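# NixOS module turning this host into a 2.4 GHz WiFi access point whose
# clients are routed (not bridged) to the wired LAN interfaces eth1..eth3.
#
# Interface names, the ${wifiIPv4} /24 prefix and wpaPassphrase all come from
# the two imported names-and-numbers files; the `.clear` variant is presumably
# the unencrypted one holding the passphrase — confirm how it is produced and
# that it is not committed in clear text.
{ pkgs, lib, hostName, ... }:
with (import ./names-and-numbers.nix);
with (import ./names-and-numbers.nix.clear);
{
  imports = [ ../../../nixos/profiles/networking/wifi.nix ];

  # AP-side address: ${wifiIPv4}.1/24, statically assigned (no DHCP client).
  networking.interfaces.${wifiIface} = {
    useDHCP = false;
    ipv4.addresses = [{ address = "${wifiIPv4}.1"; prefixLength = 24; }];
    ipv4.routes = [
      {
        address = "${wifiIPv4}.0";
        prefixLength = 24;
        # Per-route TCP congestion control for the wireless subnet.
        options = { congctl = "westwood"; };
      }
    ];
  };

  # Wireless-facing firewall rules, appended after the base ruleset. The
  # input-lan / output-lan chains jumped to here are not defined in this file;
  # they are expected from the base ruleset (profile or another module).
  #
  # Logging of what those chains did not accept is rate-limited: wireless
  # clients are the least trusted peers of this host and unlimited per-packet
  # logging lets any of them flood the journal. The limit gates only the log
  # rule; the separate `counter drop` rule still counts and drops everything.
  #
  # NOTE(review): forward-to-wifi / forward-from-wifi accept unconditionally,
  # so every associated wireless client gets the same reach into eth1..eth3 as
  # a wired host (and vice versa). Tighten these two chains if the WiFi is
  # meant to be a guest or IoT segment.
  networking.nftables.ruleset = lib.mkAfter ''
    table inet filter {
      chain input {
        iifname ${wifiIface} jump input-lan
        iifname ${wifiIface} limit rate 6/minute burst 10 packets log level warn prefix "input-lan: "
        iifname ${wifiIface} counter drop
      }
      chain output {
        oifname ${wifiIface} jump output-lan
        oifname ${wifiIface} limit rate 6/minute burst 10 packets log level warn prefix "output-lan: "
        oifname ${wifiIface} counter drop
      }
      chain forward-to-wifi {
        accept
      }
      chain forward-from-wifi {
        accept
      }
      chain forward {
        iifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname ${wifiIface} goto forward-to-wifi
        iifname ${wifiIface} oifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-wifi
      }
    }
  '';

  # Keep NetworkManager away from the AP interface; hostapd owns it.
  networking.networkmanager.unmanaged = [ wifiIface ];

  # If dhcpd fails (presumably because the interface address was not up yet
  # when it bound), re-run the address setup unit for the interface.
  systemd.services.dhcpd4.onFailure = [ "network-addresses-${wifiIface}.service" ];

  # DHCP for wireless clients: .100-.200, default route and DNS pointed at the
  # AP address. NOTE(review): nothing in this file starts a resolver on
  # ${wifiIPv4}.1 — confirm one listens there (and is reachable through
  # input-lan), otherwise clients get a dead DNS server.
  services.dhcpd4 = {
    enable = true;
    interfaces = [ wifiIface ];
    extraConfig = ''
      subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
        range ${wifiIPv4}.100 ${wifiIPv4}.200;
        option broadcast-address ${wifiIPv4}.255;
        option domain-name-servers ${wifiIPv4}.1;
        option routers ${wifiIPv4}.1;
        option subnet-mask 255.255.255.0;
      }
    '';
  };

  # Inspect associated stations with: iw dev wlp5s0 station dump
  # Option reference: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  systemd.services.hostapd = {
    # Always restart; with a 5 s start-limit window the default burst cannot
    # permanently block the unit after a string of quick failures.
    unitConfig.StartLimitIntervalSec = 5;
    serviceConfig.Restart = "always";
  };

  services.hostapd = {
    enable = true;
    logLevel = 2;
    interface = wifiIface;
    # 0 = automatic channel selection (ACS): use the least-interfered channel.
    channel = 0;
    # a = 5 GHz, g = 2.4 GHz
    hwMode = "g";
    ssid = hostName;
    wpa = true;
    # SECURITY: the passphrase is taken from the imported names file and is
    # written verbatim into the generated hostapd.conf, which lives in the
    # world-readable Nix store. Treat the store of this host (and any binary
    # cache it pushes to) as containing the WiFi key.
    inherit wpaPassphrase;
    countryCode = "FR";
    # Notes on the security-relevant settings below:
    #  - ignore_broadcast_ssid=1 only hides the name from beacons. It is not
    #    an access control: the SSID is still sent in clear text in probe and
    #    association frames, and clients configured for a hidden network
    #    probe for it wherever they roam.
    #  - macaddr_acl=0 accepts any station not on a deny list; no list is
    #    configured here, so MAC filtering is effectively off (which is fine,
    #    MAC filtering is not a security boundary anyway).
    #  - WPA2-PSK with CCMP only; management frames are not protected. If the
    #    driver supports it (see `iw list`), `ieee80211w=1` would blunt
    #    deauth/disassoc spoofing — TODO verify client compatibility first.
    extraConfig = ''
      driver=nl80211
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery trafic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      disassoc_low_ack=1
      ignore_broadcast_ssid=1
      macaddr_acl=0
      # WPA2
      #auth_algs=0 # 0=noauth, 1=wpa, 2=wep, 3=both
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400
      # N-WLAN
      ieee80211n=1
      # See per band "Capabilities:" section in iw list
      ht_capab=[HT40+][SHORT-GI-40][MAX-AMSDU-3839][DSSS_CCK-40]
      require_ht=1
      obss_interval=0
      # 802.11ac support
      ieee80211ac=0
    '';
  };
}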