lib.mapSingleFuse mkNode nodes) // (nix-lib.mapSingleFuse mkNode nodes)

View file

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC6TCCAdECFEbjeqNNzKWyfs2GJekipWK+yO4uMA0GCSqGSIb3DQEBCwUAMHMx
NDAyBgNVBAMMK0RHTnVtIFRlc3QgQVAgQ0EgLS0gRE8gTk9UIFVTRSBPUiBHRVQg
RklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwGA1UEBwwFUGFy
aXMxDjAMBgNVBAoMBURHTnVtMB4XDTI0MDgyNjE5MDQxMFoXDTI2MDgyNjE5MDQx
MFowdzE4MDYGA1UEAwwvREdOdW0gVGVzdCBBUCBzZXJ2ZXIgLS0gRE8gTk9UIFVT
RSBPUiBHRVQgRklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwG
A1UEBwwFUGFyaXMxDjAMBgNVBAoMBURHTnVtMIGbMBAGByqGSM49AgEGBSuBBAAj
A4GGAAQBDrTf0SH/YOkOfvOSnB3BbICb80jSsxwQH50y4jylbXcrUZnegLYjW/lF
QknuMBzzE5fnE9lAeOxqsn0ec+sL3zEBrV0LSG2LgxhAkahZS9U4Spt9Qc84U7cG
AFQ3GXDMTEb/COHJSu7sIfV4gFRVesFez30gb94lMxckkq/6nkXXaEUwDQYJKoZI
hvcNAQELBQADggEBAEfPHMAXwftYQ0lDYPlr9b+GZDl7/JAavEfBXKzj1U8O0sJz
daNOHEX3a5ZOaQoean2zmBLROgQpDlwsjAFNA9dg0ef2f4RgJvr/l2fspHwG0Uaq
4JEOKTj3htd8aZX2i6AR02UC2oxCtf7ZVa+a6NOeeKl53QPzjduPO60ruz8tD2Xr
YnQwVinQX0fJo7TmyQKDIxwld/Q5pMoDMfVlS71M/vISFfQ/Rx1PqYvBQyG1dvIA
qn9cNNVnjEGrk7zXjCfehMYiCtDZ+D3VyXeZ6A7YZNpc6RUj8rbWcOtKLayRFlwf
DTjV3/nPqV0M2nU6jXFBMfQ47VSfB7ibINt94xo=
-----END CERTIFICATE-----

View file

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDxzCCAq+gAwIBAgIUPuHEZeZoCidp+w5ME2CrkZEn3T8wDQYJKoZIhvcNAQEL
BQAwczE0MDIGA1UEAwwrREdOdW0gVGVzdCBBUCBDQSAtLSBETyBOT1QgVVNFIE9S
IEdFVCBGSVJFRDELMAkGA1UEBhMCRlIxDjAMBgNVBAgMBVBhcmlzMQ4wDAYDVQQH
DAVQYXJpczEOMAwGA1UECgwFREdOdW0wHhcNMjQwODI2MTg1ODQ4WhcNMjkwODI2
MTg1ODQ4WjBzMTQwMgYDVQQDDCtER051bSBUZXN0IEFQIENBIC0tIERPIE5PVCBV
U0UgT1IgR0VUIEZJUkVEMQswCQYDVQQGEwJGUjEOMAwGA1UECAwFUGFyaXMxDjAM
BgNVBAcMBVBhcmlzMQ4wDAYDVQQKDAVER051bTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAKLgCNXLI6FQWJY5JQDqZcO1hmZpp0upT59/JvJXmEl4St1O
FF3frSAoFcgn2Bv3kYQQ6wEhD3S7JBxRmoDtx/7sqsXthNpBaymVdphb9XhnVOC2
NDBKV4WH06Hr06oKVfDSBhIldPJr1vfQLehOnz6uqK7walqPvid3tMv0lwt7mHZ9
qQpgC2C/tkHwD1kh1RszoIZKIQWDnSNXPhYnB3X/DMCUWIKiz6P/0rVANEDDZER6
b6eJRjv2l8jPlOt7CUTAOrsoJGCnSg2SV4lgr1u3mE/2AvmLdO0l5Dz0qCuQNbb3
uWqYUonooR8rox171On/Rd0zvtihycSDxofVJ+MCAwEAAaNTMFEwHQYDVR0OBBYE
FIPUT3v8AoeBS6VbcEvgVc1dC38hMB8GA1UdIwQYMBaAFIPUT3v8AoeBS6VbcEvg
Vc1dC38hMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACX1aqYU
9PIwZ/dBS7cpsBsCm9M0ueInTlQpvv6xioKuPhIet40YgawTRakxniAr0WXHTBV5
a8ZQ4ff4uI+sdaxN7Ueufr4ltWVLuSc9DfIxjLVZ+41G6Ehy9Xc2zoDBfYURrXjd
ISvPSXIKjM0yuS/249C77HOdzwbliS65Io2zubQStGfSaZ3sLAfPJoig+QiVyOtG
sPoYzzrjXDBym+plfGTWqHv+gwo6DZarXrK4yaMn4hYkkf95NsY2ywwHzcy/4hsu
+bMm4IeCrB9uNOZtQrqW81/+4oxjGiKLbhnFPNQOg2pzb+iOJTPKVicAqKDSCnou
WXG5pjBKzojPvxU=
-----END CERTIFICATE-----

