hosts/losurdo/networking/wireless.nix

   1 { pkgs, ... }:
   2 let
   3   wifiIface = "wlp4s0";
   4   wifiIPv4 = "192.168.2";
   5   gwIface = "enp5s0";
   6   #gwIface = config.networking.defaultGateway.interface;
   7 in
   8 {
   9   systemd.network.networks = {
  10     "10-${wifiIface}" = {
  11       name = wifiIface;
  12       networkConfig = {
  13         Address = "${wifiIPv4}.1/24";
  14         DHCPServer = true;
  15         IPv6PrivacyExtensions = true;
  16         IPForward = true;
  17       };
  18       dhcpServerConfig = {
  19         DNS = "${wifiIPv4}.1";
  20         EmitDNS = true;
  21         PoolOffset = 100;
  22         PoolSize = 20;
  23       };
  24       linkConfig = {
  25         RequiredForOnline = "no";
  26       };
  27     };
  28   };
  29   environment.systemPackages = [
  30     pkgs.iw
  31   ];
  32   networking.nftables.ruleset = ''
  33     table inet filter {
  34       chain input-lan {
  35         meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
  36         tcp dport bootps counter accept comment "DHCP"
  37       }
  38       chain input {
  39         iifname ${wifiIface} goto input-lan
  40       }
  41       chain output-lan {
  42         counter accept
  43       }
  44       chain output {
  45         oifname ${wifiIface} goto output-lan
  46       }
  47       chain forward {
  48         iifname ${wifiIface} oifname ${gwIface} counter accept
  49         iifname ${gwIface} oifname ${wifiIface} counter accept
  50       }
  51     }
  52   '';
  53
  54   services.unbound.settings = {
  55     server = {
  56       interface = [ "${wifiIPv4}.1" ];
  57       access-control = [ "${wifiIPv4}.0/24 allow" ];
  58       local-zone = [
  59         "sourcephile.fr typetransparent"
  60         "tracking.intl.miui.com always_refuse"
  61       ];
  62       local-data = [
  63         "\"bureau1.sourcephile.fr A ${wifiIPv4}.1\""
  64       ];
  65     };
  66   };
  67
  68   networking.networkmanager.unmanaged = [
  69     wifiIface
  70   ];
  71
  72   # iw dev wlp4s0 station dump
  73   # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  74   services.hostapd = {
  75     enable = true;
  76     radios = {
  77       ${wifiIface} = {
  78         band = "2g";
  79         countryCode = "FR";
  80         networks.${wifiIface} = {
  81           ssid = "bureau1";
  82           authentication = {
  83             # FIXME: use wpa3-sae
  84             mode = "wpa2-sha256";
  85             # FIXME: use wpaPasswordFile or saePasswordsFile
  86             wpaPassword = "bidonpoissonmaisonronron";
  87           };
  88           logLevel = 2;
  89         };
  90         settings = {
  91           disassoc_low_ack = true;
  92         };
  93         wifi4 = {
  94           enable = true;
  95           capabilities = [
  96             "DSSS_CCK-40"
  97             "HT40+"
  98             "MAX-AMSDU-7935"
  99             "SHORT-GI-40"
 100           ];
 101           require = false;
 102         };
 103       };
 104     };
 105     /*
 106       extraConfig = ''
 107       # WLAN
 108       beacon_int=100
 109       dtim_period=2 # DTIM (delivery trafic information message)
 110       preamble=1
 111       # limit the frequencies used to those allowed in the country
 112       ieee80211d=1
 113       # 0 means the AP will search for the channel with the least interferences (ACS)
 114       channel=1
 115
 116       # WPA2
 117       wpa_key_mgmt=WPA-PSK
 118       wpa_pairwise=CCMP
 119       rsn_pairwise=CCMP
 120       auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
 121       macaddr_acl=0
 122       # QoS support, also required for full speed on 802.11n/ac/ax
 123       wmm_enabled=1
 124       eap_reauth_period=360000
 125       wpa_group_rekey=600
 126       wpa_ptk_rekey=600
 127       wpa_gmk_rekey=86400
 128
 129       # N-WLAN
 130       ieee80211n=1
 131       # See Capabilities in iw list
 132       ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
 133       require_ht=1
 134       obss_interval=0
 135
 136       # 802.11ac support
 137       ieee80211ac=0
 138       '';
 139     */
 140   };
 141
 142   /*
 143     # Sometimes slow connection speeds are attributed to absence of haveged.
 144     services.haveged.enable = true;
 145   */
 146
 147   /*
 148     systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
 149     in {
 150     description = "iptables rules for wifi-relay";
 151     after = [ "dhcpd4.service" ];
 152     wantedBy = [ "multi-user.target" ];
 153     script = ''
 154     ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s ${wifiIPv4}.0/24 ! -o wlan-ap0 -j MASQUERADE
 155     ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s ${wifiIPv4}.0/24 -j ACCEPT
 156     ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d ${wifiIPv4}.0/24 -j ACCEPT
 157     '';
 158     };
 159   */
 160 }