liminix/examples/router-with-l2tp.nix

# A demonstration config for a home/soho router with PPPoE upstream
# and fallback to an L2TP tunnel over a USB WWAN device

{
  config,
  pkgs,
  lib,
  ...
}:
let
  secrets = import ./extneder-secrets.nix;
  rsecrets = import ./rotuer-secrets.nix;

  # https://support.aa.net.uk/Category:Incoming_L2TP says:
  # "Please use the DNS name (l2tp.aa.net.uk) instead of hardcoding an
  # IP address; IP addresses can and do change. If you have to use an
  # IP, use 194.4.172.12, but do check the DNS for l2tp.aa.net.uk in
  # case it changes."

  # but (1) we don't want to use the wwan stick's dns as our main
  # resolver: it's provided by some mobile ISP and they aren't
  # necessarily the best at providing unfettered services without
  # deciding to do something weird; (2) it's not simple to arrange
  # that xl2tpd gets a different resolver than every other process;
  # (3) there's no way to specify an lns address to xl2tpd at runtime
  # except by rewriting its config file. So what we will do is lookup
  # the lns hostname using the mobile ISP's dns server and then refuse
  # to start l2tp unless the expected lns address is one of the
  # addresses returned. I think this satisfies "do check the DNS"

  lns = {
    hostname = "l2tp.aaisp.net.uk";
    address = "194.4.172.12";
  };

  inherit (pkgs.liminix.services) oneshot longrun target;
  inherit (pkgs.liminix) outputRef;
  inherit (pkgs.pseudofile) dir symlink;
  inherit (pkgs) serviceFns;
  svc = config.system.service;
  wirelessConfig = {
    country_code = "GB";
    inherit (rsecrets) wpa_passphrase;
    wmm_enabled = 1;
  };
in
rec {
  boot = {
    tftp = {
      serverip = "10.0.0.1";
      ipaddr = "10.0.0.8";
    };
  };

  imports = [
    ../modules/wwan
    ../modules/network
    ../modules/ssh
    ../modules/usb.nix
    ../modules/ppp
    ../modules/round-robin
    ../modules/health-check
    ../modules/secrets
    ../modules/profiles/gateway.nix
  ];
  hostname = "thing";

  services.wan-address-for-secrets = svc.network.address.build {
    interface = config.hardware.networkInterfaces.wan;
    family = "inet";
    address = "10.0.0.10";
    prefixLength = 24;
  };

  services.secrets = svc.secrets.outboard.build {
    name = "secret-service";
    url = "http://10.0.0.1/liminix/examples/real-secrets.json";
    username = "demo";
    password = "demo";
    interval = 5;
    dependencies = [ services.wan-address-for-secrets ];
  };

  services.wwan = svc.wwan.huawei-e3372.build {
    apn = "data.uk";
    username = "user";
    password = "one2one";
    authType = "chap";
  };

  profile.gateway = {
    lan = {
      interfaces = with config.hardware.networkInterfaces; [
        # EDIT: these are the interfaces exposed by the gl.inet gl-ar750:
        # if your device has more or differently named lan interfaces,
        # specify them here
        wlan
        wlan5
        lan
      ];
      inherit (rsecrets.lan) prefix;
      address = {
        family = "inet";
        address = "${rsecrets.lan.prefix}.1";
        prefixLength = 24;
      };
      dhcp = {
        start = 10;
        end = 240;
        hosts =
          { }
          // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
        localDomain = "lan";
      };
    };
    wan =
      let
        secret = outputRef config.services.secrets;
        username = secret "ppp/username";
        password = secret "ppp/password";
      in
      {
        interface =
          let
            pppoe = svc.pppoe.build {
              interface = config.hardware.networkInterfaces.wan;
              debug = true;
              inherit username password;
            };

            l2tp =
              let
                check-address = oneshot rec {
                  name = "check-lns-address";
                  up = "grep -Fx ${lns.address} $(output_path ${services.lns-address} addresses)";
                  dependencies = [ services.lns-address ];
                };
                route = svc.network.route.build {
                  via = "$(output ${services.bootstrap-dhcpc} router)";
                  target = lns.address;
                  dependencies = [
                    services.bootstrap-dhcpc
                    check-address
                  ];
                };
                l2tpd = svc.l2tp.build {
                  lns = lns.address;
                  inherit username password;
                  dependencies = [
                    config.services.lns-address
                    route
                    check-address
                  ];
                };
              in
              svc.health-check.build {
                service = l2tpd;
                threshold = 3;
                interval = 2;
                healthCheck = pkgs.writeAshScript "ping-check" { } "ping 1.1.1.1";
              };
          in
          svc.round-robin.build {
            name = "wan";
            services = [
              pppoe
              l2tp
            ];
          };
        dhcp6.enable = true;
      };

    wireless.networks = {
      "${rsecrets.ssid}" =
        {
          interface = config.hardware.networkInterfaces.wlan;
          hw_mode = "g";
          channel = "6";
          ieee80211n = 1;
        }
        // wirelessConfig
        // {
          wpa_passphrase = outputRef config.services.secrets "wpa_passphrase";
        };

