nixos/routnerr-3: new router

Signed-off-by: Matt Layher <mdlayher@gmail.com>

nixos/README.md

@@ -2,5 +2,5 @@
 
 NixOS configurations for my machines. I cannot say whether or not these configs
 are truly idiomatic, but they work well enough for my needs. Individual
-machines have their own directories, such as `routnerr-2/` or `servnerr-3/`.
+machines have their own directories, such as `routnerr-3/` or `servnerr-4/`.
 Shared Nix configurations are stored in `lib/`.

nixos/lib/system.nix

@@ -74,6 +74,7 @@ in {
       pciutils
       pkg-config
       pv
+      ripgrep
       smartmontools
       sysstat
       tcpdump

nixos/routnerr-2/README.md

@@ -1,4 +0,0 @@
-# routnerr-2
-
-This machine is my home router, built using the (PC Engines apu4d4)[https://www.pcengines.ch/apu4d4.htm]
-board.

nixos/routnerr-3/README.md

@@ -0,0 +1,5 @@
+# routnerr-2
+
+This machine is my home router based on the [Deciso DEC
+2750](https://shop.opnsense.com/product/dec2750-opnsense-rack-security-appliance/)
+OPNsense appliance, running NixOS.

nixos/routnerr-3/configuration.nix

@@ -9,7 +9,6 @@ let vars = import ./lib/vars.nix;
 in {
   imports = [
     # Hardware and base system configuration.
-    <nixos-hardware/pcengines/apu>
     ./hardware-configuration.nix
     ./lib/system.nix
 
@@ -26,7 +25,11 @@ in {
     ./lib/modules/wireguard_exporter.nix
   ];
 
-  system.stateVersion = "22.11";
+  # TODO: https://github.com/NixOS/nixos-hardware/pull/673
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+  system.copySystemConfiguration = true;
+  system.stateVersion = "23.05";
 
   # Overlays for unstable and out-of-tree packages.
   nixpkgs.overlays = [
@@ -53,24 +56,17 @@ in {
         "net.ipv6.conf.${name}.autoconf" = 1;
       };
     };
-
-    # Use the GRUB 2 boot loader with MBR.
-    loader.grub = {
-      enable = true;
-      device = "/dev/disk/by-id/ata-INDMEM_mSATA_256GB_AA200313000000000122";
-    };
   };
 
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
   # Packages specific to this machine. The base package set is defined in
   # lib/system.nix.
   environment.systemPackages = with pkgs; [
     # Stable packages.
     bind
-    cbfstool
-    cmatrix
-    flashrom
-    libmbim
-    libqmi
 
     # Unstable and out-of-tree packages.
     wireguard_exporter

nixos/routnerr-3/coredns.nix

@@ -35,7 +35,7 @@ in {
               '' else
                 ""}
             '') (hosts.servers ++ hosts.infra ++ [{
-              name = "routnerr-2";
+              name = "routnerr-3";
               ipv4 = interfaces.lan0.ipv4;
               ipv6.ula = interfaces.lan0.ipv6.ula;
             }])

nixos/routnerr-3/hardware-configuration.nix

@@ -7,19 +7,25 @@
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
   boot.initrd.availableKernelModules =
-    [ "xhci_pci" "ahci" "ehci_pci" "sd_mod" "sdhci_pci" ];
+    [ "nvme" "xhci_pci" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
-    device = "/dev/disk/by-uuid/10be6bfd-9f03-4ce7-88b2-5d00691f728c";
+    device = "/dev/disk/by-uuid/d720351b-787d-4cfd-bd95-a65bd29a18c1";
     fsType = "ext4";
   };
 
-  swapDevices =
-    [{ device = "/dev/disk/by-uuid/56b049fa-6f09-4bc7-97e3-0c790cfa354a"; }];
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/AC76-96D5";
+    fsType = "vfat";
+  };
 
