]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/networking/wireless.nix
losurdo: gitolite: update
[sourcephile-nix.git] / hosts / losurdo / networking / wireless.nix
1 { pkgs, lib, config, hosts, ... }:
2 let
3 iface = "wlp4s0";
4 gateway = "enp5s0";
5 #gateway = config.networking.defaultGateway.interface;
6 in
7 {
8 environment.systemPackages = [
9 pkgs.iw
10 ];
11 networking.interfaces.${iface} = {
12 ipv4.addresses = [ { address = "192.168.2.1"; prefixLength = 24; } ];
13 };
14 # Not merged, even though all are 1
15 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
16 boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;
17 networking.nftables.ruleset = ''
18 add chain inet filter wifi2fw
19 add chain inet filter fw2wifi
20 add rule inet filter input iifname "${iface}" goto wifi2fw
21 add rule inet filter output oifname "${iface}" goto fw2wifi
22
23 # ${iface} firewalling
24 add rule inet filter fw2wifi counter accept
25
26 # Allow forwarding to the internet
27 add rule inet filter forward iifname "${iface}" oifname "${gateway}" counter accept
28 add rule inet filter forward iifname "${gateway}" oifname "${iface}" counter accept
29
30 # Allow networking services
31 add rule inet filter wifi2fw meta l4proto { udp, tcp } th dport 53 counter accept comment "DNS"
32 add rule inet filter wifi2fw tcp dport 67 counter accept comment "DHCP"
33 '';
34
35 services.unbound.settings = {
36 server = {
37 interface = [ "192.168.2.1" ];
38 access-control = ["192.168.2.0/24 allow"];
39 local-zone = [
40 "tracking.intl.miui.com always_refuse"
41 "sourcephile.fr typetransparent"
42 ];
43 local-data = [
44 "\"bureau1.sourcephile.fr A 192.168.2.1\""
45 ];
46 };
47 };
48
49 networking.wlanInterfaces.${iface} = {
50 device = "phy0";
51 };
52
53 /*
54 networking.networkmanager.unmanaged = [
55 "interface-name:phy0"
56 "interface-name:${iface}"
57 ];
58 */
59
60 # iw dev wlp4s0 station dump
61 # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
62 services.hostapd = {
63 enable = true;
64 logLevel = 2;
65 interface = iface;
66 hwMode = "g";
67 ssid = "bureau1";
68 wpa = true;
69 wpaPassphrase = "bidonpoissonmaisonronron";
70 countryCode = "FR";
71 extraConfig = ''
72 # WLAN
73 beacon_int=100
74 dtim_period=2 # DTIM (delivery trafic information message)
75 preamble=1
76 # limit the frequencies used to those allowed in the country
77 ieee80211d=1
78 # 0 means the AP will search for the channel with the least interferences (ACS)
79 channel=1
80
81 # WPA2
82 wpa_key_mgmt=WPA-PSK
83 wpa_pairwise=CCMP
84 rsn_pairwise=CCMP
85 auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
86 macaddr_acl=0
87 # QoS support, also required for full speed on 802.11n/ac/ax
88 wmm_enabled=1
89 eap_reauth_period=360000
90 wpa_group_rekey=600
91 wpa_ptk_rekey=600
92 wpa_gmk_rekey=86400
93
94 # N-WLAN
95 ieee80211n=1
96 # See Capabilities in iw list
97 ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
98 require_ht=1
99 obss_interval=0
100
101 # 802.11ac support
102 ieee80211ac=0
103 '';
104 };
105 systemd.services."dhcpd4" = {
106 after = [ "network-addresses-${iface}.service" ];
107 requires = [
108 "network-addresses-${iface}.service"
109 "sys-subsystem-net-devices-${iface}.device"
110 ];
111 };
112 services.dhcpd4 = {
113 enable = true;
114 interfaces = [ iface ];
115 extraConfig = ''
116 option subnet-mask 255.255.255.0;
117 option broadcast-address 192.168.2.255;
118 option routers 192.168.2.1;
119 option domain-name-servers 192.168.2.1;
120 subnet 192.168.2.0 netmask 255.255.255.0 {
121 range 192.168.2.100 192.168.2.200;
122 }
123 '';
124 };
125
126 #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
127 /*
128 # Sometimes slow connection speeds are attributed to absence of haveged.
129 services.haveged.enable = true;
130 */
131
132 /*
133
134 systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
135 in {
136 description = "iptables rules for wifi-relay";
137 after = [ "dhcpd4.service" ];
138 wantedBy = [ "multi-user.target" ];
139 script = ''
140 ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
141 ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
142 ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
143 '';
144 };
145 */
146 }