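{ pkgs, lib, config, hosts, ... }:
# Wi-Fi access point ("bureau1") on the `iface` interface: hostapd drives the
# radio, ISC dhcpd and unbound serve the 192.168.6.0/24 clients, and the
# nftables chains below cover only that interface.
# `lib` and `hosts` are not used in this file.
let
  # Wireless interface the AP runs on, and the wired interface its clients
  # are forwarded to.
  iface = "wlp5s0";
  gateway = "enp2s0";
  #gateway = config.networking.defaultGateway.interface;
in
{
  environment.systemPackages = [
    pkgs.iw
  ];
  networking.interfaces.${iface} = {
    ipv4.addresses = [ { address = "192.168.6.1"; prefixLength = 24; } ];
  };
  # Not merged, even though all are 1
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;

  # Only the wifi-specific chains are declared here; `input`, `output` and
  # `forward` carry no `type filter hook ... priority ...` line, so this
  # fragment relies on those base chains (and, presumably, the conntrack and
  # NAT rules for the wifi subnet) being declared in another nftables fragment
  # of this host and merged by nft into `table inet filter` — TODO confirm.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-wifi {
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        # DHCPv4 is UDP (bootps = 67/udp); a `tcp dport bootps` match would let
        # client requests fall through to the logged drop below. Such a mismatch
        # can go unnoticed because ISC dhcpd reads the interface through a
        # packet socket, but the kernel still drops and logs the UDP packets.
        udp dport bootps counter accept comment "DHCP"
      }
      chain input {
        iifname ${iface} jump input-wifi
        iifname ${iface} log level warn prefix "input-wifi: " counter drop
      }

      chain output-wifi {
        counter accept
      }
      chain output {
        oifname ${iface} jump output-wifi
        oifname ${iface} log level warn prefix "output-wifi: " counter drop
      }

      chain forward {
        iifname ${iface} oifname ${gateway} counter accept
        iifname ${gateway} oifname ${iface} counter accept
      }
    }
  '';

  # Resolver for the wifi clients: listens on the AP address only and answers
  # only the wifi subnet.
  services.unbound.settings = {
    server = {
      interface = [ "192.168.6.1" ];
      access-control = ["192.168.6.0/24 allow"];
      local-zone = [
        "tracking.intl.miui.com always_refuse"
        "sourcephile.fr typetransparent"
      ];
      local-data = [
        "\"bureau1.sourcephile.fr A 192.168.6.1\""
      ];
    };
  };

  networking.wlanInterfaces.${iface} = {
    device = "phy0";
  };

  /*
  networking.networkmanager.unmanaged = [
    "interface-name:phy0"
    "interface-name:${iface}"
  ];
  */

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    logLevel = 2;
    interface = iface;
    hwMode = "g";
    ssid = "bureau1";
    wpa = true;
    # SECURITY: this literal ends up in the generated hostapd.conf inside the
    # world-readable Nix store (and in this repository). Prefer keeping the PSK
    # out of the store — hostapd's `wpa_psk_file` pointing at a root-only file
    # is one option — and rotate the current value. TODO
    wpaPassphrase = "bidonpoissonmaisonronron";
    countryCode = "FR";
    # hostapd's config parser does not appear to strip trailing `#` comments
    # (a value written as `2 # ...` is only read correctly because atoi() stops
    # at the first non-digit), so comments are kept on their own lines here.
    extraConfig = ''
      # WLAN
      beacon_int=100
      # DTIM (Delivery Traffic Indication Message) period, in beacon intervals
      dtim_period=2
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      # IEEE 802.11 authentication algorithms, bit field:
      # bit 0 (1) = Open System, bit 1 (2) = Shared Key (WEP only), 3 = both.
      # Open System is what WPA/WPA2 use.
      auth_algs=1
      # 0 = accept unless in deny list (no MAC filtering here)
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      # only meaningful for EAP (802.1X) authentication; no effect with WPA-PSK
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400
      # Management-frame protection (ieee80211w) is not enabled; consider
      # ieee80211w=1 (optional) once the clients are known to support it.

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };

  # Order dhcpd after the AP interface exists and carries its address,
  # presumably because it cannot bind to the interface before then.
  systemd.services."dhcpd4" = {
    after = [ "network-addresses-${iface}.service" ];
    requires = [
      "network-addresses-${iface}.service"
      "sys-subsystem-net-devices-${iface}.device"
    ];
  };
  # DHCPv4 for the wifi subnet: the AP itself is router and resolver,
  # leases are handed out from .100 to .200.
  services.dhcpd4 = {
    enable = true;
    interfaces = [ iface ];
    extraConfig = ''
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.6.255;
      option routers 192.168.6.1;
      option domain-name-servers 192.168.6.1;
      subnet 192.168.6.0 netmask 255.255.255.0 {
        range 192.168.6.100 192.168.6.200;
      }
    '';
  };

  #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
  /*
  # Sometimes slow connection speeds are attributed to absence of haveged.
  services.haveged.enable = true;
  */

  /*

  systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
  in {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
      ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.6.0/24 ! -o wlan-ap0 -j MASQUERADE
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.6.0/24 -j ACCEPT
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.6.0/24 -j ACCEPT
    '';
  };
  */
}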