WIP RPI hotspot fallback gateway

common/binary-cache.nix

@@ -1,6 +1,16 @@
 { config, lib, ... }:
 
+let
+
+in
 {
+  options.enableExtraSubstituters = lib.mkEnableOption "Enable extra substituters";
+
+  config = lib.mkMerge [
+    {
+      enableExtraSubstituters = lib.mkDefault true;
+    }
+    (lib.mkIf config.enableExtraSubstituters {
       nix = {
         settings = {
           substituters = [
@@ -14,4 +24,6 @@
           ];
         };
       };
+    })
+  ];
 }

machines/hotspot/default.nix

@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+let
+  internal = "end0";
+  wireless = "wlan0";
+  internal-gateway-ip = "192.168.0.1";
+  internal-ip-lower = "192.168.0.10";
+  internal-ip-upper = "192.168.0.100";
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  enableExtraSubstituters = false;
+
+  # networking.interfaces.${internal}.ipv4.addresses = [{
+  #   address = internal-gateway-ip;
+  #   prefixLength = 24;
+  # }];
+
+  # DHCP on all interfaces except for the internal interface
+  networking.useDHCP = true;
+  networking.interfaces.${internal}.useDHCP = true;
+  networking.interfaces.${wireless}.useDHCP = true;
+
+  # Enable NAT
+  networking.ip_forward = true;
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ internal ];
+    externalInterface = wireless;
+  };
+
+  networking.wireless = {
+    enable = true;
+    networks = {
+      "Pixel_6054".psk = "@PSK_Pixel_6054@";
+    };
+    interfaces = [ wireless ];
+    environmentFile = "/run/agenix/hostspot-passwords";
+  };
+  age.secrets.hostspot-passwords.file = ../../secrets/hostspot-passwords.age;
+
+  # dnsmasq for internal interface
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      server = [ "1.1.1.1" "8.8.8.8" ];
+      dhcp-range = "${internal-ip-lower},${internal-ip-upper},24h";
+      dhcp-option = [
+        "option:router,${internal-gateway-ip}"
+        "option:broadcast,10.0.0.255"
+        "option:ntp-server,0.0.0.0"
+      ];
+    };
+  };
+
+  networking.firewall.interfaces.${internal}.allowedTCPPorts = [
+    53 # dnsmasq
+  ];
+
+  # Make it appear we are not using phone tethering to the ISP
+  networking.firewall = {
+    extraCommands = ''
+      iptables -t mangle -A POSTROUTING -o ${wireless} -j TTL --ttl-set 65
+    '';
+  };
+}

machines/hotspot/hardware-configuration.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot = {
+    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

machines/hotspot/properties.nix

@@ -0,0 +1,13 @@
+{
+  hostNames = [
+    "hotspot"
+  ];
+
+  arch = "aarch64-linux";
+
+  systemRoles = [
+    "hotspot"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION4IUAef687RIzWrP4HEZnpdSJswt06QmrdRMDPHHGY";
+}

secrets/hostspot-passwords.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cObvAg l/suU/M4AATK7lQuZv/qnjG/xqNGoVqhS7b3xirmNUM
+Ao2tP6BBSZdlL7jZJPmLyJQWfqdU89M9hCjkkuqtxlw
+-> ssh-ed25519 w3nu8g szQugiuFfzkzVndyIdP1agun4nmCsZzFG/6EEB2V1Gk
+5+DEUJ5tkVFUpm+w/tptUCByRpMxRigwfrVglTYc8XI
+--- pjviyhRustHHMipIpkKsQ4cpu+YA66JwvWXjceXopi4
+)˜Ö®Äý8³È6Y"@?Ý9”®@¡Ÿžè|ÂÄž+©Z*4ö2å“R<qef…êªG¹ïV+{©%CmÞd^™b

secrets/secrets.nix

@@ -57,4 +57,7 @@ with roles;
 
   # Frigate (DVR)
   "frigate-credentials.age".publicKeys = frigate;
+
+  # Phone hotspot passwords
+  "hostspot-passwords.age".publicKeys = hotspot;
 }