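{ pkgs, ... }:
let
  # Wireless NIC this host runs as an access point (see `iw dev` / `iw list`).
  wifiIface = "wlp4s0";
  # First three octets of the wireless LAN; this host takes .1 on it and
  # serves DHCP and DNS from that address.
  wifiIPv4 = "192.168.2";
  # Upstream interface the wireless LAN is forwarded to. `config` is not
  # among this module's arguments, hence the literal instead of the
  # commented-out expression.
  gwIface = "enp5s0";
  #gwIface = config.networking.defaultGateway.interface;
in
{
  systemd.network.networks = {
    "10-${wifiIface}" = {
      name = wifiIface;
      networkConfig = {
        Address = "${wifiIPv4}.1/24";
        DHCPServer = true;
        IPv6PrivacyExtensions = true;
        # Required to route wireless clients out via the upstream link;
        # what may actually be forwarded is decided by the nftables
        # `forward` chain below.
        IPForward = true;
      };
      dhcpServerConfig = {
        # Advertise this host (unbound, configured below) as the resolver.
        DNS = "${wifiIPv4}.1";
        EmitDNS = true;
        # Leases are handed out from ${wifiIPv4}.100 to ${wifiIPv4}.119.
        PoolOffset = 100;
        PoolSize = 20;
      };
      linkConfig = {
        # Do not hold network-online.target on the AP link.
        RequiredForOnline = "no";
      };
    };
  };
  environment.systemPackages = [
    pkgs.iw
  ];
  # Fragment merged into the system-wide ruleset: the base chains and
  # their default policies are expected to be declared elsewhere.
  networking.nftables.ruleset = ''
    table inet filter {
      # Services this host offers to wireless clients.
      chain input-lan {
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        # DHCP is carried over UDP (bootps/67); the former `tcp dport bootps`
        # could never match a DHCP request.
        udp dport bootps counter accept comment "DHCP"
      }
      chain input {
        iifname ${wifiIface} goto input-lan
      }
      chain output-lan {
        counter accept
      }
      chain output {
        oifname ${wifiIface} goto output-lan
      }
      # Routing between the wireless LAN and the upstream link.
      # NOTE(review): the ${gwIface} -> ${wifiIface} rule accepts every
      # packet, not only replies (no `ct state established,related`), so
      # anything reachable via ${gwIface} may open connections to wireless
      # clients. Tighten it if that is not intended.
      # No masquerading is configured here: either the upstream network
      # routes ${wifiIPv4}.0/24 back to this host, or a nat table lives in
      # another fragment.
      chain forward {
        iifname ${wifiIface} oifname ${gwIface} counter accept
        iifname ${gwIface} oifname ${wifiIface} counter accept
      }
    }
  '';

  services.unbound.settings = {
    server = {
      # Bind only to the wireless address and answer only that subnet, so
      # the resolver is not exposed towards the upstream link.
      interface = [ "${wifiIPv4}.1" ];
      access-control = [ "${wifiIPv4}.0/24 allow" ];
      local-zone = [
        "sourcephile.fr typetransparent"
        # Refuse lookups of this MIUI tracking host for wireless clients.
        "tracking.intl.miui.com always_refuse"
      ];
      local-data = [
        "\"bureau1.sourcephile.fr A ${wifiIPv4}.1\""
      ];
    };
  };

  # Keep NetworkManager away from the AP interface; hostapd and
  # systemd-networkd own it.
  networking.networkmanager.unmanaged = [
    wifiIface
  ];

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    radios = {
      ${wifiIface} = {
        band = "2g";
        countryCode = "FR";
        networks.${wifiIface} = {
          ssid = "bureau1";
          authentication = {
            # FIXME: use wpa3-sae
            mode = "wpa2-sha256";
            # FIXME: use wpaPasswordFile or saePasswordsFile.
            # SECURITY: a literal here is committed to this repository and
            # copied into the generated hostapd.conf in the world-readable
            # Nix store; rotate it once it is moved to a secrets file.
            wpaPassword = "bidonpoissonmaisonronron";
          };
          logLevel = 2;
        };
        settings = {
          # Disassociate stations that stop acknowledging frames.
          disassoc_low_ack = true;
        };
        wifi4 = {
          enable = true;
          # HT capabilities advertised by this radio (see `iw list`).
          capabilities = [
            "DSSS_CCK-40"
            "HT40+"
            "MAX-AMSDU-7935"
            "SHORT-GI-40"
          ];
          # Still accept non-HT (legacy) stations.
          require = false;
        };
      };
    };
    /*
    # Former raw hostapd configuration, superseded by the structured
    # options above; kept for reference.
    extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery traffic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
    */
  };

  /*
  # Sometimes slow connection speeds are attributed to absence of haveged.
  services.haveged.enable = true;
  */

  /*
  # Former iptables-based relay; superseded by the nftables `forward`
  # chain above. Note the interface names (wlan-ap0, wlan-station0) no
  # longer match ${wifiIface}.
  systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
  in {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
      ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s ${wifiIPv4}.0/24 ! -o wlan-ap0 -j MASQUERADE
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s ${wifiIPv4}.0/24 -j ACCEPT
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d ${wifiIPv4}.0/24 -j ACCEPT
    '';
  };
  */
}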