liminix-fork/examples/rotuer.nix

336 lines
8.5 KiB
Nix
Raw Normal View History

# This is not part of Liminix per se. This is my "scratchpad"
# configuration for the device I'm testing with.
#
# Parts of it do do things that Liminix eventually needs to do, but
# don't look in here for solutions - just for identifying the
# problems.
{ config, pkgs, lib, ... } :
let
secrets = import ./rotuer-secrets.nix;
inherit (pkgs.liminix.networking)
address
dnsmasq
hostapd
interface
route;
inherit (pkgs.liminix.services) oneshot longrun bundle target;
inherit (pkgs)
dropbear
ifwait
2023-04-23 19:22:39 +02:00
writeText
writeFennelScript
2023-03-03 21:07:39 +01:00
serviceFns;
in rec {
boot = {
tftp = {
freeSpaceBytes = 3 * 1024 * 1024;
serverip = "10.0.0.1";
ipaddr = "10.0.0.8";
};
};
imports = [
2023-04-23 13:58:51 +02:00
../modules/wlan.nix
../modules/standard.nix
../modules/ppp
];
2023-04-23 13:58:51 +02:00
rootfsType = "jffs2";
2023-05-20 23:34:57 +02:00
hostname = "rotuer";
kernel = {
config = {
BRIDGE = "y";
NETFILTER_XT_MATCH_CONNTRACK = "y";
IP6_NF_IPTABLES= "y"; # do we still need these
IP_NF_IPTABLES= "y"; # if using nftables directly
IP_NF_NAT = "y";
IP_NF_TARGET_MASQUERADE = "y";
NETFILTER = "y";
NETFILTER_ADVANCED = "y";
NETFILTER_XTABLES = "y";
NFT_COMPAT = "y";
NFT_CT = "y";
NFT_LOG = "y";
NFT_MASQ = "y";
NFT_NAT = "y";
NFT_REJECT = "y";
NFT_REJECT_INET = "y";
NF_CONNTRACK = "y";
NF_NAT = "y";
NF_NAT_MASQUERADE = "y";
NF_TABLES= "y";
NF_TABLES_INET = "y";
NF_TABLES_IPV4 = "y";
NF_TABLES_IPV6 = "y";
};
};
services.hostap = hostapd (config.hardware.networkInterfaces.wlan_24) {
params = {
ssid = "liminix";
country_code = "GB";
hw_mode="g";
channel = "2";
wmm_enabled = 1;
ieee80211n = 1;
inherit (secrets) wpa_passphrase;
auth_algs = 1; # 1=wpa2, 2=wep, 3=both
wpa = 2; # 1=wpa, 2=wpa2, 3=both
wpa_key_mgmt = "WPA-PSK";
wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?)
rsn_pairwise = "CCMP"; # auth for wpa2
};
};
services.hostap5 = hostapd (config.hardware.networkInterfaces.wlan_5) {
2023-03-01 23:24:58 +01:00
params = rec {
ssid = "liminix_5";
country_code = "GB";
hw_mode="a";
channel = 36;
ht_capab = "[HT40+]";
vht_oper_chwidth = 1;
vht_oper_centr_freq_seg0_idx = channel + 6;
ieee80211ac = 1;
wmm_enabled = 1;
inherit (secrets) wpa_passphrase;
auth_algs = 1; # 1=wpa2, 2=wep, 3=both
wpa = 2; # 1=wpa, 2=wpa2, 3=both
wpa_key_mgmt = "WPA-PSK";
wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?)
rsn_pairwise = "CCMP"; # auth for wpa2
};
};
services.int =
let iface = interface {
type = "bridge";
device = "int";
};
in address iface {
family = "inet4"; address ="10.8.0.1"; prefixLength = 16;
};
2023-03-01 23:24:58 +01:00
services.bridge =
let
primary = services.int;
addif = dev: oneshot {
name = "add-${dev.device}-to-bridge";
up = "${ifwait}/bin/ifwait -v ${dev.device} running && ip link set dev ${dev.device} master ${primary.device}";
down = "ip link set dev ${dev} nomaster";
dependencies = [ primary dev ];
};
in bundle {
name = "bridge-members";
contents = with config.hardware.networkInterfaces; map addif [
wlan_24 lan wlan_5
2023-03-01 23:24:58 +01:00
];
};
2023-04-23 19:22:39 +02:00
services.ntp =
let config = writeText "chrony.conf" ''
pool pool.ntp.org iburst
dumpdir /run/chrony
makestep 1.0 3
'';
in longrun {
name = "ntp";
run = "${pkgs.chrony}/bin/chronyd -f ${config} -d";
};
services.sshd = longrun {
name = "sshd";
# env -i clears the environment so we don't pass anything weird to
# ssh sessions. Dropbear params are
# -e pass environment to child
# -E log to stderr
# -R create hostkeys if needed
# -P pid-file
# -F don't fork into background
run = ''
if test -d /persist; then
mkdir -p /persist/secrets/dropbear
ln -s /persist/secrets/dropbear /run
fi
PATH=${lib.makeBinPath config.defaultProfile.packages}:/bin
