# Liminix configuration for the "ap01-prototype" access point.
#
# Two hostapd instances are built from the same parameter sets: wlan0 runs
# 2.4 GHz / 802.11n, wlan1 runs 5 GHz / 802.11ax. Both authenticate stations
# with 802.1X/EAP (WPA-EAP) against hostapd's built-in EAP server
# (eap_server = 1) and are bridged together with the wired "lan" interface.
{ config, pkgs, modulesPath, ... }:
let
  # inherit (pkgs.liminix.services)
  #   oneshot
  #   longrun
  #   bundle
  #   target
  #   ;
  # inherit (pkgs) writeText;
  svc = config.system.service;

  # Per-radio attribute sets merged last by mkWifiSta (so they win on any
  # key collision). Despite the name they currently contain only the SSID;
  # no key material lives here.
  secrets-1 = { ssid = "DGNum 2G prototype (N)"; };
  secrets-2 = { ssid = "DGNum 5G prototype (AX)"; };

  # hostapd settings shared by both radios. The defaults below are the
  # 2.4 GHz / 802.11n ones; modernParams overrides hw_mode and channel for
  # the 5 GHz radio.
  baseParams = {
    country_code = "FR";
    hw_mode = "g";
    channel = 6;
    wmm_enabled = 1;
    ieee80211n = 1;
    ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
    # Open System authentication only (no WEP shared-key auth).
    auth_algs = 1;
    # wpa = 2 enables WPA2/RSN only. hostapd uses wpa_pairwise for the
    # WPA(1) IE, which is not emitted when wpa = 2, so the TKIP entry is
    # inert today; rsn_pairwise is the cipher list stations actually
    # negotiate. TKIP would resurface if wpa were ever widened to 3 —
    # consider dropping it from wpa_pairwise.
    wpa = 2;
    wpa_pairwise = "TKIP CCMP";
    rsn_pairwise = "CCMP";
  };

  # Enterprise (802.1X/EAP) key management; no PSK is offered.
  radiusKeyMgmt = { wpa_key_mgmt = "WPA-EAP"; };

  # 5 GHz / 802.11ac+ax overrides applied on top of baseParams for wlan1.
  modernParams = {
    hw_mode = "a";
    he_su_beamformer = 1;
    he_su_beamformee = 1;
    he_mu_beamformer = 1;
    preamble = 1;
    # Allow radar detection.
    ieee80211d = 1;
    ieee80211h = 1;
    ieee80211ac = 1;
    ieee80211ax = 1;
    vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
    # 80 MHz operation: primary channel 36, segment 0 centred on channel 42
    # (i.e. channels 36-48), for both the VHT and HE operation elements.
    vht_oper_chwidth = 1;
    he_oper_chwidth = 1;
    channel = 36;
    vht_oper_centr_freq_seg0_idx = 42;
    he_oper_centr_freq_seg0_idx = 42;
    # Stations that do not support VHT are rejected.
    require_vht = 1;
  };

  # 802.1X authenticator side (the AP as a RADIUS/EAP client).
  clientRadius = {
    ieee8021x = 1;
    eapol_version = 2;
    use_pae_group_addr = 1;
    # RADIUS-assigned VLANs are disabled, so vlan_tagged_interface appears
    # to be unused here — TODO confirm against the hostapd module rendering.
    dynamic_vlan = 0;
    vlan_tagged_interface = "lan";
  };

  # hostapd's built-in RADIUS server.
  serverRadius = {
    # Client ACL for the RADIUS server: every IPv4 address (0.0.0.0/0) is
    # accepted with the shared secret "dgnum", and the secret is committed
    # here in cleartext. This should be narrowed to the actual NAS
    # addresses and the secret taken from somewhere outside the repository
    # and the Nix store before this leaves the prototype stage.
    radius_server_clients = pkgs.writeText "clients" ''
      0.0.0.0/0 dgnum
    '';
    radius_server_auth_port = 1812;
    radius_server_ipv6 = 1;
  };

  # Local EAP server configuration (PEAP with MSCHAPv2 inner method).
  localRadius = {
    eap_server = 1;
    # hostapd EAP user database. The "test" / "diamond dogs" phase-2
    # credential is a cleartext test account committed to the repository;
    # prototype only, remove before production.
    eap_user_file = pkgs.writeText "user.db" ''
      # anonymous login in phase 1
      * PEAP
      # password based in the secure tunnel in phase 2
      "test" MSCHAPV2 "diamond dogs" [2]
    '';
    # DGNum CA certificate.
    ca_cert = builtins.toFile "dgnum-test-ap-ca" (
      builtins.readFile ../../keys/certs/dgnum-test-ap-ca.crt
    );
    # Server certificate for this AP.
    server_cert = builtins.toFile "dgnum-ap-server" (
      builtins.readFile ../../keys/certs/dgnum-ap-server.crt
    );
    # NOTE(review): builtins.readFile + builtins.toFile copies the private
    # key into the Nix store, which is world-readable on the build host and
    # in any binary cache the derivation is pushed to. The CA and server
    # certificates are public, but the key should be provisioned out of
    # band rather than through the store.
    private_key = builtins.toFile "dgnum-ap-server-pkey" (
      builtins.readFile ../../keys/certs/dgnum-ap-server.key.pem
    );
  };

