diff options
Diffstat (limited to 'config/networking')
| -rw-r--r-- | config/networking/services/ap.nix | 255 |
1 files changed, 134 insertions, 121 deletions
diff --git a/config/networking/services/ap.nix b/config/networking/services/ap.nix index 8a40e84..33bae8c 100644 --- a/config/networking/services/ap.nix +++ b/config/networking/services/ap.nix @@ -1,87 +1,101 @@ -{ config, lib, utils, pkgs, secrets, ... }: - -let - cfg = config.services.hostapd; +{ + config, + lib, + utils, + pkgs, + secrets, + ... +}: let nets = config.personal.networking.networks; - makeHostapdConf = { name, device, interface, driver ? "nl80211", ssid - , hwMode ? "g", channel ? 0, countryCode ? "FR" - , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? 2 - , extraConfig ? "" }: + makeHostapdConf = { + name, + device, + interface, + driver ? "nl80211", + ssid, + hwMode ? "g", + channel ? 0, + countryCode ? "FR", + passphrase ? secrets.wifi."${name}".passphrase, + logLevel ? 2, + extraConfig ? "", + }: builtins.toFile "hostapd.${name}.conf" ('' - interface=${device} - driver=${driver} + interface=${device} + driver=${driver} - # IEEE 802.11 - ssid=${ssid} - hw_mode=${hwMode} - channel=${toString channel} - max_num_sta=128 - auth_algs=1 - disassoc_low_ack=1 + # IEEE 802.11 + ssid=${ssid} + hw_mode=${hwMode} + channel=${toString channel} + max_num_sta=128 + auth_algs=1 + disassoc_low_ack=1 - # DFS - ieee80211h=1 - ieee80211d=1 - country_code=${countryCode} + # DFS + ieee80211h=1 + ieee80211d=1 + country_code=${countryCode} - # disable low-level bridging of frames - ap_isolate=1 - bridge=${interface} + # disable low-level bridging of frames + ap_isolate=1 + bridge=${interface} - # WPA/IEEE 802.11i - wpa=2 - wpa_key_mgmt=WPA-PSK - wpa_passphrase=${passphrase} - wpa_pairwise=CCMP + # WPA/IEEE 802.11i + wpa=2 + wpa_key_mgmt=WPA-PSK + wpa_passphrase=${passphrase} + wpa_pairwise=CCMP - # hostapd event logger configuration - logger_syslog=-1 - logger_syslog_level=${toString logLevel} - logger_stdout=-1 - logger_stdout_level=${toString logLevel} + # hostapd event logger configuration + logger_syslog=-1 + logger_syslog_level=${toString logLevel} + logger_stdout=-1 + logger_stdout_level=${toString logLevel} - # WMM - wmm_enabled=1 - uapsd_advertisement_enabled=1 - wmm_ac_bk_cwmin=4 - wmm_ac_bk_cwmax=10 - wmm_ac_bk_aifs=7 - wmm_ac_bk_txop_limit=0 - wmm_ac_bk_acm=0 - wmm_ac_be_aifs=3 - wmm_ac_be_cwmin=4 - wmm_ac_be_cwmax=10 - wmm_ac_be_txop_limit=0 - wmm_ac_be_acm=0 - wmm_ac_vi_aifs=2 - wmm_ac_vi_cwmin=3 - wmm_ac_vi_cwmax=4 - wmm_ac_vi_txop_limit=94 - wmm_ac_vi_acm=0 - wmm_ac_vo_aifs=2 - wmm_ac_vo_cwmin=2 - wmm_ac_vo_cwmax=3 - wmm_ac_vo_txop_limit=47 - wmm_ac_vo_acm=0 + # WMM + wmm_enabled=1 + uapsd_advertisement_enabled=1 + wmm_ac_bk_cwmin=4 + wmm_ac_bk_cwmax=10 + wmm_ac_bk_aifs=7 + wmm_ac_bk_txop_limit=0 + wmm_ac_bk_acm=0 + wmm_ac_be_aifs=3 + wmm_ac_be_cwmin=4 + wmm_ac_be_cwmax=10 + wmm_ac_be_txop_limit=0 + wmm_ac_be_acm=0 + wmm_ac_vi_aifs=2 + wmm_ac_vi_cwmin=3 + wmm_ac_vi_cwmax=4 + wmm_ac_vi_txop_limit=94 + wmm_ac_vi_acm=0 + wmm_ac_vo_aifs=2 + wmm_ac_vo_cwmin=2 + wmm_ac_vo_cwmax=3 + wmm_ac_vo_txop_limit=47 + wmm_ac_vo_acm=0 - # TX queue parameters - tx_queue_data3_aifs=7 - tx_queue_data3_cwmin=15 - tx_queue_data3_cwmax=1023 - tx_queue_data3_burst=0 - tx_queue_data2_aifs=3 - tx_queue_data2_cwmin=15 - tx_queue_data2_cwmax=63 - tx_queue_data2_burst=0 - tx_queue_data1_aifs=1 - tx_queue_data1_cwmin=7 - tx_queue_data1_cwmax=15 - tx_queue_data1_burst=3.0 - tx_queue_data0_aifs=1 - tx_queue_data0_cwmin=3 - tx_queue_data0_cwmax=7 - tx_queue_data0_burst=1.5 - '' + extraConfig); + # TX queue parameters + tx_queue_data3_aifs=7 + tx_queue_data3_cwmin=15 + tx_queue_data3_cwmax=1023 + tx_queue_data3_burst=0 + tx_queue_data2_aifs=3 + tx_queue_data2_cwmin=15 + tx_queue_data2_cwmax=63 + tx_queue_data2_burst=0 + tx_queue_data1_aifs=1 + tx_queue_data1_cwmin=7 + tx_queue_data1_cwmax=15 + tx_queue_data1_burst=3.0 + tx_queue_data0_aifs=1 + tx_queue_data0_cwmin=3 + tx_queue_data0_cwmax=7 + tx_queue_data0_burst=1.5 + '' + + extraConfig); hostapdIotConf = makeHostapdConf { name = "iot"; inherit (nets.iot) device interface; @@ -116,59 +130,58 @@ let ''; }; in { - services.udev.packages = [ pkgs.crda ]; - systemd.services.hostapd = let - subnets = with nets; [ wan iot ]; - netDevices = builtins.map (subnet: - "sys-subsystem-net-devices-${ + subnets = with nets; [wan iot]; + netDevices = + builtins.map (subnet: "sys-subsystem-net-devices-${ utils.escapeSystemdPath subnet.device - }.device") subnets; + }.device") + subnets; netdevServices = builtins.map (subnet: "${subnet.interface}-netdev.service") subnets; dependencies = lib.mkForce (netDevices ++ netdevServices); - in lib.mkForce { - # from https://github.com/NixOS/nixpkgs/blob/23.05/nixos/modules/services/networking/hostapd.nix - # with hardening from https://github.com/NixOS/nixpkgs/blob/23.11/nixos/modules/services/networking/hostapd.nix - description = "IEEE 802.11 Host Access-Point Daemon"; + in + lib.mkForce { + # from https://github.com/NixOS/nixpkgs/blob/23.05/nixos/modules/services/networking/hostapd.nix + # with hardening from https://github.com/NixOS/nixpkgs/blob/23.11/nixos/modules/services/networking/hostapd.nix + description = "IEEE 802.11 Host Access-Point Daemon"; - path = [ pkgs.hostapd ]; - after = dependencies; - bindsTo = dependencies; - wantedBy = [ "multi-user.target" ]; + path = [pkgs.hostapd]; + after = dependencies; + bindsTo = dependencies; + wantedBy = ["multi-user.target"]; - serviceConfig = { - ExecStart = "${pkgs.hostapd}/bin/hostapd ${hostapdIotConf} ${hostapdWanConf}"; - Restart = "always"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - RuntimeDirectory = "hostapd"; + serviceConfig = { + ExecStart = "${pkgs.hostapd}/bin/hostapd ${hostapdIotConf} ${hostapdWanConf}"; + Restart = "always"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + RuntimeDirectory = "hostapd"; - # Hardening - LockPersonality = true; - MemoryDenyWriteExecute = true; - DevicePolicy = "closed"; - DeviceAllow = "/dev/rfkill rw"; - NoNewPrivileges = true; - PrivateUsers = false; # hostapd requires true root access. - PrivateTmp = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProcSubset = "pid"; - ProtectSystem = "strict"; - RestrictAddressFamilies = - [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" "AF_PACKET" ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ]; - UMask = "0077"; + # Hardening + LockPersonality = true; + MemoryDenyWriteExecute = true; + DevicePolicy = "closed"; + DeviceAllow = "/dev/rfkill rw"; + NoNewPrivileges = true; + PrivateUsers = false; # hostapd requires true root access. + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" "AF_PACKET"]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = ["@system-service" "~@privileged" "@chown"]; + UMask = "0077"; + }; }; - }; } |