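# Wifi access point on `wifiIface`, routed towards the wired uplink `gwIface`.
# The AP owns 192.168.2.1/24 on the WLAN and serves DNS (unbound) to it; the
# DHCP server (dhcpd4) and the older iptables relay are kept below, commented
# out, for reference.
{ pkgs, ... }:
let
  wifiIface = "wlp4s0";
  gwIface = "enp5s0";
  #gwIface = config.networking.defaultGateway.interface;
in
{
  # `iw` is only used for diagnostics (see `iw dev ... station dump` below).
  environment.systemPackages = [
    pkgs.iw
  ];
  networking.interfaces.${wifiIface} = {
    ipv4.addresses = [{ address = "192.168.2.1"; prefixLength = 24; }];
  };
  # Not merged, even though all are 1
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  # NOTE(review): addr_gen_mode=1 tells the kernel not to auto-generate an
  # IPv6 link-local address on the WLAN interface — presumably to keep the AP
  # IPv4-only (only 192.168.2.1/24 is configured above); confirm.
  boot.kernel.sysctl."net.ipv6.conf.${wifiIface}.addr_gen_mode" = 1;

  # These chains are merged into the base `filter` table defined elsewhere
  # (`input`, `output` and `forward` carry no hook here); the base chains'
  # policies decide what happens to traffic not accepted below.
  networking.nftables.ruleset = ''
    table inet filter {
      # Services the AP itself exposes to WLAN clients: DNS and DHCP only.
      chain input-lan {
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        # DHCP is carried over UDP (bootps/67), not TCP.
        udp dport bootps counter accept comment "DHCP"
      }
      chain input {
        iifname ${wifiIface} goto input-lan
      }
      chain output-lan {
        counter accept
      }
      chain output {
        oifname ${wifiIface} goto output-lan
      }
      chain forward {
        # WLAN clients may open connections towards the uplink ...
        iifname ${wifiIface} oifname ${gwIface} counter accept
        # ... but only replies to those connections are routed back, so
        # unsolicited traffic arriving on the uplink cannot reach WLAN clients.
        iifname ${gwIface} oifname ${wifiIface} ct state established,related counter accept
      }
    }
  '';

  # Recursive resolver for the WLAN: listens on the AP address only and
  # answers the 192.168.2.0/24 clients only.
  services.unbound.settings = {
    server = {
      interface = [ "192.168.2.1" ];
      access-control = [ "192.168.2.0/24 allow" ];
      local-zone = [
        # Sinkhole a telemetry domain for the WLAN clients.
        "tracking.intl.miui.com always_refuse"
        # Answer from local-data first, fall through to the real zone otherwise.
        "sourcephile.fr typetransparent"
      ];
      local-data = [
        "\"bureau1.sourcephile.fr A 192.168.2.1\""
      ];
    };
  };

  networking.wlanInterfaces.${wifiIface} = {
    device = "phy0";
  };

  # Keep NetworkManager away from the AP interface; hostapd owns it.
  networking.networkmanager.unmanaged = [
    wifiIface
  ];

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  # NOTE(review): the flat options (`interface`, `hwMode`, `ssid`, `wpa`,
  # `countryCode`, `extraConfig`) and the `radios` tree describe the same
  # network twice — this looks like a half-finished migration between two
  # versions of the NixOS hostapd module; confirm which set the target NixOS
  # release actually evaluates, and whether `logLevel`/`band` belong under
  # `authentication` or one level up.
  services.hostapd = {
    enable = true;
    interface = wifiIface;
    hwMode = "g";
    ssid = "bureau1";
    wpa = true;
    radios = {
      ${wifiIface} = {
        # countryCode = "US";
        networks.${wifiIface} = {
          ssid = "bureau1";
          authentication = {
            # FIXME: use wpa3-sae
            mode = "wpa2-sha256";
            # FIXME: use wpaPasswordFile or saePasswordsFile
            # The NixOS option documents that a literal `wpaPassword` ends up
            # in a world-readable file in the Nix store; `wpaPasswordFile`
            # keeps the passphrase out of the store (and out of this repo).
            wpaPassword = "bidonpoissonmaisonronron";
            logLevel = 2;
            band = "g";
          };
        };
      };
    };
    countryCode = "FR";
    # NOTE(review): `wpa_key_mgmt=WPA-PSK` below and `mode = "wpa2-sha256"`
    # above disagree on the key-management suite; confirm which one the
    # generated hostapd.conf ends up with. Also, per the hostapd.conf
    # reference linked above, `auth_algs` is a bit field of 802.11
    # authentication algorithms (1 = Open System, 2 = Shared Key/WEP), so the
    # inline "1=wpa" comment is misleading — 1 is the correct value for WPA2,
    # it just does not mean "wpa". `macaddr_acl=0` means no MAC-based
    # admission control, which is fine given WPA2 is enforced.
    extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery trafic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };
  /*
  systemd.services.dhcpd4 = {
    after = [ "network-addresses-${wifiIface}.service" ];
    requires = [
      "network-addresses-${wifiIface}.service"
      "sys-subsystem-net-devices-${wifiIface}.device"
    ];
    unitConfig.StartLimitIntervalSec = 0;
    serviceConfig.RestartSec = 5;
  };
  services.dhcpd4 = {
    enable = true;
    interfaces = [ wifiIface ];
    extraConfig = ''
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.2.255;
      option routers 192.168.2.1;
      option domain-name-servers 192.168.2.1;
      subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
      }
    '';
  };
  */

  #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
  /*
  # Sometimes slow connection speeds are attributed to absence of haveged.
  services.haveged.enable = true;
  */

  /*

  systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
  in {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
      ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
    '';
  };
  */
}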