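# Wi-Fi access point on this host: hostapd drives the radio, systemd-networkd
# addresses the link and hands out DHCP leases, unbound resolves for the Wi-Fi
# LAN, and nftables lets that LAN reach the upstream gateway interface.
{ pkgs, ... }:
let
  # Interface driven by hostapd; also the networkd link and the nftables iif/oif name.
  wifiIface = "wlp4s0";
  # First three octets of the Wi-Fi LAN; the AP itself is ${wifiIPv4}.1.
  wifiIPv4 = "192.168.2";
  # Upstream interface Wi-Fi clients are forwarded through.
  gwIface = "enp5s0";
  #gwIface = config.networking.defaultGateway.interface;
in
{
  systemd.network.networks = {
    "10-${wifiIface}" = {
      name = wifiIface;
      networkConfig = {
        Address = "${wifiIPv4}.1/24";
        # networkd runs the DHCP server itself (see dhcpServerConfig below).
        DHCPServer = true;
        IPv6PrivacyExtensions = true;
        # Required for clients to be forwarded towards ${gwIface}; what is actually
        # forwarded is decided by the nftables forward chain below.
        IPv4Forwarding = true;
        #IPv6Forwarding = true;
      };
      dhcpServerConfig = {
        # Clients are told to use the local unbound instance as resolver.
        DNS = "${wifiIPv4}.1";
        EmitDNS = true;
        # Lease pool: presumably ${wifiIPv4}.100 up to ${wifiIPv4}.119.
        PoolOffset = 100;
        PoolSize = 20;
      };
      linkConfig = {
        # Do not hold up network-online.target on an AP link that may have no clients.
        RequiredForOnline = "no";
      };
    };
  };
  environment.systemPackages = [
    pkgs.iw
  ];
  # Only rules for traffic entering/leaving ${wifiIface} are declared here; the
  # chain types, hooks and default policies of `input`/`output`/`forward` are
  # expected to come from another part of the host configuration.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-lan {
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        # DHCP is carried over UDP (client port 68 -> server port 67); the previous
        # `tcp dport bootps` rule could never match a DHCP request.
        udp dport bootps counter accept comment "DHCP"
      }
      chain input {
        iifname ${wifiIface} goto input-lan
      }
      chain output-lan {
        counter accept
      }
      chain output {
        oifname ${wifiIface} goto output-lan
      }
      chain forward {
        iifname ${wifiIface} oifname ${gwIface} counter accept
        # NOTE(review): this also accepts *new* connections from ${gwIface} towards
        # Wi-Fi clients; limiting it to `ct state established,related` would reduce
        # the clients' exposure to the upstream network -- confirm nothing relies on
        # unsolicited inbound traffic before tightening.
        iifname ${gwIface} oifname ${wifiIface} counter accept
      }
    }
  '';

  services.unbound.settings = {
    server = {
      # Listen on the AP address only and answer the Wi-Fi subnet only, so the
      # resolver is neither reachable nor usable as an open resolver from ${gwIface}.
      interface = [ "${wifiIPv4}.1" ];
      access-control = [ "${wifiIPv4}.0/24 allow" ];
      local-zone = [
        "sourcephile.fr typetransparent"
        "tracking.intl.miui.com always_refuse"
      ];
      local-data = [
        "\"bureau1.sourcephile.fr A ${wifiIPv4}.1\""
      ];
    };
  };

  # Keep NetworkManager off the AP interface; networkd and hostapd own it.
  networking.networkmanager.unmanaged = [
    wifiIface
  ];

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    radios = {
      ${wifiIface} = {
        band = "2g";
        countryCode = "FR";
        networks.${wifiIface} = {
          ssid = "bureau1";
          authentication = {
            # FIXME: use wpa3-sae
            mode = "wpa2-sha256";
            # FIXME: use wpaPasswordFile or saePasswordsFile
            # SECURITY: this literal is committed to the repository and rendered into
            # the generated hostapd configuration (presumably in the world-readable
            # Nix store). Move it to a root-only file outside the store via one of
            # the options above, then rotate the passphrase.
            wpaPassword = "bidonpoissonmaisonronron";
          };
          logLevel = 2;
        };
        settings = {
          # Drop stations whose ACKs stop arriving instead of keeping stale associations.
          disassoc_low_ack = true;
        };
        wifi4 = {
          enable = true;
          # See "Capabilities" in `iw list` for what this radio supports.
          capabilities = [
            "DSSS_CCK-40"
            "HT40+"
            "MAX-AMSDU-7935"
            "SHORT-GI-40"
          ];
          # Still admit legacy (non-HT) clients.
          require = false;
        };
      };
    };
    /*
    extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery traffic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
    */
  };

  /*
  # Sometimes slow connection speeds are attributed to absence of haveged.
  services.haveged.enable = true;
  */

  /*
  systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
  in {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
      ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s ${wifiIPv4}.0/24 ! -o wlan-ap0 -j MASQUERADE
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s ${wifiIPv4}.0/24 -j ACCEPT
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d ${wifiIPv4}.0/24 -j ACCEPT
    '';
  };
  */
}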