Diffstat (limited to 'config')
-rw-r--r--config/networking/bridges.nix8
-rw-r--r--config/networking/services/ap.nix57
-rw-r--r--config/networking/services/igmpproxy.nix5
3 files changed, 51 insertions, 19 deletions
diff --git a/config/networking/bridges.nix b/config/networking/bridges.nix
index 2b24552..cdef41b 100644
--- a/config/networking/bridges.nix
+++ b/config/networking/bridges.nix
@@ -3,9 +3,9 @@
let nets = config.personal.networking.networks;
in {
config = lib.mkMerge ([{
- systemd.services.hostapd.postStart = lib.mkBefore ''
+ systemd.services.hostapd.postStart = lib.mkForce (lib.mkBefore ''
sleep 3
- '';
+ '');
}] ++ (builtins.map (network:
let
bridge = network.interface;
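Review bot: Wrapping only `postStart` in `lib.mkForce` may not be enough to keep the sleep, because the priority that decides which definitions of `systemd.services.hostapd` survive is compared on the `hostapd` attribute itself, and ap.nix now defines that whole attribute as `lib.mkForce { … }` while this file still contributes an ordinary `{ hostapd = { postStart = …; }; }` at that level. The hairpin-mode snippet in the second hunk of this file has the same shape and the same exposure. Whether the inner override is honoured is worth checking on the built system with `nixos-option systemd.services.hostapd.postStart`; if the sleep and hairpin lines are missing, moving them into the forced attrset in ap.nix is the safer fix. A short comment explaining why `mkBefore` is nested inside `mkForce` here, e.g. `# mkForce: must match the priority of the forced hostapd unit in ap.nix`, would also help the next reader.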
@@ -18,9 +18,9 @@ in {
ip link set ${bridge} type bridge forward_delay 0
'';
- systemd.services.hostapd.postStart = ''
+ systemd.services.hostapd.postStart = lib.mkForce (''
echo Setting ${device} to hairpin mode...
${pkgs.iproute2}/bin/bridge link set dev ${device} hairpin on
- '';
+ '');
}) [ nets.wan nets.iot ]));
}
diff --git a/config/networking/services/ap.nix b/config/networking/services/ap.nix
index 2324c41..8a40e84 100644
--- a/config/networking/services/ap.nix
+++ b/config/networking/services/ap.nix
@@ -3,9 +3,9 @@
let
cfg = config.services.hostapd;
nets = config.personal.networking.networks;
- makeHostapdConf = { name, device, interface, driver ? cfg.driver, ssid
- , hwMode ? cfg.hwMode, channel ? cfg.channel, countryCode ? cfg.countryCode
- , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? cfg.logLevel
+ makeHostapdConf = { name, device, interface, driver ? "nl80211", ssid
+ , hwMode ? "g", channel ? 0, countryCode ? "FR"
+ , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? 2
, extraConfig ? "" }:
builtins.toFile "hostapd.${name}.conf" (''
interface=${device}
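Review bot: The `passphrase` default is still interpolated into a file produced by `builtins.toFile`, so if `secrets.wifi.<name>.passphrase` is the real PSK it lands in the world-readable Nix store (and in any binary cache the store is pushed to); the commit does not change that, but this hunk is where it lives. hostapd can read the key from a file outside the store via `wpa_psk_file=`, or the config can be assembled at service start from a root-only path under `/run`, which keeps the store copy free of secrets. Separately, after this hunk no `cfg.*` reference remains in view, so `cfg = config.services.hostapd;` just above may now be dead, which matters because the next hunk also stops enabling `services.hostapd`. The `makeHostapdConf` body continues past the end of the hunk.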
@@ -116,12 +116,7 @@ let
'';
};
in {
- services.hostapd = {
- enable = true;
- driver = "nl80211";
- countryCode = "FR";
- interface = "";
- };
+ services.udev.packages = [ pkgs.crda ];
systemd.services.hostapd = let
subnets = with nets; [ wan iot ];
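Review bot: `services.udev.packages = [ pkgs.crda ];` reinstates the regulatory helper by hand now that `services.hostapd.enable` is gone, but whether the kernel on this host still consults crda is not visible here, since newer kernels load `regulatory.db` directly as firmware. If this NixOS release has `hardware.wirelessRegulatoryDatabase`, I believe `hardware.wirelessRegulatoryDatabase = true;` is what the upstream hostapd module sets when a `countryCode` is given, and it is what keeps the `countryCode ? "FR"` default from the previous hunk effective. A one-line comment on the udev line naming the mechanism that was verified to apply the FR domain would save the next reviewer re-asking.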
@@ -132,10 +127,48 @@ in {
netdevServices =
builtins.map (subnet: "${subnet.interface}-netdev.service") subnets;
dependencies = lib.mkForce (netDevices ++ netdevServices);
- in {
- serviceConfig.ExecStart = lib.mkForce
- "${pkgs.hostapd}/bin/hostapd ${hostapdIotConf} ${hostapdWanConf}";
+ in lib.mkForce {
+ # from https://github.com/NixOS/nixpkgs/blob/23.05/nixos/modules/services/networking/hostapd.nix
+ # with hardening from https://github.com/NixOS/nixpkgs/blob/23.11/nixos/modules/services/networking/hostapd.nix
+ description = "IEEE 802.11 Host Access-Point Daemon";
+
+ path = [ pkgs.hostapd ];
after = dependencies;
bindsTo = dependencies;
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.hostapd}/bin/hostapd ${hostapdIotConf} ${hostapdWanConf}";
+ Restart = "always";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ RuntimeDirectory = "hostapd";
+
+ # Hardening
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ DevicePolicy = "closed";
+ DeviceAllow = "/dev/rfkill rw";
+ NoNewPrivileges = true;
+ PrivateUsers = false; # hostapd requires true root access.
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies =
+ [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" "AF_PACKET" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
+ UMask = "0077";
+ };
};
}
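Review bot: The hardening block stops short of a `CapabilityBoundingSet`, so with `PrivateUsers = false` the daemon keeps root's full capability set even though the rest of the sandbox is tight; hostapd is normally served by `CAP_NET_ADMIN` and `CAP_NET_RAW`, but that needs a test on this hardware before pinning `CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ];`. `ExecStart` also spells out `${pkgs.hostapd}/bin/hostapd` although `path = [ pkgs.hostapd ]` is set on the unit, so one of the two is redundant. The outer `lib.mkForce` replaces every other module's definition of `systemd.services.hostapd`, which is presumably why bridges.nix now forces its `postStart` snippets too; a comment above `in lib.mkForce {` stating that intent would make the coupling explicit. The `let` that binds `dependencies` for this attrset begins in the previous hunk.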
diff --git a/config/networking/services/igmpproxy.nix b/config/networking/services/igmpproxy.nix
index b7a25da..6999807 100644
--- a/config/networking/services/igmpproxy.nix
+++ b/config/networking/services/igmpproxy.nix
@@ -5,9 +5,8 @@ let
netdevServices = builtins.map (subnet: "${subnet.interface}-netdev.service")
(with nets; [ wan iot ]);
conf = pkgs.writeText "igmpproxy.conf" ''
- phyint ${nets.wan.interface} upstream
- ratelimit 0 threshold 1 phyint ${nets.iot.interface} downstream ratelimit 0
- threshold 1 phyint ${nets.lan.interface} downstream ratelimit 0 threshold 1
+ phyint ${nets.wan.interface} upstream ratelimit 0 threshold 1
+ phyint ${nets.iot.interface} downstream ratelimit 0 threshold 1
'';
in {
systemd.services.igmpproxy = {
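Review bot: Besides putting each `phyint` on its own line, the new config drops the `phyint ${nets.lan.interface} downstream …` entry, so LAN clients stop receiving proxied multicast; that is a behaviour change hidden inside what reads as a reformat. If it is deliberate, a comment such as `# lan is intentionally not a downstream interface` next to the `phyint` lines would make it visible; if not, the third line should be restored. Interfaces without a `phyint` line fall back to igmpproxy's default handling, which is worth confirming is `disabled` for the LAN rather than implicit forwarding. The `systemd.services.igmpproxy` attrset that follows opens on the last line of the hunk and continues beyond it.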