-rw-r--r--files/files/etc/config/dropbear5
-rw-r--r--files/files/etc/config/firewall69
-rw-r--r--files/files/etc/config/network45
-rw-r--r--files/files/etc/config/system18
-rw-r--r--files/files/etc/config/wireless43
-rw-r--r--files/files/etc/dropbear/authorized_keys1
-rw-r--r--files/files/etc/dropbear/dropbear_ed25519_host_key.sops21
-rw-r--r--files/files/etc/fw_env.config1
-rw-r--r--files/files/etc/rc.local7
-rw-r--r--files/files/etc/shadow9
-rw-r--r--files/files/etc/sysctl.conf1
-rw-r--r--flake.nix2
-rw-r--r--patches/shannon-passphrase.patch.sops21
13 files changed, 242 insertions, 1 deletions
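diff --git a/files/files/etc/config/dropbear b/files/files/etc/config/dropbear
new file mode 100644
index 0000000..39ba220
--- /dev/null
+++ b/files/files/etc/config/dropbear
@@ -0,0 +1,5 @@
+config dropbear
+ option Port '22'
+ option PasswordAuth 'off'
+ option RootPasswordAuth 'off'
+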
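Review bot: Dropbear is left listening on every interface, so the key-only SSH service is reachable from the `lan` bridge, which the network and wireless configs in this commit attach three VLANs and both wifi radios to, as well as from `mgmt`. If administration is meant to happen over the management VLAN, binding the daemon there with `option Interface 'mgmt'` removes the service from client-facing networks outright instead of relying on firewall rules to hide it. `PasswordAuth 'off'` and `RootPasswordAuth 'off'` are the right choices for an authorized_keys-only device.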
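diff --git a/files/files/etc/config/firewall b/files/files/etc/config/firewall
new file mode 100644
index 0000000..9b4d252
--- /dev/null
+++ b/files/files/etc/config/firewall
@@ -0,0 +1,69 @@
+config defaults
+ option syn_flood '1'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config zone 'lan'
+ option name 'lan'
+ list network 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config zone 'mgmt'
+ option name 'mgmt'
+ list network 'mgmt'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config rule
+ option name 'Allow-Ping'
+ option src '*'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Input'
+ option src '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Forward'
+ option src '*'
+ option dest '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-SSH'
+ option src '*'
+ option dest_port '22'
+ option proto 'tcp'
+ option target 'ACCEPT'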
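Review bot: The `Allow-SSH` rule at lines 64–69 and `Allow-Ping` at lines 21–27 are no-ops as written, because `option input 'ACCEPT'` is set in `defaults` and again in both the `lan` and `mgmt` zones, so every inbound port on every zone is already open before any rule is consulted. If the rules are meant to express the only services the AP should answer on, the zone inputs need to be `REJECT` (at least for `lan`, which carries wifi clients) and the SSH rule scoped to the management side, e.g. `option src 'mgmt'` in place of `option src '*'`. If wide-open input is intentional because the whole segment is trusted, a `# input is ACCEPT on purpose; rules below are documentation only` comment above `config defaults` would stop the next reader from treating the rules as an allow-list.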
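diff --git a/files/files/etc/config/network b/files/files/etc/config/network
new file mode 100644
index 0000000..288cdc9
--- /dev/null
+++ b/files/files/etc/config/network
@@ -0,0 +1,45 @@
+config interface 'loopback'
+ option ifname 'lo'
+ option proto 'static'
+ option ipaddr '127.0.0.1'
+ option netmask '255.0.0.0'
+
+config globals 'globals'
+ option ula_prefix 'fd69:f71f:1364::/48'
+
+config interface 'lan'
+ option type 'bridge'
+ option proto 'dhcp'
+ list ifname 'eth0.3'
+ list ifname 'eth0.101'
+ list ifname 'eth0.102'
+
+config interface 'mgmt'
+ option type 'bridge'
+ option proto 'dhcp'
+ list ifname 'eth0.2'
+
+config switch
+ option name 'switch0'
+ option reset '1'
+ option enable_vlan '1'
+
+config switch_vlan
+ option device 'switch0'
+ option vlan '101'
+ option ports '3 0t'
+
+config switch_vlan
+ option device 'switch0'
+ option vlan '102'
+ option ports '2 0t'
+
+config switch_vlan
+ option device 'switch0'
+ option vlan '3'
+ option ports '2t 0t'
+
+config switch_vlan
+ option device 'switch0'
+ option vlan '2'
+ option ports '2t 0t'
\ No newline at end of file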
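Review bot: The `lan` interface at lines 10–15 bridges `eth0.3`, `eth0.101` and `eth0.102` into a single Layer-2 domain, so whatever separation VLANs 3, 101 and 102 provide on the switch (lines 27–45: 101 untagged on port 3, 102 untagged and 2/3 tagged on port 2) is undone on this device — frames arriving on one VLAN are flooded to the other two and to both wifi APs that join `lan`. If those VLANs are meant to be distinct networks, each needs its own `config interface` and firewall zone, with only the client-facing one bridged to the radios; if merging them is deliberate (e.g. a pass-through Ethernet port that should sit on the same segment as wifi), a one-line `# VLANs 3/101/102 are intentionally one L2 segment` above the `lan` stanza makes that reviewable. The file is also missing its trailing newline.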
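diff --git a/files/files/etc/config/system b/files/files/etc/config/system
new file mode 100644
index 0000000..e5ccea0
--- /dev/null
+++ b/files/files/etc/config/system
@@ -0,0 +1,18 @@
+config system
+ option timezone 'UTC'
+ option ttylogin '0'
+ option log_size '64'
+ option urandom_seed '0'
+ option hostname 'ap01'
+
+config timeserver 'ntp'
+ option enabled '1'
+ option enable_server '0'
+ list server '10.141.1.1'
+
+config led
+ option name 'BlueDome'
+ option trigger 'none'
+ option brightness '0'
+ option default '0'
+ option sysfs 'blue:dome'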
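Review bot: Logging stays entirely in the 64 KiB RAM ring buffer configured by `option log_size '64'` at line 4 and is lost on every reboot, so failed key authentications against dropbear or anything else worth investigating leaves no trace once the AP power-cycles. The `timeserver` section already points at an infrastructure host, so forwarding logs the same way with `option log_ip '<syslog-host>'` (plus `option log_proto` / `option log_port` as the collector needs) gives a durable audit trail at no cost on the device. Separately, the LED name `blue:dome` at line 18 differs from the `ubnt:blue:dome` path that `rc.local` in this commit writes to; only one of those names can exist under `/sys/class/leds` on the target, so either this stanza or the boot blink in rc.local is a no-op — check the device and use the same name in both files.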
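diff --git a/files/files/etc/config/wireless b/files/files/etc/config/wireless
new file mode 100644
index 0000000..6204c21
--- /dev/null
+++ b/files/files/etc/config/wireless
@@ -0,0 +1,43 @@
+config wifi-device 'radio0'
+ option type 'mac80211'
+ option hwmode '11a'
+ option path 'pci0000:00/0000:00:00.0'
+ option htmode 'VHT80'
+ option country 'DE'
+ option disabled '0'
+ option channel '60'
+
+config wifi-iface 'default_radio0'
+ option device 'radio0'
+ option network 'lan'
+ option mode 'ap'
+ option key '<passphrase>'
+ option ssid 'shannon'
+ option encryption 'psk2+ccmp'
+ option ieee80211r '1'
+ option mobility_domain 'e612'
+ option ft_psk_generate_local '1'
+ option ft_over_ds '1'
+ option pmk_r1_push '1'
+
+config wifi-device 'radio1'
+ option type 'mac80211'
+ option channel '11'
+ option hwmode '11g'
+ option path 'platform/ahb/18100000.wmac'
+ option htmode 'HT20'
+ option country 'DE'
+ option disabled '0'
+
+config wifi-iface 'default_radio1'
+ option device 'radio1'
+ option network 'lan'
+ option mode 'ap'
+ option ssid 'shannon'
+ option encryption 'psk2+ccmp'
+ option key '<passphrase>'
+ option ieee80211r '1'
+ option mobility_domain 'e612'
+ option ft_psk_generate_local '1'
+ option ft_over_ds '1'
+ option pmk_r1_push '1'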
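Review bot: The literal `<passphrase>` at lines 14 and 38 is a syntactically valid WPA2 passphrase (8–63 printable characters), so if the sops-encrypted `patches/shannon-passphrase.patch` is ever skipped or fails to apply, the image boots with both SSIDs protected by the placeholder instead of failing the build; a post-patch check such as `grep -q '<passphrase>' etc/config/wireless && { echo 'passphrase placeholder not replaced' >&2; exit 1; }` in the flake's unpack step closes that gap (the patch loop lives outside this hunk, so there may already be one I cannot see). Separately, neither `wifi-iface` sets `option ieee80211w`; unless this image's hostapd enables protected management frames by default for `psk2`, adding `option ieee80211w '1'` (or `'2'` if every client supports it) is worth doing, since deauthentication and disassociation frames are otherwise unauthenticated.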
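diff --git a/files/files/etc/dropbear/authorized_keys b/files/files/etc/dropbear/authorized_keys
new file mode 100644
index 0000000..e9aaf21
--- /dev/null
+++ b/files/files/etc/dropbear/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrHPERae+OUTNOzNf9d2767ljFCm5hgmQw48Dj4RrlU gkleen@sif.midgard.yggdrasil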
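diff --git a/files/files/etc/dropbear/dropbear_ed25519_host_key.sops b/files/files/etc/dropbear/dropbear_ed25519_host_key.sops
new file mode 100644
index 0000000..4757e37
--- /dev/null
+++ b/files/files/etc/dropbear/dropbear_ed25519_host_key.sops
@@ -0,0 +1,21 @@
+{
+ "data": "ENC[AES256_GCM,data:VLWYJ9WkBtH428VWlrb5Bwtcp8ONUPxcvW9cNFC0dpEf+i1FKHHoaQJ7t6jTAn2vR/tW3gQ1NQw1OG42ISaDyvOZvx2Axl3Y20LdYL/TcJ0ZV08=,iv:uIllCug5SLdx5Z72GNdVr9LFbFA7tNNVhAbJhWqwgDQ=,tag:rR0Za81+313HsggbDoppdQ==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-01-05T23:40:44Z",
+ "mac": "ENC[AES256_GCM,data:4X+vdVWKrr7zlVAlRPd3ZCrVQIcqtHfEoxncemPvgPN4OrBoKLhKOkFn0UmzM3FxOfQsTVagvLzcz2TjQ6iwpeigzGETIdMSolOLg1mSwk1+mJliTaOZUTuTvkybZJYda1DKcpRY61HAVAWjPNgxtGe/VdSAhbQFmlgx3Vbi+fc=,iv:HOoc4ojQBKoaCp/qLFEs/HJAL9ilknhqpM7xgP4ZQ4o=,tag:Ih+mzHyk3u/3mOCR8/kyXw==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-01-05T23:40:44Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA2WT0pJ8xrYTjc1nz1oAmjUptqCbFRC4WvyiO69w8Riww\n9dGqIDPFj63lC/WgzWdbLdBw4mga6JPV81BJUZvmf6u3EIH9d97Dvch4jMdJgY0t\n0l4BUw/tckmp6bGjsrswU5HOn6M8fXcRPUz1tIl71XjpKsTy5z40W+Afzg+Oetly\nrNEIJNHS+tOVNaACi8mWjBa/aZmXHAY96kT0wViwDM6CI7kbqupEL6ZEXl5ENfJa\n=i4pI\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file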
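Review bot: Both sops files in this commit (this one and `patches/shannon-passphrase.patch.sops`) have exactly one recipient, the PGP key with fingerprint `30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51` at line 15, with the `kms`, `gcp_kms`, `azure_kv`, `hc_vault` and `age` slots all `null`; losing, expiring or rotating that single key makes the SSH host key and the wifi passphrase unrecoverable and blocks every future image build. Adding a second recipient (an `age` key is the lightest option, declared in a `.sops.yaml` creation rule) and running `sops updatekeys` on both files is cheap insurance. Keeping the ed25519 host key encrypted at rest is the right call, since it is the identity clients pin in `known_hosts` and a rebuild must not silently change it.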
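diff --git a/files/files/etc/fw_env.config b/files/files/etc/fw_env.config
new file mode 100644
index 0000000..a2a2b3c
--- /dev/null
+++ b/files/files/etc/fw_env.config
@@ -0,0 +1 @@
+/dev/mtd1 0x0000 0x10000 0x10000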
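diff --git a/files/files/etc/rc.local b/files/files/etc/rc.local
new file mode 100644
index 0000000..569c686
--- /dev/null
+++ b/files/files/etc/rc.local
@@ -0,0 +1,7 @@
+# Put your custom commands here that should be executed once
+# the system init finished. By default this file does nothing.
+
+echo "timer" > /sys/class/leds/ubnt\:blue\:dome/trigger
+sleep 1
+echo "none" > /sys/class/leds/ubnt\:blue\:dome/trigger
+exit 0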
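diff --git a/files/files/etc/shadow b/files/files/etc/shadow
new file mode 100644
index 0000000..6511d4f
--- /dev/null
+++ b/files/files/etc/shadow
@@ -0,0 +1,9 @@
+root:x:0:0:99999:7:::
+daemon:*:0:0:99999:7:::
+ftp:*:0:0:99999:7:::
+network:*:0:0:99999:7:::
+nobody:*:0:0:99999:7:::
+ntp:x:0:0:99999:7:::
+dnsmasq:x:0:0:99999:7:::
+logd:x:0:0:99999:7:::
+ubus:x:0:0:99999:7:::
\ No newline at end of file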
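Review bot: The password field `x` on `root` (line 1) and on `ntp`, `dnsmasq`, `logd` and `ubus` (lines 6–9) is not a lock marker; it only refuses logins because `x` is not a valid crypt(3) result, whereas the other service accounts at lines 2–5 use the conventional `*`, and in /etc/shadow an `x` reads to most people as "password stored elsewhere". Using `*` (or `!`) consistently states the intent and keeps the file self-consistent, e.g. `root:*:0:0:99999:7:::`. With `PasswordAuth 'off'` in the dropbear config and `ttylogin '0'` in system there is no password login path in this image anyway, so this is about clarity and defence in depth rather than an open hole; the file is also missing its trailing newline.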
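diff --git a/files/files/etc/sysctl.conf b/files/files/etc/sysctl.conf
new file mode 100644
index 0000000..75dd97e
--- /dev/null
+++ b/files/files/etc/sysctl.conf
@@ -0,0 +1 @@
+net.ipv6.conf.default.accept_ra=1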
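Review bot: `accept_ra=1` only honours router advertisements while IPv6 forwarding is disabled on the interface, and `conf.default` only seeds interfaces created after the sysctl runs. OpenWrt images typically ship with `net.ipv6.conf.all.forwarding=1` and `net.ipv6.conf.default.forwarding=1` in `/etc/sysctl.d/`, in which case this line has no effect on `br-lan`/`br-mgmt` and the value that actually lets the AP take an address and default route from RAs is `net.ipv6.conf.default.accept_ra=2`. Worth confirming on the device with `sysctl net.ipv6.conf.br-lan.accept_ra net.ipv6.conf.br-lan.forwarding` and, if the intent is "this AP is a host, not a router", either using `2` here or disabling forwarding explicitly alongside it.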
diff --git a/flake.nix b/flake.nix
index 17b8b92..40fd0be 100644
--- a/flake.nix
+++ b/flake.nix
@@ -128,7 +128,7 @@
128 function unpackPhase() { 128 function unpackPhase() {
129 ${pkgs.rsync}/bin/rsync --chmod=u+wX -rlptD ${openwrtWithPackages}/. ${./files}/. ./. 129 ${pkgs.rsync}/bin/rsync --chmod=u+wX -rlptD ${openwrtWithPackages}/. ${./files}/. ./.
130 130
131 patchDir=$(mktemp -d patches.XXXXXXXXXX) 131 patchDir=$(mktemp -d -t patches.XXXXXXXXXX)
132 ${pkgs.rsync}/bin/rsync --chmod=u+wX -rlptD ${./patches}/. "$patchDir/." 132 ${pkgs.rsync}/bin/rsync --chmod=u+wX -rlptD ${./patches}/. "$patchDir/."
133 133
134 while IFS= read -r -d $'\0' sopsFile; do 134 while IFS= read -r -d $'\0' sopsFile; do
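Review bot: The new form of line 131, `mktemp -d -t patches.XXXXXXXXXX` (the right-hand side in this rendering), relies on the `-t` flag that GNU coreutils documents as deprecated; `patchDir=$(mktemp -d --tmpdir patches.XXXXXXXXXX)` is the supported spelling with the same effect of placing the directory under `$TMPDIR`. Since the directory now lives outside the build tree, any `.sops` payloads decrypted into it by the loop that starts at line 134 (the wifi passphrase and the dropbear host key, judging by the files in this commit) will outlive the unpack step unless something removes them, so a `trap 'rm -rf "$patchDir"' EXIT` right after the assignment is a cheap way to keep plaintext secrets from lingering on the builder. `unpackPhase` continues past the end of this hunk, so an existing cleanup further down would already cover the second point.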
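diff --git a/patches/shannon-passphrase.patch.sops b/patches/shannon-passphrase.patch.sops
new file mode 100644
index 0000000..592aa7f
--- /dev/null
+++ b/patches/shannon-passphrase.patch.sops
@@ -0,0 +1,21 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:yBpJGbVzEqwQ3/xQqTMqsUP6lPfbp+TvKG+uK+1HdFo=,tag:lB/qb6Bwc6cKuW6RZlHvOg==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-01-06T00:06:07Z",
+ "mac": "ENC[AES256_GCM,data:0/3v8DeWijSOIJAMsKwXZsDXy020FWWWKquMs+99IB0ky8r/BX8CGlJD3T1mKO+j1olznvN4AqpaOFsMEexdqlxOFx1UwBMTzQZhfPlHsgDkf3XtplHMZbLsK+XNWAjCPiAqdooCd5NeYKiYKBRvJP3IclIwn+aLFw5wv4LlMuo=,iv:lcQeXL/s/NwxyysdqcSfBr8XXN8ef3T9Sw5s2uPYlG8=,tag:lWNPEENTv42CZuZIutxAJA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-01-06T00:06:07Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAiTff5/oPWj97TYpAeywxbPJxgeiZJcsKBSqB4c/fEC4w\nnkrawta5umacLix+FgjfJwsqcsI7kHtgUlwhE0oPr+CoinVP5SXqvsm5oPqIxQCw\n0lwB0Wy6sCLBUyXrqbQX8jZQEUl6xMDb55W8Vk3YEurYpYtYya7jL7ArxB3qkyts\nKEnP7TVTcQrppUeHFwLHZp1PTiOyUuYVhhlpUWs3YhSuRj0OXqepVjbs3Uf/jQ==\n=3zRQ\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file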