Learn NixOS by turning a Raspberry Pi into a Wireless Router

I recently moved, and my new place has a relatively small footprint. (Yes, I moved during the COVID-19 pandemic. And yes, it was crazy.) I quickly realized that was going to need a wireless router of some sort, or more formally, a wireless access point (WAP). Using my Ubuntu laptop's "wireless hotspot" capability was a nice temporary solution, but it had a few serious drawbacks.

Drawbacks of hotspotting with a laptop

  • The wireless internet goes out whenever I would travel with the laptop,
  • The laptop had to be close to the modem, so that it could be plugged into ethernet, making my laptop not even portable within the apartment,
  • The SSID was my laptop's hostname,
  • The WPA password would be set to a random string whenever the hotspot was started, and so
  • Whenever I moved my laptop I would also need to reset the credentials on all of my wireless devices!

Additionally, some of my coworkers are Nix true believers. While I had read the NixOS docs, I had never actually taken it for a spin. Consider this my first few steps down the /etc/nixos path, because, while I lacked a WiFi router, I did have an errant Raspberry Pi 3B+ lying around...

Too Long; Didn't Read

Be sure to fill out the SSID and WPA passphrase in the file below.

/etc/nixos/configuration.nix

{ config, pkgs, lib, ... }:
{
  # NixOS wants to enable GRUB by default
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;

  # use an older kernel, so that we can actually boot
  boot.kernelPackages = pkgs.linuxPackages_4_19;

  # Needed for the virtual console to work on the RPi 3, as the default of 16M
  # doesn't seem to be enough. If X.org behaves weirdly (I only saw the cursor)
  # then try increasing this to 256M.
  boot.kernelParams = ["cma=32M"];

  # File systems configuration for using the installer's partition layout
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
  };

  # Recommended swap file is optional
  swapDevices = [ { device = "/swapfile"; size = 1024; } ];

  # packages
  environment.systemPackages = with pkgs; [ hostapd dnsmasq bridge-utils ];

  # add wireless service
  hardware.enableRedistributableFirmware = true;
  networking.wireless.enable = true;

  # set up wireless access point
  networking.networkmanager.unmanaged = [ "interface-name:wlan*" ]
    ++ lib.optional config.services.hostapd.enable "interface-name:${config.services.hostapd.interface}";
  services.hostapd = {
    enable = true;
    interface = "wlan0";
    hwMode = "g";
    ssid = "<YOUR NETWORK NAME HERE>";
    wpaPassphrase = "<YOUR PASSWORD HERE>";
  };

  # set up wireless static IP address
  networking.interfaces.wlan0.ip4 = lib.mkOverride 0 [ ];
  networking.interfaces.wlan0.ipv4.addresses =
    lib.optionals config.services.hostapd.enable [{ address = "192.168.0.1"; prefixLength = 24; }];

  # set up wireless DNS
  services.dnsmasq = lib.optionalAttrs config.services.hostapd.enable {
    enable = true;
    extraConfig = ''
      interface=wlan0
      bind-interfaces
      dhcp-range=192.168.0.10,192.168.0.254,24h
    '';
  };
  networking.firewall.allowedUDPPorts = lib.optionals config.services.hostapd.enable [53 67];
  services.haveged.enable = config.services.hostapd.enable;

  # Finally, bridge ethernet and wifi
  networking.bridges.br0.interfaces = [ "eth0" "wlan0" ];
}

Learning to use Nix

Nix is great! Its mental model is really neat and there are some fantastic ideas under the covers. However, the documentation has some glaring holes. It almost all cases it either assumes that:

  1. You already know how to use Nix, or
  2. You already are on a Nix machine.

This makes it very frustrating to actually get started, especially on non-standard hardware such as the Raspberry Pi. A lot of these issues can be smoothed over by a friend who can act as your spirit guide. I write this as someone who has been a Linux user for 20 years and who works on open source packaging problems (conda-forge).

The following are some basic Nix tips for helping get you started.

Don't use nix-env

The first bit of philosophy to understand is that while much of the Nix documentation touts the functional nature of its underlying language, the important aspect of Nix is that it is declarative.

Nix wants you to specify the configuration and layout of your Operating System (OS) ahead of time in a relatively static way. This is very different from how other Linux distributions operate, which assume that you will procedurally build up your system from various available components, as needed. The declarative approach has advantages & disadvantages.

Advantages:

  • You can write out exactly what your OS is in a single text file (see above).
  • Your OS can be built and tested before booting into it.
  • Errors in configuration are caught and tested during the build process.

