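{ pkgs, lib, config, hosts, ... }:
# Wi-Fi access point on losurdo for the 192.168.2.0/24 segment: hostapd
# provides the network, dhcpd4 hands out leases and unbound answers DNS for
# the clients. Traffic on the interface is hooked into the nftables chains
# wifi2fw / fw2wifi / fwd-wifi, which are expected to be declared elsewhere
# in the host configuration (they are only populated here).
let
  iface = "wlp4s0";
  # Address of this host on the Wi-Fi segment. It is also the gateway, DNS
  # and DHCP server address handed to clients, so every service below binds
  # to it.
  apAddress = "192.168.2.1";
in
{
  environment.systemPackages = [
    pkgs.iw
  ];

  networking.interfaces.${iface} = {
    ipv4.addresses = [ { address = apAddress; prefixLength = 24; } ];
  };
  # Workaround: the static address has to be configured before
  # dhcpd4.service starts.
  systemd.services."network-addresses-${iface}" = {
    before = [ "network.target" ];
    wantedBy = [ "network.target" ];
  };
  # addr_gen_mode 1: do not auto-generate an IPv6 link-local address on the
  # AP interface.
  boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;

  networking.nftables.ruleset = ''
    # Hook ${iface} into the relevant chains; whatever the per-interface
    # chains do not accept is logged and dropped.
    add rule inet filter input iifname "${iface}" jump wifi2fw
    add rule inet filter input iifname "${iface}" log level warn prefix "wifi2fw: " counter drop
    add rule inet filter output oifname "${iface}" jump fw2wifi
    add rule inet filter output oifname "${iface}" log level warn prefix "fw2wifi: " counter drop

    # ${iface} firewalling
    add rule inet filter fw2wifi counter accept
    add rule inet filter forward iifname "${iface}" jump fwd-wifi

    # Allow forwarding to the internet
    # (only effective once net.ipv4.ip_forward is enabled, see below)
    add rule inet filter fwd-wifi oifname "enp5s0" counter accept

    # Allow the networking services offered to the Wi-Fi clients
    add rule inet filter wifi2fw udp dport 53 counter accept comment "DNS"
    add rule inet filter wifi2fw tcp dport 53 counter accept comment "DNS"
    # DHCP requests arrive over UDP (server port 67), never over TCP.
    add rule inet filter wifi2fw udp dport 67 counter accept comment "DHCP"
  '';
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  services.unbound.settings = {
    server = {
      # Listen on the Wi-Fi segment only and answer only its clients.
      interface = [ apAddress ];
      access-control = [ "192.168.2.0/24 allow" ];
      local-zone = [
        # Refuse a known tracking domain outright.
        "tracking.intl.miui.com always_refuse"
        # typetransparent: only the records listed in local-data are
        # overridden, everything else under the zone resolves normally.
        "sourcephile.fr typetransparent"
      ];
      local-data = [
        "\"bureau1.sourcephile.fr A ${apAddress}\""
      ];
    };
  };

  networking.wlanInterfaces.${iface} = {
    device = "phy0";
  };

  /*
  networking.networkmanager.unmanaged = [
    "interface-name:phy0"
    "interface-name:${iface}"
  ];
  */

  services.hostapd = {
    enable = true;
    logLevel = 3;
    interface = iface;
    hwMode = "g";
    ssid = "bureau1";
    wpa = true;
    # SECURITY(review): the generated hostapd.conf lives in the Nix store, so
    # this passphrase is world-readable on the host (and it is committed to
    # this repository). Consider hostapd's `wpa_psk_file` pointing at a
    # root-only file outside the store, set through extraConfig, and rotate
    # the passphrase once it is moved.
    wpaPassphrase = "bidonpoissonmaisonronron";
    countryCode = "FR";
    extraConfig = ''
    '';
  };
  services.dhcpd4 = {
    enable = true;
    interfaces = [ iface ];
    # Leases 192.168.2.100-200; this host is gateway and resolver.
    extraConfig = ''
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.2.255;
      option routers ${apAddress};
      option domain-name-servers ${apAddress};
      subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
      }
    '';
  };

  #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
  /*
  # Sometimes slow connection speeds are attributed to absence of haveged.
  services.haveged.enable = true;
  */

  /*

  systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
  in {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
      ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
    '';
  };
  */
}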