diff --git a/config/services/hostapd.nix b/config/services/hostapd.nix
index 2a5af1c..4516af2 100644
--- a/config/services/hostapd.nix
+++ b/config/services/hostapd.nix
@@ -1,4 +1,9 @@
-{ globals, pkgs, ... }:
+{
+ globals,
+ pkgs,
+ lib,
+ ...
+}:
 {
 microvm.devices = [
 {
@@ -6,27 +11,53 @@
 path = "0000:01:00.0";
 }
 ];
+ hardware.firmware = with pkgs; [
+ linux-firmware
+ intel2200BGFirmware
+ ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 networking.nftables.firewall.zones.untrusted.interfaces = [ "lan-services" ];
 hardware.wirelessRegulatoryDatabase = true;
- systemd.network = {
- netdevs."40-wifi-home" = {
- netdevConfig = {
- Name = "br-home";
- Kind = "bridge";
- };
- };
- networks."10-home-bridge" = {
- matchConfig.Name = "lan-home";
- DHCP = "no";
- extraConfig = ''
- [Network]
- Bridge=br-home
- '';
- };
- networks."10-home-" = {
- matchConfig.Name = "br-home";
- DHCP = "yes";
- };
+ # systemd.network = {
+ # netdevs."40-wifi-home" = {
+ # netdevConfig = {
+ # Name = "br-home";
+ # Kind = "bridge";
+ # };
+ # };
+ # networks."10-home-bridge" = {
+ # networkConfig.LinkLocalAddressing = "no";
+ # matchConfig.Name = "lan-home";
+ # DHCP = "no";
+ # extraConfig = ''
+ # [Network]
+ # Bridge=br-home
+ # '';
+ # };
+ # networks."10-home-" = {
+ # matchConfig.Name = "br-home";
+ # DHCP = "yes";
+ # };
+ # };
+
+ networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
+ networking.nftables.firewall.zones.home.interfaces = [ "lan-home" ];
+ networking.nftables.firewall.rules.wifi-forward = {
+ from = [ "wlan" ];
+ to = [ "lan-home" ];
+ verdict = "accept";
+ };
+ systemd.network.networks."40-wifi" = {
+ matchConfig.Name = "lan-home";
+ address = [
+ (lib.net.cidr.hostCidr (globals.services.hostapd.ip + 1) globals.net.vlans.home.cidrv4)
+ (lib.net.cidr.hostCidr (globals.services.hostapd.ip + 1) globals.net.vlans.home.cidrv6)
+ ];
+ gateway = [
+ (lib.net.cidr.host 1 globals.net.vlans.home.cidrv4)
+ (lib.net.cidr.host 1 globals.net.vlans.home.cidrv6)
+ ];
+ };
 services.hostapd = {
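Review bot: The `to` side of `rules.wifi-forward` names the interface `"lan-home"`, while `from` names the zone `wlan` and the line just above defines a zone `home` for that very interface; if `to` takes zone names the way `from` does, this should read `to = [ "home" ];`, otherwise the forward rule matches nothing and wlan clients cannot reach the home network at all. The `"40-wifi"` network assigns an IPv6 address and gateway, yet only `net.ipv4.ip_forward` is enabled, so IPv6 between wlan1 and lan-home will not be routed unless `net.ipv6.conf.all.forwarding` is set elsewhere. The host address is derived from `globals.services.hostapd.ip + 1`, which yields host 20 although globals declares 19; a one-line comment stating why this VM takes the next address would save the next reader from treating it as a bug. The commented-out `systemd.network` bridge block is dead configuration that already survives in history and could be dropped.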
@@ -58,20 +89,20 @@
 networks.wlan1 = {
 inherit (globals.hostapd) ssid;
 apIsolate = true;
- settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
- 10 wifi-home br-home
- 50 wifi-guest br-guest
- ''}";
+ # settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
+ # 10 wifi-home br-home
+ # 50 wifi-guest br-guest
+ # ''}";
 authentication = {
 saePasswords = [
 {
- password = "lol";
- vlanid = 10;
- }
- {
- password = "lel";
- vlanid = 50;
+ password = "ctiectie";
+ # vlanid = 10;
 }
+ # {
+ # password = "nrsgnrsg";
+ # vlanid = 50;
+ # }
 ];
 pairwiseCiphers = [
 "CCMP"
diff --git a/globals.nix b/globals.nix
index 8dba54a..debdc90 100644
--- a/globals.nix
+++ b/globals.nix
@@ -136,6 +136,7 @@ in
 };
 hostapd = {
 host = "nucnix-hostapd";
+ ip = 19;
 };
 murmur = {
 domain = "ts.${globals.domains.web}";
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix
index 4a05841..3566e5e 100644
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@@ -25,7 +25,7 @@ in
 fritz.interfaces = [ "vlan-fritz" ];
 wg-services.interfaces = [ "services" ];
 printer.ipv4Addresses = [
- (lib.net.cidr.host 32 globals.net.vlans.device.cidrv4)
+ (lib.net.cidr.host 32 globals.net.vlans.devices.cidrv4)
 ];
 adguard.ipv4Addresses = [
 (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
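Review bot: The SAE password `"ctiectie"` is committed in plaintext, and because `password` is evaluated at build time it also lands in the world-readable Nix store of every host that builds this configuration; the hostapd module's per-entry `passwordFile` (or `saePasswordsFile`) keeps the secret out of both the repository and the store. The commented-out second entry `"nrsgnrsg"` is a credential of the same kind and should be removed from the file rather than left behind in a comment. With `vlanid` and `settings.vlan_file` both commented out, clients presumably all end up on the untagged BSS, leaving `apIsolate = true` as the only separation between stations; if that is the intended interim state, a comment such as `# VLAN steering disabled until the bridge setup is reinstated` would make it explicit. The enclosing `networks.wlan1` and `authentication` blocks start and end outside this hunk.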