liminix/examples/rotuer.nix

# This is an example that uses the "gateway" profile to create a
# "typical home wireless router" configuration suitable for a Gl.inet
# gl-ar750 router. It should be fairly simple to edit it for other
# devices: mostly you will need to attend to the number of wlan and lan
# interfaces

{
  config,
  pkgs,
  lib,
  modulesPath,
  ...
}:
let
  secrets = {
    domainName = "fake.liminix.org";
    firewallRules = { };
  } // (import ./rotuer-secrets.nix);
  svc = config.system.service;
  wirelessConfig = {
    country_code = "GB";
    inherit (secrets) wpa_passphrase;
    wmm_enabled = 1;
  };

in
rec {
  boot = {
    tftp = {
      freeSpaceBytes = 3 * 1024 * 1024;
      serverip = "10.0.0.1";
      ipaddr = "10.0.0.8";
    };
  };

  imports = [
    "${modulesPath}/profiles/gateway.nix"
  ];
  hostname = "rotuer";

  profile.gateway = {
    lan = {
      interfaces = with config.hardware.networkInterfaces; [
        # EDIT: these are the interfaces exposed by the gl.inet gl-ar750:
        # if your device has more or differently named lan interfaces,
        # specify them here
        wlan
        wlan5
        lan
      ];
      inherit (secrets.lan) prefix;
      address = {
        family = "inet";
        address = "${secrets.lan.prefix}.1";
        prefixLength = 24;
      };
      dhcp = {
        start = 10;
        end = 240;
        hosts =
          { }
          // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
        localDomain = "lan";
      };
    };
    wan = {
      # wan interface depends on your upstream - could be dhcp, static
      # ethernet, a pppoe, ppp over serial, a complicated bonded
      # failover ... who knows what else?
      interface = svc.pppoe.build {
        interface = config.hardware.networkInterfaces.wan;
        username = secrets.l2tp.name;
        password = secrets.l2tp.password;
      };
      # once the wan has ipv4 connnectivity, should we run dhcp6
      # client to potentially get an address range ("prefix
      # delegation")
      dhcp6.enable = true;
    };
    firewall = {
      enable = true;
      rules = secrets.firewallRules;
    };
    wireless.networks = {
      # EDIT: if you have more or fewer wireless radios, here is where
      # you need to say so.  hostapd tuning is hardware-specific and
      # left as an exercise for the reader :-).

      "${secrets.ssid}" = {
        interface = config.hardware.networkInterfaces.wlan;
        hw_mode = "g";
        channel = "2";
        ieee80211n = 1;
      } // wirelessConfig;
      "${secrets.ssid}5" = rec {
        interface = config.hardware.networkInterfaces.wlan5;
        hw_mode = "a";
        channel = 36;
        ht_capab = "[HT40+]";
        vht_oper_chwidth = 1;
        vht_oper_centr_freq_seg0_idx = channel + 6;
        ieee80211n = 1;
        ieee80211ac = 1;
      } // wirelessConfig;
    };
  };

  services.ntp = svc.ntp.build {
    pools = {
      "pool.ntp.org" = [ "iburst" ];
    };
    makestep = {
      threshold = 1.0;
      limit = 3;
    };
  };

  services.sshd = svc.ssh.build { };

  users.root = secrets.root;

  defaultProfile.packages = with pkgs; [
    min-collect-garbage
    nftables
    strace
    tcpdump
    s6
  ];

