Switch router roles to services

2020-05-17 13:47:27 +00:00 · 2020-05-17 13:47:27 +00:00 · fad59bbb27
commit fad59bbb27
parent 1628359fbd
5 changed files with 892 additions and 761 deletions
--- a/hardware/wle600vx.nix
+++ b/hardware/wle600vx.nix
@ -1,5 +1,7 @@
 # Note: You can either use wel600vx.nix or wle900vx.nix
 { config, lib, pkgs, ... }: {
  #TODO!
-  services.hostapd5ghz.extraConfig = "";
+  services.hostapd5ghz.extraConfig = ''
    ht_capab=[LDPC][HT40][SMPS-STATIC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
  '';
 }
--- a/host/etzel.nix
+++ b/host/etzel.nix
@ -5,7 +5,40 @@
 { config, pkgs, ... }:
 {
-  imports = [ ../hardware/apu1.nix ../role/base ];
+  imports = [
    ../hardware/apu1.nix
    ../hardware/wel200vx.nix
    ../hardware/wle600vx.nix
    ../role/base
    ../role/router
    ../role/router-dhcp
    ../role/router-dns
    ../role/router-wireless-ap
  ];
  service.router  = {
    enable = true;
    wanInterface = "enp2s0";
    wirelessInterfaces = [ "wlp4s0" "wlp6s0" ];
    lanInterfaces = ["enp1s0", "enp3s0" ];
    internalRouterIP = "10.2.2.1";
    dhcp = {
      enable = true;
      localDomain = "test.rappi.fh2.ch";
      dhcpRange = "10.2.2.2,10.2.2.200";
    };
    recursiveDns = {
      enable = true;
      networkIdIp = "10.2.2.0";
    };
    wireless = {
      enable = true;
      wleInterface24Ghz = "wlp4s0";
      wleInterface5Ghz = "wlp6s0";
      ssid = "testnet";
      passphrase = "testnet";
  };
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
--- a/role/router-dhcp/default.nix
+++ b/role/router-dhcp/default.nix
@ -1,14 +1,47 @@
-{ internalRouterIP, localDomain, dhcpRange, routerHostName, internalBridgeInterfaceName? "lan", localDnsPort? 5553}:
+{ config, lib, pkgs, ... }:
-let pkgs = import <nixpkgs> { };
+with lib;
 let routerCfg = config.services.router;
    cfg = config.services.router.dhcp;
 in {
  options.services.router.dhcp = {
    enable = mkEnableOption "router dhcp service";
    localDomain = mkOption {
      type = types.str;
      example = "example.com";
      description = ''
        DNS-Domain of local network
      '';
    };
    dhcpRange = mkOption {
      type = types.str;
      example = "192.168.0.2,192.168.0.128";
      description = ''
        Range of IP-adresses to distribute via dhcp in dnsmasq format.
      '';
    };
    lanLocalDnsPort = mkOption {
      type = types.addCheck types.int (n: n >= 0 && n <= 65535);
      example = "router";
      default = 5553;
      description = ''
        Port to expose dns to. Note that, if you use the <literal>recursiveDns</literal> role,
        the recursive DNS server should use the default DNS port (<literal>53</literal>).
      '';
    };
  };
  config = mkIf cfg.enable {
    services.dnsmasq.enable = true;
    services.dnsmasq.extraConfig = ''
      # Listen on this specific port instead of the standard DNS port
      # (53). Setting this to zero completely disables DNS function,
      # leaving only DHCP and/or TFTP.
-    port=${localDnsPort}
+      port=${cfg.localDnsPort}
      # The following two options make you a better netizen, since they
      # tell dnsmasq to filter out queries which the public DNS cannot
@ -60,13 +93,13 @@ in {
      # Add local-only domains here, queries in these domains are answered
      # from /etc/hosts or DHCP only.
-    local=/${localDomain}/
+      local=/${config.networking.hostName}/
      # Add domains which you want to force to an IP address here.
      # The example below send any host in double-click.net to a local
      # web-server.
      #address=/double-click.net/127.0.0.1
-    address=/${routerHostName}.${localDomain}/${internalRouterIP}
+      address=/${cfg.routerHostName}.${cfg.localDomain}/${routerCfg.internalRouterIP}