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/ea5ad06f-254f-42ee-92b4-84512016a0b6"; }];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode =
     lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

nixos/routnerr-3/networking.nix

@@ -75,7 +75,7 @@ let
   in v: toHex' v "";
 in {
   networking = {
-    hostName = "routnerr-2";
+    hostName = "routnerr-3";
 
     # Use systemd-networkd for configuration. Forcibly disable legacy DHCP
     # client.
@@ -98,8 +98,6 @@ in {
   };
 
   # Manage network configuration with networkd.
-  #
-  # TODO(mdlayher): template out again.
   systemd.network = {
     enable = true;
 
@@ -117,7 +115,7 @@ in {
     };
 
     # Wired WAN.
-    links."10-wan0" = ethLink "wan0" "00:0d:b9:53:ea:cc";
+    links."10-wan0" = ethLink "wan0" "f4:90:ea:00:c7:8d";
     networks."10-wan0" = {
       matchConfig.Name = "wan0";
       networkConfig.DHCP = "yes";
@@ -141,15 +139,9 @@ in {
       };
     };
 
-    # Wireless WAN, temporarily unused.
-    links."11-wwan0" = {
-      matchConfig.Path = "pci-0000:00:13.0-usb-0:1.3:1.12";
-      linkConfig.Name = "wwan0";
-    };
-
     # Physical management LAN. For physical LANs, we have to make sure to match
     # on both Type and MACAddress since VLANs would share the same MAC.
-    links."15-mgmt0" = ethLink "mgmt0" "00:0d:b9:53:ea:cd";
+    links."15-mgmt0" = ethLink "mgmt0" "f4:90:ea:00:c7:90";
     networks."15-mgmt0" = {
       matchConfig.Name = "mgmt0";
 
@@ -192,8 +184,11 @@ in {
     };
 
     # Unused physical management LANs.
-    links."16-mgmt1" = ethLink "mgmt1" "00:0d:b9:53:ea:ce";
-    links."17-mgmt2" = ethLink "mgmt2" "00:0d:b9:53:ea:cf";
+    links."11-wan1" = ethLink "mgmt1" "f4:90:ea:00:c7:91";
+
+    # Unused WANs.
+    links."12-eth1" = ethLink "eth1" "f4:90:ea:00:c7:8e";
+    links."13-eth2" = ethLink "eth2" "f4:90:ea:00:c7:8f";
 
     # Home VLAN.
     netdevs."20-lan0" = vlanNetdev "lan0" 10;
@@ -234,19 +229,6 @@ in {
     };
   };
 
-  # Use NM/MM only to manage the LTE modem.
-  networking.networkmanager = {
-    enable = true;
-    dns = "systemd-resolved";
-    unmanaged = [ "*,except:type:gsm" ];
-  };
-
-  # Bring up MM and exporter with NM.
-  systemd.services.ModemManager = {
-    enable = true;
-    wantedBy = [ "NetworkManager.service" ];
-  };
-
   services.tailscale = {
     enable = false;
     package = unstable.tailscale;

nixos/routnerr-3/nftables.nix

@@ -23,9 +23,8 @@ let
   mkCSV = lib.concatMapStrings (ifi: "${ifi.name}, ");
 
   # WAN interfaces.
-  metered_wans = with vars.interfaces; [ wwan0 ];
   unmetered_wans = with vars.interfaces; [ wan0 ];
-  all_wans = with vars.interfaces; [ wan0 wwan0 ];
+  all_wans = with vars.interfaces; [ wan0 ];
 
   # LAN interfaces, segmented into trusted, limited, and untrusted groups.
   metered_lans = with vars.interfaces; [ mgmt0 lan0 ];
@@ -182,13 +181,6 @@ in {
             ${mkCSV unmetered_wans}
           } counter accept comment "Allow trusted LANs to unmetered WANs";
 
-          # Forward certain trusted LAN traffic to metered WANs.
-          iifname {
-            ${mkCSV metered_lans}
-          } oifname {
-            ${mkCSV metered_wans}
-          } counter accept comment "trusted LAN devices to metered WANs"
-
           iifname {
             ${mkCSV trusted_lans}
           } oifname {