Diffstat (limited to 'config/networking')
-rw-r--r--config/networking/default.nix108
-rw-r--r--config/networking/hostapd.nix138
2 files changed, 238 insertions, 8 deletions
diff --git a/config/networking/default.nix b/config/networking/default.nix
index 9dac00f..330ba3b 100644
--- a/config/networking/default.nix
+++ b/config/networking/default.nix
@@ -1,13 +1,105 @@
-{ pkgs, ... }:
+# https://skogsbrus.xyz/blog/2022/06/12/router/
+# https://blog.fraggod.net/2017/04/27/wifi-hostapd-configuration-for-80211ac-networks.html
+{ config, lib, pkgs, secrets, ... }:
-{
- personal.networking = {
- enable = true;
- ssh.enable = true;
+let
+ ifaces = config.personal.networking.interfaces;
+ publicSubnet = "192.168.1";
+ privateSubnet = "192.168.2";
+in {
+ imports = [ ./hostapd.nix ];
+
+ options.personal.networking = {
+ interfaces = let
+ makeInterfaceOption = type:
+ lib.mkOption {
+ type = lib.types.str;
+ description = "Network device for the ${type} interface.";
+ example = "enp4s0";
+ };
+ in {
+ eth = makeInterfaceOption "ethernet";
+ wlp2ghz = makeInterfaceOption "2 GHz WiFi";
+ wlp5ghz = makeInterfaceOption "5 GHz WiFi";
+ };
};
- networking = {
- hostName = "kerberos";
- domain = "local";
+ config = {
+ personal.networking = {
+ enable = true;
+ ssh.enable = true;
+ interfaces = {
+ eth = "enp4s0";
+ wlp2ghz = "wlp5s0";
+ wlp5ghz = "wlp1s0";
+ };
+ };
+
+ networking = {
+ hostName = "kerberos";
+ domain = "local";
+
+ defaultGateway = {
+ address = "${publicSubnet}.1";
+ interface = ifaces.eth;
+ };
+
+ dhcpcd.enable = false;
+ interfaces = {
+ "${ifaces.eth}" = {
+ ipv4.addresses = [{
+ address = "${publicSubnet}.2";
+ prefixLength = 24;
+ }];
+ };
+ "${ifaces.wlp5ghz}" = {
+ ipv4.addresses = [{
+ address = "${privateSubnet}.1";
+ prefixLength = 24;
+ }];
+ };
+ };
+
+ nat = {
+ enable = true;
+ externalInterface = ifaces.eth;
+ internalInterfaces = [
+ # ifaces.wlp2ghz
+ ifaces.wlp5ghz
+ ];
+ };
+
+ firewall.interfaces."${ifaces.wlp5ghz}" = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+ };
+
+ services.dhcpd4 = {
+ enable = true;
+ extraConfig = ''
+ option subnet-mask 255.255.255.0;
+ option routers ${privateSubnet}.1;
+ option domain-name-servers ${privateSubnet}.1, 9.9.9.9;
+ subnet ${privateSubnet}.0 netmask 255.255.255.0 {
+ range ${privateSubnet}.10 ${privateSubnet}.99;
+ }
+ '';
+ interfaces = [ ifaces.wlp5ghz ];
+ };
+
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = [ "127.0.0.1" "${privateSubnet}.1" ];
+ access-control = [
+ "0.0.0.0/0 refuse"
+ "127.0.0.0/8 allow"
+ "${privateSubnet}.0/24 allow"
+ ];
+ };
+ };
+ };
};
}
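Review bot: The 2 GHz interface is brought up as an access point by the imported hostapd.nix but gets no address in `networking.interfaces` (lines 69–82), is commented out of `nat.internalInterfaces` (line 88) and is absent from `services.dhcpd4.interfaces` (line 109), so clients that associate with that SSID would presumably receive no lease and no route; if that isolation is intentional it deserves a comment, otherwise it looks unfinished. I would replace the bare `# ifaces.wlp2ghz` with something like `# wlp2ghz is deliberately left without L3 config: the 2 GHz SSID is link-only for now (see hostapd.nix)` or add the missing address/DHCP/NAT entries. Separately, `secrets` is taken in the argument set on line 19 but never used in this file, so it can be dropped here unless a later change needs it.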
diff --git a/config/networking/hostapd.nix b/config/networking/hostapd.nix
new file mode 100644
index 0000000..f5f399b
--- /dev/null
+++ b/config/networking/hostapd.nix
@@ -0,0 +1,138 @@
+{ config, lib, utils, pkgs, secrets, ... }:
+
+let
+ cfg = config.services.hostapd;
+ makeHostapdConf = { name, interface ? cfg.interface, driver ? cfg.driver, ssid
+ , hwMode ? cfg.hwMode, channel ? cfg.channel, countryCode ? cfg.countryCode
+ , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? cfg.logLevel
+ , extraConfig ? "" }:
+ builtins.toFile "hostapd.${name}.conf" (''
+ interface=${interface}
+ driver=${driver}
+
+ # IEEE 802.11
+ ssid=${ssid}
+ hw_mode=${hwMode}
+ channel=${toString channel}
+ max_num_sta=128
+ auth_algs=1
+ disassoc_low_ack=1
+
+ # DFS
+ ieee80211h=1
+ ieee80211d=1
+ country_code=${countryCode}
+
+
+ # WPA/IEEE 802.11i
+ wpa=2
+ wpa_key_mgmt=WPA-PSK
+ wpa_passphrase=${passphrase}
+ wpa_pairwise=CCMP
+
+ # hostapd event logger configuration
+ logger_syslog=-1
+ logger_syslog_level=${toString logLevel}
+ logger_stdout=-1
+ logger_stdout_level=${toString logLevel}
+
+ # WMM
+ wmm_enabled=1
+ uapsd_advertisement_enabled=1
+ wmm_ac_bk_cwmin=4
+ wmm_ac_bk_cwmax=10
+ wmm_ac_bk_aifs=7
+ wmm_ac_bk_txop_limit=0
+ wmm_ac_bk_acm=0
+ wmm_ac_be_aifs=3
+ wmm_ac_be_cwmin=4
+ wmm_ac_be_cwmax=10
+ wmm_ac_be_txop_limit=0
+ wmm_ac_be_acm=0
+ wmm_ac_vi_aifs=2
+ wmm_ac_vi_cwmin=3
+ wmm_ac_vi_cwmax=4
+ wmm_ac_vi_txop_limit=94
+ wmm_ac_vi_acm=0
+ wmm_ac_vo_aifs=2
+ wmm_ac_vo_cwmin=2
+ wmm_ac_vo_cwmax=3
+ wmm_ac_vo_txop_limit=47
+ wmm_ac_vo_acm=0
+
+ # TX queue parameters
+ tx_queue_data3_aifs=7
+ tx_queue_data3_cwmin=15
+ tx_queue_data3_cwmax=1023
+ tx_queue_data3_burst=0
+ tx_queue_data2_aifs=3
+ tx_queue_data2_cwmin=15
+ tx_queue_data2_cwmax=63
+ tx_queue_data2_burst=0
+ tx_queue_data1_aifs=1
+ tx_queue_data1_cwmin=7
+ tx_queue_data1_cwmax=15
+ tx_queue_data1_burst=3.0
+ tx_queue_data0_aifs=1
+ tx_queue_data0_cwmin=3
+ tx_queue_data0_cwmax=7
+ tx_queue_data0_burst=1.5
+ '' + extraConfig);
+ hostapd2ghzConf = makeHostapdConf {
+ name = "2ghz";
+ interface = config.personal.networking.interfaces.wlp2ghz;
+ ssid = "Quentinternet of Things";
+ hwMode = "g";
+ channel = 0;
+ extraConfig = ''
+ # IEEE 802.11n
+ ieee80211n=1
+ require_ht=1
+ ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
+ '';
+ };
+ hostapd5ghzConf = makeHostapdConf {
+ name = "5ghz";
+ interface = config.personal.networking.interfaces.wlp5ghz;
+ ssid = "Quentintranet";
+ hwMode = "a";
+ channel = 36;
+ extraConfig = ''
+ # IEEE 802.11n
+ ieee80211n=1
+ require_ht=1
+ ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
+
+ # IEEE 802.11ac
+ require_vht=1
+ ieee80211ac=1
+ vht_oper_chwidth=1
+ vht_oper_centr_freq_seg0_idx=42
+ vht_capab=[MAX-MPDU-11454][RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP7][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
+ '';
+ };
+in {
+ services.hostapd = {
+ enable = true;
+ driver = "nl80211";
+ countryCode = "FR";
+ };
+
+ systemd.services.hostapd = let
+ interfaces = with config.personal.networking.interfaces; [
+ wlp2ghz
+ wlp5ghz
+ ];
+ netDevices = builtins.map (interface:
+ "sys-subsystem-net-devices-${utils.escapeSystemdPath interface}.device")
+ interfaces;
+ networkLinkServices =
+ builtins.map (interface: "network-link-${interface}.service") interfaces;
+ in {
+ serviceConfig.ExecStart = lib.mkForce
+ "${pkgs.hostapd}/bin/hostapd ${hostapd2ghzConf} ${hostapd5ghzConf}";
+ after = lib.mkForce netDevices;
+ bindsTo = lib.mkForce netDevices;
+ requiredBy = lib.mkForce networkLinkServices;
+ };
+}
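Review bot: `builtins.toFile` on line 141 writes the rendered hostapd.conf, including `wpa_passphrase=${passphrase}` (line 162) taken from `secrets.wifi."${name}".passphrase`, into the Nix store, which is readable by every local user and may be pushed to any binary cache the host uses, so the PSK loses whatever protection the `secrets` input provided. hostapd can load the key from a separate file via `wpa_psk_file=`, so pointing that at a file deployed outside the store at activation time and dropping the `wpa_passphrase` line keeps the rest of the template unchanged while the secret never enters the store; the same applies to anything else `extraConfig` callers might pass. A short comment above `makeHostapdConf`, e.g. `# NOTE: the result lives in /nix/store; keep credentials out of this template`, would stop the next contributor from repeating the pattern. Minor: with `wpa=2` the cipher for WPA2 associations is governed by `rsn_pairwise`, which as I recall falls back to the `wpa_pairwise` value, so line 163 works but reads as a WPA1 setting and merits a one-line comment.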