losurdo: try to fix hostapd config

[sourcephile-nix.git] / hosts / losurdo / networking / wireless.nix

{ pkgs, lib, config, hosts, ... }:
let iface = "wlp4s0";
in
{
environment.systemPackages = [
  pkgs.iw
];
networking.interfaces.${iface} = {
  ipv4.addresses = [ { address = "192.168.2.1"; prefixLength = 24; } ];
};
# Fix to set the address before starting dhcpd4.service
systemd.services."network-addresses-${iface}" = {
  before = ["network.target"];
  wantedBy = ["network.target"];
};
boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;
networking.nftables.ruleset = ''
  # Hook ${iface} into relevant chains
  add rule inet filter input  iifname "${iface}" jump wifi2fw
  add rule inet filter input  iifname "${iface}" log level warn prefix "wifi2fw: " counter drop
  add rule inet filter output oifname "${iface}" jump fw2wifi
  add rule inet filter output oifname "${iface}" log level warn prefix "fw2wifi: " counter drop

  # ${iface} firewalling
  add rule inet filter fw2wifi counter accept
  add rule inet filter forward iifname "${iface}" jump fwd-wifi

  # Allow forwarding to the internet
  add rule inet filter fwd-wifi oifname "enp5s0" counter accept

  # Allow networking services
  add rule inet filter wifi2fw udp dport 53 counter accept comment "DNS"
  add rule inet filter wifi2fw tcp dport 53 counter accept comment "DNS"
  add rule inet filter wifi2fw tcp dport 67 counter accept comment "DHCP"
'';
#boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

services.unbound.settings = {
  server = {
    interface = [ "192.168.2.1" ];
    access-control = ["192.168.2.0/24 allow"];
    local-zone = [
      "tracking.intl.miui.com always_refuse"
      "sourcephile.fr typetransparent"
    ];
    local-data = [
      "\"bureau1.sourcephile.fr A 192.168.2.1\""
    ];
  };
};

networking.wlanInterfaces.${iface} = {
  device = "phy0";
};

/*
networking.networkmanager.unmanaged = [
  "interface-name:phy0"
  "interface-name:${iface}"
];
*/

# iw dev wlp4s0 station dump
services.hostapd = {
  enable = true;
  logLevel = 2;
  interface = iface;
  # a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g
  hwMode = "g";
  ssid = "bureau1";
  wpa = true;
  wpaPassphrase = "bidonpoissonmaisonronron";
  countryCode = "FR";
  extraConfig = ''
    # WLAN
    beacon_int=100
    dtim_period=2 # DTIM (delivery trafic information message)
    max_num_sta=255 # Maximum number of stations allowed in station table
    rts_threshold=2347 # RTS/CTS threshold; 2347 = disabled (default)
    fragm_threshold=2346 # Fragmentation threshold; 2346 = disabled (default)
    preamble=1

    # WPA2
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=CCMP
    rsn_pairwise=CCMP
    auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
    macaddr_acl=0
    wmm_enabled=1
    eap_reauth_period=360000
    wpa_group_rekey=600
    wpa_ptk_rekey=600
    wpa_gmk_rekey=86400

    # N-WLAN
    ieee80211n=1
    # See Capabilities in iw list
    ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
    require_ht=1
    obss_interval=0
  '';
};
services.dhcpd4 = {
  enable = true;
  interfaces = [ iface ];
  extraConfig = ''
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
    option domain-name-servers 192.168.2.1;
    subnet 192.168.2.0 netmask 255.255.255.0 {
      range 192.168.2.100 192.168.2.200;
    }
  '';
};

#networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
/*
# Sometimes slow connection speeds are attributed to absence of haveged.
services.haveged.enable = true;
*/

/*

systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
in {
  description = "iptables rules for wifi-relay";
  after = [ "dhcpd4.service" ];
  wantedBy = [ "multi-user.target" ];
  script = ''
    ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
    ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
    ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
  '';
};
*/
}