-{ pkgs, lib, config, hostName, ... }:
+{ pkgs, lib, hostName, ... }:
with (import ./names-and-numbers.nix);
+with (import ./names-and-numbers.nix.clear);
{
-environment.systemPackages = [
- pkgs.iw
-];
-networking.interfaces = {
- ${wifiIface} = {
- useDHCP = false;
- ipv4.addresses = [ { address = "${wifiIPv4}.1"; prefixLength = 24; } ];
- ipv4.routes = [
- { address = "${wifiIPv4}.0";
- prefixLength = 24;
- options = { congctl="westwood";};
- }
- ];
+ imports = [
+ ../../../nixos/profiles/networking/wifi.nix
+ ];
+ systemd.network.networks = {
+ "20-${wifiIface}" = {
+ name = wifiIface;
+ networkConfig = {
+ Address = "${wifiIPv4}.1/24";
+ DHCPServer = true;
+ };
+ dhcpServerConfig = {
+ DNS = "${wifiIPv4}.1";
+ EmitDNS = true;
+ PoolOffset = 100;
+ PoolSize = 20;
+ };
+ linkConfig = {
+ RequiredForOnline = "no";
+ };
+ #routes = [
+ # {
+ # routeConfig = {
+ # Destination = "${wifiIPv4}.0/24";
+ # # FIXME: Not supported by nixos-23.11
+ # #TCPCongestionControlAlgorithm = "westwood";
+ # };
+ # }
+ #];
+ };
};
-};
-networking.nftables.ruleset = lib.mkAfter ''
- table inet filter {
- chain input {
- iifname ${wifiIface} jump input-lan
- iifname ${wifiIface} log level warn prefix "input-lan: " counter drop
- }
- chain output {
- oifname ${wifiIface} jump output-lan
- oifname ${wifiIface} log level warn prefix "output-lan: " counter drop
- }
- }
-'';
+ networking.networkmanager.unmanaged = [ wifiIface ];
-networking.networkmanager.unmanaged = [ wifiIface ];
-services.dnscrypt-proxy2.settings.listen_addresses = [ "${wifiIPv4}.1:53" ];
-systemd.services.dhcpd4.onFailure = [ "network-addresses-${wifiIface}.service" ];
-services.dhcpd4 = {
- enable = true;
- interfaces = [ wifiIface ];
- extraConfig = ''
- subnet ${wifiIPv4}.0 netmask 255.255.255.0 {
- range ${wifiIPv4}.100 ${wifiIPv4}.200;
- option broadcast-address ${wifiIPv4}.255;
- option domain-name-servers ${wifiIPv4}.1;
- option routers ${wifiIPv4}.1;
- option subnet-mask 255.255.255.0;
+ networking.nftables.ruleset = lib.mkAfter ''
+ table inet filter {
+ chain input {
+ iifname ${wifiIface} jump input-lan
+ iifname ${wifiIface} log level warn prefix "input-lan: " counter drop
+ }
+ chain output {
+ oifname ${wifiIface} jump output-lan
+ oifname ${wifiIface} log level warn prefix "output-lan: " counter drop
+ }
+ chain forward-to-wifi {
+ accept
+ }
+ chain forward-from-wifi {
+ accept
+ }
+ chain forward {
+ iifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname ${wifiIface} goto forward-to-wifi
+ iifname ${wifiIface} oifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-wifi
+ }
}
'';
-};
-# iw dev wlp5s0 station dump
-# DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
-services.hostapd = {
- enable = true;
- logLevel = 2;
- interface = wifiIface;
- # 0 means the AP will search for the channel with the least interferences (ACS)
- channel = 1;
- hwMode = "g";
- ssid = hostName;
- wpa = false;
- #wpaPassphrase = "bidonpoissonmaisonronron";
- countryCode = "FR";
- extraConfig = ''
- # WLAN
- beacon_int=100
- dtim_period=2 # DTIM (delivery trafic information message)
- preamble=1
- # limit the frequencies used to those allowed in the country
- ieee80211d=1
- # WPA2
- #wpa_key_mgmt=WPA-PSK
- #wpa_pairwise=CCMP
- #rsn_pairwise=CCMP
- #auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
- macaddr_acl=0
- # QoS support, also required for full speed on 802.11n/ac/ax
- wmm_enabled=1
- eap_reauth_period=360000
- wpa_group_rekey=600
- wpa_ptk_rekey=600
- wpa_gmk_rekey=86400
+ # iw dev wlp5s0 station dump
+ # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
+ systemd.services.hostapd = {
+ unitConfig.StartLimitIntervalSec = 5;
+ serviceConfig.Restart = "always";
+ };
+ services.hostapd = {
+ enable = true;
+ radios = {
+ ${wifiIface} = {
+ band = "2g";
+ countryCode = "FR";
+ networks.${wifiIface} = {
+ ssid = hostName;
+ ignoreBroadcastSsid = "empty";
+ authentication = {
+ # FIXME: use wpa3-sae
+ mode = "wpa2-sha256";
+ # FIXME: use wpaPasswordFile or saePasswordsFile
+ wpaPassword = wpaPassphrase;
+ };
+ logLevel = 2;
+ };
+ settings = {
+ disassoc_low_ack = true;
+ };
+ wifi4 = {
+ enable = true;
+ # See per band "Capabilities:" section in `iw list`
+ capabilities = [
+ "DSSS_CCK-40"
+ "HT40+"
+ "MAX-AMSDU-3839"
+ "SHORT-GI-40"
+ ];
+ require = false;
+ };
+ };
+ };
+ /*
+ extraConfig = ''
+ # WLAN
+ beacon_int=100
+ dtim_period=2 # DTIM (delivery trafic information message)
+ preamble=1
+ # limit the frequencies used to those allowed in the country
+ ieee80211d=1
+ ignore_broadcast_ssid=1
+ macaddr_acl=0
+ # 0 means the AP will search for the channel with the least interferences (ACS)
+ channel=1
- # N-WLAN
- ieee80211n=1
- # See Capabilities in iw list
- #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]
- require_ht=1
- obss_interval=0
+ # WPA2
+ #auth_algs=0 # 0=noauth, 1=wpa, 2=wep, 3=both
+ wpa_key_mgmt=WPA-PSK
+ wpa_pairwise=CCMP
+ rsn_pairwise=CCMP
+ # QoS support, also required for full speed on 802.11n/ac/ax
+ wmm_enabled=1
+ eap_reauth_period=360000
+ wpa_group_rekey=600
+ wpa_ptk_rekey=600
+ wpa_gmk_rekey=86400
- # 802.11ac support
- ieee80211ac=0
- '';
-};
+ # N-WLAN
+ ieee80211n=1
+ # See per band "Capabilities:" section in iw list
+ ht_capab=[HT40+][SHORT-GI-40][MAX-AMSDU-3839][DSSS_CCK-40]
+ require_ht=1
+ obss_interval=0
-services.openssh.listenAddresses = [
- { addr = "${wifiIPv4}.1"; port = 22; }
-];
+ # 802.11ac support
+ ieee80211ac=0
+ '';
+ */
+ };
}
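Review bot: The new `forward-to-wifi` and `forward-from-wifi` chains each consist of a bare `accept`, so the two `goto` rules in `forward` give the wifi segment unrestricted, stateless access to all three wired LANs and the wired LANs the same access back; the removed ruleset had no forward rule for these interfaces at all, so whatever the table's default forward policy is elsewhere no longer applies between them. Whichever side is the less trusted one should be limited to return traffic plus an explicit allow-list, e.g. for `forward-from-wifi`: `ct state { established, related } accept` followed by `log level warn prefix "forward-from-wifi: " counter drop`. Separately, `dhcpServerConfig.DNS` still advertises `${wifiIPv4}.1` as the resolver while the `services.dnscrypt-proxy2.settings.listen_addresses` entry for that address was dropped; unless `../../../nixos/profiles/networking/wifi.nix` now provides a listener there, clients will be handed an unreachable DNS server. The `wpaPassword = wpaPassphrase;` line places the passphrase in the world-readable Nix store as the FIXME above it notes, and the `names-and-numbers.nix.clear` import suggests it is also kept in plaintext on disk, so switching to `wpaPasswordFile` is worth doing before this lands rather than after.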