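{ pkgs, lib, config, hosts, ... }:
# Wi-Fi access point on losurdo: hostapd on wlp4s0, unbound (DNS) and dhcpd4
# (DHCP) serving 192.168.2.0/24, and nftables rules restricting what the
# wireless segment may reach on the host and beyond it.
let iface = "wlp4s0";
in
{
  environment.systemPackages = [
    pkgs.iw
  ];
  networking.interfaces.${iface} = {
    ipv4.addresses = [ { address = "192.168.2.1"; prefixLength = 24; } ];
  };
  # Re-apply the static address only once hostapd has the interface up, and
  # tie the unit to hostapd's lifecycle, so that the address is present before
  # dhcpd4.service starts and is not lost when hostapd restarts.
  systemd.services."network-addresses-${iface}" = {
    after = [ "hostapd.service" ];
    bindsTo = [ "hostapd.service" ];
    wantedBy = [ "network.target" ];
  };
  # addr_gen_mode=1: do not auto-generate an IPv6 link-local address on the
  # AP interface.
  boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;
  # The wifi2fw, fw2wifi and fwd-wifi chains are only populated here; they are
  # presumably declared in another module's ruleset — verify before moving
  # this file.
  networking.nftables.ruleset = ''
    # Hook ${iface} into relevant chains.
    # The catch-all log+drop rules are unrated: a chatty or hostile client can
    # flood the journal; a "limit rate" on them would cap that.
    add rule inet filter input iifname "${iface}" jump wifi2fw
    add rule inet filter input iifname "${iface}" log level warn prefix "wifi2fw: " counter drop
    add rule inet filter output oifname "${iface}" jump fw2wifi
    add rule inet filter output oifname "${iface}" log level warn prefix "fw2wifi: " counter drop

    # ${iface} firewalling
    add rule inet filter fw2wifi counter accept
    add rule inet filter forward iifname "${iface}" jump fwd-wifi

    # Allow forwarding to the internet
    add rule inet filter fwd-wifi oifname "enp5s0" counter accept

    # Allow networking services
    add rule inet filter wifi2fw udp dport 53 counter accept comment "DNS"
    add rule inet filter wifi2fw tcp dport 53 counter accept comment "DNS"
    # DHCP is UDP (RFC 2131), not TCP.
    add rule inet filter wifi2fw udp dport 67 counter accept comment "DHCP"
  '';
  # The fwd-wifi rules above only take effect if IPv4 forwarding is enabled
  # somewhere else in the configuration.
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  services.unbound.settings = {
    server = {
      # Listen on the AP address only, and answer the AP subnet only.
      interface = [ "192.168.2.1" ];
      access-control = [ "192.168.2.0/24 allow" ];
      local-zone = [
        "tracking.intl.miui.com always_refuse"
        "sourcephile.fr typetransparent"
      ];
      local-data = [
        "\"bureau1.sourcephile.fr A 192.168.2.1\""
      ];
    };
  };

  networking.wlanInterfaces.${iface} = {
    device = "phy0";
  };

  /*
  networking.networkmanager.unmanaged = [
    "interface-name:phy0"
    "interface-name:${iface}"
  ];
  */

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    logLevel = 2;
    interface = iface;
    hwMode = "g";
    ssid = "bureau1";
    wpa = true;
    # NOTE(review): this passphrase is written into the generated hostapd.conf
    # in the world-readable Nix store (the option's description warns about
    # this) and is committed to this repository. hostapd can load PSKs from a
    # root-only file via wpa_psk_file= (see the DOC link above) instead.
    wpaPassphrase = "bidonpoissonmaisonronron";
    countryCode = "FR";
    # hostapd.conf does not document trailing comments, so every comment below
    # is kept on its own line rather than after a key=value pair.
    extraConfig = ''
      # WLAN
      beacon_int=100
      # DTIM (Delivery Traffic Indication Message) period, in beacon intervals
      dtim_period=2
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # fixed channel; 0 would let hostapd pick the least interfered one (ACS)
      channel=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      # bit 0 = Open System authentication, bit 1 = Shared Key (WEP only);
      # WPA-PSK uses Open System, so 1 is the right value
      auth_algs=1
      # 0 = accept unless the station is in the deny list
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      # only relevant for EAP/802.1X, not for WPA-PSK
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };
  services.dhcpd4 = {
    enable = true;
    interfaces = [ iface ];
    extraConfig = ''
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.2.255;
      option routers 192.168.2.1;
      option domain-name-servers 192.168.2.1;
      subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
      }
    '';
  };

  #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
  /*
  # Sometimes slow connection speeds are attributed to absence of haveged.
  services.haveged.enable = true;
  */

  /*

  systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
  in {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
      ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
    '';
  };
  */
}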