diff --git a/common.nix b/common.nix
index a8274b0..d34e31e 100644
--- a/common.nix
+++ b/common.nix
@@ -1,4 +1,10 @@
-{ lib, pkgs, config, self, ... }:
+{
+ lib,
+ pkgs,
+ config,
+ self,
+ ...
+}:
 {
 networking = {
 wireless = {
diff --git a/flake.nix b/flake.nix
index 92d00f0..f238a69 100644
--- a/flake.nix
+++ b/flake.nix
@@ -46,5 +46,12 @@ inputs@{ self, nixpkgs, ... }: { nixosConfigurations = import ./systems.nix { inherit self inputs nixpkgs; };
+ packages = nixpkgs.lib.attrsets.genAttrs nixpkgs.lib.systems.flakeExposed (
+ system:
+ import ./mikrotik.nix {
+ inherit system inputs;
+ pkgs = nixpkgs.legacyPackages.${system};
+ }
+ );
 };
 }
diff --git a/mikrotik.nix b/mikrotik.nix
new file mode 100644
index 0000000..6897b45
--- /dev/null
+++ b/mikrotik.nix
@@ -0,0 +1,55 @@
+{
+ mikrotik-config ? ./router.nix,
+ pkgs,
+ inputs,
+ system,
+}:
+with pkgs;
+with lib;
+with builtins;
+
+let
+ rtr = (import mikrotik-config);
+
+ formatValue =
+ key: value:
+ if key == "comment" then
+ ''${key}="${value}"''
+ else if key == "no_label" then
+ formatValue null value
+ #''${key}="${value}"''
+ else if isAttrs value && key != null then
+ concatStringsSep " " ([ "${key}" ] ++ (mapAttrsToList (k: v: formatValue k v) value))
+
+ else if isAttrs value then
+ concatStringsSep " " (mapAttrsToList (k: v: formatValue k v) value)
+
+ else
+ "${key}=${value}";
+
+ formatSection =
+ name: opts:
+ [ "${name}" ]
+ ++ (
+ if isAttrs opts then
+ (mapAttrsToList (k: v: "set ${formatValue k v}") opts)
+ else
+ (map (x: "add ${formatValue null x}") opts)
+ );
+in
+rec {
+ mikrotik-router = stdenv.mkDerivation rec {
+ version = "0.0.1";
+ name = "mikrotik-router-${version}";
+
+ src = builtins.toFile "router-config.rsc" (
+ concatStringsSep "\n" (flatten (mapAttrsToList (key: values: formatSection key values) rtr))
+ );
+
+ builder = builtins.toFile "builder.sh" ''
+ source $stdenv/setup
+ mkdir $out
+ install $src $out/router-config.rsc
+ '';
+ };
+}
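Review bot: formatValue emits every value except `comment` unquoted, as `"${key}=${value}"`, so a value containing a space, `;`, `"` or `$` would be split into extra arguments or interpreted by the RouterOS script parser instead of being taken literally, and the `comment` branch does not escape an embedded `"` either. Quoting and escaping every string uniformly, e.g. `"${key}=\"${escape [ "\\" "\"" "$" ] value}\""` (lib.strings.escape is already in scope through `with lib;`), keeps the rendered .rsc faithful to router.nix whatever is added to it later. The `inputs` and `system` parameters are accepted but never used, and the `#''${key}="${value}"''` line under the `no_label` branch is dead text that a one-line comment explaining why `no_label` recurses with a null key would replace more usefully. Note also that `builtins.toFile` renders the configuration into the world-readable Nix store; router.nix holds no credentials today, and a short comment at `src` stating that secrets must not be added to it would document that assumption.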
diff --git a/router.nix b/router.nix
new file mode 100644
index 0000000..c676be2
--- /dev/null
+++ b/router.nix
@@ -0,0 +1,198 @@
+{
+ "/interface bridge" = [
+ {
+ auto-mac = "no";
+ comment = "defconf";
+ name = "bridge";
+ }
+ { name = "wifi"; }
+ ];
+ "/interface list" = [
+ { name = "WAN"; }
+ { name = "LAN"; }
+ ];
+ "/ip pool" = [
+ {
+ name = "wired-pool";
+ ranges = "10.10.10.10-10.10.10.254";
+ }
+ {
+ name = "wifi-pool";
+ ranges = "10.10.11.10-10.10.11.254";
+ }
+ ];
+ "/ip dhcp-server" = [
+ {
+ address-pool = "wired-pool";
+ disabled = "no";
+ interface = "bridge";
+ name = "wired-dhcp";
+ }
+ {
+ address-pool = "wifi-pool";
+ disabled = "no";
+ interface = "wifi";
+ name = "wifi-dhcp";
+ }
+ ];
+ "/interface bridge port" = [
+ {
+ bridge = "bridge";
+ interface = "ether2";
+ }
+ {
+ bridge = "bridge";
+ interface = "ether3";
+ }
+ {
+ bridge = "bridge";
+ interface = "ether4";
+ }
+ {
+ bridge = "wifi";
+ interface = "ether5";
+ }
+ {
+ bridge = "bridge";
+ interface = "sfp1";
+ }
+ ];
+ "/ip neighbor discovery-settings" = {
+ discover-interface-list = "LAN";
+ };
+ "/interface list member" = [
+ {
+ interface = "bridge";
+ list = "LAN";
+ }
+ {
+ interface = "ether1";
+ list = "WAN";
+ }
+ ];
+ "/ip address" = [
+ {
+ address = "10.10.10.1/24";
+ interface = "bridge";
+ network = "10.10.10.0";
+ }
+ {
+ address = "10.10.11.1/24";
+ interface = "wifi";
+ network = "10.10.11.0";
+ }
+ ];
+ "/ip dhcp-client" = [
+ {
+ disabled = "no";
+ interface = "ether1";
+ }
+ ];
+ "/ip dhcp-server network" = [
+ {
+ address = "10.10.10.0/24";
+ gateway = "10.10.10.1";
+ netmask = "24";
+ }
+ {
+ address = "10.10.11.0/24";
+ gateway = "10.10.11.1";
+ netmask = "24";
+ }
+ ];
+ "/ip dns" = {
+ "allow-remote-requests" = "yes";
+ servers = "1.1.1.1,1.0.0.1";
+ };
+ "/ip dns static" = [
+ {
+ address = "192.168.88.1";
+ name = "router.lan";
+ }
+ ];
+ "/ip firewall filter" = [
+ {
+ action = "accept";
+ chain = "input";
+ comment = "defconf: accept established,related,untracked";
+ "connection-state" = "established,related,untracked";
+ }
+ {
+ action = "drop";
+ chain = "input";
+ comment = "defconf: drop invalid";
+ "connection-state" = "invalid";
+ }
+ {
+ action = "accept";
+ chain = "input";
+ comment = "defconf: accept ICMP";
+ protocol = "icmp";
+ }
+ {
+ action = "drop";
+ chain = "input";
+ comment = "defconf: drop all not coming from LAN";
+ "in-interface-list" = "!LAN";
+ }
+ {
+ action = "accept";
+ chain = "forward";
+ comment = "defconf: accept in ipsec policy";
+ "ipsec-policy" = "in,ipsec";
+ }
+ {
+ action = "accept";
+ chain = "forward";
+ comment = "defconf: accept out ipsec policy";
+ "ipsec-policy" = "out,ipsec";
+ }
+ {
+ action = "fasttrack-connection";
+ chain = "forward";
+ comment = "defconf: fasttrack";
+ "connection-state" = "established,related";
+ }
+ {
+ action = "accept";
+ chain = "forward";
+ comment = "defconf: accept established,related, untracked";
+ "connection-state" = "established,related,untracked";
+ }
+ {
+ action = "drop";
+ chain = "forward";
+ comment = "defconf: drop invalid";
+ "connection-state" = "invalid";
+ }
+ {
+ action = "drop";
+ chain = "forward";
+ comment = "defconf: drop all from WAN not DSTNATed";
+ "connection-nat-state" = "!dstnat";
+ "connection-state" = "new";
+ "in-interface-list" = "WAN";
+ }
+ ];
+ "/ip firewall nat" = [
+ {
+ action = "masquerade";
+ chain = "srcnat";
+ comment = "defconf: masquerade";
+ "ipsec-policy" = "out,none";
+ "out-interface-list" = "WAN";
+ }
+ ];
+ "/system clock" = {
+ "time-zone-name" = "Europe/Berlin";
+ };
+ "/system routerboard settings" = {
+ "silent-boot" = "no";
+ };
+ "/tool mac-server" = {
+ "allowed-interface-list" = "LAN";
+ };
+ "/tool mac-server mac-winbox" = {
+ "allowed-interface-list" = "LAN";
+ };
+}
diff --git a/systems/club-mate/default.nix b/systems/club-mate/default.nix
index 38b08b1..b40ebcb 100644
--- a/systems/club-mate/default.nix
+++ b/systems/club-mate/default.nix
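Review bot: The `wifi` bridge is never added to the `LAN` list in `/interface list member` (only `bridge` and `ether1` are listed), so the input-chain rule `"in-interface-list" = "!LAN"` drops traffic from 10.10.11.0/24 to the router itself, while the forward chain has no rule between `wifi` and `bridge` and therefore lets wifi clients reach every wired host. If wifi is meant to be a trusted segment, add `{ interface = "wifi"; list = "LAN"; }` to the list members; if it is meant to be isolated, the forward chain needs a matching drop rule for `in-interface=wifi out-interface=bridge`, and either way a comment on the list members stating the intent would prevent the two from drifting apart. Separately, `/ip dns static` maps `router.lan` to `192.168.88.1`, an address this configuration never assigns (`/ip address` only holds 10.10.10.1/24 and 10.10.11.1/24), so the entry should point at `10.10.10.1` or be dropped. With `"allow-remote-requests" = "yes"` the router is presumably the resolver its DHCP clients use, so under the current rules wifi clients would appear to lose DNS; worth confirming on the device before deploying.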
@@ -65,8 +65,14 @@ source-han-serif-japanese
 ];
 fontconfig.defaultFonts = {
- serif = [ "Noto Serif" "Source Han Serif" ];
- sansSerif = [ "Noto Sans" "Source Han Sans" ];
+ serif = [
+ "Noto Serif"
+ "Source Han Serif"
+ ];
+ sansSerif = [
+ "Noto Sans"
+ "Source Han Sans"
+ ];
 };
 };
@@ -115,7 +121,9 @@
 };
 };
- environment.variables = { LOG_ICONS = "true"; };
+ environment.variables = {
+ LOG_ICONS = "true";
+ };
 services = {
 xserver = {
 xkb.layout = "de";
diff --git a/systems/fritz-mate/default.nix b/systems/fritz-mate/default.nix
index 8805ac5..322a0fa 100644
--- a/systems/fritz-mate/default.nix
+++ b/systems/fritz-mate/default.nix
@@ -7,9 +7,7 @@
 }: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 boot = {
 loader = {
@@ -19,12 +17,14 @@ kernelPackages = self.inputs.rpi_5.legacyPackages.aarch64-linux.linuxPackages_rpi5;
 kernelModules = [ ];
 initrd = {
- availableKernelModules = [ "usbhid" "usb_storage" ];
+ availableKernelModules = [
+ "usbhid"
+ "usb_storage"
+ ];
 kernelModules = [ ];
 };
 };
-
 networking = {
 useDHCP = lib.mkDefault true;
 wireless.iwd = {
diff --git a/systems/mio-mio-mate/default.nix b/systems/mio-mio-mate/default.nix
index 7e8a19f..0c51bc5 100644
--- a/systems/mio-mio-mate/default.nix
+++ b/systems/mio-mio-mate/default.nix
@@ -35,8 +35,16 @@ networking.firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 53 ];
- allowedUDPPorts = [ 80 443 53 ];
+ allowedTCPPorts = [
+ 80
+ 443
+ 53
+ ];
+ allowedUDPPorts = [
+ 80
+ 443
+ 53
+ ];
 };
 services.nginx = {
diff --git a/users/default.nix b/users/default.nix
index 3cc8526..bfe68b4 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -1,8 +1,4 @@
-{
- pkgs,
- config,
- ...
-}:
+{ pkgs, config, ... }:
 {
 home = {