      # --address (and --server) work with IPv6 addresses too.
      #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
@ -89,7 +122,7 @@ in {
      # specified interfaces (and the loopback) give the name of the
      # interface (eg eth0) here.
      # Repeat the line for more than one interface.
-    interface=${internalBridgeInterfaceName}
+      interface=${routerCfg.internalBridgeInterfaceName}
      interface=lo
      # Or you can specify which interface _not_ to listen on
      #except-interface=
@ -128,7 +161,7 @@ in {
      # 2) Sets the "domain" DHCP option thereby potentially setting the
      #    domain of all systems configured by DHCP
      # 3) Provides the domain part for "expand-hosts"
-    domain=${localDomain}
+      domain=${cfg.localDomain}
      # Set a different domain for a particular subnet
      #domain=wireless.thekelleys.org.uk,192.168.2.0/24
@ -141,7 +174,7 @@ in {
      # a lease time. If you have more than one network, you will need to
      # repeat this for each network on which you want to supply DHCP
      # service.
-    dhcp-range=${dhcpRange},48h
+      dhcp-range=${cfg.dhcpRange},48h
      # This is an example of a DHCP range where the netmask is given. This
      # is needed for networks we reach the dnsmasq DHCP server via a relay
@ -309,7 +342,7 @@ in {
      # Override the default route supplied by dnsmasq, which assumes the
      # router is the same machine as the one running dnsmasq.
      #dhcp-option=3,1.2.3.4
-    dhcp-option=6,${internalRouterIP}
+      dhcp-option=6,${routerCfg.internalRouterIP}
      # Do the same thing, but using the option name
      #dhcp-option=option:router,1.2.3.4
@ -369,7 +402,7 @@ in {
      # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
      # probably doesn't support this......
-    dhcp-option=option:domain-search,${localDomain}
+      dhcp-option=option:domain-search,${cfg.localDomain}
      # Send RFC-3442 classless static routes (note the netmask encoding)
      #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
@ -624,4 +657,5 @@ in {
    '';
    systemd.services.dnsmasq = { bindsTo = [ "network-addresses-lan.service" ]; };
  };
 }
--- a/role/router-dns/default.nix
+++ b/role/router-dns/default.nix
@ -1,27 +1,46 @@
-{ internalRouterIP, networkIdIP, revIpDomain, internalPrefixLength? 24, localDomain, }:
+{ config, lib, pkgs, ... }:
-let pkgs = import <nixpkgs> { };
+with lib;
 let routerCfg = config.services.router;
    dhcpCfg = config.services.router.dhcp;
    cfg = config.services.router.recursiveDns;
    with lib.lists; with builtins; revIpDomain = concatStringsSep "." reverseList take 3 split "\." networkIdIp;
 in {
  options.services.router.recursiveDns = {
    enable = mkEnableOption "router recursive dns service";
    networkIdIp = mkOption {
      type = types.str;
      example = "192.168.0.0";
      description = ''
        Network ID IP of local network.
      '';
    };
  };
  config = mkIf cfg.enable {
    services.unbound = {
      enable = true;
-    interfaces = [ "127.0.0.1" internalRouterIP ];
+      interfaces = [ "127.0.0.1" routerCfg.internalRouterIP ];
-    allowedAccess = [ "127.0.0.0/24" "${networkIdIP}/${toString internalPrefixLength}" ];
+      allowedAccess = [ "127.0.0.0/24" "${cfg.networkIdIp}/${toString routerCfg.internalPrefixLength}" ];
-    extraConfig = ''
+      extraConfig = mkIf dhcpCfg.enable ''
        # Custom configuration (leave this note to assure indentation!)
          do-not-query-localhost: no
-        private-domain: "${localDomain}."
+          private-domain: "${dhcpCfg.localDomain}."
-        domain-insecure: "${localDomain}."
+          domain-insecure: "${dhcpCfg.localDomain}."
          private-domain: "${revIpDomain}.in-addr.arpa."
          domain-insecure: "${revIpDomain}.in-addr.arpa."
          local-zone: "${revIpDomain}.in-addr.arpa" transparent
          forward-zone:
-            name: "${localDomain}."
+              name: "${dhcpCfg.localDomain}."
-            forward-addr: 127.0.0.1@5553
+              forward-addr: 127.0.0.1@${dhcpCfg.lanLocalDnsPort}
          forward-zone:
              name: "${revIpDomain}.in-addr.arpa."
