| -rw-r--r-- | config/networking/bridges.nix | 8 | ||||
| -rw-r--r-- | config/networking/services/ap.nix | 57 | ||||
| -rw-r--r-- | config/networking/services/igmpproxy.nix | 5 | ||||
| -rw-r--r-- | flake.lock | 265 | ||||
| -rw-r--r-- | flake.nix | 2 |
5 files changed, 78 insertions, 259 deletions
diff --git a/config/networking/bridges.nix b/config/networking/bridges.nix
index 2b24552..cdef41b 100644
--- a/config/networking/bridges.nix
+++ b/config/networking/bridges.nix
@@ -3,9 +3,9 @@ let
 nets = config.personal.networking.networks;
 in {
 config = lib.mkMerge ([{
- systemd.services.hostapd.postStart = lib.mkBefore ''
+ systemd.services.hostapd.postStart = lib.mkForce (lib.mkBefore ''
 sleep 3
- '';
+ '');
 }] ++ (builtins.map (network:
 let
 bridge = network.interface;
@@ -18,9 +18,9 @@ in {
 ip link set ${bridge} type bridge forward_delay 0
 '';
- systemd.services.hostapd.postStart = ''
+ systemd.services.hostapd.postStart = lib.mkForce (''
 echo Setting ${device} to hairpin mode...
 ${pkgs.iproute2}/bin/bridge link set dev ${device} hairpin on
- '';
+ '');
 }) [ nets.wan nets.iot ]));
 }
diff --git a/config/networking/services/ap.nix b/config/networking/services/ap.nix
index 2324c41..8a40e84 100644
--- a/config/networking/services/ap.nix
+++ b/config/networking/services/ap.nix
@@ -3,9 +3,9 @@ let
 cfg = config.services.hostapd;
 nets = config.personal.networking.networks;
- makeHostapdConf = { name, device, interface, driver ? cfg.driver, ssid
- , hwMode ? cfg.hwMode, channel ? cfg.channel, countryCode ? cfg.countryCode
- , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? cfg.logLevel
+ makeHostapdConf = { name, device, interface, driver ? "nl80211", ssid
+ , hwMode ? "g", channel ? 0, countryCode ? "FR"
+ , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? 2
 , extraConfig ? "" }:
 builtins.toFile "hostapd.${name}.conf" (''
 interface=${device}
@@ -116,12 +116,7 @@ let
 '';
 };
 in {
- services.hostapd = {
- enable = true;
- driver = "nl80211";
- countryCode = "FR";
- interface = "";
- };
+ services.udev.packages = [ pkgs.crda ];
 systemd.services.hostapd = let
 subnets = with nets; [ wan iot ];
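Review bot: The new `, passphrase ? secrets.wifi."${name}".passphrase, logLevel ? 2` default still hands the Wi-Fi passphrase to `builtins.toFile "hostapd.${name}.conf"`, so if the template interpolates it (its body is outside this hunk) the WPA secret is written into a world-readable /nix/store path, and the hardening copied from 23.11 in the next hunk does not change that. The 23.11 module avoids this by reading the secret from a file outside the store at start-up (`wpaPasswordFile`) and assembling the final config under the unit's runtime directory; since the next hunk already declares `RuntimeDirectory = "hostapd"`, an `ExecStartPre` that writes `/run/hostapd/<name>.conf` from a non-store secret file, with `ExecStart` pointing at those paths instead of `${hostapdIotConf} ${hostapdWanConf}`, would keep the passphrase out of the store. At minimum a comment on the `passphrase` line saying that the value is copied into the store would warn the next reader. `cfg = config.services.hostapd;` on the context line above appears to have no remaining use in what this diff shows, so it could probably be dropped.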
@@ -132,10 +127,48 @@ in {
 netdevServices = builtins.map (subnet: "${subnet.interface}-netdev.service") subnets;
 dependencies = lib.mkForce (netDevices ++ netdevServices);
- in {
- serviceConfig.ExecStart = lib.mkForce
- "${pkgs.hostapd}/bin/hostapd ${hostapdIotConf} ${hostapdWanConf}";
+ in lib.mkForce {
+ # from https://github.com/NixOS/nixpkgs/blob/23.05/nixos/modules/services/networking/hostapd.nix
+ # with hardening from https://github.com/NixOS/nixpkgs/blob/23.11/nixos/modules/services/networking/hostapd.nix
+ description = "IEEE 802.11 Host Access-Point Daemon";
+
+ path = [ pkgs.hostapd ];
 after = dependencies;
 bindsTo = dependencies;
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.hostapd}/bin/hostapd ${hostapdIotConf} ${hostapdWanConf}";
+ Restart = "always";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ RuntimeDirectory = "hostapd";
+
+ # Hardening
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ DevicePolicy = "closed";
+ DeviceAllow = "/dev/rfkill rw";
+ NoNewPrivileges = true;
+ PrivateUsers = false; # hostapd requires true root access.
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies =
+ [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" "AF_PACKET" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
+ UMask = "0077";
+ };
 };
 }
diff --git a/config/networking/services/igmpproxy.nix b/config/networking/services/igmpproxy.nix
index b7a25da..6999807 100644
--- a/config/networking/services/igmpproxy.nix
+++ b/config/networking/services/igmpproxy.nix
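Review bot: The sandbox in `serviceConfig` now applies to every Exec* step of the unit, including the `postStart` hooks that bridges.nix attaches in this same commit (`sleep 3` and `bridge link set dev … hairpin on`), which depend on `AF_NETLINK` being in `RestrictAddressFamilies` and on root's capabilities staying intact because no `CapabilityBoundingSet` is set; nothing in the block records that coupling. A comment next to `RestrictAddressFamilies`, such as `# AF_NETLINK is also needed by the postStart hooks in bridges.nix (bridge link set … hairpin on)`, would stop a later tightening from breaking the hairpin setup, which under `Restart = "always"` would likely surface only as a restart loop. The two provenance comments at the top could also name which entries (if any) deviate from the upstream unit, so the copy can be re-synced against nixpkgs later. The `let` that `in lib.mkForce {` closes begins outside this hunk.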
@@ -5,9 +5,8 @@ let netdevServices = builtins.map (subnet: "${subnet.interface}-netdev.service") (with nets; [ wan iot ]); conf = pkgs.writeText "igmpproxy.conf" '' - phyint ${nets.wan.interface} upstream - ratelimit 0 threshold 1 phyint ${nets.iot.interface} downstream ratelimit 0 - threshold 1 phyint ${nets.lan.interface} downstream ratelimit 0 threshold 1 + phyint ${nets.wan.interface} upstream ratelimit 0 threshold 1 + phyint ${nets.iot.interface} downstream ratelimit 0 threshold 1 ''; in { systemd.services.igmpproxy = { @@ -1,52 +1,15 @@ { "nodes": { - "devenv": { - "inputs": { - "flake-compat": "flake-compat", - "nix": "nix", - "nixpkgs": "nixpkgs", - "pre-commit-hooks": "pre-commit-hooks" - }, - "locked": { - "lastModified": 1694422554, - "narHash": "sha256-s5NTPzT66yIMmau+ZGP7q9z4NjgceDETL4xZ6HJ/TBg=", - "owner": "cachix", - "repo": "devenv", - "rev": "63d20fe09aa09060ea9ec9bb6d582c025402ba15", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "devenv", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1693611461, - "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=", + "lastModified": 1701473968, + "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca", + "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", "type": "github" }, "original": { 
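Review bot: The rewritten `igmpproxy.conf` lists only `${nets.wan.interface}` upstream and `${nets.iot.interface}` downstream, while the removed lines also carried `phyint ${nets.lan.interface} downstream`, so LAN hosts stop receiving forwarded multicast unless that is the intent (igmpproxy leaves interfaces it is not told about disabled, as far as I recall). If the drop is deliberate, a comment in the config such as `# lan intentionally not forwarded` would keep the line from being re-added by the next reader; if it is not, the LAN phyint line should come back alongside the reflowed ones.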
@@ -54,76 +17,18 @@ "type": "indirect" } }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1685518550, - "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "my-nixpkgs", - "devenv", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1660459072, - "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "lowdown-src": { - "flake": false, - "locked": { - "lastModified": 1633514407, - "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=", - "owner": "kristapsdz", - "repo": "lowdown", - "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8", - "type": "github" - }, - "original": { - "owner": "kristapsdz", - "repo": "lowdown", - "type": "github" - } - }, "my-nixpkgs": { "inputs": { - "devenv": "devenv", "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "nur": "nur" }, "locked": { - "lastModified": 1697264946, - "narHash": "sha256-bFEmpEDPVBEWKoZgtxR9SlSpGKEQQ1VpS6ux/eR6R7Q=", + "lastModified": 1714247678, + "narHash": "sha256-MPGvtqbQutfp0cuLAPUK7lWxAbgkH0tQOh9FpkPy+c8=", "owner": "qaristote", "repo": "my-nixpkgs", - "rev": "a00d4bf2c04220255f5f48ee313f24360a1b70bb", + "rev": "84e3b5b66bac0549919336567515c9e87623c38f", "type": "github" }, "original": { 
@@ -132,38 +37,13 @@ "type": "github" } }, - "nix": { - "inputs": { - "lowdown-src": "lowdown-src", - "nixpkgs": [ - "my-nixpkgs", - "devenv", - "nixpkgs" - ], - "nixpkgs-regression": "nixpkgs-regression" - }, - "locked": { - "lastModified": 1676545802, - "narHash": "sha256-EK4rZ+Hd5hsvXnzSzk2ikhStJnD63odF7SzsQ8CuSPU=", - "owner": "domenkozar", - "repo": "nix", - "rev": "7c91803598ffbcfe4a55c44ac6d49b2cf07a527f", - "type": "github" - }, - "original": { - "owner": "domenkozar", - "ref": "relaxed-flakes", - "repo": "nix", - "type": "github" - } - }, "nixos-hardware": { "locked": { - "lastModified": 1697100850, - "narHash": "sha256-qSAzJVzNRIo+r3kBjL8TcpJctcgcHlnZyqdzpWgtg0M=", + "lastModified": 1714201532, + "narHash": "sha256-nk0W4rH7xYdDeS7k1SqqNtBaNrcgIBYNmOVc8P2puEY=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "fb6af288f6cf0f00d3af60cf9d5110433b954565", + "rev": "53db5e1070d07e750030bf65f1b9963df8f0c678", "type": "github" }, "original": { @@ -173,28 +53,26 @@ }, "nixpkgs": { "locked": { - "lastModified": 1697009197, - "narHash": "sha256-viVRhBTFT8fPJTb1N3brQIpFZnttmwo3JVKNuWRVc3s=", + "lastModified": 1702938738, + "narHash": "sha256-O7Vb0xC9s4Dmgxj8APEpuuMj7HsLgPbpy1UKvNVJp7o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "01441e14af5e29c9d27ace398e6dd0b293e25a54", + "rev": "dd8e82f3b4017b8faa52c2b1897a38d53c3c26cb", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "type": "indirect" } }, "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1693471703, - "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=", + "lastModified": 1701253981, + "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85", + "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58", "type": "github" }, "original": { 
@@ -205,75 +83,29 @@ "type": "github" } }, - "nixpkgs-regression": { - "locked": { - "lastModified": 1643052045, - "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - } - }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1685801374, - "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { "locked": { - "lastModified": 1694948089, - "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=", + "lastModified": 1714230522, + "narHash": "sha256-RODqrJQ9QqNnJe6floeUM5cbz4fh3BBqCEegA+4zm0M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db", + "rev": "485480127ad7df42fb0d82bc56efcdd33f37f350", "type": "github" }, "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1697226376, - "narHash": "sha256-cumLLb1QOUtWieUnLGqo+ylNt3+fU8Lcv5Zl+tYbRUE=", "owner": "NixOS", - "repo": "nixpkgs", - "rev": "898cb2064b6e98b8c5499f37e81adbdf2925f7c5", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.05-small", + "ref": "nixos-23.11-small", "repo": "nixpkgs", "type": "github" } }, "nur": { "locked": { - "lastModified": 1694954496, - "narHash": "sha256-l9xsmZxZ0ISgbH6RRZdNbFfi3hKDdA8rHdSn2zJElJ0=", + "lastModified": 1703076631, + "narHash": "sha256-4QnntZP+6xaCkKGvSg57mRN3RtCzdR2i67C7R3AXld8=", "owner": "nix-community", "repo": "NUR", - "rev": "926dfdc88dd64c4ec4ed1ba1c29bc198e9713bbb", + "rev": "1367f14eadcb8a4fa6d15f773ff05f9dbd6065eb", 
"type": "github" }, "original": { @@ -281,56 +113,11 @@ "type": "indirect" } }, - "pre-commit-hooks": { - "inputs": { - "flake-compat": [ - "my-nixpkgs", - "devenv", - "flake-compat" - ], - "flake-utils": "flake-utils", - "gitignore": "gitignore", - "nixpkgs": [ - "my-nixpkgs", - "devenv", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1688056373, - "narHash": "sha256-2+SDlNRTKsgo3LBRiMUcoEUb6sDViRNQhzJquZ4koOI=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "5843cf069272d92b60c3ed9e55b7a8989c01d4c7", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, "root": { "inputs": { "my-nixpkgs": "my-nixpkgs", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_3" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" + "nixpkgs": "nixpkgs_2" } } }, @@ -1,7 +1,7 @@ { inputs = { my-nixpkgs.url = "github:qaristote/my-nixpkgs"; - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11-small"; }; outputs = { self, nixpkgs, my-nixpkgs, nixos-hardware, ... }: { |