1
liminix-rebuild.nix Normal file
View file

@ -0,0 +1 @@
{ liminix-system }: (import ./liminix-hive.nix { }).${liminix-system}.primary

View file

@ -0,0 +1,259 @@
{
config,
pkgs,
modulesPath,
...
}:
let
inherit (pkgs.liminix.services) oneshot;
inherit (pkgs.pseudofile) symlink dir;
inherit (pkgs) serviceFns;
svc = config.system.service;
secrets-1 = {
ssid = "DGNum 2G prototype (N)";
};
secrets-2 = {
ssid = "DGNum 5G prototype (AX)";
};
baseParams = {
country_code = "FR";
hw_mode = "g";
channel = 6;
wmm_enabled = 1;
ieee80211n = 1;
ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
auth_algs = 1;
wpa = 2;
wpa_pairwise = "TKIP CCMP";
rsn_pairwise = "CCMP";
};
radiusKeyMgmt = {
wpa_key_mgmt = "WPA-EAP";
};
modernParams = {
hw_mode = "a";
he_su_beamformer = 1;
he_su_beamformee = 1;
he_mu_beamformer = 1;
preamble = 1;
# Allow radar detection.
ieee80211d = 1;
ieee80211h = 1;
ieee80211ac = 1;
ieee80211ax = 1;
vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
vht_oper_chwidth = 1;
he_oper_chwidth = 1;
channel = 36;
vht_oper_centr_freq_seg0_idx = 42;
he_oper_centr_freq_seg0_idx = 42;
require_vht = 1;
};
clientRadius = {
ieee8021x = 1;
eapol_version = 2;
use_pae_group_addr = 1;
dynamic_vlan = 0;
vlan_tagged_interface = "lan";
};
externalRadius = {
# TODO: when we have proper IPAM, set the right value here.
own_ip_addr = "127.0.0.1";
nas_identifier = "ap01.dgnum.eu";
# No DNS here, hostapd do not support this mode.
auth_server_addr = "129.199.195.129";
auth_server_port = 1812;
auth_server_shared_secret = "read it online";
};
mkWifiSta =
params: interface: secrets:
svc.hostapd.build {
inherit interface;
package = pkgs.hostapd-radius;
params = params // secrets;
dependencies = [ config.services.jitter ];
};
in
rec {
imports = [
"${modulesPath}/wlan.nix"
"${modulesPath}/network"
"${modulesPath}/dhcp6c"
"${modulesPath}/hostapd"
"${modulesPath}/ssh"
"${modulesPath}/ntp"
"${modulesPath}/vlan"
"${modulesPath}/bridge"
"${modulesPath}/jitter-rng"
"${modulesPath}/pki"
"${modulesPath}/ubus"
../../modules/dgn-access-control.nix
# TODO: god that's so a fucking hack.
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
];
hostname = "ap01-prototype";
# Get moar random please
services.jitter = svc.jitter-rng.build { };
services.ubus = svc.ubus.build { };
# SSH keys are handled by the access control module.
dgn-access-control.enable = true;
users.root = {
passwd = "$6$jVXFFOp8HBYmgINR$lutB4kvw.W1jlXRby9ZYAgBitQ32RxQdYAGN.s2x4ris8J07vM6tzlRBQoeLELOIEMClDzbciQV0itfHQnTqd1";
};
services.int = svc.bridge.primary.build {
ifname = "int";
macAddressFromInterface = config.hardware.networkInterfaces.lan;
};
services.bridge = svc.bridge.members.build {
primary = services.int;
members = {
lan.member = config.hardware.networkInterfaces.lan;
wlan0 = {
member = config.hardware.networkInterfaces.wlan0;
# Bridge only once hostapd is ready.
dependencies = [ config.services.hostap-1-ready ];
};
wlan1 = {
member = config.hardware.networkInterfaces.wlan1;
# Bridge only once hostapd is ready.
dependencies = [ config.services.hostap-2-ready ];
