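# NixOS module turning this host into a small Wi-Fi access point / router:
# hostapd on the WLAN interface, unbound as the LAN resolver, and an nftables
# ruleset that lets the LAN reach DNS/DHCP on the host and be forwarded to the
# uplink interface.  DHCP itself (dhcpd4) is currently commented out below.
{ pkgs, ... }:
let
  # Interface that hostapd turns into the access point (LAN side).
  wifiIface = "wlp4s0";
  # Uplink interface that LAN traffic is forwarded to.
  gwIface = "enp5s0";
  # Deriving it from the default gateway would need `config` in the module
  # arguments above (only `pkgs` is taken today).
  #gwIface = config.networking.defaultGateway.interface;
in
{
  environment.systemPackages = [ pkgs.iw ];

  # Static address of the AP on the LAN; also the DNS/DHCP server address.
  networking.interfaces.${wifiIface} = {
    ipv4.addresses = [{
      address = "192.168.2.1";
      prefixLength = 24;
    }];
  };

  # Not merged, even though all are 1
  # Presumably ip_forward is enabled elsewhere in the configuration; without
  # it the kernel never reaches the `forward` chain declared below.
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  # addr_gen_mode 1: do not auto-generate an IPv6 link-local address on the
  # AP interface.
  boot.kernel.sysctl."net.ipv6.conf.${wifiIface}.addr_gen_mode" = 1;

  # NOTE(review): the `input`/`output`/`forward` chains below carry no
  # `type filter hook ... priority ...` line, so they are regular chains and
  # only take effect if another part of the configuration declares the base
  # chains of `table inet filter` — confirm.  Likewise no NAT/masquerade rule
  # for 192.168.2.0/24 towards ${gwIface} appears here (the old iptables
  # MASQUERADE below is commented out); presumably NAT lives elsewhere.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-lan {
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        udp dport bootps counter accept comment "DHCP"
      }
      chain input {
        iifname ${wifiIface} goto input-lan
      }
      chain output-lan {
        counter accept
      }
      chain output {
        oifname ${wifiIface} goto output-lan
      }
      chain forward {
        iifname ${wifiIface} oifname ${gwIface} counter accept
        iifname ${gwIface} oifname ${wifiIface} counter accept
      }
    }
  '';

  # Local resolver: listens only on the LAN address and answers only the LAN.
  services.unbound.settings = {
    server = {
      interface = [ "192.168.2.1" ];
      access-control = [ "192.168.2.0/24 allow" ];
      local-zone = [
        "tracking.intl.miui.com always_refuse"
        "sourcephile.fr typetransparent"
      ];
      local-data = [ "\"bureau1.sourcephile.fr A 192.168.2.1\"" ];
    };
  };

  networking.wlanInterfaces.${wifiIface} = { device = "phy0"; };
  # Keep NetworkManager's hands off the AP interface.
  networking.networkmanager.unmanaged = [ wifiIface ];

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  # NOTE(review): `interface`/`hwMode`/`ssid`/`wpa`/`countryCode`/`extraConfig`
  # and the `radios.*` tree are two different generations of the hostapd
  # module's option schema; depending on the NixOS release in use one of the
  # two sets is rejected — confirm against the module being evaluated.
  services.hostapd = {
    enable = true;
    interface = wifiIface;
    hwMode = "g";
    ssid = "bureau1";
    wpa = true;
    radios = {
      ${wifiIface} = {
        # countryCode = "US";
        networks.${wifiIface} = {
          ssid = "bureau1";
          authentication = {
            # FIXME: use wpa3-sae
            mode = "wpa2-sha256";
            # FIXME: use wpaPasswordFile or saePasswordsFile
            # A passphrase literal here is copied into the world-readable Nix
            # store (and into the history of this file); a *File option keeps
            # it out of both.
            wpaPassword = "bidonpoissonmaisonronron";
            # NOTE(review): `logLevel` and `band` look misplaced under
            # `authentication`; confirm where the module expects them.
            logLevel = 2;
            band = "g";
          };
        };
      };
    };
    countryCode = "FR";
    # Raw hostapd.conf lines.  hostapd does not strip trailing `# ...` text
    # from a `key=value` line, so comments are kept on lines of their own.
    extraConfig = ''
      # WLAN
      beacon_int=100
      # DTIM (delivery trafic information message)
      dtim_period=2
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      # bit0=Open System, bit1=Shared Key (WEP only); WPA2-PSK uses Open System
      auth_algs=1
      macaddr_acl=0

      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1

      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };

  /*
  systemd.services.dhcpd4 = {
    after = [ "network-addresses-${wifiIface}.service" ];
    requires = [
      "network-addresses-${wifiIface}.service"
      "sys-subsystem-net-devices-${wifiIface}.device"
    ];
    unitConfig.StartLimitIntervalSec = 0;
    serviceConfig.RestartSec = 5;
  };
  services.dhcpd4 = {
    enable = true;
    interfaces = [ wifiIface ];
    extraConfig = ''
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.2.255;
      option routers 192.168.2.1;
      option domain-name-servers 192.168.2.1;
      subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
      }
    '';
  };
  */

  #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP

  /*
  # Sometimes slow connection speeds are attributed to absence of haveged.
  services.haveged.enable = true;
  */

  /*
  systemd.services.wifi-relay =
    let inherit (pkgs) iptables gnugrep;
    in {
      description = "iptables rules for wifi-relay";
      after = [ "dhcpd4.service" ];
      wantedBy = [ "multi-user.target" ];
      script = ''
        ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
        ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
        ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
      '';
    };
  */
}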