liminix/examples/l2tp.nix

{
  config,
  pkgs,
  lib,
  ...
}: let
  secrets = import ./extneder-secrets.nix;
  rsecrets = import ./rotuer-secrets.nix;
  lns = "l2tp.aaisp.net.uk";
  inherit (pkgs.liminix.services) oneshot longrun bundle target;
  inherit (pkgs.pseudofile) dir symlink;
  inherit (pkgs) writeText dropbear ifwait serviceFns;
  svc = config.system.service;
in rec {
  boot = {
    tftp = {
      serverip = "10.0.0.1";
      ipaddr = "10.0.0.8";
    };
  };

  imports = [
    ../modules/cdc-ncm
    ../modules/network
    ../modules/vlan
    ../modules/ssh
    ../modules/usb.nix
    ../modules/watchdog
    ../modules/mount
    ../modules/ppp
    ../modules/round-robin
    ../modules/health-check
    ../modules/profiles/gateway.nix
  ];
  hostname = "thing";

  services.wwan = svc.wwan.build {
    apn = "data.uk";
    username = "user";
    password = "one2one";
    authType = "chap";
  };

  profile.gateway = {
    lan = {
      interfaces =  with config.hardware.networkInterfaces;
        [
          # EDIT: these are the interfaces exposed by the gl.inet gl-ar750:
          # if your device has more or differently named lan interfaces,
          # specify them here
          wlan wlan5
          lan
        ];
      inherit (rsecrets.lan) prefix;
      address = {
        family = "inet"; address ="${rsecrets.lan.prefix}.1"; prefixLength = 24;
      };
      dhcp = {
        start = 10;
        end = 240;
        hosts = { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
        localDomain = "lan";
      };
    };
    wan = {
      interface = let
        pppoe = svc.pppoe.build {
          interface = config.hardware.networkInterfaces.wan;
          debug = true;
          username = rsecrets.l2tp.name;
          password = rsecrets.l2tp.password;
        };

        l2tp =
          let
            check-address = oneshot rec {
              name = "check-lns-address";
              up = "grep -Fx ${lns.address} $(output_path ${services.lns-address} addresses)";
              dependencies = [ services.lns-address ];
            };
            route = svc.network.route.build {
              via = "$(output ${services.bootstrap-dhcpc} router)";
              target = lns.address;
              dependencies = [services.bootstrap-dhcpc check-address];
            };
            l2tpd= svc.l2tp.build {
              lns = lns.address;
              ppp-options = [
                "debug" "+ipv6" "noauth"
                "name" rsecrets.l2tp.name
                "password" rsecrets.l2tp.password
              ];
              dependencies = [config.services.lns-address route check-address];
            };
          in
            svc.health-check.build {
              service = l2tpd;
              threshold = 3;
              interval = 2;
              healthCheck = pkgs.writeAshScript "ping-check" {} "ping 1.1.1.1";
            };
      in svc.round-robin.build {
        name = "wan";
        services = [
          pppoe
          l2tp
        ];
      };
      dhcp6.enable = true;
    };

    wireless.networks = {
      "${rsecrets.ssid}" = {
        interface = config.hardware.networkInterfaces.wlan;
        hw_mode = "g";
        channel = "6";
        ieee80211n = 1;
      } // wirelessConfig;
      "${rsecrets.ssid}5" = rec {
        interface = config.hardware.networkInterfaces.wlan5;
        hw_mode = "a";
        channel = 36;
        ht_capab = "[HT40+]";
        vht_oper_chwidth = 1;
        vht_oper_centr_freq_seg0_idx = channel + 6;
        ieee80211n = 1;
        ieee80211ac = 1;
      } // wirelessConfig;
    };
  };

  services.bootstrap-dhcpc = svc.network.dhcp.client.build {
    interface = config.services.wwan;
    dependencies = [ config.services.hostname ];
  };

  services.sshd = svc.ssh.build { };

  services.resolvconf = oneshot rec {
    dependencies = [ services.dhcpc ];
    name = "resolvconf";
    up = ''
      . ${serviceFns}
      ( in_outputs ${name}
      for i in $(output ${services.dhcpc} dns); do
        echo "nameserver $i" > resolv.conf
      done
      )
    '';
  };
  filesystem = dir {
    etc = dir {
      "resolv.conf" = symlink "${services.resolvconf}/.outputs/resolv.conf";
    };
    srv = dir {};
  };

  services.lnsroute = svc.network.route.build {
    via = "$(output ${services.dhcpc} router)";
    target = lns;
    dependencies = [services.dhcpc];
  };

  services.l2tp = svc.l2tp.build {
    inherit lns;
    ppp-options = [
      "debug" "+ipv6" "noauth"
      "name" rsecrets.l2tp.name
      "password" rsecrets.l2tp.password
    ];
    dependencies = [ services.lnsroute ];
  };

  services.defaultroute4 = svc.network.route.build {
    via = "$(output ${services.l2tp} router)";
    target = "default";
    dependencies = [services.l2tp];
  };

  users.root = {
    passwd = lib.mkForce secrets.root.passwd;
    openssh.authorizedKeys.keys = secrets.root.keys;
  };
}