      "${rsecrets.ssid}5" =
        rec {
          interface = config.hardware.networkInterfaces.wlan5;
          hw_mode = "a";
          channel = 36;
          ht_capab = "[HT40+]";
          vht_oper_chwidth = 1;
          vht_oper_centr_freq_seg0_idx = channel + 6;
          ieee80211n = 1;
          ieee80211ac = 1;
        }
        // wirelessConfig
        // {
          wpa_passphrase = outputRef config.services.secrets "wpa_passphrase";
        };
    };
  };

  services.bootstrap-dhcpc = svc.network.dhcp.client.build {
    interface = config.services.wwan;
    dependencies = [ config.services.hostname ];
  };

  services.sshd = svc.ssh.build {
    authorizedKeys = outputRef config.services.secrets "ssh/authorizedKeys";
  };

  services.lns-address =
    let
      ns = "$(output_word ${services.bootstrap-dhcpc} dns 1)";
      route-to-bootstrap-nameserver = svc.network.route.build {
        via = "$(output ${services.bootstrap-dhcpc} router)";
        target = ns;
        dependencies = [ services.bootstrap-dhcpc ];
      };
    in
    oneshot rec {
      name = "resolve-l2tp-server";
      dependencies = [
        services.bootstrap-dhcpc
        route-to-bootstrap-nameserver
      ];
      up = ''
        (in_outputs ${name}
         DNSCACHEIP="${ns}" ${pkgs.s6-dns}/bin/s6-dnsip4 ${lns.hostname} \
          > addresses
        )
      '';
    };

  users.root = rsecrets.root;

  programs.busybox.options = {
    FEATURE_FANCY_TAIL = "y";
  };

}
add the example used in the video 2024-08-08 18:24:58 +00:00			`# A demonstration config for a home/soho router with PPPoE upstream`
			`# and fallback to an L2TP tunnel over a USB WWAN device`

add rudimentary l2tp service module 2024-05-11 21:48:06 +00:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`}:`
			`let`
add rudimentary l2tp service module 2024-05-11 21:48:06 +00:00			`secrets = import ./extneder-secrets.nix;`
			`rsecrets = import ./rotuer-secrets.nix;`
working l2tp-over-wwan stick example 2024-06-20 09:15:54 +00:00
			`# https://support.aa.net.uk/Category:Incoming_L2TP says:`
			`# "Please use the DNS name (l2tp.aa.net.uk) instead of hardcoding an`
			`# IP address; IP addresses can and do change. If you have to use an`
			`# IP, use 194.4.172.12, but do check the DNS for l2tp.aa.net.uk in`
			`# case it changes."`

			`# but (1) we don't want to use the wwan stick's dns as our main`
			`# resolver: it's provided by some mobile ISP and they aren't`
			`# necessarily the best at providing unfettered services without`
			`# deciding to do something weird; (2) it's not simple to arrange`
			`# that xl2tpd gets a different resolver than every other process;`
			`# (3) there's no way to specify an lns address to xl2tpd at runtime`
			`# except by rewriting its config file. So what we will do is lookup`
			`# the lns hostname using the mobile ISP's dns server and then refuse`
			`# to start l2tp unless the expected lns address is one of the`
			`# addresses returned. I think this satisfies "do check the DNS"`

nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`lns = {`
			`hostname = "l2tp.aaisp.net.uk";`
			`address = "194.4.172.12";`
			`};`
working l2tp-over-wwan stick example 2024-06-20 09:15:54 +00:00
use round-robin failiover in l2tp example 2024-07-08 21:01:54 +00:00			`inherit (pkgs.liminix.services) oneshot longrun target;`
change output references from attrset to lambda this is so that we can distinguish a ref from a literal parameter that might be a attrset 2024-08-23 21:25:57 +00:00			`inherit (pkgs.liminix) outputRef;`
add rudimentary l2tp service module 2024-05-11 21:48:06 +00:00			`inherit (pkgs.pseudofile) dir symlink;`
remove dead code (run deadnix) 2024-06-29 21:59:27 +00:00			`inherit (pkgs) serviceFns;`
add rudimentary l2tp service module 2024-05-11 21:48:06 +00:00			`svc = config.system.service;`
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`wirelessConfig = {`
			`country_code = "GB";`
			`inherit (rsecrets) wpa_passphrase;`
			`wmm_enabled = 1;`
			`};`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`in`
			`rec {`
add rudimentary l2tp service module 2024-05-11 21:48:06 +00:00			`boot = {`
			`tftp = {`
			`serverip = "10.0.0.1";`
			`ipaddr = "10.0.0.8";`
			`};`
			`};`

