feat(zackbiene): start clean; add kea instead of dhcpcd

chore: switch to hosts.toml

hosts/ward/kea.nix

@@ -1,77 +1,60 @@
 {
-  config,
   lib,
   utils,
   nodes,
   ...
 }: let
-  inherit
-    (lib)
-    flip
-    mapAttrsToList
-    mkOption
-    net
-    types
-    ;
-
+  inherit (lib) net;
   lanCidrv4 = "192.168.100.0/24";
   dnsIp = net.cidr.host 2 lanCidrv4;
 in {
   # TODO make meta.kea module?
   # TODO reserve by default using assignIps algo?
-  options.networking.dhcp4Reservations = mkOption {
-    default = {};
-    type = types.attrsOf (types.net.ipv4-in lanCidrv4);
-    description = "Maps MAC addresses to their reserved ipv4 address.";
-  };
-
-  config = {
-    services.kea.dhcp4 = {
-      enable = true;
-      settings = {
-        lease-database = {
-          name = "/var/lib/kea/dhcp4.leases";
-          persist = true;
-          type = "memfile";
-        };
-        valid-lifetime = 4000;
-        renew-timer = 1000;
-        rebind-timer = 2000;
-        interfaces-config = {
-          # XXX: why does this bind other macvtaps?
-          interfaces = ["lan-self"];
-          service-sockets-max-retries = -1;
-        };
-        option-data = [
-          {
-            name = "domain-name-servers";
-            data = dnsIp;
-          }
-        ];
-        subnet4 = [
-          {
-            interface = "lan-self";
-            subnet = lanCidrv4;
-            pools = [
-              {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";}
-            ];
-            option-data = [
-              {
-                name = "routers";
-                data = net.cidr.host 1 lanCidrv4;
-              }
-            ];
-            reservations = [
-              {
-                hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
-                ip-address = dnsIp;
-              }
-            ];
-          }
-        ];
+  services.kea.dhcp4 = {
+    enable = true;
+    settings = {
+      lease-database = {
+        name = "/var/lib/kea/dhcp4.leases";
+        persist = true;
+        type = "memfile";
       };
+      valid-lifetime = 4000;
+      renew-timer = 1000;
+      rebind-timer = 2000;
+      interfaces-config = {
+        # XXX: why does this bind other macvtaps?
+        interfaces = ["lan-self"];
+        service-sockets-max-retries = -1;
+      };
+      option-data = [
+        {
+          name = "domain-name-servers";
+          data = dnsIp;
+        }
+      ];
+      subnet4 = [
+        {
+          interface = "lan-self";
+          subnet = lanCidrv4;
+          pools = [
+            {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";}
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = net.cidr.host 1 lanCidrv4;
+            }
+          ];
+          reservations = [
+            {
+              hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
+              ip-address = dnsIp;
+            }
+          ];
+        }
+      ];
     };
-
-    systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"];
   };
+
+  systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"];
 }

hosts/ward/microvms/common.nix

@@ -7,7 +7,7 @@ in {
     proxy = "sentinel";
   };
 
-  # Connect safely via wireguard to skip authentication
+  # Connect safely via wireguard to skip http authentication
   networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
   meta.telegraf = {
     enable = true;

hosts/zackbiene/default.nix

@@ -1,4 +1,10 @@
-{lib, ...}: {
+{
+  lib,
+  nodes,
+  ...
+}: let
+  sentinelCfg = nodes.sentinel.config;
+in {
   imports = [
     ../../modules/optional/hardware/odroid-n2plus.nix
 
@@ -7,17 +13,32 @@
     ../../modules/optional/initrd-ssh.nix
     ../../modules/optional/zfs.nix
 
-    #./dnsmasq.nix
     #./esphome.nix
     ./fs.nix
     #./home-assistant.nix
-    #./hostapd.nix
+    ./hostapd.nix
     #./mosquitto.nix
+    ./kea.nix
     ./net.nix
     #./nginx.nix
     #./zigbee2mqtt.nix
   ];
 
+  meta.wireguard-proxy.sentinel = {};
+  meta.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
+  # Connect safely via wireguard to skip http authentication
+  networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
+  meta.telegraf = {
+    enable = true;
+    influxdb2.domain = sentinelCfg.networking.providedDomains.influxdb;
+    influxdb2.organization = "servers";
+    influxdb2.bucket = "telegraf";
+  };
+
   # Fails if there are no SMART devices
   services.smartd.enable = lib.mkForce false;
 }

hosts/zackbiene/dnsmasq.nix

@@ -1,21 +0,0 @@
-{
-  services.dnsmasq = {
-    enable = true;
-    resolveLocalQueries = false;
-    settings = {
-      interface = "wlan1";
-      dhcp-authoritative = true;
-      dhcp-range = [
-        "10.0.90.10,10.0.90.240,24h"
-        "fd90::10,fd90::ff0,24h"
-      ];
-
-      # Enable ipv6 router advertisements
-      enable-ra = true;
-      # Don't use anything from /etc/resolv.conf
-      no-resolv = true;
-      # Never forward addresses in the non-routed address spaces.
-      bogus-priv = true;
-    };
-  };
-}

hosts/zackbiene/hostapd.nix

@@ -1,9 +1,4 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}: {
+{config, ...}: {
   # Associates each known client to a unique password
   age.secrets.wifi-clients.rekeyFile = ./secrets/wifi-clients.age;
 
