-{ pkgs, lib, config, hosts, ... }:
-let iface = "wlp4s0";
+{ pkgs, ... }:
+let
+ wifiIface = "wlp4s0";
+ wifiIPv4 = "192.168.2";
+ gwIface = "enp5s0";
+ #gwIface = config.networking.defaultGateway.interface;
in
{
-environment.systemPackages = [
- pkgs.iw
-];
-networking.interfaces.${iface} = {
- ipv4.addresses = [ { address = "192.168.2.1"; prefixLength = 24; } ];
-};
-# Fix to set the address before starting dhcpd4.service
-systemd.services."network-addresses-${iface}" = {
- bindsTo = [ "hostapd.service"];
- wantedBy = ["network.target"];
-};
-boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;
-networking.nftables.ruleset = ''
- # Hook ${iface} into relevant chains
- add rule inet filter input iifname "${iface}" jump wifi2fw
- add rule inet filter input iifname "${iface}" log level warn prefix "wifi2fw: " counter drop
- add rule inet filter output oifname "${iface}" jump fw2wifi
- add rule inet filter output oifname "${iface}" log level warn prefix "fw2wifi: " counter drop
-
- # ${iface} firewalling
- add rule inet filter fw2wifi counter accept
- add rule inet filter forward iifname "${iface}" jump fwd-wifi
-
- # Allow forwarding to the internet
- add rule inet filter fwd-wifi oifname "enp5s0" counter accept
-
- # Allow networking services
- add rule inet filter wifi2fw udp dport 53 counter accept comment "DNS"
- add rule inet filter wifi2fw tcp dport 53 counter accept comment "DNS"
- add rule inet filter wifi2fw tcp dport 67 counter accept comment "DHCP"
-'';
-#boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
-services.unbound.settings = {
- server = {
- interface = [ "192.168.2.1" ];
- access-control = ["192.168.2.0/24 allow"];
- local-zone = [
- "tracking.intl.miui.com always_refuse"
- "sourcephile.fr typetransparent"
- ];
- local-data = [
- "\"bureau1.sourcephile.fr A 192.168.2.1\""
- ];
+ systemd.network.networks = {
+ "10-${wifiIface}" = {
+ name = wifiIface;
+ networkConfig = {
+ Address = "${wifiIPv4}.1/24";
+ DHCPServer = true;
+ IPv6PrivacyExtensions = true;
+ IPForward = true;
+ };
+ dhcpServerConfig = {
+ DNS = "${wifiIPv4}.1";
+ EmitDNS = true;
+ PoolOffset = 100;
+ PoolSize = 20;
+ };
+ linkConfig = {
+ RequiredForOnline = "no";
+ };
+ };
};
-};
-
-networking.wlanInterfaces.${iface} = {
- device = "phy0";
-};
+ environment.systemPackages = [
+ pkgs.iw
+ ];
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain input-lan {
+ meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
+ tcp dport bootps counter accept comment "DHCP"
+ }
+ chain input {
+ iifname ${wifiIface} goto input-lan
+ }
+ chain output-lan {
+ counter accept
+ }
+ chain output {
+ oifname ${wifiIface} goto output-lan
+ }
+ chain forward {
+ iifname ${wifiIface} oifname ${gwIface} counter accept
+ iifname ${gwIface} oifname ${wifiIface} counter accept
+ }
+ }
+ '';
-/*
-networking.networkmanager.unmanaged = [
- "interface-name:phy0"
- "interface-name:${iface}"
-];
-*/
+ services.unbound.settings = {
+ server = {
+ interface = [ "${wifiIPv4}.1" ];
+ access-control = [ "${wifiIPv4}.0/24 allow" ];
+ local-zone = [
+ "sourcephile.fr typetransparent"
+ "tracking.intl.miui.com always_refuse"
+ ];
+ local-data = [
+ "\"bureau1.sourcephile.fr A ${wifiIPv4}.1\""
+ ];
+ };
+ };
-# iw dev wlp4s0 station dump
-# DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
-services.hostapd = {
- enable = true;
- logLevel = 2;
- interface = iface;
- hwMode = "g";
- ssid = "bureau1";
- wpa = true;
- wpaPassphrase = "bidonpoissonmaisonronron";
- countryCode = "FR";
- extraConfig = ''
- # WLAN
- beacon_int=100
- dtim_period=2 # DTIM (delivery trafic information message)
- preamble=1
- # limit the frequencies used to those allowed in the country
- ieee80211d=1
- # 0 means the AP will search for the channel with the least interferences (ACS)
- channel=1
+ networking.networkmanager.unmanaged = [
+ wifiIface
+ ];
- # WPA2
- wpa_key_mgmt=WPA-PSK
- wpa_pairwise=CCMP
- rsn_pairwise=CCMP
- auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
- macaddr_acl=0
- # QoS support, also required for full speed on 802.11n/ac/ax
- wmm_enabled=1
- eap_reauth_period=360000
- wpa_group_rekey=600
- wpa_ptk_rekey=600
- wpa_gmk_rekey=86400
+ # iw dev wlp4s0 station dump
+ # DOC: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
+ services.hostapd = {
+ enable = true;
+ radios = {
+ ${wifiIface} = {
+ band = "2g";
+ countryCode = "FR";
+ networks.${wifiIface} = {
+ ssid = "bureau1";
+ authentication = {
+ # FIXME: use wpa3-sae
+ mode = "wpa2-sha256";
+ # FIXME: use wpaPasswordFile or saePasswordsFile
+ wpaPassword = "bidonpoissonmaisonronron";
+ };
+ logLevel = 2;
+ };
+ settings = {
+ disassoc_low_ack = true;
+ };
+ wifi4 = {
+ enable = true;
+ capabilities = [
+ "DSSS_CCK-40"
+ "HT40+"
+ "MAX-AMSDU-7935"
+ "SHORT-GI-40"
+ ];
+ require = false;
+ };
+ };
+ };
+ /*
+ extraConfig = ''
+ # WLAN
+ beacon_int=100
+ dtim_period=2 # DTIM (delivery trafic information message)
+ preamble=1
+ # limit the frequencies used to those allowed in the country
+ ieee80211d=1
+ # 0 means the AP will search for the channel with the least interferences (ACS)
+ channel=1
- # N-WLAN
- ieee80211n=1
- # See Capabilities in iw list
- ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
- require_ht=1
- obss_interval=0
+ # WPA2
+ wpa_key_mgmt=WPA-PSK
+ wpa_pairwise=CCMP
+ rsn_pairwise=CCMP
+ auth_algs=1 # 0=noauth, 1=wpa, 2=wep, 3=both
+ macaddr_acl=0
+ # QoS support, also required for full speed on 802.11n/ac/ax
+ wmm_enabled=1
+ eap_reauth_period=360000
+ wpa_group_rekey=600
+ wpa_ptk_rekey=600
+ wpa_gmk_rekey=86400
- # 802.11ac support
- ieee80211ac=0
- '';
-};
-services.dhcpd4 = {
- enable = true;
- interfaces = [ iface ];
- extraConfig = ''
- option subnet-mask 255.255.255.0;
- option broadcast-address 192.168.2.255;
- option routers 192.168.2.1;
- option domain-name-servers 192.168.2.1;
- subnet 192.168.2.0 netmask 255.255.255.0 {
- range 192.168.2.100 192.168.2.200;
- }
- '';
-};
+ # N-WLAN
+ ieee80211n=1
+ # See Capabilities in iw list
+ ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][MAX-AMSDU-7935]
+ require_ht=1
+ obss_interval=0
-#networking.firewall.allowedUDPPorts = [ 53 67 ]; # DNS & DHCP
-/*
-# Sometimes slow connection speeds are attributed to absence of haveged.
-services.haveged.enable = true;
-*/
+ # 802.11ac support
+ ieee80211ac=0
+ '';
+ */
+ };
-/*
+ /*
+ # Sometimes slow connection speeds are attributed to absence of haveged.
+ services.haveged.enable = true;
+ */
-systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
-in {
- description = "iptables rules for wifi-relay";
- after = [ "dhcpd4.service" ];
- wantedBy = [ "multi-user.target" ];
- script = ''
- ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o wlan-ap0 -j MASQUERADE
- ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s 192.168.2.0/24 -j ACCEPT
- ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d 192.168.2.0/24 -j ACCEPT
- '';
-};
-*/
+ /*
+ systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
+ in {
+ description = "iptables rules for wifi-relay";
+ after = [ "dhcpd4.service" ];
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s ${wifiIPv4}.0/24 ! -o wlan-ap0 -j MASQUERADE
+ ${iptables}/bin/iptables -w -I FORWARD -i wlan-ap0 -s ${wifiIPv4}.0/24 -j ACCEPT
+ ${iptables}/bin/iptables -w -I FORWARD -i wlan-station0 -d ${wifiIPv4}.0/24 -j ACCEPT
+ '';
+ };
+ */
}
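Review bot: The new `forward` chain accepts every packet from the uplink to the Wi-Fi network (`iifname ${gwIface} oifname ${wifiIface} counter accept`), so hosts on the uplink side that can route to the Wi-Fi subnet may open new connections to Wi-Fi clients; the removed ruleset only allowed the Wi-Fi to `enp5s0` direction. Unless this is deliberate, limit the line to reply traffic: `iifname ${gwIface} oifname ${wifiIface} ct state established,related counter accept`. In `input-lan`, `tcp dport bootps` carries over the old TCP match, but DHCP runs over UDP, and the networkd `DHCPServer` enabled here appears to listen on an ordinary UDP socket, so the rule probably needs to be `udp dport bootps counter accept comment "DHCP"`. The base chains' policy is not visible in this file, so confirm that packets left unmatched after `goto input-lan` are still dropped now that the explicit log-and-drop rules are gone.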