losurdo: hostapd: fix missing channel
[sourcephile-nix.git] / hosts / losurdo / networking / wireless.nix
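# Wi-Fi access point for this host: static address and DHCP server on the
# wireless interface (systemd-networkd), nftables rules for the wireless LAN,
# an unbound listener for its clients, and hostapd for the radio itself.
{ pkgs, ... }:
let
  wifiIface = "wlp4s0";
  # First three octets of the /24 served on the wireless interface.
  wifiIPv4 = "192.168.2";
  gwIface = "enp5s0";
in
#gwIface = config.networking.defaultGateway.interface;
{
  systemd.network.networks = {
    "10-${wifiIface}" = {
      name = wifiIface;
      networkConfig = {
        Address = "${wifiIPv4}.1/24";
        DHCPServer = true;
        IPv6PrivacyExtensions = true;
        IPv4Forwarding = true;
        #IPv6Forwarding = true;
      };
      dhcpServerConfig = {
        # Clients are pointed at the unbound instance configured below.
        DNS = "${wifiIPv4}.1";
        EmitDNS = true;
        PoolOffset = 100;
        PoolSize = 20;
      };
      linkConfig = {
        RequiredForOnline = "no";
      };
    };
  };
  environment.systemPackages = [
    pkgs.iw
  ];
  # Rules for traffic on the wireless LAN. The input, output and forward
  # chains carry no hook declaration here, so they are presumably declared
  # (with their policies) elsewhere in the configuration -- confirm.
  #
  # DHCP is carried over UDP: the bootps rule has to match udp, a tcp match
  # never sees a DHCP request.
  #
  # NOTE(review): the second forward rule accepts every packet arriving on
  # gwIface for the wireless interface, not only replies to connections opened
  # by wireless clients. If unsolicited inbound access to those clients is not
  # intended, restrict it with `ct state established,related`.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-lan {
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        udp dport bootps counter accept comment "DHCP"
      }
      chain input {
        iifname ${wifiIface} goto input-lan
      }
      chain output-lan {
        counter accept
      }
      chain output {
        oifname ${wifiIface} goto output-lan
      }
      chain forward {
        iifname ${wifiIface} oifname ${gwIface} counter accept
        iifname ${gwIface} oifname ${wifiIface} counter accept
      }
    }
  '';

  services.unbound.settings = {
    server = {
      interface = [ "${wifiIPv4}.1" ];
      # Only the wireless subnet may query this listener.
      access-control = [ "${wifiIPv4}.0/24 allow" ];
      local-zone = [
        "sourcephile.fr typetransparent"
        "tracking.intl.miui.com always_refuse"
      ];
      local-data = [
        "\"bureau1.sourcephile.fr A ${wifiIPv4}.1\""
      ];
    };
  };

  # hostapd drives the interface; keep NetworkManager away from it.
  networking.networkmanager.unmanaged = [
    wifiIface
  ];

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    radios = {
      ${wifiIface} = {
        band = "2g";
        channel = 1;
        countryCode = "FR";
        networks.${wifiIface} = {
          ssid = "bureau1";
          authentication = {
            # FIXME: use wpa3-sae
            mode = "wpa2-sha256";
            # FIXME: use wpaPasswordFile or saePasswordsFile
            # SECURITY: an inline wpaPassword is committed with this file and
            # copied into the world-readable Nix store, so every local user and
            # every reader of the repository can recover the passphrase. Treat
            # the value below as disclosed: rotate it when moving to
            # wpaPasswordFile, and keep the new file outside the store.
            wpaPassword = "bidonpoissonmaisonronron";
          };
          logLevel = 2;
        };
        settings = {
          disassoc_low_ack = true;
        };
        wifi4 = {
          enable = true;
          capabilities = [
            "DSSS_CCK-40"
            "HT40+"
            "MAX-AMSDU-7935"
            "SHORT-GI-40"
          ];
          require = false;
        };
      };
    };
    /*
      extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery traffic indication message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
      '';
    */
  };

  /*
    # Sometimes slow connection speeds are attributed to absence of haveged.
    services.haveged.enable = true;
  */

  /*
    systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
    in {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
    ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s ${wifiIPv4}.0/24 ! -o wlan-ap0 -j MASQUERADE
    ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s ${wifiIPv4}.0/24 -j ACCEPT
    ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d ${wifiIPv4}.0/24 -j ACCEPT
    '';
    };
  */
}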