Disadvantages:

  • You have to know what you want in your OS before you build it.
  • Changes to the OS configuration require a rebuild.

In many cases, the advantages here outweigh the disadvantages. It is without question that Docker, CoreOS, and conda all owe a lot of conceptual inspiration to the work Nix has been performing for years.

Of course, even a functional OS has to have an escape valve. This is called nix-env and is a command line utility for creating & managing environments (a collection of packages) in an existing OS.

Warning

Do not use nix-env!

We want to create a dedicated device that, when it boots up, is a WAP. To this end, it is important that we declare everything in the configuration file. If we start creating environments willy-nilly, we won't obtain the proper boot behavior. This is very different from procedural OSes, where you can modify live configuration files that affect boot processes. Not so here! All boot config needs to be declared!

(Unfortunately, much of the Nix documentation uses nix-env, because it assumes that you are a user on an existing Nix box just trying things out.)

The configuration.nix file

So where does this mysterious OS configuration file live? Well, the full path to this file is /etc/nixos/configuration.nix. It is written in the Nix language, and is used by the nixos-rebuild command line tool. We'll see this tool later to build the router's OS.

Again, unfortunately, when people report bugs or list a configuration snippet, they are almost always referring to this file. However, they don't specify that they are talking about this file. It is just known.

Now you know too.

You need to be root (which is shockingly easy)

Another issue that is not clear from the docs is that any serious command you might want to run needs to be run as root (or another user in the wheel group). However, the default aarch64 image boots into a user named nixos. This requires you to sudo su to become the root user to run rebuild commands (or any of the commands prefixed by sudo).

Also, oddly, in the initial image neither the nixos nor the root user have passwords. So you end up running sudo without needing a password. You will probably want to set a password with the passwd utility, or via user management in /etc/nixos/configuration.nix.

First Boot!

Assuming you have the SD card for your Raspberry Pi handy, take it out of the Pi and plug it into another (Linux) computer. We are going to need to flash it with a basic NixOS. You can find generic instructions for NixOS on a Raspberry PI here and instructions for NixOS on ARM here. However, I'll summarize the important bits here.

First, go to the 19.09 aarm64 landing page and download the latest NixOS image. It will be called something like nixos-sd-image-19.09.2435.9642f121eb1-aarch64-linux.img. We'll assume this is in your ~/Downloads folder.

Second, figure out what device your SD card is. If you just plugged it in, you can determine this by looking at the end of the output of the dmesg command. For example,

$ dmesg
[ 4591.053095] usb 3-10: new high-speed USB device number 5 using xhci_hcd
[ 4591.201911] usb 3-10: New USB device found, idVendor=14cd, idProduct=168a, bcdDevice= 0.01
[ 4591.201915] usb 3-10: New USB device strings: Mfr=1, Product=3, SerialNumber=2
[ 4591.201917] usb 3-10: Product: USB Mass Storage Device
[ 4591.201919] usb 3-10: Manufacturer: USB Device
[ 4591.201921] usb 3-10: SerialNumber: 816820130806
[ 4591.202955] usb-storage 3-10:1.0: USB Mass Storage device detected
[ 4591.203140] scsi host10: usb-storage 3-10:1.0
[ 4592.205933] scsi 10:0:0:0: Direct-Access     USB Mass  Storage Device  1.00 PQ: 0 ANSI: 0
[ 4592.206338] sd 10:0:0:0: Attached scsi generic sg1 type 0
[ 4592.207288] sd 10:0:0:0: [sdb] 31116288 512-byte logical blocks: (15.9 GB/14.8 GiB)
[ 4592.207421] sd 10:0:0:0: [sdb] Write Protect is off
[ 4592.207425] sd 10:0:0:0: [sdb] Mode Sense: 03 00 00 00
[ 4592.207561] sd 10:0:0:0: [sdb] No Caching mode page found
[ 4592.207567] sd 10:0:0:0: [sdb] Assuming drive cache: write through
[ 4592.212993]  sdb: sdb1 sdb2
[ 4592.214220] sd 10:0:0:0: [sdb] Attached SCSI removable disk

This let's us know that the SD card is the /dev/sdb device and has two partitions. Yours might be called /dev/sdc or something similar. It also might have more than two partitions. That is totally normal at this step.

Third, we need to copy the NixOS image over to the SD card. We'll do this with the dd command. The SD card should not be mounted right now. Run the following command with the path to the image and the SD card device replaced as appropriate.

