Add 1 git-crypt collaborator
[julm/julm-nix.git] / hosts / aubergine / networking / wifi.nix
index 6ee5e5c4e424eb0948879c49b73c957e2270f773..ea22f21c52cdd36b7c08a6fe02b1274182fb36d6 100644 (file)
@@ -1,8 +1,9 @@
 { pkgs, lib, hostName, ... }:
 with (import ./names-and-numbers.nix);
+with (import ./names-and-numbers.nix.clear);
 {
-  environment.systemPackages = [
-    pkgs.iw
+  imports = [
+    ../../../nixos/profiles/networking/wifi.nix
   ];
   networking.interfaces = {
     ${wifiIface} = {
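Review bot: The added `with (import ./names-and-numbers.nix.clear);` on the line after the existing `with (import ./names-and-numbers.nix);` silently shadows any name both files define, and Nix emits no warning on that collision, so a reader of this file cannot tell which of the two files supplies `wpaPassphrase`, `wifiIface` or the `eth*Iface` names used below. Given the commit is about git-crypt, `.clear` presumably is the unencrypted copy; the secret-bearing names should then come only from the encrypted file, and pulling them explicitly, e.g. `inherit (import ./names-and-numbers.nix) wpaPassphrase;` in a `let`, or at least a comment `# .clear is committed in cleartext: never put secrets in it` next to the new `with`, would make that contract visible. The attribute set opened at `{` continues well past this hunk, so both `with` scopes apply to everything below.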
@@ -27,11 +28,20 @@ with (import ./names-and-numbers.nix);
         oifname ${wifiIface} jump output-lan
         oifname ${wifiIface} log level warn prefix "output-lan: " counter drop
       }
+      chain forward-to-wifi {
+        accept
+      }
+      chain forward-from-wifi {
+        accept
+      }
+      chain forward {
+        iifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } oifname ${wifiIface} goto forward-to-wifi
+        iifname ${wifiIface} oifname { ${eth1Iface}, ${eth2Iface}, ${eth3Iface} } goto forward-from-wifi
+      }
     }
   '';
 
   networking.networkmanager.unmanaged = [ wifiIface ];
-  services.dnscrypt-proxy2.settings.listen_addresses = [ "${wifiIPv4}.1:53" ];
   systemd.services.dhcpd4.onFailure = [ "network-addresses-${wifiIface}.service" ];
   services.dhcpd4 = {
     enable = true;
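Review bot: `chain forward-from-wifi` accepts every packet from the Wi-Fi interface towards all three wired interfaces with no connection-tracking or service restriction, so any associated Wi-Fi client gets unrestricted access to the wired LAN, while the existing `output-lan` path in this same ruleset ends in a logged drop. At minimum the chain should start with `ct state established,related accept`, list the services Wi-Fi clients may initiate, and end with `log level warn prefix "forward-from-wifi: " counter drop` like the `output` chain does. The new `chain forward` carries no `type filter hook forward priority ...` line in this hunk; unless it is declared as a base chain or jumped to elsewhere in the ruleset (not visible here), these rules never see traffic — worth confirming, and the base chain's policy decides what happens to forwarded traffic that matches neither `goto`. The nftables text is inside a string that opens before this hunk.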
@@ -48,31 +58,39 @@ with (import ./names-and-numbers.nix);
   };
   # iw dev wlp5s0 station dump
   # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
+  systemd.services.hostapd = {
+    unitConfig.StartLimitIntervalSec = 5;
+    serviceConfig.Restart = "always";
+  };
   services.hostapd = {
     enable = true;
     logLevel = 2;
     interface = wifiIface;
     # 0 means the AP will search for the channel with the least interferences (ACS)
-    channel = 1;
+    channel = 0;
+    # a=5GHz, g=2.4GHz
     hwMode = "g";
     ssid = hostName;
-    wpa = false;
-    #wpaPassphrase = "bidonpoissonmaisonronron";
+    wpa = true;
+    inherit wpaPassphrase;
     countryCode = "FR";
     extraConfig = ''
+      driver=nl80211
       # WLAN
       beacon_int=100
       dtim_period=2 # DTIM (delivery trafic information message)
       preamble=1
       # limit the frequencies used to those allowed in the country
       ieee80211d=1
+      disassoc_low_ack=1
+      ignore_broadcast_ssid=1
+      macaddr_acl=0
 
       # WPA2
-      #wpa_key_mgmt=WPA-PSK
-      #wpa_pairwise=CCMP
-      #rsn_pairwise=CCMP
-      #auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
-      macaddr_acl=0
+      #auth_algs=0 # 0=noauth, 1=wpa, 2=wep, 3=both
+      wpa_key_mgmt=WPA-PSK
+      wpa_pairwise=CCMP
+      rsn_pairwise=CCMP
       # QoS support, also required for full speed on 802.11n/ac/ax
       wmm_enabled=1
       eap_reauth_period=360000
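Review bot: `inherit wpaPassphrase;` hands the PSK to `services.hostapd`, which presumably renders it into the generated hostapd.conf in the Nix store, so the passphrase is world-readable on the host even though its source is now git-crypt protected; a comment such as `# NOTE: wpaPassphrase is written to a world-readable hostapd.conf in /nix/store` next to the inherit would record that, and a `wpa_psk_file=` outside the store is the fix if the module version in use allows dropping wpaPassphrase. The retained comment `#auth_algs=0 # 0=noauth, 1=wpa, 2=wep, 3=both` describes the wrong semantics: in hostapd `auth_algs` is a bitfield (bit 0 = Open System, which WPA uses; bit 1 = Shared Key, WEP only), so it should read `#auth_algs=1 # bit0=open system (WPA/WPA2), bit1=shared key (WEP); 0 would disable both`. With WPA2-PSK/CCMP now enabled, management-frame protection is not configured; adding `ieee80211w=1` (or `2` if all clients support it) limits forged deauthentication, driver permitting. `ignore_broadcast_ssid=1` hides nothing from a passive listener, since the SSID is sent in probe responses and association frames, so it should not be counted as a security control.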
@@ -82,8 +100,8 @@ with (import ./names-and-numbers.nix);
 
       # N-WLAN
       ieee80211n=1
-      # See Capabilities in iw list
-      #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-3839]
+      # See per band "Capabilities:" section in iw list
+      ht_capab=[HT40+][SHORT-GI-40][MAX-AMSDU-3839][DSSS_CCK-40]
       require_ht=1
       obss_interval=0
 
@@ -92,8 +110,4 @@ with (import ./names-and-numbers.nix);
     '';
   };
 
-  services.openssh.listenAddresses = [
-    { addr = "${wifiIPv4}.1"; port = 22; }
-  ];
-
 }