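{ config, pkgs, ... }:

let
  # The wireless interface the access point runs on.  It was previously
  # spelled out twice (after/bindsTo) and must also match the interface
  # named in the hostapd.conf delivered via sops, so it lives in one place.
  # NOTE(review): if this is ever changed to a name containing characters
  # that need systemd unit-name escaping (e.g. "-"), escape it before
  # building the .device unit name below.
  wifiInterface = "wlp5s0";
  wifiDevice = "sys-subsystem-net-devices-${wifiInterface}.device";
in
{
  # hostapd.conf (including the WPA passphrase) is kept encrypted in the
  # repository and only materialised at activation time; the service reads
  # it through the path sops-nix exposes.  The unit runs as root (see
  # PrivateUsers below), so the default secret owner/mode is sufficient --
  # re-check ownership if the service is ever moved to a dedicated user.
  sops.secrets.hostapd-config = {
    sopsFile = ../../secrets.yaml;
  };

  # The service is mostly taken from nixpkgs pr 222536.
  systemd.services.hostapd = {
    path = with pkgs; [ hostapd ];
    # Start only once the radio's device unit exists and stop together with
    # it, so the unit is not left restart-looping on a missing interface.
    after = [ wifiDevice ];
    bindsTo = [ wifiDevice ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      ExecStart = "${pkgs.hostapd}/bin/hostapd ${config.sops.secrets.hostapd-config.path}";
      Restart = "always";
      # Reload is a SIGHUP to the main process rather than a full restart.
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      # /run/hostapd, the only writable location once ProtectSystem=strict
      # makes the rest of the filesystem read-only.
      RuntimeDirectory = "hostapd";

      # Hardening
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      # No device nodes apart from rfkill; presumably the radio itself is
      # reached over netlink (AF_NETLINK is allowed below), not a /dev node.
      DevicePolicy = "closed";
      DeviceAllow = "/dev/rfkill rw";
      NoNewPrivileges = true;
      PrivateUsers = false; # hostapd requires true root access.
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      ProtectSystem = "strict";
      # IP for RADIUS/control traffic, netlink for the driver, unix for the
      # hostapd control socket; everything else is refused at socket().
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_NETLINK"
        "AF_UNIX"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      # Order matters: allow the generic service set, drop the privileged
      # group, then re-admit chown for the runtime directory.
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
        "@chown"
      ];
      UMask = "0077";
    };
  };

  # Radio CLI tools on the system PATH for operators; the service itself
  # only needs hostapd.
  environment.systemPackages = with pkgs; [
    iw
    wirelesstools
  ];

  # Wireless
  # NOTE(review): the nl80211 family is normally provided by cfg80211;
  # confirm this module name resolves on the running kernel.
  boot.kernelModules = [ "nl80211" ];
}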