1 { pkgs, lib, config, hosts, ... }:
5 environment.systemPackages = [
8 networking.interfaces.${iface} = {
9 ipv4.addresses = [ { address = "192.168.2.1"; prefixLength = 24; } ];
11 # Fix to set the address before starting dhcpd4.service
12 systemd.services."network-addresses-${iface}" = {
13 bindsTo = [ "hostapd.service"];
14 wantedBy = ["network.target"];
16 boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;
17 networking.nftables.ruleset = ''
18 # Hook ${iface} into relevant chains
19 add rule inet filter input iifname "${iface}" jump wifi2fw
20 add rule inet filter input iifname "${iface}" log level warn prefix "wifi2fw: " counter drop
21 add rule inet filter output oifname "${iface}" jump fw2wifi
22 add rule inet filter output oifname "${iface}" log level warn prefix "fw2wifi: " counter drop
24 # ${iface} firewalling
25 add rule inet filter fw2wifi counter accept
26 add rule inet filter forward iifname "${iface}" jump fwd-wifi
28 # Allow forwarding to the internet
29 add rule inet filter fwd-wifi oifname "enp5s0" counter accept
31 # Allow networking services
32 add rule inet filter wifi2fw udp dport 53 counter accept comment "DNS"
33 add rule inet filter wifi2fw tcp dport 53 counter accept comment "DNS"
34 add rule inet filter wifi2fw tcp dport 67 counter accept comment "DHCP"
36 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
38 services.unbound.settings = {
40 interface = [ "192.168.2.1" ];
41 access-control = ["192.168.2.0/24 allow"];
43 "tracking.intl.miui.com always_refuse"
44 "sourcephile.fr typetransparent"
47 "\"bureau1.sourcephile.fr A 192.168.2.1\""
52 networking.wlanInterfaces.${iface} = {
57 networking.networkmanager.unmanaged = [
59 "interface-name:${iface}"
63 # iw dev wlp4s0 station dump
64 # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
72 wpaPassphrase = "bidonpoissonmaisonronron";
77 dtim_period=2 # DTIM (delivery trafic information message)
79 # limit the frequencies used to those allowed in the country
81 # 0 means the AP will search for the channel with the least interferences (ACS)
88 auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
90 # QoS support, also required for full speed on 802.11n/ac/ax
92 eap_reauth_period=360000
99 # See Capabilities in iw list
100 ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
110 interfaces = [ iface ];
112 option subnet-mask 255.255.255.0;
113 option broadcast-address 192.168.2.255;
114 option routers 192.168.2.1;
115 option domain-name-servers 192.168.2.1;
116 subnet 192.168.2.0 netmask 255.255.255.0 {
117 range 192.168.2.100 192.168.2.200;
122 #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
124 # Sometimes slow connection speeds are attributed to absence of haveged.
125 services.haveged.enable = true;
130 systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
132 description = "iptables rules for wifi-relay";
133 after = [ "dhcpd4.service" ];
134 wantedBy = [ "multi-user.target" ];
136 ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
137 ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
138 ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT