| author | quentin@aristote.fr <quentin@aristote.fr> | 2023-03-25 16:08:07 +0100 |
|---|---|---|
| committer | quentin@aristote.fr <quentin@aristote.fr> | 2023-03-26 23:10:57 +0200 |
| commit | 102dd41888bfae9e86233d384613756407b4ce57 (patch) | |
| tree | 14b07cdae72b680cdbd0a55ae7a2721f180aeb09 | |
| parent | 27baf9433f65d1f645a4899faa08922edb6147fb (diff) | |
add basic ap stuff: hostapd, dhcpd
| -rw-r--r-- | config/boot.nix | 4 | ||||
| -rw-r--r-- | config/hardware/default.nix | 17 | ||||
| -rw-r--r-- | config/networking/default.nix | 108 | ||||
| -rw-r--r-- | config/networking/hostapd.nix | 138 | ||||
| -rw-r--r-- | config/nix.nix | 4 | ||||
| -rw-r--r-- | flake.lock | 18 | ||||
| -rw-r--r-- | flake.nix | 8 | ||||
| -rw-r--r-- | secrets.nix | 10 |
8 files changed, 285 insertions, 22 deletions
diff --git a/config/boot.nix b/config/boot.nix
index 257f64d..cf86ea2 100644
--- a/config/boot.nix
+++ b/config/boot.nix
@@ -5,5 +5,7 @@
 grub.enable = true;
 };
 boot.loader.grub.device = "/dev/disk/by-id/ata-SATA_SSD_A45E07221AE300053322";
- boot.kernelPackages = pkgs.linuxPackages_latest;
+ # This makes the system use the XanMod Linux kernel, a set of
+ # patches reducing latency and improving performance.
+ boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
 }
diff --git a/config/hardware/default.nix b/config/hardware/default.nix
index a6219f8..8bf1e70 100644
--- a/config/hardware/default.nix
+++ b/config/hardware/default.nix
@@ -1,13 +1,28 @@
-{ nixos-hardware, ... }: {
+{ nixos-hardware, ... }:
+
+{
 imports = [
 ./hardware-configuration.nix
 nixos-hardware.nixosModules.pcengines-apu
 nixos-hardware.nixosModules.common-pc-ssd
 nixos-hardware.nixosModules.common-cpu-amd
 ];
+
 personal.hardware = {
 usb.enable = true;
 firmwareNonFree.enable = true;
 };
+
 swapDevices = [{ device = "/swap"; }];
+
+ # The CPU frequency should stay at the minimum until the router has
+ # some load to compute.
+ powerManagement.cpuFreqGovernor = "ondemand";
+ services.acpid.enable = true;
+
+ # The service irqbalance is useful as it assigns certain IRQ calls
+ # to specific CPUs instead of letting the first CPU core to handle
+ # everything. This is supposed to increase performance by hitting
+ # CPU cache more often.
+ services.irqbalance.enable = true;
 }
diff --git a/config/networking/default.nix b/config/networking/default.nix
index 9dac00f..330ba3b 100644
--- a/config/networking/default.nix
+++ b/config/networking/default.nix
@@ -1,13 +1,105 @@
-{ pkgs, ... }:
+# https://skogsbrus.xyz/blog/2022/06/12/router/
+# https://blog.fraggod.net/2017/04/27/wifi-hostapd-configuration-for-80211ac-networks.html
+{ config, lib, pkgs, secrets, ... }:
 
-{
- personal.networking = {
- enable = true;
- ssh.enable = true;
+let
+ ifaces = config.personal.networking.interfaces;
+ publicSubnet = "192.168.1";
+ privateSubnet = "192.168.2";
+in {
+ imports = [ ./hostapd.nix ];
+
+ options.personal.networking = {
+ interfaces = let
+ makeInterfaceOption = type:
+ lib.mkOption {
+ type = lib.types.str;
+ description = "Network device for the ${type} interface.";
+ example = "enp4s0";
+ };
+ in {
+ eth = makeInterfaceOption "ethernet";
+ wlp2ghz = makeInterfaceOption "2 GHz WiFi";
+ wlp5ghz = makeInterfaceOption "5 GHz WiFi";
+ };
 };
 
- networking = {
- hostName = "kerberos";
- domain = "local";
+ config = {
+ personal.networking = {
+ enable = true;
+ ssh.enable = true;
+ interfaces = {
+ eth = "enp4s0";
+ wlp2ghz = "wlp5s0";
+ wlp5ghz = "wlp1s0";
+ };
+ };
+
+ networking = {
+ hostName = "kerberos";
+ domain = "local";
+
+ defaultGateway = {
+ address = "${publicSubnet}.1";
+ interface = ifaces.eth;
+ };
+
+ dhcpcd.enable = false;
+ interfaces = {
+ "${ifaces.eth}" = {
+ ipv4.addresses = [{
+ address = "${publicSubnet}.2";
+ prefixLength = 24;
+ }];
+ };
+ "${ifaces.wlp5ghz}" = {
+ ipv4.addresses = [{
+ address = "${privateSubnet}.1";
+ prefixLength = 24;
+ }];
+ };
+ };
+
+ nat = {
+ enable = true;
+ externalInterface = ifaces.eth;
+ internalInterfaces = [
+ # ifaces.wlp2ghz
+ ifaces.wlp5ghz
+ ];
+ };
+
+ firewall.interfaces."${ifaces.wlp5ghz}" = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+ };
+
+ services.dhcpd4 = {
+ enable = true;
+ extraConfig = ''
+ option subnet-mask 255.255.255.0;
+ option routers ${privateSubnet}.1;
+ option domain-name-servers ${privateSubnet}.1, 9.9.9.9;
+ subnet ${privateSubnet}.0 netmask 255.255.255.0 {
+ range ${privateSubnet}.10 ${privateSubnet}.99;
+ }
+ '';
+ interfaces = [ ifaces.wlp5ghz ];
+ };
+
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = [ "127.0.0.1" "${privateSubnet}.1" ];
+ access-control = [
+ "0.0.0.0/0 refuse"
+ "127.0.0.0/8 allow"
+ "${privateSubnet}.0/24 allow"
+ ];
+ };
+ };
+ };
 };
 }
diff --git a/config/networking/hostapd.nix b/config/networking/hostapd.nix
new file mode 100644
index 0000000..f5f399b
--- /dev/null
+++ b/config/networking/hostapd.nix
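Review bot: `wlp2ghz` is declared in the new `interfaces` option and hostapd.nix (same commit) brings an SSID up on it, but in this file the device gets no `ipv4.addresses` entry, is commented out of `nat.internalInterfaces` (`# ifaces.wlp2ghz`), and is missing from `services.dhcpd4.interfaces` and the per-interface firewall rules, so a client that associates with the 2 GHz network gets neither a lease nor a route. If the 2 GHz AP is meant to work in this commit, mirror the wlp5ghz entries for it (address, `internalInterfaces`, dhcpd `interfaces`, the port-53 rules); if it is deliberately staged, a one-line comment next to `# ifaces.wlp2ghz` saying so would spare the next reader the search. The unbound `access-control` list plus the interface-scoped firewall rules correctly confine the resolver to the private subnet, which is the right shape to keep when that second interface is wired in.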
@@ -0,0 +1,138 @@
+{ config, lib, utils, pkgs, secrets, ... }:
+
+let
+ cfg = config.services.hostapd;
+ makeHostapdConf = { name, interface ? cfg.interface, driver ? cfg.driver, ssid
+ , hwMode ? cfg.hwMode, channel ? cfg.channel, countryCode ? cfg.countryCode
+ , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? cfg.logLevel
+ , extraConfig ? "" }:
+ builtins.toFile "hostapd.${name}.conf" (''
+ interface=${interface}
+ driver=${driver}
+
+ # IEEE 802.11
+ ssid=${ssid}
+ hw_mode=${hwMode}
+ channel=${toString channel}
+ max_num_sta=128
+ auth_algs=1
+ disassoc_low_ack=1
+
+ # DFS
+ ieee80211h=1
+ ieee80211d=1
+ country_code=${countryCode}
+
+
+ # WPA/IEEE 802.11i
+ wpa=2
+ wpa_key_mgmt=WPA-PSK
+ wpa_passphrase=${passphrase}
+ wpa_pairwise=CCMP
+
+ # hostapd event logger configuration
+ logger_syslog=-1
+ logger_syslog_level=${toString logLevel}
+ logger_stdout=-1
+ logger_stdout_level=${toString logLevel}
+
+ # WMM
+ wmm_enabled=1
+ uapsd_advertisement_enabled=1
+ wmm_ac_bk_cwmin=4
+ wmm_ac_bk_cwmax=10
+ wmm_ac_bk_aifs=7
+ wmm_ac_bk_txop_limit=0
+ wmm_ac_bk_acm=0
+ wmm_ac_be_aifs=3
+ wmm_ac_be_cwmin=4
+ wmm_ac_be_cwmax=10
+ wmm_ac_be_txop_limit=0
+ wmm_ac_be_acm=0
+ wmm_ac_vi_aifs=2
+ wmm_ac_vi_cwmin=3
+ wmm_ac_vi_cwmax=4
+ wmm_ac_vi_txop_limit=94
+ wmm_ac_vi_acm=0
+ wmm_ac_vo_aifs=2
+ wmm_ac_vo_cwmin=2
+ wmm_ac_vo_cwmax=3
+ wmm_ac_vo_txop_limit=47
+ wmm_ac_vo_acm=0
+
+ # TX queue parameters
+ tx_queue_data3_aifs=7
+ tx_queue_data3_cwmin=15
+ tx_queue_data3_cwmax=1023
+ tx_queue_data3_burst=0
+ tx_queue_data2_aifs=3
+ tx_queue_data2_cwmin=15
+ tx_queue_data2_cwmax=63
+ tx_queue_data2_burst=0
+ tx_queue_data1_aifs=1
+ tx_queue_data1_cwmin=7
+ tx_queue_data1_cwmax=15
+ tx_queue_data1_burst=3.0
+ tx_queue_data0_aifs=1
+ tx_queue_data0_cwmin=3
+ tx_queue_data0_cwmax=7
+ tx_queue_data0_burst=1.5
+ '' + extraConfig);
+ hostapd2ghzConf = makeHostapdConf {
+ name = "2ghz";
+ interface = config.personal.networking.interfaces.wlp2ghz;
+ ssid = "Quentinternet of Things";
+ hwMode = "g";
+ channel = 0;
+ extraConfig = ''
+ # IEEE 802.11n
+ ieee80211n=1
+ require_ht=1
+ ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
+ '';
+ };
+ hostapd5ghzConf = makeHostapdConf {
+ name = "5ghz";
+ interface = config.personal.networking.interfaces.wlp5ghz;
+ ssid = "Quentintranet";
+ hwMode = "a";
+ channel = 36;
+ extraConfig = ''
+ # IEEE 802.11n
+ ieee80211n=1
+ require_ht=1
+ ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
+
+ # IEEE 802.11ac
+ require_vht=1
+ ieee80211ac=1
+ vht_oper_chwidth=1
+ vht_oper_centr_freq_seg0_idx=42
+ vht_capab=[MAX-MPDU-11454][RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP7][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
+ '';
+ };
+in {
+ services.hostapd = {
+ enable = true;
+ driver = "nl80211";
+ countryCode = "FR";
+ };
+
+ systemd.services.hostapd = let
+ interfaces = with config.personal.networking.interfaces; [
+ wlp2ghz
+ wlp5ghz
+ ];
+ netDevices = builtins.map (interface:
+ "sys-subsystem-net-devices-${utils.escapeSystemdPath interface}.device")
+ interfaces;
+ networkLinkServices =
+ builtins.map (interface: "network-link-${interface}.service") interfaces;
+ in {
+ serviceConfig.ExecStart = lib.mkForce
+ "${pkgs.hostapd}/bin/hostapd ${hostapd2ghzConf} ${hostapd5ghzConf}";
+ after = lib.mkForce netDevices;
+ bindsTo = lib.mkForce netDevices;
+ requiredBy = lib.mkForce networkLinkServices;
+ };
+}
diff --git a/config/nix.nix b/config/nix.nix
index 7b8360a..436adf4 100644
--- a/config/nix.nix
+++ b/config/nix.nix
@@ -8,4 +8,8 @@
 flake = "git+file:///etc/nixos/";
 };
 nix.settings.max-jobs = lib.mkDefault 1;
+ system.autoUpgrade.flags = [
+ # for reading secrets from a file
+ "--impure"
+ ];
 }
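Review bot: `builtins.toFile "hostapd.${name}.conf"` in makeHostapdConf renders `wpa_passphrase=${passphrase}` into a file under /nix/store, which is readable by every local user and travels with the system closure to any remote builder or binary cache; reading the passphrase from `/etc/hostapd/*.pw` in secrets.nix (with `--impure` added to `system.autoUpgrade.flags` in nix.nix for that purpose) keeps it out of git but not out of the store. Keep the secret out of the evaluated config instead: reference the root-owned file with hostapd's `wpa_psk_file=` directive in the template, or render the config into a runtime directory from an `ExecStartPre` that reads the file when the service starts, so only a path ends up in the store. Separately, the RSN section sets `wpa=2` and `wpa_pairwise=CCMP` but no `ieee80211w=`, leaving management-frame protection at hostapd's default of disabled; `ieee80211w=1` (or `2` once all clients are known to support it) belongs in the template next to `wpa_pairwise=CCMP`.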
@@ -21,11 +21,11 @@
 "nur": "nur"
 },
 "locked": {
- "lastModified": 1679748657,
- "narHash": "sha256-cQnRR0csl+SILkmHuG96+c3IgQTUtoji5EYBCt39jS4=",
+ "lastModified": 1679846082,
+ "narHash": "sha256-/Ca5WubkmQc1l7rf4YyTMV5q/M9gGC7ANRdKwcEvDeo=",
 "owner": "qaristote",
 "repo": "my-nixpkgs",
- "rev": "85a3de3e1d6a5bfe3c1354f38c0553c6256493c5",
+ "rev": "3bbfa37f2a200c92a5ddd31cc4765df321794fc2",
 "type": "github"
 },
 "original": {
@@ -36,11 +36,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1679598117,
- "narHash": "sha256-Vs1f/7imI77OkMOQhO3xgx4jalN2Gx3D3C2wmnlpWJM=",
+ "lastModified": 1679765008,
+ "narHash": "sha256-VCkg/wC2e882suYDS5PDAemaMLYSOdFm4fsx2gowMR0=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "648021dcb2b65498eed3ea3a7339cdfc3bea4d82",
+ "rev": "f38f9a4c9b2b6f89a5778465e0afd166a8300680",
 "type": "github"
 },
 "original": {
@@ -64,11 +64,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1679739176,
- "narHash": "sha256-Mp9lSjvg2wARLmr2BY86nId8qs4/L3EXGxP0vcIzz/8=",
+ "lastModified": 1679832111,
+ "narHash": "sha256-88XbjOUUtt6ufBn5dnMW26rT/xK/Lrg7ej1itIQ4DyU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "3ad61dd36578917be90da4b69e53d4aced677a14",
+ "rev": "7f5388006e771101ff27ce55fb4d695ef918a88f",
 "type": "github"
 },
 "original": {
@@ -14,9 +14,11 @@
 in {
 kerberos = nixpkgs.lib.nixosSystem {
 inherit system;
- modules = commonModules
- ++ [ ./config ];
- specialArgs = { inherit nixos-hardware; };
+ modules = commonModules ++ [ ./config ];
+ specialArgs = {
+ inherit nixos-hardware;
+ secrets = import ./secrets.nix;
+ };
 };
 };
 };
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..542fb40
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,10 @@
+{
+ wifi = {
+ "2ghz" = {
+ passphrase = builtins.readFile "/etc/hostapd/hostapd.2ghz.pw";
+ };
+ "5ghz" = {
+ passphrase = builtins.readFile "/etc/hostapd/hostapd.5ghz.pw";
+ };
+ };
+}
|