-           forward-addr: 127.0.0.1@5553
+             forward-addr: 127.0.0.1@${dhcpCfg.lanLocalDnsPort}
      '';
    };
  };
 }
--- a/role/router-wireless-ap/default.nix
+++ b/role/router-wireless-ap/default.nix
@ -1,31 +1,74 @@
-{ wleInterface24Ghz ? "", wleInterface5Ghz ? "", wleSSID,
+{ config, lib, pkgs, ... }:
 # Generate Encrypted Passphrase with: wpa_passphrase <wleSSID> <passphrase>
 wlePassphrase, }:
-with builtins;
+with lib;
-let
+
-  pkgs = import <nixpkgs> { };
+let routerCfg = config.services.router;
-  country = "US";
+    cfg = config.services.router.wireless
-  wle24GhzEnabled = (stringLength wleInterface24Ghz) > 0;
+in {
-  wle5GhzEnabled = (stringLength wleInterface5Ghz) > 0;
+  options.services.wireless = {
    enable = mkEnableOption "router wireless service";
    wleInterface24Ghz = mkOption {
      type = with types; nullOr str;
      example = "wlp1";
      description = ''
        Wireless interface name for 2.4 GHz wireless band.
      '';
    };
    wleInterface5Ghz = mkOption {
      type = with types; nullOr str;
      example = "wlp2";
      description = ''
        Wireless interface name for 5 GHz wireless band.
      '';
    };
    ssid = mkOption {
      type = types.str;
      example = "MyNetwork";
      description = ''
        Wireless network SSID.
      '';
    };
    passphrase = mkOption {
      type = types.str;
      description = ''
        Passphrase of wireless network. May be encrypted with <literal>wpa_passphrase &lt;wleSSID&gt; &lt;passphrase&gt;</literal>.
      '';
    };
    regulatoryCountryCode = mkOption {
      type = types.str;
      default = "US";
      description = ''
        Regulatory wireless country code.
      '';
    };
  };
  config = mkIf cfg.enable let
    wle24GhzEnabled = cfg.wleInterface24Ghz != null;
    wle5GhzEnabled = wleInterface5Ghz != null;
  in {
    boot.extraModprobeConfig = ''
-    options cfg80211 ieee80211_regdom=${country}
+      options cfg80211 ieee80211_regdom=${cfg.regulatoryCountryCode}
    '';
    imports = [ ./hostapd5ghz.nix ];
-  services.udev.packages = [ pkgs.crda ];
+    services.udev.packages = [ pkgs.crda ]; # TODO: Still required with 20.03?
    services.hostapd5ghz = {
      enable = wle5GhzEnabled;
-    interface = wleInterface5Ghz;
+      interface = cfg.wleInterface5Ghz;
      hwMode = "a";
-    ssid = wleSSID;
+      ssid = cfg.ssid;
-    wpaPassphrase = wlePassphrase;
+      wpaPassphrase = cfg.passphrase;
      channel = 36;
      extraConfig = ''
-      ${optionalString wle24GhzEnabled "except-interface=${wleInterface24Ghz}"}
+        ${optionalString wle24GhzEnabled "except-interface=${cfg.wleInterface24Ghz}"}
        max_num_sta=255
        #Details for Connecting Clients via WPA2 TKIP
@ -38,7 +81,7 @@ in {
        ieee80211d=1
        # DFS
        #ieee80211h=1
-      country_code=${country}
+        country_code=${cfg.regulatoryCountryCode}
        #802.11n Configurations
        ieee80211n=1
@ -92,11 +135,11 @@ in {
      enable = wle24GhzEnabled;
      interface = wleInterface;
      hwMode = "g";
-    ssid = wleSSID;
+      ssid = cfg.ssid;
-    wpaPassphrase = wlePassphrase;
+      wpaPassphrase = cfg.passphrase;
      channel = 6;
      extraConfig = ''
-      ${optionalString wle5GhzEnabled "except-interface=${wleInterface5Ghz}"}
+        ${optionalString wle5GhzEnabled "except-interface=${cfg.wleInterface5Ghz}"}
        #macaddr_acl sets options for mac address filtering. 0 means "accept unless in deny list"
        macaddr_acl=0
@ -122,5 +165,5 @@ in {
        ieee80211n=1
      '';
    };
-
+  };
 }