simon
/
nixos-config
1
1
Fork 0
Code Issues 8 Pull Requests Projects Releases Activity

shinobu/wlan: Drop 

It was not used anyway.
reuse
Simon Bruder 2024-01-06 00:10:02 +01:00
parent 8d764fc7e4
commit 9e545950f5
Signed by: simon
GPG Key ID: 8D3C82F9F309F8EC
2 changed files with 0 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
machines/shinobu/services/router/default.nix
View File

@ -30,7 +30,6 @@ in
./dnsmasq.nix
./nft.nix
./tc.nix
#./wlan.nix
];
boot.kernel.sysctl = {

65
machines/shinobu/services/router/wlan.nix
View File

@ -1,65 +0,0 @@
{ config, pkgs, ... }:
{
sops.secrets.hostapd-config = {
sopsFile = ../../secrets.yaml;
};
# The service is mostly taken from nixpkgs pr 222536.
systemd.services.hostapd = {
path = with pkgs; [ hostapd ];
after = [ "sys-subsystem-net-devices-wlp5s0.device" ];
bindsTo = [ "sys-subsystem-net-devices-wlp5s0.device" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.hostapd}/bin/hostapd ${config.sops.secrets.hostapd-config.path}";
Restart = "always";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
RuntimeDirectory = "hostapd";
# Hardening
LockPersonality = true;
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
DeviceAllow = "/dev/rfkill rw";
NoNewPrivileges = true;
PrivateUsers = false; # hostapd requires true root access.
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown"
];
UMask = "0077";
};
};
environment.systemPackages = with pkgs; [
iw
wirelesstools
];
# Wireless
boot.kernelModules = [ "nl80211" ];
}