			`imports = [`
rename wwan-related modules/services we only currently support huawei e3372/cdc ncm so let's make that explicit in the naming 2024-07-14 10:53:45 +00:00			`../modules/wwan`
add rudimentary l2tp service module 2024-05-11 21:48:06 +00:00			`../modules/network`
			`../modules/ssh`
			`../modules/usb.nix`
			`../modules/ppp`
create a module for round-robin 2024-07-15 21:37:37 +00:00			`../modules/round-robin`
add health check service and example that uses it 2024-07-30 21:37:43 +00:00			`../modules/health-check`
first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00			`../modules/secrets`
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`../modules/profiles/gateway.nix`
add rudimentary l2tp service module 2024-05-11 21:48:06 +00:00			`];`
			`hostname = "thing";`

first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00			`services.wan-address-for-secrets = svc.network.address.build {`
			`interface = config.hardware.networkInterfaces.wan;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`family = "inet";`
			`address = "10.0.0.10";`
			`prefixLength = 24;`
first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00			`};`

			`services.secrets = svc.secrets.outboard.build {`
			`name = "secret-service";`
in router-with-l2tp use secrets for ppp username/password 2024-08-20 23:17:53 +00:00			`url = "http://10.0.0.1/liminix/examples/real-secrets.json";`
(untested) http basic auth for outboard secrets 2024-08-28 19:53:59 +00:00			`username = "demo";`
			`password = "demo";`
first pass at outboard secrets - a module to fetch them with http(s) - a service using templating to consume them - update an example to use it needs service restarts needs other services to use the template mechanism needs tidying up 2024-08-12 21:57:21 +00:00			`interval = 5;`
			`dependencies = [ services.wan-address-for-secrets ];`
			`};`

rename wwan-related modules/services we only currently support huawei e3372/cdc ncm so let's make that explicit in the naming 2024-07-14 10:53:45 +00:00			`services.wwan = svc.wwan.huawei-e3372.build {`
make a serviceDefn for wwan 2024-05-15 16:36:16 +00:00			`apn = "data.uk";`
			`username = "user";`
			`password = "one2one";`
			`authType = "chap";`
Revert "wwan gets address from ppp ipcp not dhcp" This reverts commit be13ab23ca2f31189c79d5edfbc62f5ae8781ed3. 2024-06-15 14:04:33 +00:00			`};`

convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`profile.gateway = {`
			`lan = {`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`interfaces = with config.hardware.networkInterfaces; [`
			`# EDIT: these are the interfaces exposed by the gl.inet gl-ar750:`
			`# if your device has more or differently named lan interfaces,`
			`# specify them here`
			`wlan`
			`wlan5`
			`lan`
			`];`
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`inherit (rsecrets.lan) prefix;`
			`address = {`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`family = "inet";`
			`address = "${rsecrets.lan.prefix}.1";`
			`prefixLength = 24;`
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`};`
			`dhcp = {`
			`start = 10;`
			`end = 240;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`hosts =`
			`{ }`
			`// lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);`
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`localDomain = "lan";`
create a module for round-robin 2024-07-15 21:37:37 +00:00			`};`
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`};`
change output references from attrset to lambda this is so that we can distinguish a ref from a literal parameter that might be a attrset 2024-08-23 21:25:57 +00:00			`wan =`
			`let`
			`secret = outputRef config.services.secrets;`
			`username = secret "ppp/username";`
			`password = secret "ppp/password";`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`in`
			`{`
change output references from attrset to lambda this is so that we can distinguish a ref from a literal parameter that might be a attrset 2024-08-23 21:25:57 +00:00			`interface =`
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`let`
change output references from attrset to lambda this is so that we can distinguish a ref from a literal parameter that might be a attrset 2024-08-23 21:25:57 +00:00			`pppoe = svc.pppoe.build {`
			`interface = config.hardware.networkInterfaces.wan;`
			`debug = true;`
			`inherit username password;`
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`};`
change output references from attrset to lambda this is so that we can distinguish a ref from a literal parameter that might be a attrset 2024-08-23 21:25:57 +00:00
			`l2tp =`
			`let`
			`check-address = oneshot rec {`
			`name = "check-lns-address";`
			`up = "grep -Fx ${lns.address} $(output_path ${services.lns-address} addresses)";`
			`dependencies = [ services.lns-address ];`
			`};`
			`route = svc.network.route.build {`
			`via = "$(output ${services.bootstrap-dhcpc} router)";`
			`target = lns.address;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`dependencies = [`
			`services.bootstrap-dhcpc`
			`check-address`
			`];`
change output references from attrset to lambda this is so that we can distinguish a ref from a literal parameter that might be a attrset 2024-08-23 21:25:57 +00:00			`};`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`l2tpd = svc.l2tp.build {`
change output references from attrset to lambda this is so that we can distinguish a ref from a literal parameter that might be a attrset 2024-08-23 21:25:57 +00:00			`lns = lns.address;`
			`inherit username password;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`dependencies = [`
			`config.services.lns-address`
			`route`
			`check-address`
			`];`
change output references from attrset to lambda this is so that we can distinguish a ref from a literal parameter that might be a attrset 2024-08-23 21:25:57 +00:00			`};`
			`in`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`svc.health-check.build {`
			`service = l2tpd;`
			`threshold = 3;`
			`interval = 2;`
			`healthCheck = pkgs.writeAshScript "ping-check" { } "ping 1.1.1.1";`
			`};`
			`in`
			`svc.round-robin.build {`
change output references from attrset to lambda this is so that we can distinguish a ref from a literal parameter that might be a attrset 2024-08-23 21:25:57 +00:00			`name = "wan";`
			`services = [`
			`pppoe`
			`l2tp`
			`];`
			`};`
			`dhcp6.enable = true;`
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`};`
add rudimentary l2tp service module 2024-05-11 21:48:06 +00:00
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`wireless.networks = {`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`"${rsecrets.ssid}" =`
			`{`
			`interface = config.hardware.networkInterfaces.wlan;`
			`hw_mode = "g";`
			`channel = "6";`
			`ieee80211n = 1;`
			`}`
			`// wirelessConfig`
			`// {`
			`wpa_passphrase = outputRef config.services.secrets "wpa_passphrase";`
			`};`

