1 { pkgs, lib, config, hosts, ... }:
5 environment.systemPackages = [
8 networking.interfaces.${iface} = {
9 ipv4.addresses = [ { address = "192.168.2.1"; prefixLength = 24; } ];
# Workaround so the interface address is configured before dhcpd4.service starts;
# the address unit is ordered after, and bound to, hostapd.service below
12 systemd.services."network-addresses-${iface}" = {
13 after = [ "hostapd.service"];
14 bindsTo = [ "hostapd.service"];
15 wantedBy = ["network.target"];
17 boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;
18 networking.nftables.ruleset = ''
# Hook ${iface} into the input and output chains: traffic not accepted by
# wifi2fw / fw2wifi is logged and dropped. Note that the log rules below carry
# no "limit rate", so a noisy client can flood the journal.
20 add rule inet filter input iifname "${iface}" jump wifi2fw
21 add rule inet filter input iifname "${iface}" log level warn prefix "wifi2fw: " counter drop
22 add rule inet filter output oifname "${iface}" jump fw2wifi
23 add rule inet filter output oifname "${iface}" log level warn prefix "fw2wifi: " counter drop
# ${iface} firewalling: host -> WiFi is accepted unconditionally; forwarded
# traffic from ${iface} is handled by the fwd-wifi chain
26 add rule inet filter fw2wifi counter accept
27 add rule inet filter forward iifname "${iface}" jump fwd-wifi
# Allow forwarding from ${iface} towards the uplink interface enp5s0 (the internet)
30 add rule inet filter fwd-wifi oifname "enp5s0" counter accept
# Allow the services this host offers to WiFi clients (DNS and DHCP).
# NOTE(review): DHCP runs over UDP port 67 (compare the commented-out
# allowedUDPPorts = [ 53 67 ] further down); the "tcp dport 67" rule below
# will therefore never match DHCP requests, which end up in the log-and-drop
# rule of the input chain.
33 add rule inet filter wifi2fw udp dport 53 counter accept comment "DNS"
34 add rule inet filter wifi2fw tcp dport 53 counter accept comment "DNS"
35 add rule inet filter wifi2fw tcp dport 67 counter accept comment "DHCP"
37 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
39 services.unbound.settings = {
41 interface = [ "192.168.2.1" ];
42 access-control = ["192.168.2.0/24 allow"];
44 "tracking.intl.miui.com always_refuse"
45 "sourcephile.fr typetransparent"
48 "\"bureau1.sourcephile.fr A 192.168.2.1\""
53 networking.wlanInterfaces.${iface} = {
58 networking.networkmanager.unmanaged = [
60 "interface-name:${iface}"
# Debugging: list associated stations with `iw dev wlp4s0 station dump`
65 # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
73 wpaPassphrase = "bidonpoissonmaisonronron";
dtim_period=2 # DTIM (Delivery Traffic Indication Message) interval, in beacons
# Restrict the channels used to those permitted by the configured country (regulatory domain)
# 0 means the AP will search for the channel with the least interference (ACS)
auth_algs=1 # bit field, see the hostapd.conf doc above: 1=Open System only (the right choice for WPA/WPA2-PSK), 2=Shared Key (WEP only), 3=both
91 # QoS support, also required for full speed on 802.11n/ac/ax
93 eap_reauth_period=360000
# Hardware HT capabilities; check the "Capabilities" section of `iw list` for what the adapter supports
101 ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
111 interfaces = [ iface ];
113 option subnet-mask 255.255.255.0;
114 option broadcast-address 192.168.2.255;
115 option routers 192.168.2.1;
116 option domain-name-servers 192.168.2.1;
117 subnet 192.168.2.0 netmask 255.255.255.0 {
118 range 192.168.2.100 192.168.2.200;
123 #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
# Slow connection setup is sometimes attributed to a lack of entropy; haveged feeds the kernel entropy pool.
126 services.haveged.enable = true;
131 systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
133 description = "iptables rules for wifi-relay";
134 after = [ "dhcpd4.service" ];
135 wantedBy = [ "multi-user.target" ];
137 ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
138 ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
139 ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT