colmena-liminx-ng #176
19 changed files with 690 additions and 69 deletions
|
@ -1,4 +1,15 @@
|
||||||
jobs:
|
jobs:
|
||||||
|
ap01:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: ap01
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache ap01
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
bridge01:
|
bridge01:
|
||||||
runs-on: nix
|
runs-on: nix
|
||||||
steps:
|
steps:
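Review bot: `- uses: actions/checkout@v3` in the new ap01 job pins a mutable tag rather than a commit id, so the action's content can change underneath the workflow that handles `secrets.STORE_PASSWORD`; pinning to the full commit hash with the tag in a trailing comment (e.g. `actions/checkout@<commit-sha> # v3`, placeholder) is the usual fix, and bridge01 below the hunk likely wants the same treatment. The step also hard-codes `STORE_USER: admin` next to the secret; a one-line comment such as `# only the password is secret; the signing-store user is fixed` would make the intent clear. The enclosing `jobs:` map continues outside the hunk.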
|
||||||
|
|
14
default.nix
14
default.nix
|
@ -112,6 +112,20 @@ in
|
||||||
}))
|
}))
|
||||||
pkgs.npins
|
pkgs.npins
|
||||||
|
|
||||||
|
pkgs.kanidm # for remote SSO operations
|
||||||
|
pkgs.freeradius # for radtest
|
||||||
|
pkgs.picocom
|
||||||
|
(pkgs.callPackage (sources.liminix + "/pkgs/min-copy-closure") {
|
||||||
|
nix = pkgs.lix;
|
||||||
|
})
|
||||||
|
(pkgs.callPackage (sources.liminix + "/pkgs/min-collect-garbage") {
|
||||||
|
nix = pkgs.lix;
|
||||||
|
})
|
||||||
|
(pkgs.callPackage (sources.liminix + "/pkgs/tufted")
|
||||||
|
{
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
|
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
|
||||||
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
|
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
|
||||||
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
|
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
|
||||||
|
|
142
hive.nix
142
hive.nix
|
@ -4,6 +4,8 @@ let
|
||||||
# Patch sources directly
|
# Patch sources directly
|
||||||
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
|
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
|
||||||
.applyPatches' sources';
|
.applyPatches' sources';
|
||||||
|
lib = import (sources.nix-lib + "/src/trivial.nix");
|
||||||
|
lib' = (import sources.nixos-unstable { }).lib;
|
||||||
|
|
||||||
nix-lib = import ./lib/nix-lib;
|
nix-lib = import ./lib/nix-lib;
|
||||||
|
|
||||||
|
@ -14,16 +16,29 @@ let
|
||||||
|
|
||||||
mkNode = node: {
|
mkNode = node: {
|
||||||
# Import the base configuration for each node
|
# Import the base configuration for each node
|
||||||
imports = [ ./machines/${node}/_configuration.nix ];
|
imports = builtins.map (lib.mkRel (./machines/${node})) [
|
||||||
|
"_configuration.nix"
|
||||||
|
"_hardware-configuration.nix"
|
||||||
|
];
|
||||||
|
|
||||||
|
deployment.systemType = systemType node;
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs' = import ./meta/nixpkgs.nix;
|
nixpkgs' = import ./meta/nixpkgs.nix;
|
||||||
|
|
||||||
# All supported nixpkgs versions, instanciated
|
# All supported nixpkgs versions, instanciated
|
||||||
nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
|
nixpkgs = nix-lib.mapSingleFuse (
|
||||||
|
s: nix-lib.mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions.supported
|
||||||
|
) nixpkgs'.systems.supported;
|
||||||
|
|
||||||
# Get the configured nixos version for the node,
|
# Get the configured nixos version for the node,
|
||||||
# defaulting to the one defined in meta/nixpkgs
|
# defaulting to the one defined in meta/nixpkgs
|
||||||
version = node: nodes'.${node}.nixpkgs or nixpkgs'.default;
|
version = node: nodes'.${node}.nixpkgs or nixpkgs'.versions.default;
|
||||||
|
system = node: nodes'.${node}.system or nixpkgs'.systems.default;
|
||||||
|
systemType =
|
||||||
|
node:
|
||||||
|
nodes'.${node}.system
|
||||||
|
or (lib'.warn "Not specifying the `deployment.systemType` is deprecated!" "nixos");
|
||||||
|
|
||||||
# Builds a patched version of nixpkgs, only as the source
|
# Builds a patched version of nixpkgs, only as the source
|
||||||
mkNixpkgs' =
|
mkNixpkgs' =
|
||||||
|
@ -33,14 +48,48 @@ let
|
||||||
name = "nixos-${v}";
|
name = "nixos-${v}";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Instanciates the required nixpkgs version
|
mkNixpkgsConfigPerSystem =
|
||||||
mkNixpkgs = version: import (mkNixpkgs' version) { };
|
system: _:
|
||||||
|
if system == "nixos" then
|
||||||
|
{ }
|
||||||
|
else
|
||||||
|
(import "${sources.liminix}/devices/${system}").system
|
||||||
|
// {
|
||||||
|
overlays = [ (import "${sources.liminix}/overlay.nix") ];
|
||||||
|
config = {
|
||||||
|
allowUnsupportedSystem = true; # mipsel
|
||||||
|
permittedInsecurePackages = [
|
||||||
|
"python-2.7.18.8" # Python < 3 is needed for kernel backports.
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Instanciate a specialized version of nixpkgs
|
||||||
|
mkSystemNixpkgs =
|
||||||
|
system: version:
|
||||||
|
let
|
||||||
|
args = mkNixpkgsConfigPerSystem system version;
|
||||||
|
in
|
||||||
|
import (mkNixpkgs' version) args;
|
||||||
|
|
||||||
###
|
###
|
||||||
# Function to create arguments based on the node
|
# Function to create arguments based on the node
|
||||||
#
|
#
|
||||||
mkArgs = node: rec {
|
mkArgs =
|
||||||
lib = nixpkgs.${version node}.lib // {
|
node:
|
||||||
|
let
|
||||||
|
pkgs = nixpkgs.${system node};
|
||||||
|
in
|
||||||
|
rec {
|
||||||
|
lib =
|
||||||
|
import sources.nix-lib {
|
||||||
|
inherit (pkgs.${version node}) lib;
|
||||||
|
|
||||||
|
nixpkgs = pkgs;
|
||||||
|
|
||||||
|
keysRoot = ./keys;
|
||||||
|
}
|
||||||
|
// {
|
||||||
extra = nix-lib;
|
extra = nix-lib;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -51,26 +100,43 @@ let
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
meta = {
|
registry = {
|
||||||
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
|
zyxel-nwa50ax = {
|
||||||
|
evalConfig = import "${sources.liminix}/lib/eval-config.nix" {
|
||||||
specialArgs = {
|
nixpkgs = sources.nixos-unstable;
|
||||||
inherit nixpkgs sources;
|
|
||||||
|
|
||||||
dgn-keys = import ./keys;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
|
defaults = _: {
|
||||||
|
nixpkgs = {
|
||||||
|
source = sources.nixos-unstable;
|
||||||
|
config = {
|
||||||
|
allowUnsupportedSystem = true; # mipsel
|
||||||
|
permittedInsecurePackages = [
|
||||||
|
"python-2.7.18.8" # Python < 3 is needed for kernel backports.
|
||||||
|
];
|
||||||
|
};
|
||||||
|
hostPlatform = {
|
||||||
|
config = "mipsel-unknown-linux-musl";
|
||||||
|
gcc = {
|
||||||
|
abi = "32";
|
||||||
|
arch = "mips32"; # mips32r2?
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# It's impure, but who cares?
|
||||||
|
# Can Flakes do that?
|
||||||
|
buildPlatform = builtins.currentSystem;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
nixos = {
|
||||||
|
evalConfig = import "${sources.nixos-unstable}/nixos/lib/eval-config.nix";
|
||||||
defaults =
|
defaults =
|
||||||
{ name, nodeMeta, ... }:
|
{ nodeMeta, name, ... }:
|
||||||
{
|
{
|
||||||
# Import the default modules
|
# Import the default modules
|
||||||
imports = [
|
imports = [ ./modules ];
|
||||||
./modules
|
|
||||||
(import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
|
|
||||||
];
|
|
||||||
|
|
||||||
# Include default secrets
|
# Include default secrets
|
||||||
age-secrets.sources = [ ./machines/${name}/secrets ];
|
age-secrets.sources = [ ./machines/${name}/secrets ];
|
||||||
|
@ -98,5 +164,41 @@ in
|
||||||
inherit (nodeMeta) stateVersion;
|
inherit (nodeMeta) stateVersion;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
meta = {
|
||||||
|
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes // {
|
||||||
|
ap01 = apNixpkgs;
|
||||||
|
};
|
||||||
|
|
||||||
|
specialArgs = {
|
||||||
|
inherit nixpkgs sources;
|
||||||
|
|
||||||
|
dgn-keys = import ./keys;
|
||||||
|
};
|
||||||
|
|
||||||
|
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
|
||||||
|
};
|
||||||
|
|
||||||
|
ap01 =
|
||||||
|
let
|
||||||
|
device = import "${sources.liminix}/devices/zyxel-nwa50ax";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
deployment.systemType = "liminix";
|
||||||
|
nixpkgs.hostPlatform = {
|
||||||
|
config = "mipsel-unknown-linux-musl";
|
||||||
|
gcc = {
|
||||||
|
abi = "32";
|
||||||
|
arch = "mips32"; # mips32r2?
|
||||||
|
};
|
||||||
|
};
|
||||||
|
nixpkgs.buildPlatform = "x86_64-linux";
|
||||||
|
imports = [
|
||||||
|
./machines/ap/configuration.nix
|
||||||
|
device.module
|
||||||
|
];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
// (nix-lib.mapSingleFuse mkNode nodes)
|
// (nix-lib.mapSingleFuse mkNode nodes)
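Review bot: `meta.nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes // { ap01 = apNixpkgs; }` in the last hunk still indexes `nixpkgs` by version alone, but the earlier hunk redefines `nixpkgs` as a two-level set keyed by system and then version (via `mkSystemNixpkgs`), and `mkArgs` reads it as `nixpkgs.${system node}` then `.${version node}`; unless `nodeNixpkgs` is meant to differ, it looks like it should be `nixpkgs.${system n}.${version n}`. `apNixpkgs` is not defined in any visible hunk, so whether it is bound elsewhere in the file cannot be told from here. The `allowUnsupportedSystem`/`permittedInsecurePackages` block is written twice (in `mkNixpkgsConfigPerSystem` and in `registry.zyxel-nwa50ax.defaults`) and the mipsel `hostPlatform` block twice as well (in `defaults` and in `ap01`), which invites drift; one `let` binding for each would keep the python-2.7 exception and the target triple in a single place. The `systemType` warning names `deployment.systemType` while the attribute actually consulted is `nodes'.${node}.system`, and `system` just above already defaults the same attribute silently, so the two helpers should agree on which one is authoritative. The enclosing `let` starts and ends outside the hunks.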
|
||||||
|
|
18
keys/certs/dgnum-ap-server.crt
Normal file
18
keys/certs/dgnum-ap-server.crt
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIC6TCCAdECFEbjeqNNzKWyfs2GJekipWK+yO4uMA0GCSqGSIb3DQEBCwUAMHMx
|
||||||
|
NDAyBgNVBAMMK0RHTnVtIFRlc3QgQVAgQ0EgLS0gRE8gTk9UIFVTRSBPUiBHRVQg
|
||||||
|
RklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwGA1UEBwwFUGFy
|
||||||
|
aXMxDjAMBgNVBAoMBURHTnVtMB4XDTI0MDgyNjE5MDQxMFoXDTI2MDgyNjE5MDQx
|
||||||
|
MFowdzE4MDYGA1UEAwwvREdOdW0gVGVzdCBBUCBzZXJ2ZXIgLS0gRE8gTk9UIFVT
|
||||||
|
RSBPUiBHRVQgRklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwG
|
||||||
|
A1UEBwwFUGFyaXMxDjAMBgNVBAoMBURHTnVtMIGbMBAGByqGSM49AgEGBSuBBAAj
|
||||||
|
A4GGAAQBDrTf0SH/YOkOfvOSnB3BbICb80jSsxwQH50y4jylbXcrUZnegLYjW/lF
|
||||||
|
QknuMBzzE5fnE9lAeOxqsn0ec+sL3zEBrV0LSG2LgxhAkahZS9U4Spt9Qc84U7cG
|
||||||
|
AFQ3GXDMTEb/COHJSu7sIfV4gFRVesFez30gb94lMxckkq/6nkXXaEUwDQYJKoZI
|
||||||
|
hvcNAQELBQADggEBAEfPHMAXwftYQ0lDYPlr9b+GZDl7/JAavEfBXKzj1U8O0sJz
|
||||||
|
daNOHEX3a5ZOaQoean2zmBLROgQpDlwsjAFNA9dg0ef2f4RgJvr/l2fspHwG0Uaq
|
||||||
|
4JEOKTj3htd8aZX2i6AR02UC2oxCtf7ZVa+a6NOeeKl53QPzjduPO60ruz8tD2Xr
|
||||||
|
YnQwVinQX0fJo7TmyQKDIxwld/Q5pMoDMfVlS71M/vISFfQ/Rx1PqYvBQyG1dvIA
|
||||||
|
qn9cNNVnjEGrk7zXjCfehMYiCtDZ+D3VyXeZ6A7YZNpc6RUj8rbWcOtKLayRFlwf
|
||||||
|
DTjV3/nPqV0M2nU6jXFBMfQ47VSfB7ibINt94xo=
|
||||||
|
-----END CERTIFICATE-----
|
23
keys/certs/dgnum-test-ap-ca.crt
Normal file
23
keys/certs/dgnum-test-ap-ca.crt
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDxzCCAq+gAwIBAgIUPuHEZeZoCidp+w5ME2CrkZEn3T8wDQYJKoZIhvcNAQEL
|
||||||
|
BQAwczE0MDIGA1UEAwwrREdOdW0gVGVzdCBBUCBDQSAtLSBETyBOT1QgVVNFIE9S
|
||||||
|
IEdFVCBGSVJFRDELMAkGA1UEBhMCRlIxDjAMBgNVBAgMBVBhcmlzMQ4wDAYDVQQH
|
||||||
|
DAVQYXJpczEOMAwGA1UECgwFREdOdW0wHhcNMjQwODI2MTg1ODQ4WhcNMjkwODI2
|
||||||
|
MTg1ODQ4WjBzMTQwMgYDVQQDDCtER051bSBUZXN0IEFQIENBIC0tIERPIE5PVCBV
|
||||||
|
U0UgT1IgR0VUIEZJUkVEMQswCQYDVQQGEwJGUjEOMAwGA1UECAwFUGFyaXMxDjAM
|
||||||
|
BgNVBAcMBVBhcmlzMQ4wDAYDVQQKDAVER051bTCCASIwDQYJKoZIhvcNAQEBBQAD
|
||||||
|
ggEPADCCAQoCggEBAKLgCNXLI6FQWJY5JQDqZcO1hmZpp0upT59/JvJXmEl4St1O
|
||||||
|
FF3frSAoFcgn2Bv3kYQQ6wEhD3S7JBxRmoDtx/7sqsXthNpBaymVdphb9XhnVOC2
|
||||||
|
NDBKV4WH06Hr06oKVfDSBhIldPJr1vfQLehOnz6uqK7walqPvid3tMv0lwt7mHZ9
|
||||||
|
qQpgC2C/tkHwD1kh1RszoIZKIQWDnSNXPhYnB3X/DMCUWIKiz6P/0rVANEDDZER6
|
||||||
|
b6eJRjv2l8jPlOt7CUTAOrsoJGCnSg2SV4lgr1u3mE/2AvmLdO0l5Dz0qCuQNbb3
|
||||||
|
uWqYUonooR8rox171On/Rd0zvtihycSDxofVJ+MCAwEAAaNTMFEwHQYDVR0OBBYE
|
||||||
|
FIPUT3v8AoeBS6VbcEvgVc1dC38hMB8GA1UdIwQYMBaAFIPUT3v8AoeBS6VbcEvg
|
||||||
|
Vc1dC38hMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACX1aqYU
|
||||||
|
9PIwZ/dBS7cpsBsCm9M0ueInTlQpvv6xioKuPhIet40YgawTRakxniAr0WXHTBV5
|
||||||
|
a8ZQ4ff4uI+sdaxN7Ueufr4ltWVLuSc9DfIxjLVZ+41G6Ehy9Xc2zoDBfYURrXjd
|
||||||
|
ISvPSXIKjM0yuS/249C77HOdzwbliS65Io2zubQStGfSaZ3sLAfPJoig+QiVyOtG
|
||||||
|
sPoYzzrjXDBym+plfGTWqHv+gwo6DZarXrK4yaMn4hYkkf95NsY2ywwHzcy/4hsu
|
||||||
|
+bMm4IeCrB9uNOZtQrqW81/+4oxjGiKLbhnFPNQOg2pzb+iOJTPKVicAqKDSCnou
|
||||||
|
WXG5pjBKzojPvxU=
|
||||||
|
-----END CERTIFICATE-----
|
1
liminix-rebuild.nix
Normal file
1
liminix-rebuild.nix
Normal file
|
@ -0,0 +1 @@
|
||||||
|
{ liminix-system }: (import ./liminix-hive.nix { }).${liminix-system}.primary
|
259
machines/ap01/_configuration.nix
Normal file
259
machines/ap01/_configuration.nix
Normal file
|
@ -0,0 +1,259 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
modulesPath,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
inherit (pkgs.liminix.services) oneshot;
|
||||||
|
inherit (pkgs.pseudofile) symlink dir;
|
||||||
|
inherit (pkgs) serviceFns;
|
||||||
|
svc = config.system.service;
|
||||||
|
secrets-1 = {
|
||||||
|
ssid = "DGNum 2G prototype (N)";
|
||||||
|
};
|
||||||
|
secrets-2 = {
|
||||||
|
ssid = "DGNum 5G prototype (AX)";
|
||||||
|
};
|
||||||
|
baseParams = {
|
||||||
|
country_code = "FR";
|
||||||
|
hw_mode = "g";
|
||||||
|
channel = 6;
|
||||||
|
wmm_enabled = 1;
|
||||||
|
ieee80211n = 1;
|
||||||
|
ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
|
||||||
|
auth_algs = 1;
|
||||||
|
wpa = 2;
|
||||||
|
wpa_pairwise = "TKIP CCMP";
|
||||||
|
rsn_pairwise = "CCMP";
|
||||||
|
};
|
||||||
|
|
||||||
|
radiusKeyMgmt = {
|
||||||
|
wpa_key_mgmt = "WPA-EAP";
|
||||||
|
};
|
||||||
|
|
||||||
|
modernParams = {
|
||||||
|
hw_mode = "a";
|
||||||
|
he_su_beamformer = 1;
|
||||||
|
he_su_beamformee = 1;
|
||||||
|
he_mu_beamformer = 1;
|
||||||
|
preamble = 1;
|
||||||
|
# Allow radar detection.
|
||||||
|
ieee80211d = 1;
|
||||||
|
ieee80211h = 1;
|
||||||
|
ieee80211ac = 1;
|
||||||
|
ieee80211ax = 1;
|
||||||
|
vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
|
||||||
|
vht_oper_chwidth = 1;
|
||||||
|
he_oper_chwidth = 1;
|
||||||
|
channel = 36;
|
||||||
|
vht_oper_centr_freq_seg0_idx = 42;
|
||||||
|
he_oper_centr_freq_seg0_idx = 42;
|
||||||
|
require_vht = 1;
|
||||||
|
};
|
||||||
|
|
||||||
|
clientRadius = {
|
||||||
|
ieee8021x = 1;
|
||||||
|
eapol_version = 2;
|
||||||
|
use_pae_group_addr = 1;
|
||||||
|
dynamic_vlan = 0;
|
||||||
|
vlan_tagged_interface = "lan";
|
||||||
|
};
|
||||||
|
|
||||||
|
externalRadius = {
|
||||||
|
# TODO: when we have proper IPAM, set the right value here.
|
||||||
|
own_ip_addr = "127.0.0.1";
|
||||||
|
nas_identifier = "ap01.dgnum.eu";
|
||||||
|
|
||||||
|
# No DNS here, hostapd do not support this mode.
|
||||||
|
auth_server_addr = "129.199.195.129";
|
||||||
|
auth_server_port = 1812;
|
||||||
|
auth_server_shared_secret = "read it online";
|
||||||
|
};
|
||||||
|
|
||||||
|
mkWifiSta =
|
||||||
|
params: interface: secrets:
|
||||||
|
svc.hostapd.build {
|
||||||
|
inherit interface;
|
||||||
|
package = pkgs.hostapd-radius;
|
||||||
|
params = params // secrets;
|
||||||
|
dependencies = [ config.services.jitter ];
|
||||||
|
};
|
||||||
|
in
|
||||||
|
rec {
|
||||||
|
imports = [
|
||||||
|
"${modulesPath}/wlan.nix"
|
||||||
|
"${modulesPath}/network"
|
||||||
|
"${modulesPath}/dhcp6c"
|
||||||
|
"${modulesPath}/hostapd"
|
||||||
|
"${modulesPath}/ssh"
|
||||||
|
"${modulesPath}/ntp"
|
||||||
|
"${modulesPath}/vlan"
|
||||||
|
"${modulesPath}/bridge"
|
||||||
|
"${modulesPath}/jitter-rng"
|
||||||
|
"${modulesPath}/pki"
|
||||||
|
"${modulesPath}/ubus"
|
||||||
|
../../modules/dgn-access-control.nix
|
||||||
|
# TODO: god that's so a fucking hack.
|
||||||
|
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
|
||||||
|
];
|
||||||
|
|
||||||
|
hostname = "ap01-prototype";
|
||||||
|
|
||||||
|
# Get moar random please
|
||||||
|
services.jitter = svc.jitter-rng.build { };
|
||||||
|
services.ubus = svc.ubus.build { };
|
||||||
|
|
||||||
|
# SSH keys are handled by the access control module.
|
||||||
|
dgn-access-control.enable = true;
|
||||||
|
users.root = {
|
||||||
|
passwd = "$6$jVXFFOp8HBYmgINR$lutB4kvw.W1jlXRby9ZYAgBitQ32RxQdYAGN.s2x4ris8J07vM6tzlRBQoeLELOIEMClDzbciQV0itfHQnTqd1";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.int = svc.bridge.primary.build {
|
||||||
|
ifname = "int";
|
||||||
|
macAddressFromInterface = config.hardware.networkInterfaces.lan;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.bridge = svc.bridge.members.build {
|
||||||
|
primary = services.int;
|
||||||
|
members = {
|
||||||
|
lan.member = config.hardware.networkInterfaces.lan;
|
||||||
|
wlan0 = {
|
||||||
|
member = config.hardware.networkInterfaces.wlan0;
|
||||||
|
# Bridge only once hostapd is ready.
|
||||||
|
dependencies = [ config.services.hostap-1-ready ];
|
||||||
|
};
|
||||||
|
wlan1 = {
|
||||||
|
member = config.hardware.networkInterfaces.wlan1;
|
||||||
|
# Bridge only once hostapd is ready.
|
||||||
|
dependencies = [ config.services.hostap-2-ready ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.resolvconf = oneshot rec {
|
||||||
|
name = "resolvconf";
|
||||||
|
up = ''
|
||||||
|
. ${serviceFns}
|
||||||
|
( in_outputs ${name}
|
||||||
|
for i in $(output ${services.dhcpv4} dns); do
|
||||||
|
echo "nameserver $i" >> resolv.conf
|
||||||
|
done
|
||||||
|
)
|
||||||
|
'';
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
config.services.dhcpv4
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
filesystem = dir {
|
||||||
|
etc = dir {
|
||||||
|
"resolv.conf" = symlink "${config.services.resolvconf}/.outputs/resolv.conf";
|
||||||
|
"nixpkgs.version" = {
|
||||||
|
type = "f";
|
||||||
|
file = "${pkgs.lib.version}";
|
||||||
|
mode = "0444";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.dhcpv4 = svc.network.dhcp.client.build {
|
||||||
|
interface = config.services.int;
|
||||||
|
dependencies = [
|
||||||
|
config.services.hostname
|
||||||
|
config.services.bridge.components.lan
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO(raito): these won't work with RAs
|
||||||
|
# fix them in Liminix directly and re-enable.
|
||||||
|
# services.dhcpv6 = svc.dhcp6c.client.build {
|
||||||
|
# interface = config.services.int;
|
||||||
|
# dependencies = [
|
||||||
|
# config.services.hostname
|
||||||
|
# config.services.bridge
|
||||||
|
# ];
|
||||||
|
# };
|
||||||
|
|
||||||
|
# services.ipv6 = svc.dhcp6c.address.build {
|
||||||
|
# interface = config.services.int;
|
||||||
|
# client = config.services.dhcpv6;
|
||||||
|
# dependencies = [ config.services.hostname ];
|
||||||
|
# };
|
||||||
|
|
||||||
|
services.defaultroute4 = svc.network.route.build {
|
||||||
|
via = "$(output ${services.dhcpv4} router)";
|
||||||
|
target = "default";
|
||||||
|
dependencies = [ services.dhcpv4 ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.packet_forwarding = svc.network.forward.build { };
|
||||||
|
services.sshd = svc.ssh.build { allowRoot = true; };
|
||||||
|
|
||||||
|
services.ntp = config.system.service.ntp.build {
|
||||||
|
pools = {
|
||||||
|
"pool.ntp.org" = [ "iburst" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
dependencies = [ config.services.jitter ];
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.tftp = {
|
||||||
|
serverip = "192.0.2.10";
|
||||||
|
ipaddr = "192.0.2.12";
|
||||||
|
};
|
||||||
|
|
||||||
|
# wlan0 is the 2.4GHz interface.
|
||||||
|
services.hostap-1 = mkWifiSta (
|
||||||
|
baseParams // radiusKeyMgmt
|
||||||
|
) config.hardware.networkInterfaces.wlan0 secrets-1;
|
||||||
|
services.hostap-1-ready = svc.hostapd-ready.build {
|
||||||
|
interface = config.hardware.networkInterfaces.wlan0;
|
||||||
|
};
|
||||||
|
# wlan1 is the 5GHz interface, e.g. AX capable.
|
||||||
|
services.hostap-2 = mkWifiSta (
|
||||||
|
baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams
|
||||||
|
) config.hardware.networkInterfaces.wlan1 secrets-2;
|
||||||
|
# Oneshot that waits until the hostapd has set the interface in operational state.
|
||||||
|
services.hostap-2-ready = svc.hostapd-ready.build {
|
||||||
|
interface = config.hardware.networkInterfaces.wlan1;
|
||||||
|
};
|
||||||
|
|
||||||
|
defaultProfile.packages = with pkgs; [
|
||||||
|
zyxel-bootconfig
|
||||||
|
min-collect-garbage
|
||||||
|
iwinfo
|
||||||
|
ifwait
|
||||||
|
# Levitate enable us to mass-reinstall the system on the fly.
|
||||||
|
(levitate.override {
|
||||||
|
config = {
|
||||||
|
imports = [
|
||||||
|
"${modulesPath}/network"
|
||||||
|
"${modulesPath}/ssh"
|
||||||
|
"${modulesPath}/hardware.nix"
|
||||||
|
"${modulesPath}/kernel"
|
||||||
|
"${modulesPath}/outputs/tftpboot.nix"
|
||||||
|
"${modulesPath}/outputs.nix"
|
||||||
|
];
|
||||||
|
services = {
|
||||||
|
# Simplest DHCPv4 we can find.
|
||||||
|
dhcpv4 = svc.network.dhcp.client.build {
|
||||||
|
interface = config.hardware.networkInterfaces.lan;
|
||||||
|
};
|
||||||
|
inherit (config.services) sshd;
|
||||||
|
defaultroute4 = svc.network.route.build {
|
||||||
|
via = "$(output ${services.dhcpv4} router)";
|
||||||
|
target = "default";
|
||||||
|
dependencies = [ config.services.dhcpv4 ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
defaultProfile.packages = [ mtdutils ];
|
||||||
|
# Only keep root, which should inherit from DGN access control's root permissions.
|
||||||
|
users.root = config.users.root;
|
||||||
|
};
|
||||||
|
})
|
||||||
|
];
|
||||||
|
}
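Review bot: `auth_server_shared_secret = "read it online"` and the sha512-crypt hash under `users.root.passwd` are literal values in a module that is evaluated into the Nix store, so they become world-readable on every machine that builds this configuration and permanent in git history; the NixOS path in this same PR takes the root hash from `nodeMeta.hashedPassword` and the ap01 node entry defines none, so both values should arrive through the deployment's secrets mechanism rather than the module text. `services.hostap-1` is built from `baseParams // radiusKeyMgmt` only, which sets `wpa_key_mgmt = "WPA-EAP"` without the `ieee8021x`/`auth_server_*` entries that `hostap-2` gets from `clientRadius // externalRadius`; if the 2.4 GHz network is meant to authenticate against the same RADIUS server it needs the same sets, and if it is intentionally different the `# wlan0 is the 2.4GHz interface.` comment should say so. As far as I recall hostapd's config, `wpa_pairwise` only applies to WPA1 and `wpa = 2` turns WPA1 off, so `wpa_pairwise = "TKIP CCMP"` is either dead or misleading and a comment or removal would help. The `secrets-1`/`secrets-2` bindings hold only an `ssid`; a comment such as `# per-radio overrides, merged last into the hostapd params` would say what they are for.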
|
1
machines/ap01/_hardware-configuration.nix
Normal file
1
machines/ap01/_hardware-configuration.nix
Normal file
|
@ -0,0 +1 @@
|
||||||
|
{ }
|
|
@ -1,4 +1,5 @@
|
||||||
{
|
{
|
||||||
|
versions = {
|
||||||
# Default version of nixpkgs to use
|
# Default version of nixpkgs to use
|
||||||
default = "24.05";
|
default = "24.05";
|
||||||
|
|
||||||
|
@ -8,4 +9,16 @@
|
||||||
"23.11"
|
"23.11"
|
||||||
"24.05"
|
"24.05"
|
||||||
];
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
systems = {
|
||||||
|
# Default target system
|
||||||
|
default = "nixos";
|
||||||
|
|
||||||
|
# Supported target systems
|
||||||
|
supported = [
|
||||||
|
"nixos"
|
||||||
|
"zyxel-nwa50ax"
|
||||||
|
];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -136,4 +136,12 @@
|
||||||
nixpkgs = "unstable";
|
nixpkgs = "unstable";
|
||||||
vm-cluster = "Hyperviseur NPS";
|
vm-cluster = "Hyperviseur NPS";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Access points definition
|
||||||
|
ap01 = {
|
||||||
|
site = "unknown";
|
||||||
|
adminGroups = [ "fai" ];
|
||||||
|
|
||||||
|
system = "zyxel-nwa50ax";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -11,6 +11,7 @@ let
|
||||||
inherit (lib.types)
|
inherit (lib.types)
|
||||||
attrs
|
attrs
|
||||||
attrsOf
|
attrsOf
|
||||||
|
enum
|
||||||
ints
|
ints
|
||||||
listOf
|
listOf
|
||||||
nullOr
|
nullOr
|
||||||
|
@ -35,6 +36,7 @@ let
|
||||||
};
|
};
|
||||||
|
|
||||||
org = config.organization;
|
org = config.organization;
|
||||||
|
nixpkgs = import ./nixpkgs.nix;
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -138,8 +140,8 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs = mkOption {
|
nixpkgs = mkOption {
|
||||||
type = str;
|
type = enum nixpkgs.versions.supported;
|
||||||
inherit (import ./nixpkgs.nix) default;
|
inherit (nixpkgs.versions) default;
|
||||||
description = ''
|
description = ''
|
||||||
Version of nixpkgs to use.
|
Version of nixpkgs to use.
|
||||||
'';
|
'';
|
||||||
|
@ -188,6 +190,14 @@ in
|
||||||
default = null;
|
default = null;
|
||||||
description = "VM cluster where the VM is located";
|
description = "VM cluster where the VM is located";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
system = mkOption {
|
||||||
|
type = enum nixpkgs.systems.supported;
|
||||||
|
inherit (nixpkgs.systems) default;
|
||||||
|
description = ''
|
||||||
|
Type of system for the node, will impact how it is evaluated and deployed.
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
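Review bot: changing the `nixpkgs` option's type from `str` to `enum nixpkgs.versions.supported` turns any node value outside that list into an evaluation error; the nodes hunk in this PR shows a node with `nixpkgs = "unstable"`, and the visible part of `versions.supported` lists only `"23.11"` and `"24.05"`, so unless `"unstable"` appears in the part of that list outside the hunk, evaluation will fail. Worth confirming before merge, and the description could name where the accepted values come from, e.g. `Version of nixpkgs to use; must be one of meta/nixpkgs.nix versions.supported.`. The enclosing options set continues outside the hunk.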
|
||||||
|
|
|
@ -114,6 +114,12 @@
|
||||||
"fai"
|
"fai"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
# AP administration DGNum
|
||||||
|
ap.adminGroups = [
|
||||||
|
"root"
|
||||||
|
"fai"
|
||||||
|
];
|
||||||
|
|
||||||
# Videos DGNum
|
# Videos DGNum
|
||||||
peertube.admins = [ "thubrecht" ];
|
peertube.admins = [ "thubrecht" ];
|
||||||
};
|
};
|
||||||
|
|
|
@ -84,18 +84,24 @@ in
|
||||||
{
|
{
|
||||||
# Admins have root access to the node
|
# Admins have root access to the node
|
||||||
dgn-access-control.users.root = mkDefault admins;
|
dgn-access-control.users.root = mkDefault admins;
|
||||||
|
|
||||||
users.users = builtins.mapAttrs (_: members: {
|
|
||||||
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
|
|
||||||
}) cfg.users;
|
|
||||||
}
|
}
|
||||||
{
|
(mkIf (nodeMeta.system == "nixos") {
|
||||||
users = {
|
users = {
|
||||||
mutableUsers = false;
|
mutableUsers = false;
|
||||||
users.root = {
|
users.root = {
|
||||||
inherit (nodeMeta) hashedPassword;
|
inherit (nodeMeta) hashedPassword;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
})
|
||||||
|
(mkIf (nodeMeta.system == "nixos") {
|
||||||
|
users.users = builtins.mapAttrs (_: members: {
|
||||||
|
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
|
||||||
|
}) cfg.users;
|
||||||
|
})
|
||||||
|
(mkIf (nodeMeta.system == "zyxel-nwa50ax") {
|
||||||
|
users = builtins.mapAttrs (_: members: {
|
||||||
|
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
|
||||||
|
}) cfg.users;
|
||||||
|
})
|
||||||
]);
|
]);
|
||||||
}
|
}
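Review bot: the two `mkIf (nodeMeta.system == "nixos")` blocks — the one setting `users.mutableUsers` and `users.users.root`, and the new one setting `users.users.*.openssh.authorizedKeys.keys` — share the same condition and could be one block; keeping them apart is a style choice that makes the NixOS branch harder to read next to the single `zyxel-nwa50ax` branch. For the Liminix branch the module writes `users.<name>.openssh.authorizedKeys.keys` directly under `users`, and whether Liminix's `users` option accepts that attribute is not visible here; a comment such as `# Liminix users live directly under users, not users.users` would record why the two branches differ. The list closed by `]);` opens outside the hunk.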
|
||||||
|
|
|
@ -42,6 +42,7 @@ let
|
||||||
builtins.fetchGit {
|
builtins.fetchGit {
|
||||||
inherit (repository) url;
|
inherit (repository) url;
|
||||||
rev = revision;
|
rev = revision;
|
||||||
|
allRefs = true;
|
||||||
# hash = hash;
|
# hash = hash;
|
||||||
};
|
};
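Review bot: the added `allRefs = true;` carries no comment saying why it is needed; given that the sources file in this PR pins `colmena` to a `custom-activation` branch and `liminix` to a self-hosted `main`, the reason is presumably that the pinned revisions are not reachable from the remote's default branch, and a line like `# pinned revisions may live on non-default branches, so fetch every ref` would save the next reader a git-archaeology trip. With `# hash = hash;` still commented out, integrity of the fetch continues to rest on the `rev` commit id alone; that predates this change but deserves a comment too. The enclosing fetch function starts outside the hunk.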
|
||||||
|
|
||||||
|
|
|
@ -49,6 +49,17 @@
|
||||||
"url": null,
|
"url": null,
|
||||||
"hash": "0b1pmfzckdbha9j7bvnkvqccf62dqyll8ip6mrdm90m0y8kdkzvg"
|
"hash": "0b1pmfzckdbha9j7bvnkvqccf62dqyll8ip6mrdm90m0y8kdkzvg"
|
||||||
},
|
},
|
||||||
|
"colmena": {
|
||||||
|
"type": "Git",
|
||||||
|
"repository": {
|
||||||
|
"type": "Git",
|
||||||
|
"url": "https://git.dgnum.eu/DGNum/colmena.git"
|
||||||
|
},
|
||||||
|
"branch": "custom-activation",
|
||||||
|
"revision": "1037471d800d3db42ec85b89787bec5472f5e574",
|
||||||
|
"url": null,
|
||||||
|
"hash": "0k287292yr78zymdglppa8jd0b4kh0x277d4bycwcdsqprw00a4x"
|
||||||
|
},
|
||||||
"disko": {
|
"disko": {
|
||||||
"type": "GitRelease",
|
"type": "GitRelease",
|
||||||
"repository": {
|
"repository": {
|
||||||
|
@ -116,14 +127,13 @@
|
||||||
"liminix": {
|
"liminix": {
|
||||||
"type": "Git",
|
"type": "Git",
|
||||||
"repository": {
|
"repository": {
|
||||||
"type": "GitHub",
|
"type": "Git",
|
||||||
"owner": "RaitoBezarius",
|
"url": "https://git.dgnum.eu/DGNum/liminix.git"
|
||||||
"repo": "liminix"
|
|
||||||
},
|
},
|
||||||
"branch": "nwa50ax",
|
"branch": "main",
|
||||||
"revision": "a4aa10dcc30225a8bb8eb465abfe908629175f2c",
|
"revision": "6970d811e87a3a99a093705cb089a5a63961cfe7",
|
||||||
"url": "https://github.com/RaitoBezarius/liminix/archive/a4aa10dcc30225a8bb8eb465abfe908629175f2c.tar.gz",
|
"url": null,
|
||||||
"hash": "1m1sc6agg5z65lmyjl48i7sddlwm8d0zgvs8z81iammfy4jpy7qd"
|
"hash": "08fwry3zkhlkcl1lrqhhhqj3a47mgc41bvfv518zg8xhwzg7ifnz"
|
||||||
},
|
},
|
||||||
"linkal": {
|
"linkal": {
|
||||||
"type": "Git",
|
"type": "Git",
|
||||||
|
|
62
scripts/android-profile-template.xml
Normal file
62
scripts/android-profile-template.xml
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
<?xml version="1.0" encoding="US-ASCII"?>
|
||||||
|
<WLANProfile xmlns="https://www.microsoft.com/networking/WLAN/profile/v1">
|
||||||
|
<name>DGNumRadius</name>
|
||||||
|
<SSIDConfig>
|
||||||
|
<SSID>
|
||||||
|
<name>@SSID@</name>
|
||||||
|
</SSID>
|
||||||
|
</SSIDConfig>
|
||||||
|
<connectionType>ESS</connectionType>
|
||||||
|
<connectionMode>auto</connectionMode>
|
||||||
|
<MSM>
|
||||||
|
<security>
|
||||||
|
<authEncryption>
|
||||||
|
<authentication>WPA2</authentication>
|
||||||
|
<encryption>AES</encryption>
|
||||||
|
<useOneX>true</useOneX>
|
||||||
|
</authEncryption>
|
||||||
|
<OneX xmlns="https://www.microsoft.com/networking/OneX/v1">
|
||||||
|
<EAPConfig>
|
||||||
|
<EapHostConfig xmlns="https://www.microsoft.com/provisioning/EapHostConfig"
|
||||||
|
xmlns:eapCommon="https://www.microsoft.com/provisioning/EapCommon"
|
||||||
|
xmlns:baseEap="https://www.microsoft.com/provisioning/BaseEapMethodConfig">
|
||||||
|
<EapMethod>
|
||||||
|
<eapCommon:Type>25</eapCommon:Type>
|
||||||
|
<eapCommon:AuthorId>0</eapCommon:AuthorId>
|
||||||
|
</EapMethod>
|
||||||
|
<Config xmlns:baseEap="https://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"
|
||||||
|
xmlns:msPeap="https://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
|
||||||
|
xmlns:msChapV2="https://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"
|
||||||
|
xmlns:msChapV2User="https://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
|
||||||
|
<baseEap:Eap>
|
||||||
|
<baseEap:Type>25</baseEap:Type>
|
||||||
|
<msPeap:EapType>
|
||||||
|
<msPeap:ServerValidation>
|
||||||
|
<msPeap:DisableUserPromptForServerValidation>false</msPeap:DisableUserPromptForServerValidation>
|
||||||
|
<msPeap:TrustedRootCA />
|
||||||
|
</msPeap:ServerValidation>
|
||||||
|
<msPeap:FastReconnect>true</msPeap:FastReconnect>
|
||||||
|
<msPeap:InnerEapOptional>0</msPeap:InnerEapOptional>
|
||||||
|
<msPeap:ServerNames>radius.dgnum.eu</msPeap:ServerNames>
|
||||||
|
<baseEap:Eap>
|
||||||
|
<baseEap:Type>26</baseEap:Type>
|
||||||
|
<msChapV2:EapType>
|
||||||
|
<msChapV2:UseWinLogonCredentials>false</msChapV2:UseWinLogonCredentials>
|
||||||
|
</msChapV2:EapType>
|
||||||
|
<msChapV2User:EapType>
|
||||||
|
<msChapV2User:Username>@USERNAME@</msChapV2User:Username>
|
||||||
|
<msChapV2User:Password>@PASSWORD@</msChapV2User:Password>
|
||||||
|
</msChapV2User>
|
||||||
|
</baseEap:Eap>
|
||||||
|
<msPeap:EnableQuarantineChecks>false</msPeap:EnableQuarantineChecks>
|
||||||
|
<msPeap:RequireCryptoBinding>false</msPeap:RequireCryptoBinding>
|
||||||
|
<msPeap:PeapExtensions />
|
||||||
|
</msPeap:EapType>
|
||||||
|
</baseEap:Eap>
|
||||||
|
</Config>
|
||||||
|
</EapHostConfig>
|
||||||
|
</EAPConfig>
|
||||||
|
</OneX>
|
||||||
|
</security>
|
||||||
|
</MSM>
|
||||||
|
</WLANProfile>
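Review bot: `</msChapV2User>` at the end of the user block does not match its opening tag `<msChapV2User:EapType>`, so the file is not well-formed XML and will be rejected by any parser; it should read `</msChapV2User:EapType>`. `<msPeap:TrustedRootCA />` is empty while `DisableUserPromptForServerValidation` is `false`, so the client has no pinned CA for `radius.dgnum.eu` and falls back to asking the user about an unknown server certificate; the test CA added under keys/certs in this PR could be referenced here by its certificate thumbprint so an unexpected server is refused rather than confirmed by hand. `RequireCryptoBinding` is `false`, which drops PEAP's inner/outer binding check; if that is deliberate for client compatibility a comment in the file should say so. The document is a Microsoft WLANProfile although the filename and the builder call it an Android profile; a comment or rename would avoid confusion.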
|
19
scripts/build-android-profile.nix
Normal file
19
scripts/build-android-profile.nix
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
{
|
||||||
|
pkgs ? import <nixpkgs> { },
|
||||||
|
username,
|
||||||
|
domain ? "sso.dgnum.eu",
|
||||||
|
ssid ? "DGNum 5G prototype (AX)",
|
||||||
|
password,
|
||||||
|
}:
|
||||||
|
pkgs.runCommand "connection-${username}-android-profile.xml"
|
||||||
|
{
|
||||||
|
SSID = ssid;
|
||||||
|
USERNAME = "${username}@${domain}";
|
||||||
|
PASSWORD = password;
|
||||||
|
}
|
||||||
|
''
|
||||||
|
substitute ${./android-profile-template.xml} $out \
|
||||||
|
--subst-var SSID \
|
||||||
|
--subst-var USERNAME \
|
||||||
|
--subst-var PASSWORD
|
||||||
|
''
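Review bot: `PASSWORD = password;` is passed as a derivation attribute, so the plaintext credential is written into the `.drv` file and into the output path, both world-readable in the Nix store and copied to any binary cache the builder pushes to. Doing the `substitute` in a plain script outside the store, or at least a comment warning that the result must never be cached or built on a shared machine, would be the safer shape; `--subst-var` also performs no XML escaping, so an `&` or `<` in the password or SSID yields a malformed profile. The default `ssid` duplicates the string in machines/ap01/_configuration.nix; keeping it in one place would avoid drift.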
|
12
scripts/extract-firmware-from-zyxel-nwa-fit.sh
Executable file
12
scripts/extract-firmware-from-zyxel-nwa-fit.sh
Executable file
|
@ -0,0 +1,12 @@
|
||||||
|
#!/usr/bin/env nix-shell
|
||||||
|
#!nix-shell -i bash -p ubootTools
|
||||||
|
|
||||||
|
usage() {
|
||||||
|
echo "extract the firmware part to write it manually from a Zyxel NWA FIT image"
|
||||||
|
echo "$0 <zyxel_nwa_fit_image_path> <firmware_output_file>"
|
||||||
|
}
|
||||||
|
|
||||||
|
ZYXEL_NWA_FIT="$1"
|
||||||
|
FIRMWARE_OUTPUT="$2"
|
||||||
|
|
||||||
|
dumpimage -T flat_dt -p 0 $ZYXEL_NWA_FIT -o $FIRMWARE_OUTPUT
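Review bot: `usage` is defined but never called, and `$ZYXEL_NWA_FIT`/`$FIRMWARE_OUTPUT` are expanded unquoted, so a missing argument silently runs `dumpimage` with an empty path and a path containing spaces is split into several words. Adding `[ $# -eq 2 ] || { usage >&2; exit 1; }` before the assignments and quoting the expansions, `dumpimage -T flat_dt -p 0 "$ZYXEL_NWA_FIT" -o "$FIRMWARE_OUTPUT"`, fixes both.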
|
45
scripts/liminix-rebuild.sh
Executable file
45
scripts/liminix-rebuild.sh
Executable file
|
@ -0,0 +1,45 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -Eeuo pipefail
|
||||||
|
|
||||||
|
ssh_command=${SSH_COMMAND-ssh}
|
||||||
|
root_prefix=${ROOT_PREFIX-/}
|
||||||
|
|
||||||
|
reboot="reboot"
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
"--no-reboot")
|
||||||
|
unset reboot
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
"--fast")
|
||||||
|
reboot="soft"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
target_host=$1
|
||||||
|
shift
|
||||||
|
|
||||||
|
if [ -z "$target_host" ] ; then
|
||||||
|
echo Usage: liminix-rebuild \[--no-reboot\] target-host params
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if toplevel="$(nom-build $(colmena eval -E "{ nodes, ... }: nodes.$@.config.system.outputs.systemConfiguration" --instantiate))"; then
|
||||||
|
echo systemConfiguration $toplevel aimed at $root_prefix
|
||||||
|
sleep 3
|
||||||
|
min-copy-closure --root "$root_prefix" $target_host $toplevel
|
||||||
|
$ssh_command $target_host "$root_prefix/$toplevel/bin/install" "$root_prefix"
|
||||||
|
case "$reboot" in
|
||||||
|
reboot)
|
||||||
|
$ssh_command $target_host "sync; source /etc/profile; reboot"
|
||||||
|
;;
|
||||||
|
soft)
|
||||||
|
$ssh_command $target_host $toplevel/bin/restart-services
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
else
|
||||||
|
echo Rebuild failed
|
||||||
|
fi
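Review bot: `--no-reboot` does `unset reboot`, and under `set -u` the later `case "$reboot"` then aborts with an unbound-variable error after the install step has already run; use `reboot=""` instead, since the `*)` arm already handles the empty value. Likewise `case "$1"` fails with the same error when the script is run with no arguments, before the usage check at `if [ -z "$target_host" ]` is reached; `case "${1-}" in` keeps the usage message reachable. The failure branch prints `Rebuild failed` but exits 0, so a caller cannot detect it; add `exit 1` after the echo. The usage line also omits the `--fast` option that the `case` accepts.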
|