hosts/losurdo/networking/wireless.nix

   1 { pkgs, lib, config, hosts, ... }:
   2 let
   3   iface = "wlp4s0";
   4   gateway = "enp5s0";
   5   #gateway = config.networking.defaultGateway.interface;
   6 in
   7 {
   8 environment.systemPackages = [
   9   pkgs.iw
  10 ];
  11 networking.interfaces.${iface} = {
  12   ipv4.addresses = [ { address = "192.168.2.1"; prefixLength = 24; } ];
  13 };
  14 # Not merged, even though all are 1
  15 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  16 boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;
  17 networking.nftables.ruleset = ''
  18   add chain inet filter wifi2fw
  19   add chain inet filter fw2wifi
  20   add rule inet filter input iifname "${iface}" goto wifi2fw
  21   add rule inet filter output oifname "${iface}" goto fw2wifi
  22
  23   # ${iface} firewalling
  24   add rule inet filter fw2wifi counter accept
  25
  26   # Allow forwarding to the internet
  27   add rule inet filter forward iifname "${iface}" oifname "${gateway}" counter accept
  28   add rule inet filter forward iifname "${gateway}" oifname "${iface}" counter accept
  29
  30   # Allow networking services
  31   add rule inet filter wifi2fw meta l4proto { udp, tcp } th dport 53 counter accept comment "DNS"
  32   add rule inet filter wifi2fw tcp dport 67 counter accept comment "DHCP"
  33 '';
  34
  35 services.unbound.settings = {
  36   server = {
  37     interface = [ "192.168.2.1" ];
  38     access-control = ["192.168.2.0/24 allow"];
  39     local-zone = [
  40       "tracking.intl.miui.com always_refuse"
  41       "sourcephile.fr typetransparent"
  42     ];
  43     local-data = [
  44       "\"bureau1.sourcephile.fr A 192.168.2.1\""
  45     ];
  46   };
  47 };
  48
  49 networking.wlanInterfaces.${iface} = {
  50   device = "phy0";
  51 };
  52
  53 /*
  54 networking.networkmanager.unmanaged = [
  55   "interface-name:phy0"
  56   "interface-name:${iface}"
  57 ];
  58 */
  59
  60 # iw dev wlp4s0 station dump
  61 # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  62 services.hostapd = {
  63   enable = true;
  64   logLevel = 2;
  65   interface = iface;
  66   hwMode = "g";
  67   ssid = "bureau1";
  68   wpa = true;
  69   wpaPassphrase = "bidonpoissonmaisonronron";
  70   countryCode = "FR";
  71   extraConfig = ''
  72     # WLAN
  73     beacon_int=100
  74     dtim_period=2 # DTIM (delivery trafic information message)
  75     preamble=1
  76     # limit the frequencies used to those allowed in the country
  77     ieee80211d=1
  78     # 0 means the AP will search for the channel with the least interferences (ACS)
  79     channel=1
  80
  81     # WPA2
  82     wpa_key_mgmt=WPA-PSK
  83     wpa_pairwise=CCMP
  84     rsn_pairwise=CCMP
  85     auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
  86     macaddr_acl=0
  87     # QoS support, also required for full speed on 802.11n/ac/ax
  88     wmm_enabled=1
  89     eap_reauth_period=360000
  90     wpa_group_rekey=600
  91     wpa_ptk_rekey=600
  92     wpa_gmk_rekey=86400
  93
  94     # N-WLAN
  95     ieee80211n=1
  96     # See Capabilities in iw list
  97     ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
  98     require_ht=1
  99     obss_interval=0
 100
 101     # 802.11ac support
 102     ieee80211ac=0
 103   '';
 104 };
 105 systemd.services."dhcpd4" = {
 106   after = [ "network-addresses-${iface}.service" ];
 107   requires = [
 108     "network-addresses-${iface}.service"
 109     "sys-subsystem-net-devices-${iface}.device"
 110   ];
 111 };
 112 services.dhcpd4 = {
 113   enable = true;
 114   interfaces = [ iface ];
 115   extraConfig = ''
 116     option subnet-mask 255.255.255.0;
 117     option broadcast-address 192.168.2.255;
 118     option routers 192.168.2.1;
 119     option domain-name-servers 192.168.2.1;
 120     subnet 192.168.2.0 netmask 255.255.255.0 {
 121       range 192.168.2.100 192.168.2.200;
 122     }
 123   '';
 124 };
 125
 126 #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
 127 /*
 128 # Sometimes slow connection speeds are attributed to absence of haveged.
 129 services.haveged.enable = true;
 130 */
 131
 132 /*
 133
 134 systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
 135 in {
 136   description = "iptables rules for wifi-relay";
 137   after = [ "dhcpd4.service" ];
 138   wantedBy = [ "multi-user.target" ];
 139   script = ''
 140     ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
 141     ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
 142     ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
 143   '';
 144 };
 145 */
 146 }