  programs.busybox = {
    applets = [
      "fdisk"
      "sfdisk"
    ];
    options = {
      FEATURE_FANCY_TAIL = "y";
    };
  };
}
executive decision: rotuer example should build on gl-ar750 2024-07-16 20:32:29 +00:00			`# This is an example that uses the "gateway" profile to create a`
			`# "typical home wireless router" configuration suitable for a Gl.inet`
			`# gl-ar750 router. It should be fairly simple to edit it for other`
			`# devices: mostly you will need to attend to the number of wlan and lan`
			`# interfaces`
example config for ppoe router hard cases make bad law 2023-02-25 23:12:55 +00:00
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`modulesPath,`
			`...`
			`}:`
example config for ppoe router hard cases make bad law 2023-02-25 23:12:55 +00:00			`let`
rotuer-secrets: remove root_password, add wifi ssid and domainName this is step one towards getting rid of rotuer-secrets completely and turning rotuer into a "profile" module that can be less hackily customised for other people's networks 2024-02-11 09:10:03 +00:00			`secrets = {`
			`domainName = "fake.liminix.org";`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`firewallRules = { };`
rotuer-secrets: remove root_password, add wifi ssid and domainName this is step one towards getting rid of rotuer-secrets completely and turning rotuer into a "profile" module that can be less hackily customised for other people's networks 2024-02-11 09:10:03 +00:00			`} // (import ./rotuer-secrets.nix);`
alias config.system.service 2023-07-20 10:28:45 +00:00			`svc = config.system.service;`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`wirelessConfig = {`
DRY up wireless config 2023-07-22 22:37:01 +00:00			`country_code = "GB";`
			`inherit (secrets) wpa_passphrase;`
			`wmm_enabled = 1;`
			`};`

nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`in`
			`rec {`
example config for ppoe router hard cases make bad law 2023-02-25 23:12:55 +00:00			`boot = {`
			`tftp = {`
tftpboot: allow padding image with freeSpaceBytes this is useful for writable filesystems so that there's more than an erase block of space to write into 2023-04-23 22:29:53 +00:00			`freeSpaceBytes = 3 * 1024 * 1024;`
example config for ppoe router hard cases make bad law 2023-02-25 23:12:55 +00:00			`serverip = "10.0.0.1";`
			`ipaddr = "10.0.0.8";`
			`};`
			`};`

			`imports = [`
create gateway profile by extracting from rotuer example 2024-03-18 00:05:43 +00:00			`"${modulesPath}/profiles/gateway.nix"`
example config for ppoe router hard cases make bad law 2023-02-25 23:12:55 +00:00			`];`
rotuer: set hostname 2023-05-20 21:34:57 +00:00			`hostname = "rotuer";`
example config for ppoe router hard cases make bad law 2023-02-25 23:12:55 +00:00
create gateway profile by extracting from rotuer example 2024-03-18 00:05:43 +00:00			`profile.gateway = {`
			`lan = {`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`interfaces = with config.hardware.networkInterfaces; [`
			`# EDIT: these are the interfaces exposed by the gl.inet gl-ar750:`
			`# if your device has more or differently named lan interfaces,`
			`# specify them here`
			`wlan`
			`wlan5`
			`lan`
			`];`
create gateway profile by extracting from rotuer example 2024-03-18 00:05:43 +00:00			`inherit (secrets.lan) prefix;`
			`address = {`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`family = "inet";`
			`address = "${secrets.lan.prefix}.1";`
			`prefixLength = 24;`
create gateway profile by extracting from rotuer example 2024-03-18 00:05:43 +00:00			`};`
			`dhcp = {`
			`start = 10;`
			`end = 240;`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`hosts =`
			`{ }`
			`// lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);`
create gateway profile by extracting from rotuer example 2024-03-18 00:05:43 +00:00			`localDomain = "lan";`
			`};`
			`};`
			`wan = {`
generalise profile.gateway.wan so not just pppoe 2024-07-16 21:10:09 +00:00			`# wan interface depends on your upstream - could be dhcp, static`
			`# ethernet, a pppoe, ppp over serial, a complicated bonded`
			`# failover ... who knows what else?`
			`interface = svc.pppoe.build {`
			`interface = config.hardware.networkInterfaces.wan;`
			`username = secrets.l2tp.name;`
			`password = secrets.l2tp.password;`
			`};`
			`# once the wan has ipv4 connnectivity, should we run dhcp6`
			`# client to potentially get an address range ("prefix`
			`# delegation")`
create gateway profile by extracting from rotuer example 2024-03-18 00:05:43 +00:00			`dhcp6.enable = true;`
			`};`
			`firewall = {`
			`enable = true;`
firewall module: provide default rules and merge extraRules a firewall with no configuration will get a relatively sane ruleset. a firewall with `extraRules` will get them deep merged into the default rules. Specifying `rules` will override the defaults 2024-03-21 12:00:34 +00:00			`rules = secrets.firewallRules;`
create gateway profile by extracting from rotuer example 2024-03-18 00:05:43 +00:00			`};`
			`wireless.networks = {`
executive decision: rotuer example should build on gl-ar750 2024-07-16 20:32:29 +00:00			`# EDIT: if you have more or fewer wireless radios, here is where`
			`# you need to say so. hostapd tuning is hardware-specific and`
			`# left as an exercise for the reader :-).`

