NixOS router is now in active use :)

flake.nix

@@ -126,7 +126,7 @@
 
       in {
         s0 = mkDeploy "s0" "s0";
-        router = mkDeploy "router" "192.168.1.228";
+        router = mkDeploy "router" "router";
         ponyo = mkDeploy "ponyo" "ponyo.neet.dev";
       };
 

machines/router/router.nix

@@ -50,7 +50,17 @@ in
       };
     };
 
-    networking.networkmanager.enable = false;
+    networking.firewall = {
+      enable = true;
+      trustedInterfaces = [ "br0" "tailscale0" ];
+
+      interfaces = {
+        enp1s0 = {
+          allowedTCPPorts = [ ];
+          allowedUDPPorts = [ ];
+        };
+      };
+    };
 
     services.dnsmasq = {
       enable = true;
@@ -77,8 +87,6 @@ in
       '';
     };
 
-    networking.firewall.enable = lib.mkForce false; # TODO
-
     services.hostapd = {
       enable = true;
       radios = {
@@ -102,9 +110,19 @@ in
             multiUserBeamformer = true;
             operatingChannelWidth = "20or40";
           };
-          networks.wlp4s0 = {
+          networks = {
-            ssid = "- Experimental 5G Tower by AT&T";
+            wlp4s0 = {
-            authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+              ssid = "CXNK00BF9176";
+              authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
+            };
+            # wlp4s0-1 = {
+            #   ssid = "- Experimental 5G Tower by AT&T";
+            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+            # };
+            # wlp4s0-2 = {
+            #   ssid = "FBI Surveillance Van 2";
+            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+            # };
           };
           extraConfig = ''
             he_oper_centr_freq_seg0_idx=8
@@ -132,9 +150,19 @@ in
             multiUserBeamformer = true;
             operatingChannelWidth = "160";
           };
-          networks.wlan1 = {
+          networks = {
-            ssid = "- Experimental 5G Tower by AT&T";
+            wlan1 = {
-            authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+              ssid = "CXNK00BF9176";
+              authentication.saePasswordsFile = "/run/agenix/hostapd-pw-CXNK00BF9176";
+            };
+            # wlan1-1 = {
+            #   ssid = "- Experimental 5G Tower by AT&T";
+            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+            # };
+            # wlan1-2 = {
+            #   ssid = "FBI Surveillance Van 5";
+            #   authentication.saePasswordsFile = "/run/agenix/hostapd-pw-experimental-tower";
+            # };
           };
           extraConfig = ''
             vht_oper_centr_freq_seg0_idx=114
@@ -144,6 +172,7 @@ in
       };
     };
     age.secrets.hostapd-pw-experimental-tower.file = ../../secrets/hostapd-pw-experimental-tower.age;
+    age.secrets.hostapd-pw-CXNK00BF9176.file = ../../secrets/hostapd-pw-CXNK00BF9176.age;
 
     hardware.firmware = [
       pkgs.mt7916-firmware

secrets/hostapd-pw-CXNK00BF9176.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 VyYH/Q I1gFDOOOEfSDSUtZ4YtZK/qxWJqWIFFHsilSCmZbJHA
+EpY7XZ28RrBvJ7NEQYhEnp2vpKEkge6SzGCKJYkeH14
+-> ssh-ed25519 xoAm7w +2NRmQIyrHZ3BcwclLxDOatDL+za1u3lHp6v9HEtmEs
+L8wjpBk6FcrRmaBfJfxZAN9v/aE5G//MpwU4WuiDX1Q
+-> ssh-ed25519 mbw8xA fpiGYGRxYwc1BS+U6NaomHuC2zxCY3ijuYQi6XUg6lw
+yWgTUbvvx3Hsnz3suPdYPVNTb3errqd5GXmtUHJnrEM
+-> ssh-ed25519 2a2Yhw sr15CIyZX/FznIcn48vTCl8bva8b/fC+9VKacnEImHE
+oN34RfbM14+4kKyr5aLdioxKPWsnsLbBc9bCRIgLObc
+-> ssh-ed25519 dMQYog NRUfD/s+mS4fKiKN/hDTXBe0TD2IVnnWMptEUbPOhm0
+FXUCV9DnNjVC3fcDelE9c3Facl2/SuKXwyeb3ywW4N0
+-> 6[iGZC;-grease .
+9nz6/4cWYXy0/9QHBMKVngqDjEfaIdPjdgESEf0EZYo7y+xtTUKd4QNq3N0C6+dz
+MTUMD6eVwNlf990aLihSGriHuEgoBEEHBvdPxw4tn6tVZBRfvImi5caLbRZT
+--- fKgNkprjYxTkoHrZFYSgS+Y/Dbe9zner89UuZalEv8M
+Õ(Ae Lžà/3L—¨o=䀆‘Ãè³Ãñ±Å||´dª“'ÇiOšÊßìó

secrets/secrets.nix

@@ -1,8 +1,13 @@
 let
   keys = import ../common/ssh.nix;
+  system = keys.system;
   systems = keys.systems;
   users = keys.users;
   all = users ++ systems;
+
+  wireless = [
+    system.router
+  ] ++ users;
 in
 {
   # TODO: Minimum necessary access to keys
@@ -17,5 +22,6 @@ in
   "wolframalpha.age".publicKeys = all;
 
   # hostapd
-  "hostapd-pw-experimental-tower.age".publicKeys = all;
+  "hostapd-pw-experimental-tower.age".publicKeys = wireless;
+  "hostapd-pw-CXNK00BF9176.age".publicKeys = wireless;
 }