};
};
};
services.resolvconf = oneshot rec {
name = "resolvconf";
up = ''
. ${serviceFns}
( in_outputs ${name}
for i in $(output ${services.dhcpv4} dns); do
echo "nameserver $i" >> resolv.conf
done
)
'';
dependencies = [
config.services.dhcpv4
];
};
filesystem = dir {
etc = dir {
"resolv.conf" = symlink "${config.services.resolvconf}/.outputs/resolv.conf";
"nixpkgs.version" = {
type = "f";
file = "${pkgs.lib.version}";
mode = "0444";
};
};
};
services.dhcpv4 = svc.network.dhcp.client.build {
interface = config.services.int;
dependencies = [
config.services.hostname
config.services.bridge.components.lan
];
};
# TODO(raito): these won't work with RAs
# fix them in Liminix directly and re-enable.
# services.dhcpv6 = svc.dhcp6c.client.build {
# interface = config.services.int;
# dependencies = [
# config.services.hostname
# config.services.bridge
# ];
# };
# services.ipv6 = svc.dhcp6c.address.build {
# interface = config.services.int;
# client = config.services.dhcpv6;
# dependencies = [ config.services.hostname ];
# };
services.defaultroute4 = svc.network.route.build {
via = "$(output ${services.dhcpv4} router)";
target = "default";
dependencies = [ services.dhcpv4 ];
};
services.packet_forwarding = svc.network.forward.build { };
services.sshd = svc.ssh.build { allowRoot = true; };
services.ntp = config.system.service.ntp.build {
pools = {
"pool.ntp.org" = [ "iburst" ];
};
dependencies = [ config.services.jitter ];
};
boot.tftp = {
serverip = "192.0.2.10";
ipaddr = "192.0.2.12";
};
# wlan0 is the 2.4GHz interface.
services.hostap-1 = mkWifiSta (
baseParams // radiusKeyMgmt
) config.hardware.networkInterfaces.wlan0 secrets-1;
services.hostap-1-ready = svc.hostapd-ready.build {
interface = config.hardware.networkInterfaces.wlan0;
};
# wlan1 is the 5GHz interface, e.g. AX capable.
services.hostap-2 = mkWifiSta (
baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams
) config.hardware.networkInterfaces.wlan1 secrets-2;
# Oneshot that waits until the hostapd has set the interface in operational state.
services.hostap-2-ready = svc.hostapd-ready.build {
interface = config.hardware.networkInterfaces.wlan1;
};
defaultProfile.packages = with pkgs; [
zyxel-bootconfig
min-collect-garbage
iwinfo
ifwait
# Levitate enable us to mass-reinstall the system on the fly.
(levitate.override {
config = {
imports = [
"${modulesPath}/network"
"${modulesPath}/ssh"
"${modulesPath}/hardware.nix"
"${modulesPath}/kernel"
"${modulesPath}/outputs/tftpboot.nix"
"${modulesPath}/outputs.nix"
];
services = {
# Simplest DHCPv4 we can find.
dhcpv4 = svc.network.dhcp.client.build {
interface = config.hardware.networkInterfaces.lan;
};
inherit (config.services) sshd;
defaultroute4 = svc.network.route.build {
via = "$(output ${services.dhcpv4} router)";
target = "default";
dependencies = [ config.services.dhcpv4 ];
};
};
defaultProfile.packages = [ mtdutils ];
# Only keep root, which should inherit from DGN access control's root permissions.
users.root = config.users.root;
};
})
];
}

