hackens-org-configurations/machines/agb01/networking.nix

98 lines
2 KiB
Nix

{
config,
lib,
pkgs,
...
}: {
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
systemd.network = {
enable = true;
wait-online.anyInterface = true;
networks = {
"10-uplink" = {
name = "enu1u1";
DHCP = "yes";
};
"50-wg0" = {
name = "wg0";
address = [
"10.10.10.5/24"
];
};
"10-wifi" = {
name = "wlan0";
networkConfig.DHCPServer = "yes";
address = [
"192.168.55.1/24"
];
};
};
netdevs = {
"50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;
wireguardPeers = [
{
AllowedIPs = [
"10.10.10.0/24"
];
PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
Endpoint = "129.199.129.76:1194";
PersistentKeepalive = 5;
}
];
};
};
};
networking = {
useDHCP = false;
nameservers = [
"2620:fe::fe"
"2620:fe::9"
"9.9.9.9"
"149.112.112.112"
];
nftables = {
enable = true;
tables.nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 192.168.55.0/24 masquerade
}
'';
};
};
firewall.allowedUDPPorts = [ 67 ];
};
services.hostapd = {
enable = true;
radios.wlan0 = {
# countryCode = "FR";
wifi4.enable = false;
wifi5.enable = false;
channel = 7; # ACS doesn't work
networks.wlan0 = {
settings = {
ieee80211w = 0;
wmm_enabled = false;
};
ssid = "agb - wifi";
logLevel = 0;
authentication = {
mode = "wpa2-sha1";
wpaPasswordFile = pkgs.writeText "psk" "azertyuiop"; # TODO : secret
};
};
};
};
}