-rw-r--r--config/boot.nix4
-rw-r--r--config/hardware/default.nix17
-rw-r--r--config/networking/default.nix108
-rw-r--r--config/networking/hostapd.nix138
-rw-r--r--config/nix.nix4
-rw-r--r--flake.lock18
-rw-r--r--flake.nix8
-rw-r--r--secrets.nix10
8 files changed, 285 insertions, 22 deletions
diff --git a/config/boot.nix b/config/boot.nix
index 257f64d..cf86ea2 100644
--- a/config/boot.nix
+++ b/config/boot.nix
@@ -5,5 +5,7 @@
grub.enable = true;
};
boot.loader.grub.device = "/dev/disk/by-id/ata-SATA_SSD_A45E07221AE300053322";
- boot.kernelPackages = pkgs.linuxPackages_latest;
+ # This makes the system use the XanMod Linux kernel, a set of
+ # patches reducing latency and improving performance.
+ boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
}
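Review bot: The new comment on `boot.kernelPackages` gives the performance motivation but not the trade-off that matters on a router: XanMod is, as the comment itself says, a set of out-of-tree patches, so how quickly kernel security fixes reach this box now depends on how promptly that tree rebases onto upstream stable releases rather than on nixpkgs' `linuxPackages_latest`. I'd extend the comment with something like `# NOTE: third-party patch set; check that it tracks upstream stable security releases before relying on it for an internet-facing box.`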
diff --git a/config/hardware/default.nix b/config/hardware/default.nix
index a6219f8..8bf1e70 100644
--- a/config/hardware/default.nix
+++ b/config/hardware/default.nix
@@ -1,13 +1,28 @@
-{ nixos-hardware, ... }: {
+{ nixos-hardware, ... }:
+
+{
imports = [
./hardware-configuration.nix
nixos-hardware.nixosModules.pcengines-apu
nixos-hardware.nixosModules.common-pc-ssd
nixos-hardware.nixosModules.common-cpu-amd
];
+
personal.hardware = {
usb.enable = true;
firmwareNonFree.enable = true;
};
+
swapDevices = [{ device = "/swap"; }];
+
+ # The CPU frequency should stay at the minimum until the router has
+ # some load to compute.
+ powerManagement.cpuFreqGovernor = "ondemand";
+ services.acpid.enable = true;
+
+ # The service irqbalance is useful as it assigns certain IRQ calls
+ # to specific CPUs instead of letting the first CPU core to handle
+ # everything. This is supposed to increase performance by hitting
+ # CPU cache more often.
+ services.irqbalance.enable = true;
}
diff --git a/config/networking/default.nix b/config/networking/default.nix
index 9dac00f..330ba3b 100644
--- a/config/networking/default.nix
+++ b/config/networking/default.nix
@@ -1,13 +1,105 @@
-{ pkgs, ... }:
+# https://skogsbrus.xyz/blog/2022/06/12/router/
+# https://blog.fraggod.net/2017/04/27/wifi-hostapd-configuration-for-80211ac-networks.html
+{ config, lib, pkgs, secrets, ... }:
-{
- personal.networking = {
- enable = true;
- ssh.enable = true;
+let
+ ifaces = config.personal.networking.interfaces;
+ publicSubnet = "192.168.1";
+ privateSubnet = "192.168.2";
+in {
+ imports = [ ./hostapd.nix ];
+
+ options.personal.networking = {
+ interfaces = let
+ makeInterfaceOption = type:
+ lib.mkOption {
+ type = lib.types.str;
+ description = "Network device for the ${type} interface.";
+ example = "enp4s0";
+ };
+ in {
+ eth = makeInterfaceOption "ethernet";
+ wlp2ghz = makeInterfaceOption "2 GHz WiFi";
+ wlp5ghz = makeInterfaceOption "5 GHz WiFi";
+ };
};
- networking = {
- hostName = "kerberos";
- domain = "local";
+ config = {
+ personal.networking = {
+ enable = true;
+ ssh.enable = true;
+ interfaces = {
+ eth = "enp4s0";
+ wlp2ghz = "wlp5s0";
+ wlp5ghz = "wlp1s0";
+ };
+ };
+
+ networking = {
+ hostName = "kerberos";
+ domain = "local";
+
+ defaultGateway = {
+ address = "${publicSubnet}.1";
+ interface = ifaces.eth;
+ };
+
+ dhcpcd.enable = false;
+ interfaces = {
+ "${ifaces.eth}" = {
+ ipv4.addresses = [{
+ address = "${publicSubnet}.2";
+ prefixLength = 24;
+ }];
+ };
+ "${ifaces.wlp5ghz}" = {
+ ipv4.addresses = [{
+ address = "${privateSubnet}.1";
+ prefixLength = 24;
+ }];
+ };
+ };
+
+ nat = {
+ enable = true;
+ externalInterface = ifaces.eth;
+ internalInterfaces = [
+ # ifaces.wlp2ghz
+ ifaces.wlp5ghz
+ ];
+ };
+
+ firewall.interfaces."${ifaces.wlp5ghz}" = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+ };
+
+ services.dhcpd4 = {
+ enable = true;
+ extraConfig = ''
+ option subnet-mask 255.255.255.0;
+ option routers ${privateSubnet}.1;
+ option domain-name-servers ${privateSubnet}.1, 9.9.9.9;
+ subnet ${privateSubnet}.0 netmask 255.255.255.0 {
+ range ${privateSubnet}.10 ${privateSubnet}.99;
+ }
+ '';
+ interfaces = [ ifaces.wlp5ghz ];
+ };
+
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = [ "127.0.0.1" "${privateSubnet}.1" ];
+ access-control = [
+ "0.0.0.0/0 refuse"
+ "127.0.0.0/8 allow"
+ "${privateSubnet}.0/24 allow"
+ ];
+ };
+ };
+ };
};
}
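Review bot: Nothing in this hunk restricts forwarded traffic, only NAT: `networking.nat` masquerades outbound flows and the `firewall.interfaces` entry filters only packets addressed to the router itself, so a host on the `${publicSubnet}.0/24` side that adds a route for `${privateSubnet}.0/24` via `.2` can reach WiFi clients directly, assuming the FORWARD chain keeps its accept-everything default (the `personal.networking` module is not visible here). One rule in `networking.firewall.extraCommands` closes that: `iptables -A FORWARD -i ${ifaces.eth} -o ${ifaces.wlp5ghz} -m conntrack --ctstate NEW -j DROP`. Separately, the DHCP lease hands out `9.9.9.9` as a second resolver, so clients can silently bypass the local unbound instance and whatever policy it enforces; if that fallback is deliberate, a comment saying so would help. The 2 GHz interface gets no address, DHCP scope or NAT entry while hostapd still brings up its AP, so stations that associate there get link but no connectivity — presumably the commented-out `ifaces.wlp2ghz` marks this as work in progress.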
diff --git a/config/networking/hostapd.nix b/config/networking/hostapd.nix
new file mode 100644
index 0000000..f5f399b
--- /dev/null
+++ b/config/networking/hostapd.nix
@@ -0,0 +1,138 @@
+{ config, lib, utils, pkgs, secrets, ... }:
+
+let
+ cfg = config.services.hostapd;
+ makeHostapdConf = { name, interface ? cfg.interface, driver ? cfg.driver, ssid
+ , hwMode ? cfg.hwMode, channel ? cfg.channel, countryCode ? cfg.countryCode
+ , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? cfg.logLevel
+ , extraConfig ? "" }:
+ builtins.toFile "hostapd.${name}.conf" (''
+ interface=${interface}
+ driver=${driver}
+
+ # IEEE 802.11
+ ssid=${ssid}
+ hw_mode=${hwMode}
+ channel=${toString channel}
+ max_num_sta=128
+ auth_algs=1
+ disassoc_low_ack=1
+
+ # DFS
+ ieee80211h=1
+ ieee80211d=1
+ country_code=${countryCode}
+
+
+ # WPA/IEEE 802.11i
+ wpa=2
+ wpa_key_mgmt=WPA-PSK
+ wpa_passphrase=${passphrase}
+ wpa_pairwise=CCMP
+
+ # hostapd event logger configuration
+ logger_syslog=-1
+ logger_syslog_level=${toString logLevel}
+ logger_stdout=-1
+ logger_stdout_level=${toString logLevel}
+
+ # WMM
+ wmm_enabled=1
+ uapsd_advertisement_enabled=1
+ wmm_ac_bk_cwmin=4
+ wmm_ac_bk_cwmax=10
+ wmm_ac_bk_aifs=7
+ wmm_ac_bk_txop_limit=0
+ wmm_ac_bk_acm=0
+ wmm_ac_be_aifs=3
+ wmm_ac_be_cwmin=4
+ wmm_ac_be_cwmax=10
+ wmm_ac_be_txop_limit=0
+ wmm_ac_be_acm=0
+ wmm_ac_vi_aifs=2
+ wmm_ac_vi_cwmin=3
+ wmm_ac_vi_cwmax=4
+ wmm_ac_vi_txop_limit=94
+ wmm_ac_vi_acm=0
+ wmm_ac_vo_aifs=2
+ wmm_ac_vo_cwmin=2
+ wmm_ac_vo_cwmax=3
+ wmm_ac_vo_txop_limit=47
+ wmm_ac_vo_acm=0
+
+ # TX queue parameters
+ tx_queue_data3_aifs=7
+ tx_queue_data3_cwmin=15
+ tx_queue_data3_cwmax=1023
+ tx_queue_data3_burst=0
+ tx_queue_data2_aifs=3
+ tx_queue_data2_cwmin=15
+ tx_queue_data2_cwmax=63
+ tx_queue_data2_burst=0
+ tx_queue_data1_aifs=1
+ tx_queue_data1_cwmin=7
+ tx_queue_data1_cwmax=15
+ tx_queue_data1_burst=3.0
+ tx_queue_data0_aifs=1
+ tx_queue_data0_cwmin=3
+ tx_queue_data0_cwmax=7
+ tx_queue_data0_burst=1.5
+ '' + extraConfig);
+ hostapd2ghzConf = makeHostapdConf {
+ name = "2ghz";
+ interface = config.personal.networking.interfaces.wlp2ghz;
+ ssid = "Quentinternet of Things";
+ hwMode = "g";
+ channel = 0;
+ extraConfig = ''
+ # IEEE 802.11n
+ ieee80211n=1
+ require_ht=1
+ ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
+ '';
+ };
+ hostapd5ghzConf = makeHostapdConf {
+ name = "5ghz";
+ interface = config.personal.networking.interfaces.wlp5ghz;
+ ssid = "Quentintranet";
+ hwMode = "a";
+ channel = 36;
+ extraConfig = ''
+ # IEEE 802.11n
+ ieee80211n=1
+ require_ht=1
+ ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
+
+ # IEEE 802.11ac
+ require_vht=1
+ ieee80211ac=1
+ vht_oper_chwidth=1
+ vht_oper_centr_freq_seg0_idx=42
+ vht_capab=[MAX-MPDU-11454][RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP7][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
+ '';
+ };
+in {
+ services.hostapd = {
+ enable = true;
+ driver = "nl80211";
+ countryCode = "FR";
+ };
+
+ systemd.services.hostapd = let
+ interfaces = with config.personal.networking.interfaces; [
+ wlp2ghz
+ wlp5ghz
+ ];
+ netDevices = builtins.map (interface:
+ "sys-subsystem-net-devices-${utils.escapeSystemdPath interface}.device")
+ interfaces;
+ networkLinkServices =
+ builtins.map (interface: "network-link-${interface}.service") interfaces;
+ in {
+ serviceConfig.ExecStart = lib.mkForce
+ "${pkgs.hostapd}/bin/hostapd ${hostapd2ghzConf} ${hostapd5ghzConf}";
+ after = lib.mkForce netDevices;
+ bindsTo = lib.mkForce netDevices;
+ requiredBy = lib.mkForce networkLinkServices;
+ };
+}
diff --git a/config/nix.nix b/config/nix.nix
index 7b8360a..436adf4 100644
--- a/config/nix.nix
+++ b/config/nix.nix
@@ -8,4 +8,8 @@
flake = "git+file:///etc/nixos/";
};
nix.settings.max-jobs = lib.mkDefault 1;
+ system.autoUpgrade.flags = [
+ # for reading secrets from a file
+ "--impure"
+ ];
}
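Review bot: The `--impure` flag is added to `system.autoUpgrade.flags` only because the evaluation reads `/etc/hostapd/*.pw`, and the trade-off deserves a line in the comment: impure evaluation lets any expression read arbitrary host paths and environment variables, and the resulting system closure is no longer reproducible from the flake inputs alone. If hostapd is pointed at the secret files at runtime (e.g. via `wpa_psk_file`) the flag can be dropped again; until then I'd write `# for reading secrets from a file (see secrets.nix); makes the evaluation non-reproducible`.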
diff --git a/flake.lock b/flake.lock
index 9dd8f98..15cc6a0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,11 +21,11 @@
"nur": "nur"
},
"locked": {
- "lastModified": 1679748657,
- "narHash": "sha256-cQnRR0csl+SILkmHuG96+c3IgQTUtoji5EYBCt39jS4=",
+ "lastModified": 1679846082,
+ "narHash": "sha256-/Ca5WubkmQc1l7rf4YyTMV5q/M9gGC7ANRdKwcEvDeo=",
"owner": "qaristote",
"repo": "my-nixpkgs",
- "rev": "85a3de3e1d6a5bfe3c1354f38c0553c6256493c5",
+ "rev": "3bbfa37f2a200c92a5ddd31cc4765df321794fc2",
"type": "github"
},
"original": {
@@ -36,11 +36,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1679598117,
- "narHash": "sha256-Vs1f/7imI77OkMOQhO3xgx4jalN2Gx3D3C2wmnlpWJM=",
+ "lastModified": 1679765008,
+ "narHash": "sha256-VCkg/wC2e882suYDS5PDAemaMLYSOdFm4fsx2gowMR0=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "648021dcb2b65498eed3ea3a7339cdfc3bea4d82",
+ "rev": "f38f9a4c9b2b6f89a5778465e0afd166a8300680",
"type": "github"
},
"original": {
@@ -64,11 +64,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1679739176,
- "narHash": "sha256-Mp9lSjvg2wARLmr2BY86nId8qs4/L3EXGxP0vcIzz/8=",
+ "lastModified": 1679832111,
+ "narHash": "sha256-88XbjOUUtt6ufBn5dnMW26rT/xK/Lrg7ej1itIQ4DyU=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "3ad61dd36578917be90da4b69e53d4aced677a14",
+ "rev": "7f5388006e771101ff27ce55fb4d695ef918a88f",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index 69898bc..1c7fc51 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,9 +14,11 @@
in {
kerberos = nixpkgs.lib.nixosSystem {
inherit system;
- modules = commonModules
- ++ [ ./config ];
- specialArgs = { inherit nixos-hardware; };
+ modules = commonModules ++ [ ./config ];
+ specialArgs = {
+ inherit nixos-hardware;
+ secrets = import ./secrets.nix;
+ };
};
};
};
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..542fb40
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,10 @@
+{
+ wifi = {
+ "2ghz" = {
+ passphrase = builtins.readFile "/etc/hostapd/hostapd.2ghz.pw";
+ };
+ "5ghz" = {
+ passphrase = builtins.readFile "/etc/hostapd/hostapd.5ghz.pw";
+ };
+ };
+}
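Review bot: The new file does not say what the two `.pw` files must contain or who may read them, and since `builtins.readFile` runs at evaluation time their contents become part of the evaluated configuration (the reason for `--impure` in nix.nix), so the files' own permissions stop protecting the value once it is interpolated into a derivation. A header comment such as `# Read at evaluation time (needs --impure); each file holds one WPA passphrase (8-63 chars), root:root 0600. The value is copied into whatever derivation uses it.` would make both facts explicit to the next maintainer.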