# Wi-Fi access point for this host: a static /24 on the Wi-Fi interface,
# nftables glue for that interface, an ISC dhcpd serving the subnet, and a
# hostapd WPA2-PSK access point on 2.4 GHz (802.11n stations only).
{ pkgs, lib, hostName, ... }:
# Presumably provides wifiIface, wifiIPv4 and the eth*Iface names used below.
with (import ./names-and-numbers.nix);
# Presumably provides wpaPassphrase; the ".clear" suffix suggests this is the
# decrypted counterpart of a secrets file. With two `with` scopes, a name
# defined in both files resolves to this (innermost) one.
with (import ./names-and-numbers.nix.clear);
{
  imports = [
    ../../../nixos/profiles/networking/wifi.nix
  ];
  networking.interfaces = {
    ${wifiIface} = {
      # The AP is the .1 gateway of the subnet; no DHCP client on this side.
      useDHCP = false;
      ipv4.addresses = [{ address = "${wifiIPv4}.1"; prefixLength = 24; }];
      ipv4.routes = [
        {
          address = "${wifiIPv4}.0";
          prefixLength = 24;
          # Per-route TCP congestion-control choice for traffic to this subnet.
          options = { congctl = "westwood"; };
        }
      ];
    };
  };
  # Appended after the base ruleset (lib.mkAfter). Traffic on the Wi-Fi
  # interface is handed to the input-lan / output-lan chains, which are
  # defined outside this file (presumably by the imported wifi profile);
  # anything they do not accept is logged, counted and dropped.
  # Forwarding between the three wired interfaces and the Wi-Fi interface is
  # accepted unconditionally in both directions. Forwarding from Wi-Fi to any
  # other interface is not matched here and is left to whatever the base
  # forward chain does.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input {
        iifname ${wifiIface} jump input-lan
        iifname ${wifiIface} log level warn prefix "input-lan: " counter drop
      }
      chain output {
        oifname ${wifiIface} jump output-lan
        oifname ${wifiIface} log level warn prefix "output-lan: " counter drop
      }
      chain forward-to-wifi {
        accept
      }
      chain forward-from-wifi {
        accept
      }
      chain forward {
        iifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname ${wifiIface} goto forward-to-wifi
        iifname ${wifiIface} oifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-wifi
      }
    }
  '';

  # Keep NetworkManager's hands off the AP interface; it is configured above.
  networking.networkmanager.unmanaged = [ wifiIface ];
  # If dhcpd fails, re-trigger the unit that assigns the Wi-Fi interface's
  # addresses — presumably because dhcpd cannot start before the .1 address
  # is up; confirm against the unit ordering.
  systemd.services.dhcpd4.onFailure = [ "network-addresses-${wifiIface}.service" ];
  # DHCP for Wi-Fi clients: leases .100–.200, with this host as both
  # resolver and default gateway.
  services.dhcpd4 = {
    enable = true;
    interfaces = [ wifiIface ];
    extraConfig = ''
      subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
        range ${wifiIPv4}.100 ${wifiIPv4}.200;
        option broadcast-address ${wifiIPv4}.255;
        option domain-name-servers ${wifiIPv4}.1;
        option routers ${wifiIPv4}.1;
        option subnet-mask 255.255.255.0;
      }
    '';
  };
  # iw dev wlp5s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  # Always restart hostapd; the short StartLimitIntervalSec keeps systemd's
  # start-rate limiter from giving up on a flapping radio.
  systemd.services.hostapd = {
    unitConfig.StartLimitIntervalSec = 5;
    serviceConfig.Restart = "always";
  };
  services.hostapd = {
    enable = true;
    logLevel = 2;
    interface = wifiIface;
    # 0 means the AP will search for the channel with the least interferences (ACS)
    channel = 0;
    # a=5GHz, g=2.4GHz
    hwMode = "g";
    ssid = hostName;
    # WPA2-PSK; the passphrase comes from the `with` import above.
    # NOTE(review): passed as a plain Nix value, it is written into the
    # generated hostapd.conf, which likely lands in a world-readable
    # /nix/store path — confirm whether that is acceptable here.
    wpa = true;
    inherit wpaPassphrase;
    countryCode = "FR";
    # Raw hostapd.conf lines. Reader notes on the security-relevant ones:
    #  - ignore_broadcast_ssid=1 only omits the SSID from beacons; it is still
    #    carried in probe/association frames, so it is not an access control.
    #  - macaddr_acl=0 accepts any station not on a deny list (no MAC allow-list).
    #  - wpa_pairwise/rsn_pairwise=CCMP allow AES-CCMP only (no TKIP).
    #  - eap_reauth_period applies to 802.1X/EAP and is inert with WPA-PSK.
    #  - require_ht=1 rejects stations that cannot do 802.11n.
    #  - NOTE(review): management frame protection (ieee80211w) is not set and
    #    so takes hostapd's default (disabled); consider enabling it.
    extraConfig = ''
      driver=nl80211
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery trafic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      disassoc_low_ack=1
      ignore_broadcast_ssid=1
      macaddr_acl=0

      # WPA2
      #auth_algs=0 # 0=noauth, 1=wpa, 2=wep, 3=both
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See per band "Capabilities:" section in iw list
      ht_capab=[HT40+][SHORT-GI-40][MAX-AMSDU-3839][DSSS_CCK-40]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };

}