$ sudo dd if=~/Downloads/nixos-sd-image-19.09.2435.9642f121eb1-aarch64-linux.img of=/dev/sdb

Great! At this point, we have now flashed the SD card with our new NixOS!

Fourth, it will save us a lot of typing if we copy over an existing configuration file to the SD card. Copy the text of the /etc/nixos/configuration.nix file at the top of this article to a new file, let's call it ~/Downloads/config.nix. Fill in this file with the SSID and password that you want your network to have. Then, run the following commands to copy the configuration file to the SD card. Again, modify the paths here as needed.

$ mkdir -p ~/mount
$ sudo mount /dev/sdb2 ~/mount
$ sudo mkdir -p ~/mount/etc/nixos
$ sudo cp ~/Downloads/config.nix ~/mount/etc/nixos/configuration.nix
$ sudo umount ~/mount

Fifth, now unplug the SD card from your main machine, plug it into the Raspberry Pi! Attach the ethernet, keyboard, monitor, and power supply to the Pi you will be booting up into your first NixOS! 🎉

Build the Router OS

The operating system that we have just booted into on the Raspberry Pi is a generic image that does not use the configuration file that we copied over. We need the Nix tools to be able to build the image. Luckily, we are now on a Nix machine!

Sixth, we need to be root to run a lot of these tools. However, we booted into the nixos user. To make the rest of the process easier, let's just log in as root with the following:

$ sudo su

Seventh, now let's verify that we have a working internet connection and that the network devices exist. To do so, start with a simple ping that should looks like`

$ ping 8.8.8.8 -c 3
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=19.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=19.3 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=55 time=24.2 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 19.098/20.847/24.154/2.345 ms

If you only see packet loss, then this means you do not have internet on the Pi and you cannot proceed. Nix requires internet access to build in all realistic scenarios.

Next run the ifconfig command and verify that both eth0 (the ethernet device) and wlan0 (the wireless device) exist.

$ ifconfig
...
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 37.128.100.42  netmask 255.255.255.0
        ...
wlan0: ...
...

Eighth, we finally get to build the new OS for our router! We do this with the nixos-rebuild command. All you have to do is run the following command and watch the text scroll by.

$ nixos-rebuild switch -v

Ninth, we can now reboot into our router! Just run:

$ reboot

The default boot option has been changed to be the OS we just built, which is the same as the second option in the bootloader's listing. The original image will be the last boot option (which for various reasons says it is from 1970). This allows us to always get back to a working NixOS to do another nixos-rebuild if something went terribly wrong and we need to do another rebuild. For example, this could happen if there was a typo in the configuration file. If you ever modify /etc/nixos/configuration.nix, you'll need to rebuild & reboot. The rebuild & reboot cycle is the fundamental implication of having a declarative OS.

Tenth, if you want to verify that everything is working on your router after reboot, you can log in as root and run ifconfig again. This time, you should see eth0, wlan0, and br0 devices. Of course, the ping command should work too.

Eleventh, you should now be able to connect a wireless device like a phone or a laptop to your shiny new WAP!

Deep dive into configuration.nix

For the truly inquisitive who are still reading, let's break down what the different parts of the configuration file actually mean, and how they help define our wireless router.

Bootloader

boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;

These lines are part of the standard ARM configuration and help speed up the boot process a bit by disabling the fancy GRUB bootloader.

Older Kernel

boot.kernelPackages = pkgs.linuxPackages_4_19;

This line pins our packages to use and older version of the Linux kernel (v4.19). This is super critical because, without this line, nixos-rebuild will end up grabbing a kernel in the v5.x series. Unfortunately, the Raspberry Pi 3 has problems starting up these more recent kernels and the Pi will hang indefinitely on boot. Using an older kernel version avoids this problem for the time being.

Console Memory

boot.kernelParams = ["cma=32M"];

This line gives the console more memory than the default value of 16 MB. The Raspberry Pi seems to need this.

Partition Layout

fileSystems = {
  "/" = {
    device = "/dev/disk/by-label/NIXOS_SD";
    fsType = "ext4";
  };
};

The above specifies where the root file system lives. It is part of the standard ARM configuration.

Swap

swapDevices = [ { device = "/swapfile"; size = 1024; } ];

This line gives the machine some extra virtual memory, which is always a good idea.

