fuuko/router: Add wireless AP

It is anything but great, though I will try to find a better solution
for this.
This commit is contained in:
Simon Bruder 2023-04-05 10:09:34 +02:00
parent 7c0ccbbd6a
commit 5cd4845dbf
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
2 changed files with 68 additions and 5 deletions

View file

@ -2,14 +2,15 @@ restic-ssh-key: ENC[AES256_GCM,data:wA7JCg6Y900s6+1JoevMzbr6fKRN6jbfUuX166VS+TUF
wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str] wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str]
wg-mullvad-private-key: ENC[AES256_GCM,data:4smAYjzrMz6bapthHwTdeDJSvnEqnGmDFRZjJwnXWXLSYnEhzhvRttVrmFw=,iv:94o7E8IlZ6V+wez5+Zr9xv92rr06MlUfBCvtMW8VnEA=,tag:SJjrbBseVyWwhf9IHRi7rQ==,type:str] wg-mullvad-private-key: ENC[AES256_GCM,data:4smAYjzrMz6bapthHwTdeDJSvnEqnGmDFRZjJwnXWXLSYnEhzhvRttVrmFw=,iv:94o7E8IlZ6V+wez5+Zr9xv92rr06MlUfBCvtMW8VnEA=,tag:SJjrbBseVyWwhf9IHRi7rQ==,type:str]
wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str] wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str]
hostapd-config: ENC[AES256_GCM,data:In1Y4a6ScXlhQX5G5Z5rjpAZPuY2PFBzQ9d+bjzot1V6iqM2073OyBvGbM4Bl/Airfx6/rTYQLKmsmVHFMioKiqKoixAxcDltlKrpqgb5ciwmdqbS/kFpop3m5c2pWTMUzQ2KGWN0br72fFGCwVfo9W/xYuafMVVxKWBvM/1wcKvuDZBhUitPo2oQUZidUwsXs58Jkya3vQxBKMTEyBBQAtRlmd+9U3PDqwWwEoxb7BY+hSNJ2jZtTjCIsefmSRagCumBlYJawnehUXpSOP932lKB1IAjAAFP1lNVeetYxb3IVKepN3n2RRS81GQzQjZVRD5nokKIn6nTd67QmdK0BY+1d+Ts9o/eIAD1JuT+HQsf3lKZ0wVrQoxE62/3oAqE2kU/gSb/LGCohnHRhVjtUsgxQr4znE1iZeApFwA5NkaiEutVuJXEsfYpVhm0S0ekSGd2iVZuD8TUbI8ixOfObdkL6V8jzj3fd8jzLz53XQL,iv:Piu0iyrkVWPW+WdsojniNlDuI4sHcUt2863AS8u9OCo=,tag:D6eNGvaCul9AtwDdmeWRtg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2023-04-01T22:52:16Z" lastmodified: "2023-04-05T08:05:11Z"
mac: ENC[AES256_GCM,data:mz8qIWirNUomuUPR9elZZK2mTfQhMqParnraw9gSQNDkhFPBCtkORys4tA9+q1stL1Edzuh6CPFzkywct64ZrKsApMdNMIqcXBc//uuF354T3B6+LmHvmMmxlQFz3hIo3Xo01sgAJinoZrIsktA0xIYV1SeBndzsmWPCtdBk/Go=,iv:hNNBxDwoppfC6kRi5kWYILdEBRjzhdeit6xRmxD+ACU=,tag:qli2XWAjf7LgbiA/nxyQGw==,type:str] mac: ENC[AES256_GCM,data:2AkEmfCCTD8k3PstxFXI5LdqoT837XCDAlUQvBG01vb4LoIDiVXVnkehu5Y7JkGoI9r3PdFYzzh4NxUcJn9VrV0yeZqbsqEz/NmWGMViIHi5tHXcTgHOsb5Cr4ifqcSbnOfaUzS0YYAxn41ELRajzcuMNACj8mUswWoMIJwgR9c=,iv:aESGCCrNNppByFi9MuOQhtB2qTT5ME259OYluA5y2XU=,tag:ZFY2Q0UpX3gz7Qn0XmB34Q==,type:str]
pgp: pgp:
- created_at: "2021-04-06T11:27:21Z" - created_at: "2021-04-06T11:27:21Z"
enc: | enc: |

View file

@ -19,9 +19,10 @@
# 4 | tagged | 2,3 # 4 | tagged | 2,3
# 1-3 | untagged | 3 # 1-3 | untagged | 3
# #
# Wireless currently still is done by a separate GL.iNet GL-MT300N-V2 running OpenWRT, # Wireless is configured by providing the whole hostapd configuration file as a secret.
# but this will be changed to a Intel Wireless-AC 9260 in fuuko at a later date. # Once nixpkgs PR 222536 is merged, I will migrate to using the NixOS module.
{ config, lib, ... }: # Thanks to Intels wisdom, its not possible to use 5GHz in AP mode.
{ config, lib, pkgs, ... }:
let let
domain = "home.sbruder.de"; domain = "home.sbruder.de";
in in
@ -30,6 +31,9 @@ in
owner = config.users.users.systemd-network.name; owner = config.users.users.systemd-network.name;
sopsFile = ../secrets.yaml; sopsFile = ../secrets.yaml;
}; };
sops.secrets.hostapd-config = {
sopsFile = ../secrets.yaml;
};
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true; "net.ipv4.conf.all.forwarding" = true;
@ -229,4 +233,62 @@ in
networking.firewall.allowedUDPPorts = [ 53 67 ]; networking.firewall.allowedUDPPorts = [ 53 67 ];
networking.firewall.allowedTCPPorts = [ 53 ]; networking.firewall.allowedTCPPorts = [ 53 ];
# Wireless
boot.kernelModules = [ "nl80211" ];
environment.systemPackages = with pkgs; [
iw
wirelesstools
];
# The service is mostly taken from nixpkgs pr 222536.
systemd.services.hostapd = {
path = with pkgs; [ hostapd ];
after = [ "sys-subsystem-net-devices-wlp7s0.device" ];
bindsTo = [ "sys-subsystem-net-devices-wlp7s0.device" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.hostapd}/bin/hostapd ${config.sops.secrets.hostapd-config.path}";
Restart = "always";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
RuntimeDirectory = "hostapd";
# Hardening
LockPersonality = true;
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
DeviceAllow = "/dev/rfkill rw";
NoNewPrivileges = true;
PrivateUsers = false; # hostapd requires true root access.
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown"
];
UMask = "0077";
};
};
} }