View file

@ -0,0 +1 @@
{ }

View file

@ -1,11 +1,24 @@
{ {
# Default version of nixpkgs to use versions = {
default = "24.05"; # Default version of nixpkgs to use
default = "24.05";
# Supported nixpkgs versions # Supported nixpkgs versions
supported = [ supported = [
"unstable" "unstable"
"23.11" "23.11"
"24.05" "24.05"
]; ];
};
systems = {
# Default target system
default = "nixos";
# Supported target systems
supported = [
"nixos"
"zyxel-nwa50ax"
];
};
} }

View file

@ -136,4 +136,12 @@
nixpkgs = "unstable"; nixpkgs = "unstable";
vm-cluster = "Hyperviseur NPS"; vm-cluster = "Hyperviseur NPS";
}; };
# Access points definition
ap01 = {
site = "unknown";
adminGroups = [ "fai" ];
system = "zyxel-nwa50ax";
};
} }

View file

@ -11,6 +11,7 @@ let
inherit (lib.types) inherit (lib.types)
attrs attrs
attrsOf attrsOf
enum
ints ints
listOf listOf
nullOr nullOr
@ -35,6 +36,7 @@ let
}; };
org = config.organization; org = config.organization;
nixpkgs = import ./nixpkgs.nix;
in in
{ {
@ -138,8 +140,8 @@ in
}; };
nixpkgs = mkOption { nixpkgs = mkOption {
type = str; type = enum nixpkgs.versions.supported;
inherit (import ./nixpkgs.nix) default; inherit (nixpkgs.versions) default;
description = '' description = ''
Version of nixpkgs to use. Version of nixpkgs to use.
''; '';
@ -188,6 +190,14 @@ in
default = null; default = null;
description = "VM cluster where the VM is located"; description = "VM cluster where the VM is located";
}; };
system = mkOption {
type = enum nixpkgs.systems.supported;
inherit (nixpkgs.systems) default;
description = ''
Type of system for the node, will impact how it is evaluated and deployed.
'';
};
}; };
config = { config = {

View file

@ -114,6 +114,12 @@
"fai" "fai"
]; ];
# AP administration DGNum
ap.adminGroups = [
"root"
"fai"
];
# Videos DGNum # Videos DGNum
peertube.admins = [ "thubrecht" ]; peertube.admins = [ "thubrecht" ];
}; };

View file

@ -84,18 +84,24 @@ in
{ {
# Admins have root access to the node # Admins have root access to the node
dgn-access-control.users.root = mkDefault admins; dgn-access-control.users.root = mkDefault admins;
users.users = builtins.mapAttrs (_: members: {
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
}) cfg.users;
} }
{ (mkIf (nodeMeta.system == "nixos") {
users = { users = {
mutableUsers = false; mutableUsers = false;
users.root = { users.root = {
inherit (nodeMeta) hashedPassword; inherit (nodeMeta) hashedPassword;
}; };
}; };
} })
(mkIf (nodeMeta.system == "nixos") {
users.users = builtins.mapAttrs (_: members: {
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
}) cfg.users;
})
(mkIf (nodeMeta.system == "zyxel-nwa50ax") {
users = builtins.mapAttrs (_: members: {
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
}) cfg.users;
})
]); ]);
} }

View file

@ -42,6 +42,7 @@ let
builtins.fetchGit { builtins.fetchGit {
inherit (repository) url; inherit (repository) url;
rev = revision; rev = revision;
allRefs = true;
# hash = hash; # hash = hash;
}; };

View file

@ -49,6 +49,17 @@
"url": null, "url": null,
"hash": "0b1pmfzckdbha9j7bvnkvqccf62dqyll8ip6mrdm90m0y8kdkzvg" "hash": "0b1pmfzckdbha9j7bvnkvqccf62dqyll8ip6mrdm90m0y8kdkzvg"
}, },
"colmena": {
"type": "Git",
"repository": {
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/colmena.git"
},
"branch": "custom-activation",
"revision": "1037471d800d3db42ec85b89787bec5472f5e574",
"url": null,
"hash": "0k287292yr78zymdglppa8jd0b4kh0x277d4bycwcdsqprw00a4x"
},
"disko": { "disko": {
"type": "GitRelease", "type": "GitRelease",
"repository": { "repository": {
@ -116,14 +127,13 @@
"liminix": { "liminix": {
"type": "Git", "type": "Git",
"repository": { "repository": {
"type": "GitHub", "type": "Git",
"owner": "RaitoBezarius", "url": "https://git.dgnum.eu/DGNum/liminix.git"
"repo": "liminix"
}, },
"branch": "nwa50ax", "branch": "main",
"revision": "a4aa10dcc30225a8bb8eb465abfe908629175f2c", "revision": "6970d811e87a3a99a093705cb089a5a63961cfe7",
"url": "https://github.com/RaitoBezarius/liminix/archive/a4aa10dcc30225a8bb8eb465abfe908629175f2c.tar.gz", "url": null,
"hash": "1m1sc6agg5z65lmyjl48i7sddlwm8d0zgvs8z81iammfy4jpy7qd" "hash": "08fwry3zkhlkcl1lrqhhhqj3a47mgc41bvfv518zg8xhwzg7ifnz"
}, },
"linkal": { "linkal": {
"type": "Git", "type": "Git",
@ -322,4 +332,4 @@
} }
}, },
"version": 3 "version": 3
} }

