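# Wi-Fi access point on `wifiIface` whose clients are forwarded to the
# upstream `gwIface`: a static LAN address on the AP, hostapd, a local
# unbound resolver, and the nftables rules that admit DNS/DHCP from the
# LAN and forward traffic between the two interfaces.
{ pkgs, ... }:
let
  wifiIface = "wlp4s0";
  gwIface = "enp5s0";
  #gwIface = config.networking.defaultGateway.interface;
in
{
  environment.systemPackages = [
    pkgs.iw
  ];
  # The AP holds the LAN's fixed address; unbound listens on it below.
  networking.interfaces.${wifiIface} = {
    ipv4.addresses = [{ address = "192.168.2.1"; prefixLength = 24; }];
  };
  # Not merged, even though all are 1
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  # NOTE(review): ip_forward is not set in this module, so the forward
  # chain below only has an effect if forwarding is enabled elsewhere —
  # confirm.
  # addr_gen_mode=1: the kernel does not auto-generate an IPv6 link-local
  # address on the AP interface.
  boot.kernel.sysctl."net.ipv6.conf.${wifiIface}.addr_gen_mode" = 1;
  # Rules appended to `table inet filter`. None of the chains below
  # declares a hook, so input/output/forward presumably extend base chains
  # of the same name defined in another module — confirm.
  # Inbound from the LAN is limited to DNS and DHCP (DHCP is UDP/67, hence
  # `udp dport bootps`; a tcp match would never see DHCP traffic).
  # NOTE(review): the gwIface -> wifiIface forward rule carries no
  # `ct state established,related` restriction, so anything on the
  # gateway side with a route to 192.168.2.0/24 can reach LAN clients
  # unsolicited. No NAT is configured here either (the iptables masquerade
  # at the bottom is commented out), so LAN traffic is forwarded upstream
  # with its 192.168.2.x source addresses unchanged — presumably handled
  # upstream or in another module; verify.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-lan {
        meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
        udp dport bootps counter accept comment "DHCP"
      }
      chain input {
        iifname ${wifiIface} goto input-lan
      }
      chain output-lan {
        counter accept
      }
      chain output {
        oifname ${wifiIface} goto output-lan
      }
      chain forward {
        iifname ${wifiIface} oifname ${gwIface} counter accept
        iifname ${gwIface} oifname ${wifiIface} counter accept
      }
    }
  '';

  # Resolver for the LAN only: bound to the AP address and answering
  # 192.168.2.0/24. `local-zone`/`local-data` refuse one tracking host and
  # make the AP's own name resolve to 192.168.2.1.
  services.unbound.settings = {
    server = {
      interface = [ "192.168.2.1" ];
      access-control = [ "192.168.2.0/24 allow" ];
      local-zone = [
        "tracking.intl.miui.com always_refuse"
        "sourcephile.fr typetransparent"
      ];
      local-data = [
        "\"bureau1.sourcephile.fr A 192.168.2.1\""
      ];
    };
  };

  networking.wlanInterfaces.${wifiIface} = {
    device = "phy0";
  };

  # Keep NetworkManager off the AP interface; it is configured statically
  # above.
  networking.networkmanager.unmanaged = [
    wifiIface
  ];

  # iw dev wlp4s0 station dump
  # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  # NOTE(review): this block mixes two option schemas. The top-level
  # `interface`/`hwMode`/`ssid`/`wpa`/`countryCode`/`extraConfig` belong to
  # the pre-23.11 hostapd module, while `radios.<radio>.networks.<bss>`
  # belongs to the rewritten one; a given NixOS release accepts only one of
  # the two, so confirm the target release and drop the other half.
  # `logLevel` and `band` under `authentication` presumably belong on the
  # radio rather than on the authentication set — verify against the
  # module's option list.
  services.hostapd = {
    enable = true;
    interface = wifiIface;
    hwMode = "g";
    ssid = "bureau1";
    wpa = true;
    radios = {
      ${wifiIface} = {
        # countryCode = "US";
        networks.${wifiIface} = {
          ssid = "bureau1";
          authentication = {
            # FIXME: use wpa3-sae
            mode = "wpa2-sha256";
            # FIXME: use wpaPasswordFile or saePasswordsFile
            # The literal below is copied into the Nix store (this module
            # and the generated hostapd.conf), which is world-readable on
            # the host; a root-only file outside the store referenced via
            # wpaPasswordFile keeps the passphrase out of it.
            wpaPassword = "bidonpoissonmaisonronron";
            logLevel = 2;
            band = "g";
          };
        };
      };
    };
    countryCode = "FR";
    # Raw hostapd.conf lines.
    # NOTE(review): `wpa_key_mgmt=WPA-PSK` here contradicts
    # `mode = "wpa2-sha256"` above (the mode name denotes the SHA-256
    # key-management variant); hostapd's parser takes the later line for a
    # repeated scalar key, I believe, so one of the two should go.
    # Per the hostapd.conf reference linked above, auth_algs is a bit field
    # (bit 0 = Open System, bit 1 = Shared Key, i.e. WEP); the inline
    # "1=wpa" gloss is inaccurate, though 1 is the right value for WPA.
    # wpa_group_rekey/wpa_ptk_rekey at 600 s rekey every ten minutes, far
    # more often than hostapd's defaults — keep only if intentional.
    extraConfig = ''
      # WLAN
      beacon_int=100
      dtim_period=2 # DTIM (delivery trafic information message)
      preamble=1
      # limit the frequencies used to those allowed in the country
      ieee80211d=1
      # 0 means the AP will search for the channel with the least interferences (ACS)
      channel=1

      # WPA2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=CCMP
      rsn_pairwise=CCMP
      auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
      macaddr_acl=0
      # QoS support, also required for full speed on 802.11n/ac/ax
      wmm_enabled=1
      eap_reauth_period=360000
      wpa_group_rekey=600
      wpa_ptk_rekey=600
      wpa_gmk_rekey=86400

      # N-WLAN
      ieee80211n=1
      # See Capabilities in iw list
      ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
      require_ht=1
      obss_interval=0

      # 802.11ac support
      ieee80211ac=0
    '';
  };
  # Disabled: no DHCP server runs for the LAN at the moment, so clients
  # must be addressed statically (the nftables DHCP rule above is ready for
  # when this is re-enabled).
  /*
    systemd.services.dhcpd4 = {
    after = [ "network-addresses-${wifiIface}.service" ];
    requires = [
      "network-addresses-${wifiIface}.service"
      "sys-subsystem-net-devices-${wifiIface}.device"
    ];
    unitConfig.StartLimitIntervalSec = 0;
    serviceConfig.RestartSec = 5;
    };
    services.dhcpd4 = {
    enable = true;
    interfaces = [ wifiIface ];
    extraConfig = ''
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.2.255;
      option routers 192.168.2.1;
      option domain-name-servers 192.168.2.1;
      subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
      }
    '';
    };
  */

  #networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
  /*
    # Sometimes slow connection speeds are attributed to absence of haveged.
    services.haveged.enable = true;
  */

  # Disabled iptables-era NAT/forwarding rules, superseded by the nftables
  # forward chain above (which, unlike these, performs no masquerading).
  /*

    systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
    in {
    description = "iptables rules for wifi-relay";
    after = [ "dhcpd4.service" ];
    wantedBy = [ "multi-user.target" ];
    script = ''
    ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
    ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
    ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
    '';
    };
  */
}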