aubergine: nftables: fix DHCP renewal
{ pkgs, lib, hostName, ... }:
# Shared interface names and address prefixes. The `.clear` file is presumably
# the clear-text companion that supplies wpaPassphrase — TODO confirm it is
# kept out of any published tree.
with (import ./names-and-numbers.nix);
with (import ./names-and-numbers.nix.clear);
{
  imports = [
    ../../../nixos/profiles/networking/wifi.nix
  ];

  # Wifi side of this host: static gateway address plus networkd's built-in
  # DHCP server for the clients.
  systemd.network.networks."20-${wifiIface}" = {
    name = wifiIface;
    networkConfig.Address = "${wifiIPv4}.1/24";
    networkConfig.DHCPServer = true;
    dhcpServerConfig = {
      # Leases point clients at this host as their resolver.
      DNS = "${wifiIPv4}.1";
      EmitDNS = true;
      # Lease pool starts 100 addresses into the subnet and holds 20 of them
      # (i.e. .100–.119 of the /24).
      PoolOffset = 100;
      PoolSize = 20;
    };
    # Boot does not wait for the wifi link before the system counts as online.
    linkConfig.RequiredForOnline = "no";
    #routes = [
    #  {
    #    routeConfig = {
    #      Destination = "${wifiIPv4}.0/24";
    #      # FIXME: Not supported by nixos-23.11
    #      #TCPCongestionControlAlgorithm = "westwood";
    #    };
    #  }
    #];
  };

  # The AP interface belongs to systemd-networkd/hostapd, not NetworkManager.
  networking.networkmanager.unmanaged = [ wifiIface ];

  # Appended after the rest of the ruleset (mkAfter). The input-lan and
  # output-lan chains are not defined in this file; presumably they come from
  # a shared fragment — TODO confirm they accept the DHCP/DNS traffic of the
  # wifi clients, since anything they do not accept hits the log+drop rules.
  # NOTE(review): forward-to-wifi / forward-from-wifi accept unconditionally,
  # so wifi clients and the wired LANs reach each other without restriction in
  # both directions — confirm that is the intended trust relationship.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input {
        iifname ${wifiIface} jump input-lan
        iifname ${wifiIface} log level warn prefix "input-lan: " counter drop
      }
      chain output {
        oifname ${wifiIface} jump output-lan
        oifname ${wifiIface} log level warn prefix "output-lan: " counter drop
      }
      chain forward-to-wifi {
        accept
      }
      chain forward-from-wifi {
        accept
      }
      chain forward {
        iifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname ${wifiIface} goto forward-to-wifi
        iifname ${wifiIface} oifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-wifi
      }
    }
  '';

  # iw dev wlp5s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  # Bring hostapd back after any exit; the short start-limit window keeps the
  # unit from being held down by the default restart rate limit.
  systemd.services.hostapd.unitConfig.StartLimitIntervalSec = 5;
  systemd.services.hostapd.serviceConfig.Restart = "always";

  services.hostapd = {
    enable = true;
    radios.${wifiIface} = {
      band = "2g";
      # Regulatory domain: restricts channels and power to what France allows.
      countryCode = "FR";
      networks.${wifiIface} = {
        ssid = hostName;
        # Hiding the SSID is not an access control, so it is left off.
        #ignoreBroadcastSsid = "clear";
        authentication = {
          # FIXME: use wpa3-sae
          mode = "wpa2-sha256";
          #mode = "none";
          # FIXME: use wpaPasswordFile or saePasswordsFile
          # wpaPassword is written into the world-readable Nix store; the
          # *File variants keep the passphrase out of it.
          wpaPassword = wpaPassphrase;
        };
        logLevel = 2;
      };
      settings = {
        # Drop stations whose frames keep going unacknowledged.
        disassoc_low_ack = true;
      };
      wifi4 = {
        enable = true;
        # See per band "Capabilities:" section in `iw list`
        capabilities = [
          "DSSS_CCK-40"
          "HT40+"
          "MAX-AMSDU-3839"
          "SHORT-GI-40"
        ];
        # Stations without HT support are still admitted.
        require = false;
      };
    };
    /*
    Legacy raw hostapd configuration, kept for reference only (not evaluated).
    extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery traffic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      ignore_broadcast_ssid=1
      macaddr_acl=0
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1

      # WPA2
      #auth_algs=0 # 0=noauth, 1=wpa, 2=wep, 3=both
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See per band "Capabilities:" section in iw list
      ht_capab=[HT40+][SHORT-GI-40][MAX-AMSDU-3839][DSSS_CCK-40]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
    */
  };

}