View file

@ -0,0 +1,62 @@
<?xml version="1.0" encoding="US-ASCII"?>
<WLANProfile xmlns="https://www.microsoft.com/networking/WLAN/profile/v1">
<name>DGNumRadius</name>
<SSIDConfig>
<SSID>
<name>@SSID@</name>
</SSID>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<MSM>
<security>
<authEncryption>
<authentication>WPA2</authentication>
<encryption>AES</encryption>
<useOneX>true</useOneX>
</authEncryption>
<OneX xmlns="https://www.microsoft.com/networking/OneX/v1">
<EAPConfig>
<EapHostConfig xmlns="https://www.microsoft.com/provisioning/EapHostConfig"
xmlns:eapCommon="https://www.microsoft.com/provisioning/EapCommon"
xmlns:baseEap="https://www.microsoft.com/provisioning/BaseEapMethodConfig">
<EapMethod>
<eapCommon:Type>25</eapCommon:Type>
<eapCommon:AuthorId>0</eapCommon:AuthorId>
</EapMethod>
<Config xmlns:baseEap="https://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"
xmlns:msPeap="https://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
xmlns:msChapV2="https://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"
xmlns:msChapV2User="https://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
<baseEap:Eap>
<baseEap:Type>25</baseEap:Type>
<msPeap:EapType>
<msPeap:ServerValidation>
<msPeap:DisableUserPromptForServerValidation>false</msPeap:DisableUserPromptForServerValidation>
<msPeap:TrustedRootCA />
</msPeap:ServerValidation>
<msPeap:FastReconnect>true</msPeap:FastReconnect>
<msPeap:InnerEapOptional>0</msPeap:InnerEapOptional>
<msPeap:ServerNames>radius.dgnum.eu</msPeap:ServerNames>
<baseEap:Eap>
<baseEap:Type>26</baseEap:Type>
<msChapV2:EapType>
<msChapV2:UseWinLogonCredentials>false</msChapV2:UseWinLogonCredentials>
</msChapV2:EapType>
<msChapV2User:EapType>
<msChapV2User:Username>@USERNAME@</msChapV2User:Username>
<msChapV2User:Password>@PASSWORD@</msChapV2User:Password>
</msChapV2User>
</baseEap:Eap>
<msPeap:EnableQuarantineChecks>false</msPeap:EnableQuarantineChecks>
<msPeap:RequireCryptoBinding>false</msPeap:RequireCryptoBinding>
<msPeap:PeapExtensions />
</msPeap:EapType>
</baseEap:Eap>
</Config>
</EapHostConfig>
</EAPConfig>
</OneX>
</security>
</MSM>
</WLANProfile>

View file

@ -0,0 +1,19 @@
{
pkgs ? import <nixpkgs> { },
username,
domain ? "sso.dgnum.eu",
ssid ? "DGNum 5G prototype (AX)",
password,
}:
pkgs.runCommand "connection-${username}-android-profile.xml"
{
SSID = ssid;
USERNAME = "${username}@${domain}";
PASSWORD = password;
}
''
substitute ${./android-profile-template.xml} $out \
--subst-var SSID \
--subst-var USERNAME \
--subst-var PASSWORD
''

View file

@ -0,0 +1,12 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p ubootTools
usage() {
echo "extract the firmware part to write it manually from a Zyxel NWA FIT image"
echo "$0 <zyxel_nwa_fit_image_path> <firmware_output_file>"
}
ZYXEL_NWA_FIT="$1"
FIRMWARE_OUTPUT="$2"
dumpimage -T flat_dt -p 0 $ZYXEL_NWA_FIT -o $FIRMWARE_OUTPUT

45
scripts/liminix-rebuild.sh Executable file
View file

@ -0,0 +1,45 @@
#!/usr/bin/env bash
set -Eeuo pipefail
ssh_command=${SSH_COMMAND-ssh}
root_prefix=${ROOT_PREFIX-/}
reboot="reboot"
case "$1" in
"--no-reboot")
unset reboot
shift
;;
"--fast")
reboot="soft"
shift
;;
esac
target_host=$1
shift
if [ -z "$target_host" ] ; then
echo Usage: liminix-rebuild \[--no-reboot\] target-host params
exit 1
fi
if toplevel="$(nom-build $(colmena eval -E "{ nodes, ... }: nodes.$@.config.system.outputs.systemConfiguration" --instantiate))"; then
echo systemConfiguration $toplevel aimed at $root_prefix
sleep 3
min-copy-closure --root "$root_prefix" $target_host $toplevel
$ssh_command $target_host "$root_prefix/$toplevel/bin/install" "$root_prefix"
case "$reboot" in
reboot)
$ssh_command $target_host "sync; source /etc/profile; reboot"
;;
soft)
$ssh_command $target_host $toplevel/bin/restart-services
;;
*)
;;
esac
else
echo Rebuild failed
fi