exec env -i ENV=/etc/ashrc PATH=$PATH ${dropbear}/bin/dropbear -e -E -R -P /run/dropbear.pid -F
'';
};
users.dnsmasq = {
uid = 51; gid= 51; gecos = "DNS/DHCP service user";
dir = "/run/dnsmasq";
shell = "/bin/false";
};
2023-05-20 23:48:30 +02:00
users.root = secrets.root;
groups.dnsmasq = {
gid = 51; usernames = ["dnsmasq"];
};
groups.system.usernames = ["dnsmasq"];
services.dns =
let interface = services.int;
in dnsmasq {
resolvconf = services.resolvconf;
inherit interface;
ranges = [
"10.8.0.10,10.8.0.240"
"::,constructor:${interface.device},ra-stateless"
];
domain = "fake.liminix.org";
};
services.wan =
let iface = config.hardware.networkInterfaces.wan;
in config.system.service.pppoe {
interface = iface;
ppp-options = [
"debug" "+ipv6" "noauth"
"name" secrets.l2tp.name
"password" secrets.l2tp.password
];
};
services.resolvconf = oneshot rec {
dependencies = [ services.wan ];
name = "resolvconf";
up = ''
. ${serviceFns}
( in_outputs ${name}
echo "nameserver $(output ${services.wan} ns1)" > resolv.conf
echo "nameserver $(output ${services.wan} ns2)" >> resolv.conf
)
'';
down = ''
rm -rf /run/service-state/${name}/
'';
};
services.defaultroute4 = route {
name = "defaultroute4";
via = "$(output ${services.wan} address)";
target = "default";
dependencies = [ services.wan ];
};
services.defaultroute6 = route {
name = "defaultroute6";
via = "$(output ${services.wan} ipv6-peer-address)";
target = "default";
dev = "$(output ${services.wan} ifname)";
dependencies = [ services.wan ];
};
services.firewall =
let
script= pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
kmodules = pkgs.kernel-modules.override {
kernelSrc = config.system.outputs.kernel.src;
modulesupport = config.system.outputs.kernel.modulesupport;
kconfig = {
NFT_FIB_IPV4 = "m";
NFT_FIB_IPV6 = "m";
NF_TABLES = "m";
NF_CT_PROTO_DCCP = "y";
NF_CT_PROTO_SCTP = "y";
NF_CT_PROTO_UDPLITE = "y";
# NF_CONNTRACK_FTP = "m";
NFT_CT = "m";
};
targets = [
"nft_fib_ipv4"
"nft_fib_ipv6"
];
};
in oneshot {
name = "firewall";
up = ''
sh ${kmodules}/load.sh
${script};
'';
down = "${pkgs.nftables}/bin/nft flush ruleset";
};
services.packet_forwarding =
2023-06-28 23:31:01 +02:00
let
ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
in oneshot {
name = "let-the-ip-flow";
up = ''
2023-06-28 23:31:01 +02:00
echo 1 > ${ip4}
echo 1 > ${ip6}
'';
down = ''
echo 0 > ${ip4};
echo 0 > ${ip6};
'';
dependencies = [ services.firewall ];
};
services.dhcp6 =
let
name = "dhcp6c.wan";
in longrun {
inherit name;
2023-05-26 19:36:44 +02:00
notification-fd = 10;
run = ''
export SERVICE_STATE=/run/service-state/${name}
2023-06-30 21:02:03 +02:00
${pkgs.odhcp6c}/bin/odhcp6c -s ${pkgs.odhcp-script} -e -v -p /run/${name}.pid -P 48 $(output ${services.wan} ifname)
)
'';
dependencies = [ services.wan ];
};
services.acquire-lan-prefix =
let script = pkgs.callPackage ./acquire-delegated-prefix.nix { };
in longrun {
name = "acquire-lan-prefix";
run = "${script} /run/service-state/dhcp6c.wan ${services.int.device}";
dependencies = [ services.dhcp6 ];
};
services.acquire-wan-address =
let script = pkgs.callPackage ./acquire-wan-address.nix { };
in longrun {
name = "acquire-wan-address";
run = "${script} /run/service-state/dhcp6c.wan $(output ${services.wan} ifname)";
dependencies = [ services.dhcp6 ];
};
services.default = target {
name = "default";
2023-05-20 23:34:57 +02:00
contents = with config.services; [
config.hardware.networkInterfaces.lo
config.hardware.networkInterfaces.lan
2023-03-01 23:24:58 +01:00
int
bridge
hostap
2023-03-01 23:24:58 +01:00
hostap5
2023-04-23 19:22:39 +02:00
ntp
defaultroute4
defaultroute6
packet_forwarding
dns
resolvconf
sshd
2023-05-20 23:34:57 +02:00
config.services.hostname
dhcp6
acquire-lan-prefix
acquire-wan-address
];
};
2023-06-20 21:13:59 +02:00
defaultProfile.packages = with pkgs; [
min-collect-garbage
];
}