fuuko/router: Add wireless AP

It is anything but great, though I will try to find a better solution for this.
2023-04-05 10:09:34 +02:00 · 2023-04-05 10:09:34 +02:00 · 5cd4845dbf
parent 7c0ccbbd6a
commit 5cd4845dbf
2 changed files with 68 additions and 5 deletions
--- a/machines/fuuko/secrets.yaml
+++ b/machines/fuuko/secrets.yaml
@ -2,14 +2,15 @@ restic-ssh-key: ENC[AES256_GCM,data:wA7JCg6Y900s6+1JoevMzbr6fKRN6jbfUuX166VS+TUF
 wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str]
 wg-mullvad-private-key: ENC[AES256_GCM,data:4smAYjzrMz6bapthHwTdeDJSvnEqnGmDFRZjJwnXWXLSYnEhzhvRttVrmFw=,iv:94o7E8IlZ6V+wez5+Zr9xv92rr06MlUfBCvtMW8VnEA=,tag:SJjrbBseVyWwhf9IHRi7rQ==,type:str]
 wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str]
+hostapd-config: ENC[AES256_GCM,data:In1Y4a6ScXlhQX5G5Z5rjpAZPuY2PFBzQ9d+bjzot1V6iqM2073OyBvGbM4Bl/Airfx6/rTYQLKmsmVHFMioKiqKoixAxcDltlKrpqgb5ciwmdqbS/kFpop3m5c2pWTMUzQ2KGWN0br72fFGCwVfo9W/xYuafMVVxKWBvM/1wcKvuDZBhUitPo2oQUZidUwsXs58Jkya3vQxBKMTEyBBQAtRlmd+9U3PDqwWwEoxb7BY+hSNJ2jZtTjCIsefmSRagCumBlYJawnehUXpSOP932lKB1IAjAAFP1lNVeetYxb3IVKepN3n2RRS81GQzQjZVRD5nokKIn6nTd67QmdK0BY+1d+Ts9o/eIAD1JuT+HQsf3lKZ0wVrQoxE62/3oAqE2kU/gSb/LGCohnHRhVjtUsgxQr4znE1iZeApFwA5NkaiEutVuJXEsfYpVhm0S0ekSGd2iVZuD8TUbI8ixOfObdkL6V8jzj3fd8jzLz53XQL,iv:Piu0iyrkVWPW+WdsojniNlDuI4sHcUt2863AS8u9OCo=,tag:D6eNGvaCul9AtwDdmeWRtg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-04-01T22:52:16Z"
-    mac: ENC[AES256_GCM,data:mz8qIWirNUomuUPR9elZZK2mTfQhMqParnraw9gSQNDkhFPBCtkORys4tA9+q1stL1Edzuh6CPFzkywct64ZrKsApMdNMIqcXBc//uuF354T3B6+LmHvmMmxlQFz3hIo3Xo01sgAJinoZrIsktA0xIYV1SeBndzsmWPCtdBk/Go=,iv:hNNBxDwoppfC6kRi5kWYILdEBRjzhdeit6xRmxD+ACU=,tag:qli2XWAjf7LgbiA/nxyQGw==,type:str]
+    lastmodified: "2023-04-05T08:05:11Z"
+    mac: ENC[AES256_GCM,data:2AkEmfCCTD8k3PstxFXI5LdqoT837XCDAlUQvBG01vb4LoIDiVXVnkehu5Y7JkGoI9r3PdFYzzh4NxUcJn9VrV0yeZqbsqEz/NmWGMViIHi5tHXcTgHOsb5Cr4ifqcSbnOfaUzS0YYAxn41ELRajzcuMNACj8mUswWoMIJwgR9c=,iv:aESGCCrNNppByFi9MuOQhtB2qTT5ME259OYluA5y2XU=,tag:ZFY2Q0UpX3gz7Qn0XmB34Q==,type:str]
    pgp:
        - created_at: "2021-04-06T11:27:21Z"
          enc: |
--- a/machines/fuuko/services/router.nix
+++ b/machines/fuuko/services/router.nix
@ -19,9 +19,10 @@
 # 4    | tagged   | 2,3
 # 1-3  | untagged | 3
 #
-# Wireless currently still is done by a separate GL.iNet GL-MT300N-V2 running OpenWRT,
-# but this will be changed to a Intel Wireless-AC 9260 in fuuko at a later date.
-{ config, lib, ... }:
+# Wireless is configured by providing the whole hostapd configuration file as a secret.
+# Once nixpkgs PR 222536 is merged, I will migrate to using the NixOS module.
+# Thanks to Intel’s wisdom, it’s not possible to use 5GHz in AP mode.
+{ config, lib, pkgs, ... }:
 let
  domain = "home.sbruder.de";
 in
@ -30,6 +31,9 @@ in
    owner = config.users.users.systemd-network.name;
    sopsFile = ../secrets.yaml;
  };
+  sops.secrets.hostapd-config = {
+    sopsFile = ../secrets.yaml;
+  };

  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = true;
@ -229,4 +233,62 @@ in

  networking.firewall.allowedUDPPorts = [ 53 67 ];
  networking.firewall.allowedTCPPorts = [ 53 ];
+
+  # Wireless
+  boot.kernelModules = [ "nl80211" ];
+
+  environment.systemPackages = with pkgs; [
+    iw
+    wirelesstools
+  ];
+
+  # The service is mostly taken from nixpkgs pr 222536.
+  systemd.services.hostapd = {
+    path = with pkgs; [ hostapd ];
+    after = [ "sys-subsystem-net-devices-wlp7s0.device" ];
+    bindsTo = [ "sys-subsystem-net-devices-wlp7s0.device" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      ExecStart = "${pkgs.hostapd}/bin/hostapd ${config.sops.secrets.hostapd-config.path}";
+      Restart = "always";
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      RuntimeDirectory = "hostapd";
+
+      # Hardening
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      DevicePolicy = "closed";
+      DeviceAllow = "/dev/rfkill rw";
+      NoNewPrivileges = true;
+      PrivateUsers = false; # hostapd requires true root access.
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      ProtectSystem = "strict";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "@chown"
+      ];
+      UMask = "0077";
+    };
+  };
 }