]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/networking/wireless.nix
wireguard: remove old cred
[sourcephile-nix.git] / hosts / losurdo / networking / wireless.nix
1 { pkgs, ... }:
2 let
3 wifiIface = "wlp4s0";
4 gwIface = "enp5s0";
5 #gwIface = config.networking.defaultGateway.interface;
6 in
7 {
8 environment.systemPackages = [
9 pkgs.iw
10 ];
11 networking.interfaces.${wifiIface} = {
12 ipv4.addresses = [{ address = "192.168.2.1"; prefixLength = 24; }];
13 };
14 # Not merged, even though all are 1
15 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
16 boot.kernel.sysctl."net.ipv6.conf.${wifiIface}.addr_gen_mode" = 1;
17 networking.nftables.ruleset = ''
18 table inet filter {
19 chain input-lan {
20 meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
21 tcp dport bootps counter accept comment "DHCP"
22 }
23 chain input {
24 iifname ${wifiIface} goto input-lan
25 }
26 chain output-lan {
27 counter accept
28 }
29 chain output {
30 oifname ${wifiIface} goto output-lan
31 }
32 chain forward {
33 iifname ${wifiIface} oifname ${gwIface} counter accept
34 iifname ${gwIface} oifname ${wifiIface} counter accept
35 }
36 }
37 '';
38
39 services.unbound.settings = {
40 server = {
41 interface = [ "192.168.2.1" ];
42 access-control = [ "192.168.2.0/24 allow" ];
43 local-zone = [
44 "tracking.intl.miui.com always_refuse"
45 "sourcephile.fr typetransparent"
46 ];
47 local-data = [
48 "\"bureau1.sourcephile.fr A 192.168.2.1\""
49 ];
50 };
51 };
52
53 networking.wlanInterfaces.${wifiIface} = {
54 device = "phy0";
55 };
56
57 networking.networkmanager.unmanaged = [
58 wifiIface
59 ];
60
61 # iw dev wlp4s0 station dump
62 # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
63 services.hostapd = {
64 enable = true;
65 logLevel = 2;
66 interface = wifiIface;
67 hwMode = "g";
68 ssid = "bureau1";
69 wpa = true;
70 wpaPassphrase = "bidonpoissonmaisonronron";
71 countryCode = "FR";
72 extraConfig = ''
73 # WLAN
74 beacon_int=100
75 dtim_period=2 # DTIM (delivery trafic information message)
76 preamble=1
77 # limit the frequencies used to those allowed in the country
78 ieee80211d=1
79 # 0 means the AP will search for the channel with the least interferences (ACS)
80 channel=1
81
82 # WPA2
83 wpa_key_mgmt=WPA-PSK
84 wpa_pairwise=CCMP
85 rsn_pairwise=CCMP
86 auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
87 macaddr_acl=0
88 # QoS support, also required for full speed on 802.11n/ac/ax
89 wmm_enabled=1
90 eap_reauth_period=360000
91 wpa_group_rekey=600
92 wpa_ptk_rekey=600
93 wpa_gmk_rekey=86400
94
95 # N-WLAN
96 ieee80211n=1
97 # See Capabilities in iw list
98 ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
99 require_ht=1
100 obss_interval=0
101
102 # 802.11ac support
103 ieee80211ac=0
104 '';
105 };
106 systemd.services.dhcpd4 = {
107 after = [ "network-addresses-${wifiIface}.service" ];
108 requires = [
109 "network-addresses-${wifiIface}.service"
110 "sys-subsystem-net-devices-${wifiIface}.device"
111 ];
112 unitConfig.StartLimitIntervalSec = 0;
113 serviceConfig.RestartSec = 5;
114 };
115 services.dhcpd4 = {
116 enable = true;
117 interfaces = [ wifiIface ];
118 extraConfig = ''
119 option subnet-mask 255.255.255.0;
120 option broadcast-address 192.168.2.255;
121 option routers 192.168.2.1;
122 option domain-name-servers 192.168.2.1;
123 subnet 192.168.2.0 netmask 255.255.255.0 {
124 range 192.168.2.100 192.168.2.200;
125 }
126 '';
127 };
128
129 #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
130 /*
131 # Sometimes slow connection speeds are attributed to absence of haveged.
132 services.haveged.enable = true;
133 */
134
135 /*
136
137 systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
138 in {
139 description = "iptables rules for wifi-relay";
140 after = [ "dhcpd4.service" ];
141 wantedBy = [ "multi-user.target" ];
142 script = ''
143 ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
144 ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
145 ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
146 '';
147 };
148 */
149 }