shinobu/wlan: Drop
It was not used anyway.
parent
8d764fc7e4
commit
9e545950f5
|
@ -30,7 +30,6 @@ in
|
||||||
./dnsmasq.nix
|
./dnsmasq.nix
|
||||||
./nft.nix
|
./nft.nix
|
||||||
./tc.nix
|
./tc.nix
|
||||||
#./wlan.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
|
|
|
@ -1,65 +0,0 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
{
|
|
||||||
sops.secrets.hostapd-config = {
|
|
||||||
sopsFile = ../../secrets.yaml;
|
|
||||||
};
|
|
||||||
|
|
||||||
# The service is mostly taken from nixpkgs pr 222536.
|
|
||||||
systemd.services.hostapd = {
|
|
||||||
path = with pkgs; [ hostapd ];
|
|
||||||
after = [ "sys-subsystem-net-devices-wlp5s0.device" ];
|
|
||||||
bindsTo = [ "sys-subsystem-net-devices-wlp5s0.device" ];
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = "${pkgs.hostapd}/bin/hostapd ${config.sops.secrets.hostapd-config.path}";
|
|
||||||
Restart = "always";
|
|
||||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
|
||||||
RuntimeDirectory = "hostapd";
|
|
||||||
|
|
||||||
# Hardening
|
|
||||||
LockPersonality = true;
|
|
||||||
MemoryDenyWriteExecute = true;
|
|
||||||
DevicePolicy = "closed";
|
|
||||||
DeviceAllow = "/dev/rfkill rw";
|
|
||||||
NoNewPrivileges = true;
|
|
||||||
PrivateUsers = false; # hostapd requires true root access.
|
|
||||||
PrivateTmp = true;
|
|
||||||
ProtectClock = true;
|
|
||||||
ProtectControlGroups = true;
|
|
||||||
ProtectHome = true;
|
|
||||||
ProtectHostname = true;
|
|
||||||
ProtectKernelLogs = true;
|
|
||||||
ProtectKernelModules = true;
|
|
||||||
ProtectKernelTunables = true;
|
|
||||||
ProtectProc = "invisible";
|
|
||||||
ProcSubset = "pid";
|
|
||||||
ProtectSystem = "strict";
|
|
||||||
RestrictAddressFamilies = [
|
|
||||||
"AF_INET"
|
|
||||||
"AF_INET6"
|
|
||||||
"AF_NETLINK"
|
|
||||||
"AF_UNIX"
|
|
||||||
];
|
|
||||||
RestrictNamespaces = true;
|
|
||||||
RestrictRealtime = true;
|
|
||||||
RestrictSUIDSGID = true;
|
|
||||||
SystemCallArchitectures = "native";
|
|
||||||
SystemCallFilter = [
|
|
||||||
"@system-service"
|
|
||||||
"~@privileged"
|
|
||||||
"@chown"
|
|
||||||
];
|
|
||||||
UMask = "0077";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
iw
|
|
||||||
wirelesstools
|
|
||||||
];
|
|
||||||
|
|
||||||
|
|
||||||
# Wireless
|
|
||||||
boot.kernelModules = [ "nl80211" ];
|
|
||||||
}
|
|