@@ -12,7 +7,7 @@
   services.hostapd = {
     enable = true;
     radios.wlan1 = {
-      hwMode = "g";
+      band = "2g";
       countryCode = "DE";
       channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
       wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
@@ -22,7 +17,8 @@
         apIsolate = true;
         authentication = {
           saePasswordsFile = config.age.secrets.wifi-clients.path;
-          saeAddToMacAllow = true;
+          # TODO reenable when nixpkgs#245413 is merged
+          # saeAddToMacAllow = true;
           enableRecommendedPairwiseCiphers = true;
         };
         bssid = "00:c0:ca:b1:4f:9f";

hosts/zackbiene/kea.nix

@@ -0,0 +1,43 @@
+{
+  lib,
+  utils,
+  ...
+}: let
+  inherit (lib) net;
+  iotCidrv4 = "10.0.90.0/24";
+in {
+  services.kea.dhcp4 = {
+    enable = true;
+    settings = {
+      lease-database = {
+        name = "/var/lib/kea/dhcp4.leases";
+        persist = true;
+        type = "memfile";
+      };
+      valid-lifetime = 4000;
+      renew-timer = 1000;
+      rebind-timer = 2000;
+      interfaces-config = {
+        interfaces = ["wlan1"];
+        service-sockets-max-retries = -1;
+      };
+      subnet4 = [
+        {
+          interface = "wlan1";
+          subnet = iotCidrv4;
+          pools = [
+            {pool = "${net.cidr.host 20 iotCidrv4} - ${net.cidr.host (-6) iotCidrv4}";}
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = net.cidr.host 1 iotCidrv4;
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wlan1"}.device"];
+}

hosts/zackbiene/net.nix

@@ -32,6 +32,16 @@ in {
         (lib.net.cidr.hostCidr 1 iotCidrv6)
       ];
       matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac;
+      networkConfig = {
+        IPForward = "yes";
+        IPv6PrivacyExtensions = "yes";
+        IPv6SendRA = true;
+        MulticastDNS = true;
+      };
+      # Announce a static prefix
+      ipv6Prefixes = [
+        {ipv6PrefixConfig.Prefix = iotCidrv6;}
+      ];
       linkConfig.RequiredForOnline = "no";
     };
   };

hosts/zackbiene/nginx.nix

@@ -1,20 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}: {
-  age.secrets."selfcert.crt" = {
-    rekeyFile = ./secrets/selfcert.crt.age;
-    mode = "440";
-    group = "nginx";
-  };
-  age.secrets."selfcert.key" = {
-    rekeyFile = ./secrets/selfcert.key.age;
-    mode = "440";
-    group = "nginx";
-  };
-
-  #security.acme.acceptTerms = true;
-  #security.acme.defaults.email = "admin+acme@example.com";
-  services.nginx.enable = true;
-}

hosts/zackbiene/secrets/host.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJVBhqJKfIBWOwXHGNjlskKMIpCuL3qjOjKiXyF8hkGT
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILaKQa+gcGMvtm9d1LM11lvsXRtE3Tvo+o40nG+eXYgo

hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 GORopMcTgwBFuvljV/6TrebfoW4aL13meWOk0tjX2Fg
+A9OOzSPEqT8dPNYeKHcvVVdZOfYMnEzaSdudKzyals4
+-> piv-p256 xqSe8Q As7KMtJM+NWObNYdVxTjfePy8MThyA6PkOv32lvMNbth
+LkC4vtpHWjizzs3qEyJF+L5yBniMH9XdMH6Y/H5RfTc
+-> WQ0T*-grease ;xyW-]= 5tB %=C(B9M jM<jH1
+OVWNxQR0ExMSLB9+AM/jq5I1df7Dvcs/JBAlp1m3WCir+qbwc+CJSV1Hbphyw+7a
+h3uw+bd8lhGqa7Ig8JPRpRuDUWA92d/RKzGWGjXEIreeUXPuU6ssHAg5yDnWINDU
+L3M
+--- /zsULNtPqVAFPr8wPDODnlkWK5sITH30ZJ7BK11Sius
+ÆP�_'Ü7Å€Á£+B½©ëÊHFi9|@Èg
(ß;DÛ Ž~ÊÕ	zlòJk³»_�wfž¦¦ÒEftY\‘)‰:Âرa+4

hosts/zackbiene/secrets/telegraf-influxdb-token.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4
+KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU
+-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o
+SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk
+-> e\9`z-grease
+PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa
+RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF
+6g
+--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE
+¶ßÌÚÝp 6SD´…˜W(¶YRÜ3ƒs_Ûª/2g}Äܶ§W?ub
+)‘¯/û,{÷&ƒFÿ-ŒØ5£ß/u.�p¬	\%ÊÉŸæ—üï4qÓ‰�ðÛ˜yKQk4W™3÷ËŒ
+
§Óˆ[Áþ°t‡__4y× ±q�¬^/Fש*