From be255608586caf31c5ab737e568ffc382e5ea9c5 Mon Sep 17 00:00:00 2001
From: kurogeek
Date: Thu, 16 Oct 2025 14:53:41 +0700
Subject: [PATCH] WhiteHouse router configuration
---
 .gitignore | 2 +-
 flake.lock | 19 ++++
 flake.nix | 5 ++
 routers/default.nix | 9 ++
 routers/white-house/configuration.nix | 120 ++++++++++++++++++++++++++
 routers/white-house/secrets.nix | 20 +++++
 6 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 routers/default.nix
 create mode 100644 routers/white-house/configuration.nix
 create mode 100644 routers/white-house/secrets.nix
diff --git a/.gitignore b/.gitignore
index a806510..3d03efb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,4 @@
 # Ignore build outputs from performing a nix-build or `nix build` command
 result
 result-*
-
+run-vm-*
diff --git a/flake.lock b/flake.lock
index bff9901..81e24a7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -136,6 +136,24 @@
 "type": "github"
 }
 },
+ "liminix": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1760426231,
+ "narHash": "sha256-r8c5PKtsxAvtQ/k17GH+WNvP47Lr+AbExLMPdLtvAKE=",
+ "ref": "refs/heads/fix-gl-ar750",
+ "rev": "3f1f7c08d440130cce9262a93ce78ed7969d93cd",
+ "revCount": 1574,
+ "type": "git",
+ "url": "https://git.b4l.co.th/newedge/liminix"
+ },
+ "original": {
+ "ref": "refs/heads/fix-gl-ar750",
+ "rev": "3f1f7c08d440130cce9262a93ce78ed7969d93cd",
+ "type": "git",
+ "url": "https://git.b4l.co.th/newedge/liminix"
+ }
+ },
 "nix-darwin": {
 "inputs": {
 "nixpkgs": [
@@ -207,6 +225,7 @@
 "devshell": "devshell",
 "flake-parts": "flake-parts",
 "import-tree": "import-tree",
+ "liminix": "liminix",
 "nixpkgs": "nixpkgs",
 "treefmt-nix": "treefmt-nix"
 }
diff --git a/flake.nix b/flake.nix
index e475ff3..b38a8a9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,10 @@
 url = "github:numtide/treefmt-nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ liminix = {
+ url = "git+https://git.b4l.co.th/newedge/liminix?ref=refs/heads/fix-gl-ar750&rev=3f1f7c08d440130cce9262a93ce78ed7969d93cd";
+ flake = false;
+ };
 };
 outputs = {
@@ -38,6 +42,7 @@
 ./shell.nix
 ./machines
+ ./routers
 ./inventories
 ./modules/clan/flake-module.nix
 ];
diff --git a/routers/default.nix b/routers/default.nix
new file mode 100644
index 0000000..0c5d3c5
--- /dev/null
+++ b/routers/default.nix
@@ -0,0 +1,9 @@
+{ inputs, ... }:
+{
+ flake.legacyPackages = {
+ whitehouse-router = import "${inputs.liminix}/default.nix" {
+ device = (import "${inputs.liminix}/devices/gl-ar750");
+ liminix-config = import ./white-house/configuration.nix { inherit inputs; };
+ };
+ };
+}
diff --git a/routers/white-house/configuration.nix b/routers/white-house/configuration.nix
new file mode 100644
index 0000000..40a7b1d
--- /dev/null
+++ b/routers/white-house/configuration.nix
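Review bot: the `liminix` input pins `rev=3f1f7c08…` inside the flake URL as well as `ref=refs/heads/fix-gl-ar750`, so `nix flake update` can never move this input even though flake.lock already records the same rev and narHash; every bump now means editing flake.nix and re-locking. If freezing to this commit of the `newedge/liminix` fork is deliberate, a comment above the input saying so, e.g. `# pinned to a fork commit; bump rev= by hand and re-lock`, spares the next reader the question; otherwise drop `&rev=…` and let the lock carry the pin. The second hunk, adding `./routers` to the flake-parts imports, needs nothing further.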
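Review bot: `device = (import "${inputs.liminix}/devices/gl-ar750");` wraps the import in parentheses it does not need; `device = import "${inputs.liminix}/devices/gl-ar750";` reads the same as the `liminix-config` line beneath it. Since this is the only place the router target is wired into the flake, a one-line comment on `whitehouse-router`, e.g. `# gl-ar750 image for the White House router, built via liminix's top-level default.nix`, would help a reader arriving from `nix build`.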
@@ -0,0 +1,120 @@
+{ inputs }:
+{
+ config,
+ pkgs,
+ modulesPath,
+ lib,
+ ...
+}:
+let
+ secrets = {
+ firewallRules = { };
+ }
+ // (import ./secrets.nix);
+ wirelessConfig = {
+ country_code = "TH";
+ inherit (secrets) wpa_passphrase;
+ wmm_enabled = 1;
+ };
+ svc = config.system.service;
+in
+{
+ imports = [
+ "${inputs.liminix}/modules/wlan.nix"
+ "${inputs.liminix}/modules/network"
+ "${inputs.liminix}/modules/vlan"
+ "${inputs.liminix}/modules/ssh"
+ "${inputs.liminix}/modules/bridge"
+ "${modulesPath}/profiles/gateway.nix"
+ ];
+
+ hostname = "whitehouse";
+ boot = {
+ tftp = {
+ freeSpaceBytes = 3 * 1024 * 1024;
+ serverip = "${secrets.lan.prefix}.148";
+ ipaddr = "${secrets.lan.prefix}.251";
+ };
+ };
+
+ services.sshd = svc.ssh.build {
+ authorizedKeys.root = secrets.root.openssh.authorizedKeys.keys;
+ };
+
+ users.root = secrets.root;
+
+ services.resolvconf = lib.mkForce (
+ pkgs.liminix.services.oneshot rec {
+ name = "resolvconf";
+ up = ''
+ ( in_outputs ${name}
+ echo "nameserver $(output ${config.services.wan} ns1)" > resolv.conf
+ echo "nameserver $(output ${config.services.wan} ns2)" >> resolv.conf
+ chmod 0444 resolv.conf
+ )
+ '';
+ }
+ );
+
+ profile.gateway = {
+ lan = {
+ interfaces = with config.hardware.networkInterfaces; [
+ wlan
+ wlan5
+ lan
+ ];
+ inherit (secrets.lan) prefix;
+ address = {
+ family = "inet";
+ address = "${secrets.lan.prefix}.1";
+ prefixLength = 24;
+ };
+ dhcp = {
+ start = 10;
+ end = 240;
+ hosts = { };
+ localDomain = "lan";
+ };
+ };
+ wan = {
+ interface = svc.pppoe.build {
+ interface = config.hardware.networkInterfaces.wan;
+ username = secrets.l2tp.name;
+ password = secrets.l2tp.password;
+ };
+
+ dhcp6.enable = true;
+ };
+ firewall = {
+ enable = true;
+ rules = secrets.firewallRules;
+ };
+ wireless.networks = {
+
+ "${secrets.ssid}" = {
+ interface = config.hardware.networkInterfaces.wlan;
+ hw_mode = "g";
+ channel = "2";
+ ieee80211n = 1;
+ }
+ // wirelessConfig;
+ "${secrets.ssid}-5" = rec {
+
interface = config.hardware.networkInterfaces.wlan5;
+ hw_mode = "a";
+ channel = 36;
+ ht_capab = "[HT40+]";
+ vht_oper_chwidth = 1;
+ vht_oper_centr_freq_seg0_idx = channel + 6;
+ ieee80211n = 1;
+ ieee80211ac = 1;
+ }
+ // wirelessConfig;
+ };
+ };
+ defaultProfile.packages = with pkgs; [
+ busybox
+ iw
+ iptables
+ ];
+
+}
diff --git a/routers/white-house/secrets.nix b/routers/white-house/secrets.nix
new file mode 100644
index 0000000..6a882dd
--- /dev/null
+++ b/routers/white-house/secrets.nix
@@ -0,0 +1,20 @@
+{
+ wpa_passphrase = "";
+ ssid = "WhiteHouse";
+ l2tp = {
+ name = "";
+ password = "";
+ };
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcZ/p1Ofa9liwIzPWzNtONhJ7+FUWd2lCz33r81t8+w kurogeek@kurogeek"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAB/raxJR8gASmquP63weHelbi+da2WBJR1DgzHPNz/f"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDuhpzDHBPvn8nv8RH1MRomDOaXyP4GziQm7r3MZ1Syk"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAmgyEGuY/r7SDlJgrzYmQqpcWS5W+fCzRi3OS59ne4W openpgp:0xFF687387"
+ ];
+ };
+
+ lan = {
+ prefix = "192.168.1";
+ };
+}
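Review bot: `rules = secrets.firewallRules;` evaluates to an empty attrset, because secrets.nix defines no `firewallRules` and the `let` block only supplies `firewallRules = { }` as the fallback, so this PPPoE-facing gateway is built with `firewall.enable = true` and no rules of its own; whether liminix's gateway profile then falls back to a default ruleset or enforces nothing is not visible in this patch and should be confirmed before the image goes on the WAN. Firewall policy is not secret, so defining `profile.gateway.firewall.rules` inline here (and dropping the `firewallRules` fallback) would also make it reviewable in the configuration itself. `users.root = secrets.root;` likewise carries only `openssh.authorizedKeys.keys`, so whether root ends up with a locked or an empty password depends on liminix's default for the unset field — worth confirming on the device. A smaller consistency point: the 2.4 GHz entry uses the string `channel = "2";` while the 5 GHz entry uses the integer `channel = 36;` and relies on `channel + 6`; `channel = 2;` keeps both entries the same type.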
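Review bot: `routers/white-house/secrets.nix` is committed with empty credential slots — `wpa_passphrase = "";`, `name = "";`, `password = "";` — and nothing in this commit's `.gitignore` change (only `run-vm-*`) keeps a filled-in copy out of the repository, so the first local edit that makes the router usable will land the Wi-Fi passphrase and PPPoE login in git history. Commit this file as a template instead (e.g. rename it `secrets.nix.example` and ignore the real path), or route the values through whatever secret handling the repo's `modules/clan` already provides, which this patch does not show. Note also that the empty `wpa_passphrase` feeds both `wireless.networks` entries through `wirelessConfig`; hostapd requires a wpa_passphrase of 8–63 characters, so the build or boot presumably fails rather than bringing up an open network, but that is worth verifying instead of assuming. The four public keys are fine to keep in the repo.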