| 1 Dec 2024 |
 freewalkr | should i use group jablotron as udev group? | 20:38:52 |
| freewalkr | * should i use group jablotron as udev rule group? | 20:39:03 |
| freewalkr | * should i use group jablotron as udev rule GROUP? | 20:39:13 |
 @hexa:lossy.network | that is what I would do | 20:39:13 |
| @hexa:lossy.network | root/jablotron | 20:39:19 |
| @hexa:lossy.network | then 660 | 20:39:23 |
| @hexa:lossy.network | and group membership delegates access to the device | 20:39:37 |
| freewalkr | well it didn't fix the problem
i guess it maybe something like integration keeps reading from dead file descriptor or something | 20:49:36 |
| freewalkr | * well it didn't fix the problem
i guess it may be something like integration keeps reading from dead file descriptor or something | 20:49:46 |
| @hexa:lossy.network | yeah, plausible | 20:49:47 |
| @hexa:lossy.network | best to talk to the componentn maintainer | 20:50:08 |
| @hexa:lossy.network | on permission error, try to reopen the device | 20:50:42 |
| freewalkr | retard move (at least it works for now)
services.udev.extraRules =
''ACTION=="add", KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ''
+ ''ATTRS{idVendor}=="16d6", ATTRS{idProduct}=="0008", ''
+ ''MODE="0660", OWNER="hass", GROUP="hass", SYMLINK+="jablotron", ''
+ ''RUN+="/bin/sh -c 'systemctl restart home-assistant.service'"''
| 21:32:56 |
| @hexa:lossy.network | 🤡 | 21:33:34 |
| 2 Dec 2024 |
 spacekitteh | ok i've created a nixos module for an openthread border router, any feedback?
{
config,
pkgs,
lib,
...
}:
{
options.services.openthread-border-router = {
enable = lib.mkEnableOption "Enable an OpenThread Border Router";
package = lib.mkOption {
type = lib.types.package;
description = "The OpenThread Border Router package to use";
default = pkgs.otbr-posix;
};
radioProtocol = lib.mkOption {
description = "The protocol used to connect to the radio coprocessor";
default = "spinel+hdlc+uart://";
type = lib.types.string;
};
radioDevice = lib.mkOption {
description = "The device file for the radio coprocessor";
example = "/dev/ttyUSB0";
type = lib.types.path;
};
infrastructureInterface = lib.mkOption {
description = "The IPv6 interface to bridge the Thread network to";
example = "eth0";
type = lib.types.string;
};
logLevel = lib.mkOption {
description = "The log level";
type = lib.types.ints.between 1 7;
default = 5;
};
threadInterface = lib.mkOption {
description = "The Thread interface name to create";
default = "wpan0";
type = lib.types.string;
};
openFirewall = lib.mkOption {
description = "Open the firewall port for the server's REST API";
default = true;
type = lib.types.bool;
};
};
config =
let
cfg = config.services.openthread-border-router;
otbr = cfg.package;
threadInterface = cfg.threadInterface;
accessInterface = cfg.infrastructureInterface;
forwardIngressChain = "OTBR_FORWARD_INGRESS";
in
lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 8081 ];
systemd.services.otbr = {
serviceConfig = {
AmbientCapabilities = [
"CAP_NET_ADMIN"
"CAP_NET_RAW"
];
CapabilityBoundingSet = [
"CAP_NET_ADMIN"
"CAP_NET_RAW"
];
};
script =
let
radioURI = "${cfg.radioProtocol}${cfg.radioDevice}";
in
"${otbr}/bin/otbr-agent --verbose -d ${builtins.toString cfg.logLevel} -I ${threadInterface} -B ${accessInterface} ${radioURI} trel://${accessInterface}";
path = [
otbr
pkgs.ipset
pkgs.iptables
];
postStop = ''
ipset_destroy_if_exist()
{
if ipset list "$1"; then
ipset destroy "$1"
fi
}
while ip6tables -C FORWARD -o ${threadInterface} -j ${forwardIngressChain}; do
ip6tables -D FORWARD -o ${threadInterface} -j ${forwardIngressChain}
done
if ip6tables -L ${forwardIngressChain}; then
ip6tables -w -F ${forwardIngressChain}
ip6tables -w -X ${forwardIngressChain}
fi
ipset_destroy_if_exist otbr-ingress-deny-src
ipset_destroy_if_exist otbr-ingress-deny-src-swap
ipset_destroy_if_exist otbr-ingress-allow-dst
ipset_destroy_if_exist otbr-ingress-allow-dst-swap
'';
preStart = ''
ipset create -exist otbr-ingress-deny-src hash:net family inet6
ipset create -exist otbr-ingress-deny-src-swap hash:net family inet6
ipset create -exist otbr-ingress-allow-dst hash:net family inet6
ipset create -exist otbr-ingress-allow-dst-swap hash:net family inet6
ip6tables -N ${forwardIngressChain}
ip6tables -I FORWARD 1 -o ${threadInterface} -j ${forwardIngressChain}
ip6tables -A ${forwardIngressChain} -m pkttype --pkt-type unicast -i ${threadInterface} -j DROP
ip6tables -A ${forwardIngressChain} -m set --match-set otbr-ingress-deny-src src -j DROP
ip6tables -A ${forwardIngressChain} -m set --match-set otbr-ingress-allow-dst dst -j ACCEPT
ip6tables -A ${forwardIngressChain} -m pkttype --pkt-type unicast -j DROP
ip6tables -A ${forwardIngressChain} -j ACCEPT
'';
};
};
}
| 04:45:59 |
|  xenos76 joined the room. | 19:55:44 |
|  ethan joined the room. | 22:51:10 |
| 3 Dec 2024 |
| spacekitteh | Ooh actually I need to add some assertions to it to check that avahi is enabled and configured correctly | 02:21:01 |
| @hexa:lossy.network | the default nixos firewall uses nftables | 02:22:11 |
| @hexa:lossy.network | and boy that is a lot of vendor specific lingo | 02:22:29 |
| @hexa:lossy.network | * and I don't really understand otbr, so I hard to comment on the rest | 02:23:07 |
| @hexa:lossy.network | to unclutter it a bit you could
let
inherit (lib)
mkEnableOption
mkOption
mkPackageOption
types
;
in
| 02:23:48 |
| @hexa:lossy.network | you can also put the config let scope outside the module | 02:24:27 |
| @hexa:lossy.network | having two let blocks doesn't really have a positive benefit | 02:24:37 |
| @hexa:lossy.network | it just creates another scope, which has a cost | 02:24:49 |
| spacekitteh | In reply to @hexa:lossy.network
the default nixos firewall uses nftables Unfortunately, otbr uses iptables and ipset :( | 05:04:39 |
| spacekitteh | In reply to @hexa:lossy.network
it just creates another scope, which has a cost Right, I forget it's an interpreted language lol | 05:05:14 |
| 4 Dec 2024 |
|  mckr joined the room. | 05:21:37 |
|  nmrshll joined the room. | 15:01:00 |
| @hexa:lossy.network | hm great | 19:37:19 |
