| -rw-r--r-- | config/networking/services/ap.nix | 255 | ||||
| -rw-r--r-- | flake.lock | 20 | ||||
| -rw-r--r-- | flake.nix | 13 |
3 files changed, 153 insertions, 135 deletions
diff --git a/config/networking/services/ap.nix b/config/networking/services/ap.nix
index 8a40e84..33bae8c 100644
--- a/config/networking/services/ap.nix
+++ b/config/networking/services/ap.nix
@@ -1,87 +1,101 @@ -{ config, lib, utils, pkgs, secrets, ... }: - -let - cfg = config.services.hostapd; +{ + config, + lib, + utils, + pkgs, + secrets, + ... +}: let nets = config.personal.networking.networks; - makeHostapdConf = { name, device, interface, driver ? "nl80211", ssid - , hwMode ? "g", channel ? 0, countryCode ? "FR" - , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? 2 - , extraConfig ? "" }: + makeHostapdConf = { + name, + device, + interface, + driver ? "nl80211", + ssid, + hwMode ? "g", + channel ? 0, + countryCode ? "FR", + passphrase ? secrets.wifi."${name}".passphrase, + logLevel ? 2, + extraConfig ? "", + }: builtins.toFile "hostapd.${name}.conf" ('' - interface=${device} - driver=${driver} + interface=${device} + driver=${driver} - # IEEE 802.11 - ssid=${ssid} - hw_mode=${hwMode} - channel=${toString channel} - max_num_sta=128 - auth_algs=1 - disassoc_low_ack=1 + # IEEE 802.11 + ssid=${ssid} + hw_mode=${hwMode} + channel=${toString channel} + max_num_sta=128 + auth_algs=1 + disassoc_low_ack=1 - # DFS - ieee80211h=1 - ieee80211d=1 - country_code=${countryCode} + # DFS + ieee80211h=1 + ieee80211d=1 + country_code=${countryCode} - # disable low-level bridging of frames - ap_isolate=1 - bridge=${interface} + # disable low-level bridging of frames + ap_isolate=1 + bridge=${interface} - # WPA/IEEE 802.11i - wpa=2 - wpa_key_mgmt=WPA-PSK - wpa_passphrase=${passphrase} - wpa_pairwise=CCMP + # WPA/IEEE 802.11i + wpa=2 + wpa_key_mgmt=WPA-PSK + wpa_passphrase=${passphrase} + wpa_pairwise=CCMP - # hostapd event logger configuration - logger_syslog=-1 - logger_syslog_level=${toString logLevel} - logger_stdout=-1 - logger_stdout_level=${toString logLevel} + # hostapd event logger configuration + logger_syslog=-1 + logger_syslog_level=${toString logLevel} + logger_stdout=-1 + logger_stdout_level=${toString logLevel} - # WMM - wmm_enabled=1 - uapsd_advertisement_enabled=1 - wmm_ac_bk_cwmin=4 - wmm_ac_bk_cwmax=10 - wmm_ac_bk_aifs=7 - 
wmm_ac_bk_txop_limit=0 - wmm_ac_bk_acm=0 - wmm_ac_be_aifs=3 - wmm_ac_be_cwmin=4 - wmm_ac_be_cwmax=10 - wmm_ac_be_txop_limit=0 - wmm_ac_be_acm=0 - wmm_ac_vi_aifs=2 - wmm_ac_vi_cwmin=3 - wmm_ac_vi_cwmax=4 - wmm_ac_vi_txop_limit=94 - wmm_ac_vi_acm=0 - wmm_ac_vo_aifs=2 - wmm_ac_vo_cwmin=2 - wmm_ac_vo_cwmax=3 - wmm_ac_vo_txop_limit=47 - wmm_ac_vo_acm=0 + # WMM + wmm_enabled=1 + uapsd_advertisement_enabled=1 + wmm_ac_bk_cwmin=4 + wmm_ac_bk_cwmax=10 + wmm_ac_bk_aifs=7 + wmm_ac_bk_txop_limit=0 + wmm_ac_bk_acm=0 + wmm_ac_be_aifs=3 + wmm_ac_be_cwmin=4 + wmm_ac_be_cwmax=10 + wmm_ac_be_txop_limit=0 + wmm_ac_be_acm=0 + wmm_ac_vi_aifs=2 + wmm_ac_vi_cwmin=3 + wmm_ac_vi_cwmax=4 + wmm_ac_vi_txop_limit=94 + wmm_ac_vi_acm=0 + wmm_ac_vo_aifs=2 + wmm_ac_vo_cwmin=2 + wmm_ac_vo_cwmax=3 + wmm_ac_vo_txop_limit=47 + wmm_ac_vo_acm=0 - # TX queue parameters - tx_queue_data3_aifs=7 - tx_queue_data3_cwmin=15 - tx_queue_data3_cwmax=1023 - tx_queue_data3_burst=0 - tx_queue_data2_aifs=3 - tx_queue_data2_cwmin=15 - tx_queue_data2_cwmax=63 - tx_queue_data2_burst=0 - tx_queue_data1_aifs=1 - tx_queue_data1_cwmin=7 - tx_queue_data1_cwmax=15 - tx_queue_data1_burst=3.0 - tx_queue_data0_aifs=1 - tx_queue_data0_cwmin=3 - tx_queue_data0_cwmax=7 - tx_queue_data0_burst=1.5 - '' + extraConfig); + # TX queue parameters + tx_queue_data3_aifs=7 + tx_queue_data3_cwmin=15 + tx_queue_data3_cwmax=1023 + tx_queue_data3_burst=0 + tx_queue_data2_aifs=3 + tx_queue_data2_cwmin=15 + tx_queue_data2_cwmax=63 + tx_queue_data2_burst=0 + tx_queue_data1_aifs=1 + tx_queue_data1_cwmin=7 + tx_queue_data1_cwmax=15 + tx_queue_data1_burst=3.0 + tx_queue_data0_aifs=1 + tx_queue_data0_cwmin=3 + tx_queue_data0_cwmax=7 + tx_queue_data0_burst=1.5 + '' + + extraConfig); hostapdIotConf = makeHostapdConf { name = "iot"; inherit (nets.iot) device interface; 
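Review bot: The reformatted `wpa_passphrase=${passphrase}` line still interpolates the PSK into a file produced by `builtins.toFile "hostapd.${name}.conf"`, so the secret lands in the world-readable Nix store (and in whatever evaluation cache holds it) rather than in a root-only location. Since the service already sets `RuntimeDirectory = "hostapd"`, the config could be rendered there at service start from a root-only secret file, or the store-side config could keep only non-secret settings and point at a non-store file with hostapd's `wpa_psk_file=` directive instead of `wpa_passphrase=`. Whether `secrets.wifi` itself is already copied into the store by the flake cannot be seen from this hunk, so that may need the same treatment. `makeHostapdConf` and the `let` block it belongs to continue past the end of this hunk.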
@@ -116,59 +130,58 @@ let ''; }; in { - services.udev.packages = [ pkgs.crda ]; - systemd.services.hostapd = let - subnets = with nets; [ wan iot ]; - netDevices = builtins.map (subnet: - "sys-subsystem-net-devices-${ + subnets = with nets; [wan iot]; + netDevices = + builtins.map (subnet: "sys-subsystem-net-devices-${ utils.escapeSystemdPath subnet.device - }.device") subnets; + }.device") + subnets; netdevServices = builtins.map (subnet: "${subnet.interface}-netdev.service") subnets; dependencies = lib.mkForce (netDevices ++ netdevServices); - in lib.mkForce { - # from https://github.com/NixOS/nixpkgs/blob/23.05/nixos/modules/services/networking/hostapd.nix - # with hardening from https://github.com/NixOS/nixpkgs/blob/23.11/nixos/modules/services/networking/hostapd.nix - description = "IEEE 802.11 Host Access-Point Daemon"; + in + lib.mkForce { + # from https://github.com/NixOS/nixpkgs/blob/23.05/nixos/modules/services/networking/hostapd.nix + # with hardening from https://github.com/NixOS/nixpkgs/blob/23.11/nixos/modules/services/networking/hostapd.nix + description = "IEEE 802.11 Host Access-Point Daemon"; - path = [ pkgs.hostapd ]; - after = dependencies; - bindsTo = dependencies; - wantedBy = [ "multi-user.target" ]; + path = [pkgs.hostapd]; + after = dependencies; + bindsTo = dependencies; + wantedBy = ["multi-user.target"]; - serviceConfig = { - ExecStart = "${pkgs.hostapd}/bin/hostapd ${hostapdIotConf} ${hostapdWanConf}"; - Restart = "always"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - RuntimeDirectory = "hostapd"; + serviceConfig = { + ExecStart = "${pkgs.hostapd}/bin/hostapd ${hostapdIotConf} ${hostapdWanConf}"; + Restart = "always"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + RuntimeDirectory = "hostapd"; - # Hardening - LockPersonality = true; - MemoryDenyWriteExecute = true; - DevicePolicy = "closed"; - DeviceAllow = "/dev/rfkill rw"; - NoNewPrivileges = true; - PrivateUsers = false; # hostapd requires true root 
access. - PrivateTmp = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProcSubset = "pid"; - ProtectSystem = "strict"; - RestrictAddressFamilies = - [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" "AF_PACKET" ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ]; - UMask = "0077"; + # Hardening + LockPersonality = true; + MemoryDenyWriteExecute = true; + DevicePolicy = "closed"; + DeviceAllow = "/dev/rfkill rw"; + NoNewPrivileges = true; + PrivateUsers = false; # hostapd requires true root access. + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" "AF_PACKET"]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = ["@system-service" "~@privileged" "@chown"]; + UMask = "0077"; + }; }; - }; } @@ -24,11 +24,11 @@ "nur": "nur" }, "locked": { - "lastModified": 1717090720, - "narHash": "sha256-SjWTYzzKDuwEMiGGNAr6pKMqcEk+MBidSP5aEZu50sU=", + "lastModified": 1717864550, + "narHash": "sha256-J1TY7ikiD/a7TS32pyEymkBL4ig85KcncK+lZJkAhg8=", "owner": "qaristote", "repo": "my-nixpkgs", - "rev": "626e51beda06e2554f2e86d4bd73898a2c4df504", + "rev": "47fa8979557e642d81bb87089b2f667b7d4eada0", "type": "github" }, "original": { 
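Review bot: Removing `services.udev.packages = [ pkgs.crda ];` drops the only regulatory-domain provisioning visible in this file, while the generated config still sets `ieee80211d=1` and `country_code=${countryCode}`; if no regulatory database is available the kernel generally stays on the permissive world domain, so the FR channel and power limits are not actually enforced. The removal looks tied to the nixpkgs 24.05 bump in flake.nix, where the regdb is loaded by the kernel from wireless-regdb rather than via crda; unless something outside this hunk already does so, add `hardware.wirelessRegulatoryDatabase = true;` alongside the service so the firmware-based database is present. A one-line comment on the removed line's replacement, `# regdb is loaded by the kernel via hardware.wirelessRegulatoryDatabase, crda is no longer needed`, would record the intent for the next reviewer.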
@@ -39,11 +39,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1716987116, - "narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=", + "lastModified": 1717828156, + "narHash": "sha256-YvstO0lobf3JWQuAfZCLYRTROC2ZDEgtWeQtWbO49p4=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "8251761f93d6f5b91cee45ac09edb6e382641009", + "rev": "057a7996d012f342a38a26261ee529cebb1755ef", "type": "github" }, "original": { @@ -79,16 +79,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1716989506, - "narHash": "sha256-jKZkydpfu8xJ726i8UqLcIj8RVrhyT8+sH3Ab5ceq1I=", + "lastModified": 1717796960, + "narHash": "sha256-BKjQ9tQdsuoROrojHZb7KTAv95WprqCkNFvuzatfEo0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c0ac4cd43b565f6416ce76699fc14e65f88919a9", + "rev": "8e0a5f16b7bf7f212be068dd302c49888c6ad68f", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.11-small", + "ref": "nixos-24.05-small", "repo": "nixpkgs", "type": "github" } @@ -1,20 +1,25 @@ { inputs = { my-nixpkgs.url = "github:qaristote/my-nixpkgs"; - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; }; - outputs = { self, nixpkgs, my-nixpkgs, nixos-hardware, ... }: { + outputs = { + nixpkgs, + my-nixpkgs, + nixos-hardware, + ... + }: { nixosConfigurations = let system = "x86_64-linux"; commonModules = [ my-nixpkgs.nixosModules.personal - ({ ... }: { nixpkgs.overlays = [ my-nixpkgs.overlays.personal ]; }) + ({...}: {nixpkgs.overlays = [my-nixpkgs.overlays.personal];}) ]; in { kerberos = nixpkgs.lib.nixosSystem { inherit system; - modules = commonModules ++ [ ./config ]; + modules = commonModules ++ [./config]; specialArgs = { inherit nixos-hardware; secrets = import ./secrets.nix; |
