fuuko/router: Add wireless AP
It is anything but great, though I will try to find a better solution for this.
parent
7c0ccbbd6a
commit
5cd4845dbf
@ -2,14 +2,15 @@ restic-ssh-key: ENC[AES256_GCM,data:wA7JCg6Y900s6+1JoevMzbr6fKRN6jbfUuX166VS+TUF
|
||||||
wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str]
|
wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str]
|
||||||
wg-mullvad-private-key: ENC[AES256_GCM,data:4smAYjzrMz6bapthHwTdeDJSvnEqnGmDFRZjJwnXWXLSYnEhzhvRttVrmFw=,iv:94o7E8IlZ6V+wez5+Zr9xv92rr06MlUfBCvtMW8VnEA=,tag:SJjrbBseVyWwhf9IHRi7rQ==,type:str]
|
wg-mullvad-private-key: ENC[AES256_GCM,data:4smAYjzrMz6bapthHwTdeDJSvnEqnGmDFRZjJwnXWXLSYnEhzhvRttVrmFw=,iv:94o7E8IlZ6V+wez5+Zr9xv92rr06MlUfBCvtMW8VnEA=,tag:SJjrbBseVyWwhf9IHRi7rQ==,type:str]
|
||||||
wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str]
|
wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str]
|
||||||
|
hostapd-config: ENC[AES256_GCM,data:In1Y4a6ScXlhQX5G5Z5rjpAZPuY2PFBzQ9d+bjzot1V6iqM2073OyBvGbM4Bl/Airfx6/rTYQLKmsmVHFMioKiqKoixAxcDltlKrpqgb5ciwmdqbS/kFpop3m5c2pWTMUzQ2KGWN0br72fFGCwVfo9W/xYuafMVVxKWBvM/1wcKvuDZBhUitPo2oQUZidUwsXs58Jkya3vQxBKMTEyBBQAtRlmd+9U3PDqwWwEoxb7BY+hSNJ2jZtTjCIsefmSRagCumBlYJawnehUXpSOP932lKB1IAjAAFP1lNVeetYxb3IVKepN3n2RRS81GQzQjZVRD5nokKIn6nTd67QmdK0BY+1d+Ts9o/eIAD1JuT+HQsf3lKZ0wVrQoxE62/3oAqE2kU/gSb/LGCohnHRhVjtUsgxQr4znE1iZeApFwA5NkaiEutVuJXEsfYpVhm0S0ekSGd2iVZuD8TUbI8ixOfObdkL6V8jzj3fd8jzLz53XQL,iv:Piu0iyrkVWPW+WdsojniNlDuI4sHcUt2863AS8u9OCo=,tag:D6eNGvaCul9AtwDdmeWRtg==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2023-04-01T22:52:16Z"
|
lastmodified: "2023-04-05T08:05:11Z"
|
||||||
mac: ENC[AES256_GCM,data:mz8qIWirNUomuUPR9elZZK2mTfQhMqParnraw9gSQNDkhFPBCtkORys4tA9+q1stL1Edzuh6CPFzkywct64ZrKsApMdNMIqcXBc//uuF354T3B6+LmHvmMmxlQFz3hIo3Xo01sgAJinoZrIsktA0xIYV1SeBndzsmWPCtdBk/Go=,iv:hNNBxDwoppfC6kRi5kWYILdEBRjzhdeit6xRmxD+ACU=,tag:qli2XWAjf7LgbiA/nxyQGw==,type:str]
|
mac: ENC[AES256_GCM,data:2AkEmfCCTD8k3PstxFXI5LdqoT837XCDAlUQvBG01vb4LoIDiVXVnkehu5Y7JkGoI9r3PdFYzzh4NxUcJn9VrV0yeZqbsqEz/NmWGMViIHi5tHXcTgHOsb5Cr4ifqcSbnOfaUzS0YYAxn41ELRajzcuMNACj8mUswWoMIJwgR9c=,iv:aESGCCrNNppByFi9MuOQhtB2qTT5ME259OYluA5y2XU=,tag:ZFY2Q0UpX3gz7Qn0XmB34Q==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2021-04-06T11:27:21Z"
|
- created_at: "2021-04-06T11:27:21Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|
|
@ -19,9 +19,10 @@
|
||||||
# 4 | tagged | 2,3
|
# 4 | tagged | 2,3
|
||||||
# 1-3 | untagged | 3
|
# 1-3 | untagged | 3
|
||||||
#
|
#
|
||||||
# Wireless currently still is done by a separate GL.iNet GL-MT300N-V2 running OpenWRT,
|
# Wireless is configured by providing the whole hostapd configuration file as a secret.
|
||||||
# but this will be changed to a Intel Wireless-AC 9260 in fuuko at a later date.
|
# Once nixpkgs PR 222536 is merged, I will migrate to using the NixOS module.
|
||||||
{ config, lib, ... }:
|
# Thanks to Intel’s wisdom, it’s not possible to use 5GHz in AP mode.
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
domain = "home.sbruder.de";
|
domain = "home.sbruder.de";
|
||||||
in
|
in
|
||||||
|
@ -30,6 +31,9 @@ in
|
||||||
owner = config.users.users.systemd-network.name;
|
owner = config.users.users.systemd-network.name;
|
||||||
sopsFile = ../secrets.yaml;
|
sopsFile = ../secrets.yaml;
|
||||||
};
|
};
|
||||||
|
sops.secrets.hostapd-config = {
|
||||||
|
sopsFile = ../secrets.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
"net.ipv4.conf.all.forwarding" = true;
|
"net.ipv4.conf.all.forwarding" = true;
|
||||||
|
@ -229,4 +233,62 @@ in
|
||||||
|
|
||||||
networking.firewall.allowedUDPPorts = [ 53 67 ];
|
networking.firewall.allowedUDPPorts = [ 53 67 ];
|
||||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
networking.firewall.allowedTCPPorts = [ 53 ];
|
||||||
|
|
||||||
|
# Wireless
|
||||||
|
boot.kernelModules = [ "nl80211" ];
|
||||||
|
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
iw
|
||||||
|
wirelesstools
|
||||||
|
];
|
||||||
|
|
||||||
|
# The service is mostly taken from nixpkgs pr 222536.
|
||||||
|
systemd.services.hostapd = {
|
||||||
|
path = with pkgs; [ hostapd ];
|
||||||
|
after = [ "sys-subsystem-net-devices-wlp7s0.device" ];
|
||||||
|
bindsTo = [ "sys-subsystem-net-devices-wlp7s0.device" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = "${pkgs.hostapd}/bin/hostapd ${config.sops.secrets.hostapd-config.path}";
|
||||||
|
Restart = "always";
|
||||||
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||||
|
RuntimeDirectory = "hostapd";
|
||||||
|
|
||||||
|
# Hardening
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
DevicePolicy = "closed";
|
||||||
|
DeviceAllow = "/dev/rfkill rw";
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateUsers = false; # hostapd requires true root access.
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProcSubset = "pid";
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
RestrictAddressFamilies = [
|
||||||
|
"AF_INET"
|
||||||
|
"AF_INET6"
|
||||||
|
"AF_NETLINK"
|
||||||
|
"AF_UNIX"
|
||||||
|
];
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
"~@privileged"
|
||||||
|
"@chown"
|
||||||
|
];
|
||||||
|
UMask = "0077";
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
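Review bot: The unit's `after`/`bindsTo` on `sys-subsystem-net-devices-wlp7s0.device` hard-codes an interface name that must agree by hand with the `interface=` line inside the encrypted config, and because the whole hostapd configuration is the secret, nothing else a reviewer would check here (`ctrl_interface`, `bridge`, WPA mode) is visible in the repo. hostapd can load the passphrase from a separate file via `wpa_psk_file=`, so the non-secret part could be written in the module, e.g. `hostapdConf = pkgs.writeText "hostapd.conf" ''…'';` in the `let` block and `ExecStart = "${pkgs.hostapd}/bin/hostapd ${hostapdConf}";`, with only the PSK file kept in sops and the `wlp7s0` name shared through one binding. Until then, `RuntimeDirectory = "hostapd"` deserves a comment such as `# ctrl_interface in the secret config must point below /run/hostapd; with ProtectSystem = "strict" nothing else is writable.`, since a mismatch would only surface as a runtime failure of the control socket. `AF_INET`/`AF_INET6` in `RestrictAddressFamilies` are presumably only needed if the config enables RADIUS or similar; the sandbox settings otherwise follow the nixpkgs PR named in the comment, so I have not re-verified them. The enclosing module attribute set begins outside this hunk.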
|
||||||