diff --git a/machines/fuuko/secrets.yaml b/machines/fuuko/secrets.yaml index 9edbd4f..df0de9f 100644 --- a/machines/fuuko/secrets.yaml +++ b/machines/fuuko/secrets.yaml 
@@ -2,14 +2,15 @@ restic-ssh-key: ENC[AES256_GCM,data:wA7JCg6Y900s6+1JoevMzbr6fKRN6jbfUuX166VS+TUF wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str] wg-mullvad-private-key: ENC[AES256_GCM,data:4smAYjzrMz6bapthHwTdeDJSvnEqnGmDFRZjJwnXWXLSYnEhzhvRttVrmFw=,iv:94o7E8IlZ6V+wez5+Zr9xv92rr06MlUfBCvtMW8VnEA=,tag:SJjrbBseVyWwhf9IHRi7rQ==,type:str] wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str] +hostapd-config: ENC[AES256_GCM,data:In1Y4a6ScXlhQX5G5Z5rjpAZPuY2PFBzQ9d+bjzot1V6iqM2073OyBvGbM4Bl/Airfx6/rTYQLKmsmVHFMioKiqKoixAxcDltlKrpqgb5ciwmdqbS/kFpop3m5c2pWTMUzQ2KGWN0br72fFGCwVfo9W/xYuafMVVxKWBvM/1wcKvuDZBhUitPo2oQUZidUwsXs58Jkya3vQxBKMTEyBBQAtRlmd+9U3PDqwWwEoxb7BY+hSNJ2jZtTjCIsefmSRagCumBlYJawnehUXpSOP932lKB1IAjAAFP1lNVeetYxb3IVKepN3n2RRS81GQzQjZVRD5nokKIn6nTd67QmdK0BY+1d+Ts9o/eIAD1JuT+HQsf3lKZ0wVrQoxE62/3oAqE2kU/gSb/LGCohnHRhVjtUsgxQr4znE1iZeApFwA5NkaiEutVuJXEsfYpVhm0S0ekSGd2iVZuD8TUbI8ixOfObdkL6V8jzj3fd8jzLz53XQL,iv:Piu0iyrkVWPW+WdsojniNlDuI4sHcUt2863AS8u9OCo=,tag:D6eNGvaCul9AtwDdmeWRtg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-04-01T22:52:16Z" - mac: ENC[AES256_GCM,data:mz8qIWirNUomuUPR9elZZK2mTfQhMqParnraw9gSQNDkhFPBCtkORys4tA9+q1stL1Edzuh6CPFzkywct64ZrKsApMdNMIqcXBc//uuF354T3B6+LmHvmMmxlQFz3hIo3Xo01sgAJinoZrIsktA0xIYV1SeBndzsmWPCtdBk/Go=,iv:hNNBxDwoppfC6kRi5kWYILdEBRjzhdeit6xRmxD+ACU=,tag:qli2XWAjf7LgbiA/nxyQGw==,type:str] + lastmodified: "2023-04-05T08:05:11Z" + mac: 
ENC[AES256_GCM,data:2AkEmfCCTD8k3PstxFXI5LdqoT837XCDAlUQvBG01vb4LoIDiVXVnkehu5Y7JkGoI9r3PdFYzzh4NxUcJn9VrV0yeZqbsqEz/NmWGMViIHi5tHXcTgHOsb5Cr4ifqcSbnOfaUzS0YYAxn41ELRajzcuMNACj8mUswWoMIJwgR9c=,iv:aESGCCrNNppByFi9MuOQhtB2qTT5ME259OYluA5y2XU=,tag:ZFY2Q0UpX3gz7Qn0XmB34Q==,type:str] pgp: - created_at: "2021-04-06T11:27:21Z" enc: | diff --git a/machines/fuuko/services/router.nix b/machines/fuuko/services/router.nix index ab86ee6..10391dc 100644 --- a/machines/fuuko/services/router.nix +++ b/machines/fuuko/services/router.nix @@ -19,9 +19,10 @@ # 4 | tagged | 2,3 # 1-3 | untagged | 3 # -# Wireless currently still is done by a separate GL.iNet GL-MT300N-V2 running OpenWRT, -# but this will be changed to a Intel Wireless-AC 9260 in fuuko at a later date. -{ config, lib, ... }: +# Wireless is configured by providing the whole hostapd configuration file as a secret. +# Once nixpkgs PR 222536 is merged, I will migrate to using the NixOS module. +# Thanks to Intel’s wisdom, it’s not possible to use 5GHz in AP mode. +{ config, lib, pkgs, ... }: let domain = "home.sbruder.de"; in @@ -30,6 +31,9 @@ in owner = config.users.users.systemd-network.name; sopsFile = ../secrets.yaml; }; + sops.secrets.hostapd-config = { + sopsFile = ../secrets.yaml; + }; boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; 
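Review bot: The new `sops.secrets.hostapd-config` attribute set in the `@@ -30,6 +31,9 @@` hunk does not link the secret to the unit that consumes it, so a rotated passphrase or changed SSID in the encrypted config (presumably the reason the whole file is a secret) is written to the secret path on activation while the running hostapd keeps serving the old settings until someone restarts it by hand. Adding `restartUnits = [ "hostapd.service" ];` inside the set ties the two together; hostapd does handle SIGHUP, so `reloadUnits` might suffice, but a restart is the safer default when interface or driver parameters may have changed. Leaving `owner` and `mode` at the sops-nix defaults (root, 0400) is correct here because the hostapd unit added later in this diff runs as root, and that is worth stating in a comment, e.g. `# root:0400 by default; hostapd runs as root, so no owner override is needed.`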
@@ -229,4 +233,62 @@ in networking.firewall.allowedUDPPorts = [ 53 67 ]; networking.firewall.allowedTCPPorts = [ 53 ]; + + # Wireless + boot.kernelModules = [ "nl80211" ]; + + environment.systemPackages = with pkgs; [ + iw + wirelesstools + ]; + + # The service is mostly taken from nixpkgs pr 222536. + systemd.services.hostapd = { + path = with pkgs; [ hostapd ]; + after = [ "sys-subsystem-net-devices-wlp7s0.device" ]; + bindsTo = [ "sys-subsystem-net-devices-wlp7s0.device" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.hostapd}/bin/hostapd ${config.sops.secrets.hostapd-config.path}"; + Restart = "always"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + RuntimeDirectory = "hostapd"; + + # Hardening + LockPersonality = true; + MemoryDenyWriteExecute = true; + DevicePolicy = "closed"; + DeviceAllow = "/dev/rfkill rw"; + NoNewPrivileges = true; + PrivateUsers = false; # hostapd requires true root access. + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "@chown" + ]; + UMask = "0077"; + }; + }; }
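Review bot: The hardening list under `serviceConfig` still leaves hostapd with nearly root's full capability set: there is no `User=`, `PrivateUsers = false` is kept on purpose, and the `Protect*` directives only implicitly drop a few capabilities (CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYSLOG), so CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_DAC_OVERRIDE and the rest remain available to a process that parses 802.11 frames from unauthenticated stations. Adding `CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ];` next to `NoNewPrivileges = true;` bounds it to what nl80211 and raw sockets need; confirm on the box with the wlp7s0 driver that nothing further is required, since I cannot see the encrypted config or the driver in this diff. `Restart = "always";` has no `RestartSec`, so a missing secret or a config parse error turns into a tight restart loop; `RestartSec = 5;` is the usual companion. The `SystemCallFilter` ordering (`~@privileged` then `@chown`) is fine as written but deserves a one-line comment such as `# @chown is deliberately re-allowed after ~@privileged (control socket ownership).` The module's enclosing attribute set begins outside this hunk.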