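# Wi-Fi access point on the `iface` radio: hostapd serves the SSID,
# dhcpd4 hands out 192.168.2.0/24 leases, unbound resolves for clients,
# and the nftables rules below restrict what clients may reach on the host.
{ pkgs, lib, config, hosts, ... }:
let
  # Wireless interface; every section below is keyed on this name.
  iface = "wlp4s0";
in
{
  environment.systemPackages = [
    pkgs.iw
  ];

  # The AP's own address; it is also the DNS/DHCP/router address advertised to clients.
  networking.interfaces.${iface} = {
    ipv4.addresses = [ { address = "192.168.2.1"; prefixLength = 24; } ];
  };

  # Fix to set the address before starting dhcpd4.service
  systemd.services."network-addresses-${iface}" = {
    before = [ "network.target" ];
    wantedBy = [ "network.target" ];
  };

  # addr_gen_mode=1 tells the kernel not to auto-generate a link-local IPv6 address here.
  boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;

  # Only `add rule` statements: the wifi2fw / fw2wifi / fwd-wifi chains are
  # presumably declared in the base nftables ruleset elsewhere — verify, since
  # loading fails if they do not exist.
  # Traffic from clients that matches nothing in wifi2fw is logged and dropped.
  networking.nftables.ruleset = ''
    # Hook ${iface} into relevant chains
    add rule inet filter input iifname "${iface}" jump wifi2fw
    add rule inet filter input iifname "${iface}" log level warn prefix "wifi2fw: " counter drop
    add rule inet filter output oifname "${iface}" jump fw2wifi
    add rule inet filter output oifname "${iface}" log level warn prefix "fw2wifi: " counter drop

    # ${iface} firewalling
    add rule inet filter fw2wifi counter accept
    add rule inet filter forward iifname "${iface}" jump fwd-wifi

    # Allow forwarding to the internet
    add rule inet filter fwd-wifi oifname "enp5s0" counter accept

    # Allow networking services
    add rule inet filter wifi2fw udp dport 53 counter accept comment "DNS"
    add rule inet filter wifi2fw tcp dport 53 counter accept comment "DNS"
    add rule inet filter wifi2fw udp dport 67 counter accept comment "DHCP"
  '';
  # The fwd-wifi accept above only takes effect once IPv4 forwarding is enabled
  # (commented out here) and clients' private addresses are masqueraded (the
  # iptables relay at the bottom of this file is commented out too); if neither
  # is configured elsewhere, forwarding from the AP does not work.
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # Recursive resolver bound to the AP address, reachable from the Wi-Fi subnet only.
  services.unbound.settings = {
    server = {
      interface = [ "192.168.2.1" ];
      access-control = [ "192.168.2.0/24 allow" ];
      local-zone = [
        "tracking.intl.miui.com always_refuse"
        "sourcephile.fr typetransparent"
      ];
      local-data = [
        "\"bureau1.sourcephile.fr A 192.168.2.1\""
      ];
    };
  };

  networking.wlanInterfaces.${iface} = {
    device = "phy0";
  };

  /*
  networking.networkmanager.unmanaged = [
    "interface-name:phy0"
    "interface-name:${iface}"
  ];
  */

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    logLevel = 2;
    interface = iface;
    hwMode = "g";
    ssid = "bureau1";
    wpa = true;
    # NOTE(review): this passphrase is committed in the repository and is
    # rendered into the generated hostapd.conf in the Nix store, which is
    # world-readable on the host. Keeping it in a secret file outside the
    # store (and out of git) would limit who can read it.
    wpaPassphrase = "bidonpoissonmaisonronron";
    countryCode = "FR";
    extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery trafic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };

  # Lease pool .100-.200; router and DNS both point at the AP address above.
  services.dhcpd4 = {
    enable = true;
    interfaces = [ iface ];
    extraConfig = ''
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.2.255;
      option routers 192.168.2.1;
      option domain-name-servers 192.168.2.1;
      subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
      }
    '';
  };

  #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
  /*
  # Sometimes slow connection speeds are attributed to absence of haveged.
  services.haveged.enable = true;
  */

  /*

  systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
  in {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
      ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
    '';
  };
  */
}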