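{ pkgs, lib, config, hosts, ... }:
let
  # Wireless interface that hostapd turns into an access point ("bureau1").
  # The static address, nftables hooks, unbound, dhcpd and hostapd below all
  # refer to this one interface.
  iface = "wlp4s0";
in
{
  # `iw` is only a debugging aid (e.g. `iw dev wlp4s0 station dump`).
  environment.systemPackages = [ pkgs.iw ];

  # Static address of this host on the AP subnet; it is the gateway and the
  # DNS server handed out to clients by dhcpd below.
  networking.interfaces.${iface} = {
    ipv4.addresses = [
      { address = "192.168.2.1"; prefixLength = 24; }
    ];
  };

  # Fix to set the address before starting dhcpd4.service, and tie the address
  # unit to hostapd: the interface is only usable as an AP while hostapd runs.
  systemd.services."network-addresses-${iface}" = {
    bindsTo = [ "hostapd.service" ];
    wantedBy = [ "network.target" ];
  };

  # addr_gen_mode=1: do not auto-generate an IPv6 link-local address on the AP
  # interface (everything served to clients in this module is IPv4-only).
  boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;

  # Firewalling for the AP interface. Wireless clients are treated as
  # untrusted: only DNS and DHCP towards this host are accepted, everything
  # else is logged and dropped. The chains wifi2fw, fw2wifi and fwd-wifi are
  # not created here; presumably they are declared elsewhere in the ruleset
  # (verify, otherwise the `jump`s fail to load).
  networking.nftables.ruleset = ''
    # Hook ${iface} into relevant chains
    add rule inet filter input iifname "${iface}" jump wifi2fw
    # Rate-limit the log line so that a misbehaving client cannot flood the
    # journal; packets over the limit skip the log rule but still hit the drop.
    add rule inet filter input iifname "${iface}" limit rate 5/minute burst 10 packets log level warn prefix "wifi2fw: "
    add rule inet filter input iifname "${iface}" counter drop
    add rule inet filter output oifname "${iface}" jump fw2wifi
    add rule inet filter output oifname "${iface}" log level warn prefix "fw2wifi: " counter drop

    # ${iface} firewalling
    add rule inet filter fw2wifi counter accept
    add rule inet filter forward iifname "${iface}" jump fwd-wifi

    # Allow forwarding to the internet, but only for packets whose source
    # really is the AP subnet (egress anti-spoofing). IPv6 does not match this
    # rule and falls through to the forward chain's default.
    # NOTE(review): forwarding also needs net.ipv4.ip_forward=1 (commented out
    # below) and a masquerade rule; neither is set in this file, so they must
    # come from elsewhere or this rule has no effect.
    add rule inet filter fwd-wifi ip saddr 192.168.2.0/24 oifname "enp5s0" counter accept

    # Allow networking services offered by this host to the clients
    add rule inet filter wifi2fw udp dport 53 counter accept comment "DNS"
    add rule inet filter wifi2fw tcp dport 53 counter accept comment "DNS"
    # DHCP runs over UDP (client port 68 -> server port 67), not TCP.
    add rule inet filter wifi2fw udp dport 67 counter accept comment "DHCP"
  '';
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # Local resolver for the AP clients: listens only on the AP address and only
  # answers the AP subnet.
  services.unbound.settings = {
    server = {
      interface = [ "192.168.2.1" ];
      access-control = [ "192.168.2.0/24 allow" ];
      local-zone = [
        "tracking.intl.miui.com always_refuse"
        "sourcephile.fr typetransparent"
      ];
      local-data = [ "\"bureau1.sourcephile.fr A 192.168.2.1\"" ];
    };
  };

  networking.wlanInterfaces.${iface} = { device = "phy0"; };
  /*
  networking.networkmanager.unmanaged = [ "interface-name:phy0" "interface-name:${iface}" ];
  */

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  services.hostapd = {
    enable = true;
    logLevel = 2;
    interface = iface;
    hwMode = "g";
    ssid = "bureau1";
    wpa = true;
    # SECURITY(review): this passphrase is written into the generated
    # hostapd.conf, which lives in the world-readable Nix store, and it is
    # committed in this file. Prefer keeping the PSK in a root-only file
    # outside the store (a password-file option on NixOS releases that have
    # one, or `wpa_psk_file=` in extraConfig) and rotate this PSK once it has
    # been committed anywhere.
    wpaPassphrase = "bidonpoissonmaisonronron";
    countryCode = "FR";
    extraConfig = ''
      # WLAN
      beacon_int=100
      # DTIM (Delivery Traffic Indication Message) period, in beacon intervals
      dtim_period=2
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # 0 means the AP will search for the channel with the least interference (ACS)
      channel=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      # wpa_pairwise only matters if WPA(1) is enabled; rsn_pairwise is the
      # WPA2 cipher. CCMP only, no TKIP.
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      # Bit field: 1=Open System, 2=Shared Key (WEP), 3=both.
      # WPA2-PSK requires Open System authentication only.
      auth_algs=1
      # 0 = accept every station unless it is in the deny list (no MAC ACL)
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      # Only relevant for EAP (802.1X) networks; harmless with WPA-PSK.
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400
      # TODO(review): consider ieee80211w=1 (802.11w / PMF) so that
      # deauthentication frames must be protected; check client support first.

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };

  # DHCP for the AP clients: hands out this host as router and DNS server.
  services.dhcpd4 = {
    enable = true;
    interfaces = [ iface ];
    extraConfig = ''
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.2.255;
      option routers 192.168.2.1;
      option domain-name-servers 192.168.2.1;
      subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
      }
    '';
  };
  #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP

  /*
  # Sometimes slow connection speeds are attributed to absence of haveged.
  services.haveged.enable = true;
  */
  /*
  systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep; in {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
      ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
      ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
    '';
  };
  */
}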