Router packages

environment.systemPackages = with pkgs; [ hostapd dnsmasq bridge-utils ];

Unlike procedural OSes, we list all of the packages that we need inside the configuration file itself. This ensures that our router is running exactly the software that we want it to. In this case, we only need three packages to enable the Pi to act as an access point, provide a domain name service, and bridge the ethernet and the WiFi device.

For comparison, in Ubuntu, we would install these packages after we installed Ubuntu itself. In Nix, we install the OS and the packages at the same time!

Enable the wireless device

hardware.enableRedistributableFirmware = true;
networking.wireless.enable = true;

These lines simply allow the wireless card to be used on the Raspberry Pi in the simplest possible way.

Set up the wireless access point

networking.networkmanager.unmanaged = [ "interface-name:wlan*" ]
  ++ lib.optional config.services.hostapd.enable "interface-name:${config.services.hostapd.interface}";
services.hostapd = {
  enable = true;
  interface = "wlan0";
  hwMode = "g";
  ssid = "<YOUR NETWORK NAME HERE>";
  wpaPassphrase = "<YOUR PASSWORD HERE>";
};

Because we are installing the router packages along with the OS, we also need to configure these packages at the same time we configure the OS itself. The first line here tells Nix not to use normal networking management on the wlan0 device. This is because we'll be managing it as a WAP ourselves.

The remaining lines configure the access point, including the SSID and password for the wireless network.

Set up wireless static IP address

networking.interfaces.wlan0.ip4 = lib.mkOverride 0 [ ];
networking.interfaces.wlan0.ipv4.addresses =
  lib.optionals config.services.hostapd.enable [{ address = "192.168.0.1"; prefixLength = 24; }];

Now, we would like the router itself to have a consistent IP address. We set this in the second line above as 192.168.0.1, though any value in 192.168.x.x would work equally well. However, just providing the static IP on its own is not enough. This is because NixOS will verify that wlan0 does not have an IP address during the nixos-rebuild process. Since we are giving wlan0 an IP address, we need to turn off the IP address checking. If we do not remove this verification, the whole OS build process will fail. The first line in the above snippet removes this check with the mkOverride function.

Set up the wireless DNS

services.dnsmasq = lib.optionalAttrs config.services.hostapd.enable {
  enable = true;
  extraConfig = ''
    interface=wlan0
    bind-interfaces
    dhcp-range=192.168.0.10,192.168.0.254,24h
  '';
};
networking.firewall.allowedUDPPorts = lib.optionals config.services.hostapd.enable [53 67];
services.haveged.enable = config.services.hostapd.enable;

The collection of lines above allows the wlan0 device to operate as a domain name server, proxying a real DNS online. It also sets the range of IP addresses that the router will issue to other network devices. This is seen in the dhcp-range=192.168.0.10,192.168.0.254 portion. The first IP address is the lowest address the router will issue, and the second IP address is the highest.

Bridge ethernet and wifi

networking.bridges.br0.interfaces = [ "eth0" "wlan0" ];

Lastly, we 'bridge' the ethernet and wireless devices. This allows network traffic to flow through the eth0 connection and into the wlan0.

Reflections

This was a really fun weekend project! I certainly learned a lot about Nix, Raspberry Pis, and about how to set up various parts of the Linux networking stack that I had never explored before. My main wish in this process was that Nix had better documentation that was more aimed at,

  1. People who had never used Nix before, and
  2. People who are trying to build dedicated devices.

A lot of the Nix documentation seems to be aimed at a very particular kind of desktop user: someone who already has Nix installed! Such users represent an important use case, and the nix build configurations are easy enough to read. However, I definitely think there is on-boarding improvement work to be done in the Nix ecosystem.

So, will I ever go back? I don't think so! This router was so cheap (~$40) and the Raspberry Pi 3B+ is so powerful that I get amazing performance throughout my entire apartment. If it ever breaks, the Pi will be trivial to replace. I am really happy with what I created. Even if this little project isn't original, it solves a real problem in my day-to-day life.

In terms of NixOS as a Linux distribution, I think I now am totally on board. Nix has so many incredible advantages that (as a control freak who builds his own WiFi router) I just can't ignore or give up. The feature of Ubuntu that was keeping me on that distribution for so long was that "it just works" © ®.

But Nix "just works" too. The only catch is that you need to know what "it" is that you want working ahead of time. I am also comfortable with responsibly using environments, so I think that increases my willingness to jump into a new OS framework. I am a little worried about moving from Ubuntu to Nix on an existing machine, but that is what external hard drive backups are for!

That is all folks! Thanks for reading 👋

Comments