create gateway profile by extracting from rotuer example 2024-03-18 00:05:43 +00:00			`"${secrets.ssid}" = {`
			`interface = config.hardware.networkInterfaces.wlan;`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`hw_mode = "g";`
create gateway profile by extracting from rotuer example 2024-03-18 00:05:43 +00:00			`channel = "2";`
			`ieee80211n = 1;`
			`} // wirelessConfig;`
			`"${secrets.ssid}5" = rec {`
			`interface = config.hardware.networkInterfaces.wlan5;`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`hw_mode = "a";`
create gateway profile by extracting from rotuer example 2024-03-18 00:05:43 +00:00			`channel = 36;`
			`ht_capab = "[HT40+]";`
			`vht_oper_chwidth = 1;`
			`vht_oper_centr_freq_seg0_idx = channel + 6;`
			`ieee80211n = 1;`
			`ieee80211ac = 1;`
			`} // wirelessConfig;`
			`};`
convert network link/address to module-based-service ... and make bridge use it. We also had to convert bridge back into a pair of services. Downstreams want to depend on the bridge it self being configured even if not necessarily all the members are up. e.g. don't want to break ssh on lan if there's a misconfigured wlan device 2023-08-27 22:45:27 +00:00			`};`
WIP push to see what passes 2023-03-01 22:24:58 +00:00
convert ntp to serviceDefn 2023-08-05 13:16:54 +00:00			`services.ntp = svc.ntp.build {`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`pools = {`
			`"pool.ntp.org" = [ "iburst" ];`
			`};`
			`makestep = {`
			`threshold = 1.0;`
			`limit = 3;`
			`};`
add first version of ntp module 2023-07-22 22:22:45 +00:00			`};`
rotuer; run chronyd for accurate time 2023-04-23 17:22:39 +00:00
add ssh module 2023-08-10 21:53:21 +00:00			`services.sshd = svc.ssh.build { };`
ssh service - dropbear - generate host keys on first use - mount /dev/pts It's not ideal having the host key disappear when the device is reboot, but without persistent storage the alternative is generating it at build time. Deferring this problem to another time 2023-03-04 00:39:54 +00:00
cruft 2023-05-20 21:48:30 +00:00			`users.root = secrets.root;`
ssh service - dropbear - generate host keys on first use - mount /dev/pts It's not ideal having the host key disappear when the device is reboot, but without persistent storage the alternative is generating it at build time. Deferring this problem to another time 2023-03-04 00:39:54 +00:00
remove unused packages 2023-06-20 19:13:59 +00:00			`defaultProfile.packages = with pkgs; [`
			`min-collect-garbage`
rotuer: network debugging tools 2024-02-11 23:30:46 +00:00			`nftables`
			`strace`
			`tcpdump`
tail -F for rotuer 2024-02-16 18:30:24 +00:00			`s6`
remove unused packages 2023-06-20 19:13:59 +00:00			`];`
WIP 2023-12-13 21:54:15 +00:00
tail -F for rotuer 2024-02-16 18:30:24 +00:00			`programs.busybox = {`
			`applets = [`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`"fdisk"`
			`"sfdisk"`
tail -F for rotuer 2024-02-16 18:30:24 +00:00			`];`
			`options = {`
			`FEATURE_FANCY_TAIL = "y";`
			`};`
			`};`
example config for ppoe router hard cases make bad law 2023-02-25 23:12:55 +00:00			`}`