{ pkgs, ... }:
# NixOS module turning `wlp4s0` into a 2.4 GHz Wi-Fi access point:
# static address + DHCP server (systemd-networkd), a DNS resolver for the
# AP clients (unbound), nftables rules restricting what the AP side may
# reach on this host, IPv4 forwarding towards `enp5s0`, and hostapd itself.
let
  # Interface driven by hostapd. Also used as the systemd-networkd unit
  # name suffix, the nftables match and the NetworkManager exclusion below.
  wifiIface = "wlp4s0";
  # First three octets of the AP subnet; ".1" is this host, ".0/24" the LAN.
  wifiIPv4 = "192.168.2";
  # Upstream interface that AP traffic is forwarded to/from. Hard-coded;
  # the commented alternative would derive it from the default gateway
  # (needs `config` in the module arguments).
  gwIface = "enp5s0";
  #gwIface = config.networking.defaultGateway.interface;
in
{
  systemd.network.networks = {
    "10-${wifiIface}" = {
      name = wifiIface;
      networkConfig = {
        Address = "${wifiIPv4}.1/24";
        DHCPServer = true;
        IPv6PrivacyExtensions = true;
        # Per-interface forwarding knob; only IPv4 is enabled, IPv6 stays
        # commented out. NOTE(review): this key only exists in recent
        # systemd-networkd releases — confirm the deployed version knows it.
        IPv4Forwarding = true;
        #IPv6Forwarding = true;
      };
      dhcpServerConfig = {
        # Advertise this host (where unbound listens) as the resolver.
        DNS = "${wifiIPv4}.1";
        EmitDNS = true;
        # Leases handed out from offset 100, 20 addresses wide.
        PoolOffset = 100;
        PoolSize = 20;
      };
      linkConfig = {
        # Boot must not wait for the AP link to come up.
        RequiredForOnline = "no";
      };
    };
  };
  # `iw` is handy for inspecting the radio (see the station dump hint below).
  environment.systemPackages = [ pkgs.iw ];
  # NOTE(review): `input`, `output` and `forward` carry no `type ... hook`
  # line, so as written they are regular chains; this only filters traffic
  # if base chains of the same names are declared elsewhere in the merged
  # ruleset (nftables appends to an existing chain on redeclaration) —
  # confirm against the rest of the configuration.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-lan {
        # AP clients may only reach the local resolver and DHCP server.
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        tcp dport bootps counter accept comment "DHCP"
      }
      chain input {
        iifname ${wifiIface} goto input-lan
      }
      chain output-lan {
        counter accept
      }
      chain output {
        oifname ${wifiIface} goto output-lan
      }
      chain forward {
        # Stateless accept in both directions between the AP and the
        # uplink. The second rule also lets unsolicited traffic from the
        # uplink side reach AP clients; restricting it to
        # `ct state established,related` would keep the AP LAN
        # client-initiated only. No masquerading is set up here (the
        # disabled iptables relay below did MASQUERADE), so the uplink
        # must route ${wifiIPv4}.0/24 back or NAT must live elsewhere.
        iifname ${wifiIface} oifname ${gwIface} counter accept
        iifname ${gwIface} oifname ${wifiIface} counter accept
      }
    }
  '';
  services.unbound.settings = {
    server = {
      # Listen only on the AP address and answer only the AP subnet.
      interface = [ "${wifiIPv4}.1" ];
      access-control = [ "${wifiIPv4}.0/24 allow" ];
      local-zone = [
        # Serve the local-data below while resolving the rest upstream.
        "sourcephile.fr typetransparent"
        # Refuse queries for this tracking host.
        "tracking.intl.miui.com always_refuse"
      ];
      # unbound wants the RR quoted, hence the escaped quotes.
      local-data = [ "\"bureau1.sourcephile.fr A ${wifiIPv4}.1\"" ];
    };
  };
  # Keep NetworkManager away from the AP interface; networkd owns it.
  networking.networkmanager.unmanaged = [ wifiIface ];
  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    radios = {
      ${wifiIface} = {
        band = "2g";
        countryCode = "FR";
        networks.${wifiIface} = {
          ssid = "bureau1";
          authentication = {
            # FIXME: use wpa3-sae
            mode = "wpa2-sha256";
            # FIXME: use wpaPasswordFile or saePasswordsFile
            # The inline passphrase ends up in the world-readable Nix store
            # (and in this file in version control); the *File options
            # read it at service start from a path outside the store.
            wpaPassword = "bidonpoissonmaisonronron";
          };
          logLevel = 2;
        };
        settings = {
          # Raw hostapd.conf key: drop stations whose frames keep failing.
          disassoc_low_ack = true;
        };
        wifi4 = {
          enable = true;
          # Same HT capabilities as the old ht_capab line below.
          capabilities = [
            "DSSS_CCK-40"
            "HT40+"
            "MAX-AMSDU-7935"
            "SHORT-GI-40"
          ];
          # Non-HT clients are still allowed (the old config had
          # require_ht=1).
          require = false;
        };
      };
    };
    /*
    # Previous raw hostapd configuration, kept for reference; the radio,
    # network and wifi4 options above replace it.
    extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery trafic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1
      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400
      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0
      # 802.11ac support
      ieee80211ac=0
    '';
    */
  };
  /*
  # Sometimes slow connection speeds are attributed to absence of haveged.
  services.haveged.enable = true;
  */
  /*
  # Earlier iptables-based relay (disabled); the nftables ruleset above is
  # the live equivalent, minus the MASQUERADE rule.
  systemd.services.wifi-relay =
    let inherit (pkgs) iptables gnugrep;
    in {
      description = "iptables rules for wifi-relay";
      after = [ "dhcpd4.service" ];
      wantedBy = [ "multi-user.target" ];
      script = ''
        ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s ${wifiIPv4}.0/24 ! -o wlan-ap0 -j MASQUERADE
        ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s ${wifiIPv4}.0/24 -j ACCEPT
        ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d ${wifiIPv4}.0/24 -j ACCEPT
      '';
    };
  */
}