summaryrefslogtreecommitdiffstats
path: root/lass
diff options
context:
space:
mode:
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/cabal/config.nix1
-rw-r--r--lass/2configs/AP.nix77
2 files changed, 78 insertions, 0 deletions
diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix
index 88f642d6b..9ac3cb681 100644
--- a/lass/1systems/cabal/config.nix
+++ b/lass/1systems/cabal/config.nix
@@ -15,6 +15,7 @@
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix>
+ <stockholm/lass/2configs/AP.nix>
];
krebs.build.host = config.krebs.hosts.cabal;
diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix
new file mode 100644
index 000000000..5ce7cfff8
--- /dev/null
+++ b/lass/2configs/AP.nix
@@ -0,0 +1,77 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+ wifi = "wlp0s29u1u2";
+in {
+ boot.extraModulePackages = [
+ pkgs.linuxPackages.rtl8814au
+ ];
+ networking.networkmanager.unmanaged = [ wifi ];
+
+ systemd.services.hostapd = {
+ description = "hostapd wireless AP";
+ path = [ pkgs.hostapd ];
+ wantedBy = [ "network.target" ];
+
+ after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" ''
+ interface=${wifi}
+ hw_mode=a
+ channel=36
+ ieee80211d=1
+ country_code=DE
+ ieee80211n=1
+ ieee80211ac=1
+ wmm_enabled=1
+
+ # 5ghz
+ ssid=krebsing
+ auth_algs=1
+ wpa=2
+ wpa_key_mgmt=WPA-PSK
+ rsn_pairwise=CCMP
+ wpa_passphrase=aidsballz
+ ''}";
+ Restart = "always";
+ };
+ };
+
+ networking.interfaces.${wifi}.ipv4.addresses = [
+ { address = "10.99.0.1"; prefixLength = 24; }
+ ];
+ services.dhcpd4 = {
+ enable = true;
+ interfaces = [ wifi ];
+ extraConfig = ''
+ option subnet-mask 255.255.255.0;
+ option routers 10.99.0.1;
+ option domain-name-servers 1.1.1.1, 8.8.8.8;
+ subnet 10.99.0.0 netmask 255.255.255.0 {
+ range 10.99.0.100 10.99.0.200;
+ }
+ '';
+ };
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ { v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ ];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
+ ];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ #TODO find out what this is about?
+ { v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; }
+
+ { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ ];
+}