			`"${rsecrets.ssid}5" =`
			`rec {`
			`interface = config.hardware.networkInterfaces.wlan5;`
			`hw_mode = "a";`
			`channel = 36;`
			`ht_capab = "[HT40+]";`
			`vht_oper_chwidth = 1;`
			`vht_oper_centr_freq_seg0_idx = channel + 6;`
			`ieee80211n = 1;`
			`ieee80211ac = 1;`
			`}`
			`// wirelessConfig`
			`// {`
			`wpa_passphrase = outputRef config.services.secrets "wpa_passphrase";`
			`};`
add rudimentary l2tp service module 2024-05-11 21:48:06 +00:00			`};`
			`};`

rename services.dhcpc in l2tp example it's only used to get the address of the l2tp server, not for name lookups in general 2024-07-23 08:26:36 +00:00			`services.bootstrap-dhcpc = svc.network.dhcp.client.build {`
use round-robin failiover in l2tp example 2024-07-08 21:01:54 +00:00			`interface = config.services.wwan;`
			`dependencies = [ config.services.hostname ];`
			`};`

add authorizedKeys option to ssh service this has no apparent use as it stands, but opens the door to having the keys managed by an external secrets service 2024-08-23 19:35:07 +00:00			`services.sshd = svc.ssh.build {`
sshd can use outputRef for authorized_keys 2024-08-25 15:35:50 +00:00			`authorizedKeys = outputRef config.services.secrets "ssh/authorizedKeys";`
add authorizedKeys option to ssh service this has no apparent use as it stands, but opens the door to having the keys managed by an external secrets service 2024-08-23 19:35:07 +00:00			`};`
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`services.lns-address =`
			`let`
			`ns = "$(output_word ${services.bootstrap-dhcpc} dns 1)";`
			`route-to-bootstrap-nameserver = svc.network.route.build {`
			`via = "$(output ${services.bootstrap-dhcpc} router)";`
			`target = ns;`
			`dependencies = [ services.bootstrap-dhcpc ];`
			`};`
			`in`
			`oneshot rec {`
			`name = "resolve-l2tp-server";`
			`dependencies = [`
			`services.bootstrap-dhcpc`
			`route-to-bootstrap-nameserver`
			`];`
			`up = ''`
			`(in_outputs ${name}`
			`DNSCACHEIP="${ns}" ${pkgs.s6-dns}/bin/s6-dnsip4 ${lns.hostname} \`
			`> addresses`
			`)`
			`'';`
working l2tp-over-wwan stick example 2024-06-20 09:15:54 +00:00			`};`
l2tp set default route via tunnel 2024-05-14 11:52:50 +00:00
convert l2tp example to use gateway profile 2024-07-23 08:30:25 +00:00			`users.root = rsecrets.root;`
enable tail -F 2024-07-08 18:19:56 +00:00
			`programs.busybox.options = {`
			`FEATURE_FANCY_TAIL = "y";`
			`};`

add rudimentary l2tp service module 2024-05-11 21:48:06 +00:00			`}`