From 58fe7351c9a2ba0d1db8adefaf466f4aad0b0069 Mon Sep 17 00:00:00 2001
From: catvayor <catvayor@katvayor.net>
Date: Fri, 11 Oct 2024 12:56:05 +0200
Subject: [PATCH] feat(agb02): enable hostapd

---
 machines/agb01/networking.nix | 84 ++++++++++++++++++++++++-----------
 wg-keys/agb01.pub             |  1 +
 2 files changed, 58 insertions(+), 27 deletions(-)
 create mode 100644 wg-keys/agb01.pub

diff --git a/machines/agb01/networking.nix b/machines/agb01/networking.nix
index ff36ff9..10e5289 100644
--- a/machines/agb01/networking.nix
+++ b/machines/agb01/networking.nix
@@ -4,13 +4,11 @@
   pkgs,
   ...
 }: {
-  networking.useDHCP = false;
-
-  networking.wireless.userControlled.enable = true;
-  networking.wireless.enable = true;
+  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
 
   systemd.network = {
     enable = true;
+    wait-online.anyInterface = true;
 
     networks = {
       "10-uplink" = {
@@ -25,12 +23,10 @@
       };
       "10-wifi" = {
         name = "wlan0";
-        DHCP = "yes";
-        networkConfig = {
-        };
-        dhcpV4Config = {
-          RouteMetric = 2000;
-        };
+        networkConfig.DHCPServer = "yes";
+        address = [
+          "192.168.55.1/24"
+        ];
       };
     };
     netdevs = {
@@ -39,30 +35,64 @@
           Name = "wg0";
           Kind = "wireguard";
         };
-        wireguardConfig = {
-          PrivateKeyFile = config.age.secrets."wg".path;
-        };
+        wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;
 
         wireguardPeers = [
           {
-            wireguardPeerConfig = {
-              AllowedIPs = [
-                "10.10.10.1/24"
-              ];
-              PublicKey = "CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es=";
-              Endpoint="129.199.129.76:1194";
-          PersistentKeepalive = 5;
-            };
+            AllowedIPs = [
+              "10.10.10.0/24"
+            ];
+            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
+            Endpoint = "129.199.129.76:1194";
+            PersistentKeepalive = 5;
           }
         ];
       };
     };
   };
-  networking.nameservers = [
-    "2620:fe::fe"
-    "2620:fe::9"
-    "9.9.9.9"
-    "149.112.112.112"
-  ];
+  networking = {
+    useDHCP = false;
+    nameservers = [
+      "2620:fe::fe"
+      "2620:fe::9"
+      "9.9.9.9"
+      "149.112.112.112"
+    ];
+    nftables = {
+      enable = true;
+      tables.nat = {
+        family = "ip";
+        content = ''
+          chain postrouting {
+            type nat hook postrouting priority 100;
+            ip saddr 192.168.55.0/24 masquerade
+          }
+        '';
+      };
+    };
 
+    firewall.allowedUDPPorts = [ 67 ];
+  };
+
+  services.hostapd = {
+    enable = true;
+    radios.wlan0 = {
+      # countryCode = "FR";
+      wifi4.enable = false;
+      wifi5.enable = false;
+      channel = 7; # ACS doesn't work
+      networks.wlan0 = {
+        settings = {
+          ieee80211w = 0;
+          wmm_enabled = false;
+        };
+        ssid = "agb - wifi";
+        logLevel = 0;
+        authentication = {
+          mode = "wpa2-sha1";
+          wpaPasswordFile = pkgs.writeText "psk" "azertyuiop"; # TODO : secret
+        };
+      };
+    };
+  };
 }
diff --git a/wg-keys/agb01.pub b/wg-keys/agb01.pub
new file mode 100644
index 0000000..be3d982
--- /dev/null
+++ b/wg-keys/agb01.pub
@@ -0,0 +1 @@
+JpUHFiavhlQfiHfOdUffQP3HLLeStttheACCaqlXAF8=