Daniel Barlow
7e2b0068e6
There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging
140 lines
3.3 KiB
Nix
140 lines
3.3 KiB
Nix
# This is an example that uses the "gateway" profile to create a
|
|
# "typical home wireless router" configuration suitable for a Gl.inet
|
|
# gl-ar750 router. It should be fairly simple to edit it for other
|
|
# devices: mostly you will need to attend to the number of wlan and lan
|
|
# interfaces
|
|
|
|
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
modulesPath,
|
|
...
|
|
}:
|
|
let
|
|
secrets = {
|
|
domainName = "fake.liminix.org";
|
|
firewallRules = { };
|
|
} // (import ./rotuer-secrets.nix);
|
|
svc = config.system.service;
|
|
wirelessConfig = {
|
|
country_code = "GB";
|
|
inherit (secrets) wpa_passphrase;
|
|
wmm_enabled = 1;
|
|
};
|
|
|
|
in
|
|
rec {
|
|
boot = {
|
|
tftp = {
|
|
freeSpaceBytes = 3 * 1024 * 1024;
|
|
serverip = "10.0.0.1";
|
|
ipaddr = "10.0.0.8";
|
|
};
|
|
};
|
|
|
|
imports = [
|
|
"${modulesPath}/profiles/gateway.nix"
|
|
];
|
|
hostname = "rotuer";
|
|
|
|
profile.gateway = {
|
|
lan = {
|
|
interfaces = with config.hardware.networkInterfaces; [
|
|
# EDIT: these are the interfaces exposed by the gl.inet gl-ar750:
|
|
# if your device has more or differently named lan interfaces,
|
|
# specify them here
|
|
wlan
|
|
wlan5
|
|
lan
|
|
];
|
|
inherit (secrets.lan) prefix;
|
|
address = {
|
|
family = "inet";
|
|
address = "${secrets.lan.prefix}.1";
|
|
prefixLength = 24;
|
|
};
|
|
dhcp = {
|
|
start = 10;
|
|
end = 240;
|
|
hosts =
|
|
{ }
|
|
// lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
|
|
localDomain = "lan";
|
|
};
|
|
};
|
|
wan = {
|
|
# wan interface depends on your upstream - could be dhcp, static
|
|
# ethernet, a pppoe, ppp over serial, a complicated bonded
|
|
# failover ... who knows what else?
|
|
interface = svc.pppoe.build {
|
|
interface = config.hardware.networkInterfaces.wan;
|
|
username = secrets.l2tp.name;
|
|
password = secrets.l2tp.password;
|
|
};
|
|
# once the wan has ipv4 connnectivity, should we run dhcp6
|
|
# client to potentially get an address range ("prefix
|
|
# delegation")
|
|
dhcp6.enable = true;
|
|
};
|
|
firewall = {
|
|
enable = true;
|
|
rules = secrets.firewallRules;
|
|
};
|
|
wireless.networks = {
|
|
# EDIT: if you have more or fewer wireless radios, here is where
|
|
# you need to say so. hostapd tuning is hardware-specific and
|
|
# left as an exercise for the reader :-).
|
|
|
|
"${secrets.ssid}" = {
|
|
interface = config.hardware.networkInterfaces.wlan;
|
|
hw_mode = "g";
|
|
channel = "2";
|
|
ieee80211n = 1;
|
|
} // wirelessConfig;
|
|
"${secrets.ssid}5" = rec {
|
|
interface = config.hardware.networkInterfaces.wlan5;
|
|
hw_mode = "a";
|
|
channel = 36;
|
|
ht_capab = "[HT40+]";
|
|
vht_oper_chwidth = 1;
|
|
vht_oper_centr_freq_seg0_idx = channel + 6;
|
|
ieee80211n = 1;
|
|
ieee80211ac = 1;
|
|
} // wirelessConfig;
|
|
};
|
|
};
|
|
|
|
services.ntp = svc.ntp.build {
|
|
pools = {
|
|
"pool.ntp.org" = [ "iburst" ];
|
|
};
|
|
makestep = {
|
|
threshold = 1.0;
|
|
limit = 3;
|
|
};
|
|
};
|
|
|
|
services.sshd = svc.ssh.build { };
|
|
|
|
users.root = secrets.root;
|
|
|
|
defaultProfile.packages = with pkgs; [
|
|
min-collect-garbage
|
|
nftables
|
|
strace
|
|
tcpdump
|
|
s6
|
|
];
|
|
|
|
programs.busybox = {
|
|
applets = [
|
|
"fdisk"
|
|
"sfdisk"
|
|
];
|
|
options = {
|
|
FEATURE_FANCY_TAIL = "y";
|
|
};
|
|
};
|
|
}
|