  # externalRadius = {
  #   own_ip_addr = "";
  #   nas_identifier = "";
  #   auth_server_addr = "";
  #   auth_server_port = 1812;
  #   auth_server_shared_secret = "dgnum";
  # };

  # Build a hostapd service for `interface` from `params`, with `secrets`
  # merged on top (right-hand side of // wins on duplicate keys). Uses the
  # RADIUS-enabled hostapd package.
  mkWifiSta = params: interface: secrets:
    svc.hostapd.build {
      inherit interface;
      package = pkgs.hostapd-radius;
      params = params // secrets;
    };
in
# rec: the services.* attributes below reference each other
# (services.bridge -> services.int, services.defaultroute4 -> services.dhcpv4).
rec {
  imports = [
    "${modulesPath}/wlan.nix"
    "${modulesPath}/network"
    "${modulesPath}/hostapd"
    "${modulesPath}/ssh"
    "${modulesPath}/ntp"
    "${modulesPath}/vlan"
    "${modulesPath}/bridge"
    "${modulesPath}/jitter-rng"
    "${modulesPath}/pki"
    ../../modules/dgn-access-control.nix
    # TODO: god that's so a fucking hack.
    (import "${modulesPath}/../devices/zyxel-nwa50ax").module
  ];

  hostname = "ap01-prototype";

  # Install the DGNum test CA into the system trust store.
  security.pki = {
    installCACerts = true;
    certificateFiles = [ ../../keys/certs/dgnum-test-ap-ca.crt ];
  };

  # SSH keys are handled by the access control module.
  dgn-access-control.enable = true;

  users.root = {
    # EDIT: choose a root password and then use
    # "mkpasswd -m sha512crypt" to determine the hash.
    # It should start with $6$.
    passwd = "$6$jVXFFOp8HBYmgINR$lutB4kvw.W1jlXRby9ZYAgBitQ32RxQdYAGN.s2x4ris8J07vM6tzlRBQoeLELOIEMClDzbciQV0itfHQnTqd1";
  };

  # Bridge "int" joining the wired lan port with both wireless interfaces;
  # the AP's own IPv4 address is obtained on the bridge via DHCP.
  services.int = svc.bridge.primary.build { ifname = "int"; };
  services.bridge = svc.bridge.members.build {
    primary = services.int;
    members = with config.hardware.networkInterfaces; [
      lan
      wlan0
      wlan1
    ];
  };

  services.dhcpv4 =
    let
      iface = services.int;
    in
    svc.network.dhcp.client.build { interface = iface; };

  # Default route via the gateway learned by the DHCP client; the
  # "$(output ...)" expression is presumably expanded at service start
  # from dhcpv4's recorded output — confirm against the network module.
  services.defaultroute4 = svc.network.route.build {
    via = "$(output ${services.dhcpv4} address)";
    target = "default";
    dependencies = [ services.dhcpv4 ];
  };

  services.packet_forwarding = svc.network.forward.build { };

  # Root login over SSH is permitted; key handling is delegated to the
  # access control module enabled above.
  services.sshd = svc.ssh.build { allowRoot = true; };

  services.ntp = config.system.service.ntp.build {
    pools = { "pool.ntp.org" = [ "iburst" ]; };
  };

  # TFTP boot addresses. 192.0.2.0/24 is the RFC 5737 documentation range,
  # so these look like placeholders — confirm before deploying.
  boot.tftp = {
    serverip = "192.0.2.10";
    ipaddr = "192.0.2.12";
  };

  # wlan0 is the 2.4GHz interface.
  # Merge order matters: later sets override earlier ones on duplicate keys.
  services.hostap-1 = mkWifiSta (
    baseParams // clientRadius // localRadius // serverRadius // radiusKeyMgmt
  ) config.hardware.networkInterfaces.wlan0 secrets-1;

  # wlan1 is the 5GHz interface, e.g. AX capable.
  # modernParams is merged last so its hw_mode/channel win over baseParams.
  services.hostap-2 = mkWifiSta (
    baseParams // clientRadius // localRadius // serverRadius // radiusKeyMgmt // modernParams
  ) config.hardware.networkInterfaces.wlan1 secrets-2;

  defaultProfile.packages = with pkgs; [
    zyxel-bootconfig
    iw
    min-collect-garbage
    mtdutils
  ];
}