WIP everything

2024-01-18 14:59:17 +00:00 · 2024-01-18 14:59:17 +00:00 · 26f0bde4b3
commit 26f0bde4b3
parent 2a23c7fdbe
29 changed files with 1630 additions and 423 deletions
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -184,10 +184,11 @@ in {
            after = ["hook"];
            rules = let
              wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces;
-              exposedHost = "192.168.22.121";
+              exposedHost = "srv0-dmz0.dmz.internal";
             in [
              "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
-              "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
+              # TODO: if this hostname doesn't resolve it'll break the whole ruleset
+              # "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
            ];
          };
        };
@ -574,7 +575,8 @@ in {
              # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path;

              # enables debug logging
-              # logger_stdout_level= lib.mkForce 0;
+              logger_stdout_level= lib.mkForce 0;
+              logger_stdout = -1;
              # logger_syslog_level= lib.mkForce 0;

              # resources on vlan tagging
@ -583,6 +585,7 @@ in {

              dynamic_vlan = 1;

+              # this option currently requires a patch to hostapd
              vlan_no_bridge = 1;

              /* not used due to the above vlan_no_bridge setting
@ -620,14 +623,36 @@ in {
                # "SAE"
              ]);

+              # wpa_psk_radius = 0;
+              wpa_pairwise = "CCMP";
+              wmm_enabled = 1;
+
              # IEEE 802.11i (authentication) related configuration
              # Encrypt management frames to protect against deauthentication and similar attacks
              ieee80211w = 1;
              sae_require_mfp = 1;
              sae_groups = "19 20 21";
+
+              # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
+              tls_flags= "[ENABLE-TLSv1.3]";
+
+              ieee8021x=0;
+              eap_server=0;
            };
          };

+          # wlan0-1 = {
+          #   ssid = "mlsia-testing";
+          #   authentication = {
+          #     mode = "wpa3-sae-transition";
+          #   };
+
+          #   bssid = mkBssid 1;
+          #   settings = {
+          #     bridge = bridgeInterfaceName;
+          #   };
+          # };
+
          # wlan0-1 = {
          #   ssid = "justtestingwifi-wpa3";
          #   authentication = {
@ -777,7 +802,7 @@ in {
          tag
          (mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; })
          (mkVlanIpv4HostAddr { inherit vlanid; host = 199; cidr = false; })
-          "30m"
+          "12h"
        ];
      in
        builtins.map
@ -843,7 +868,8 @@ in {
  };

  # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle everything. This is supposed to increase performance by hitting CPU cache more often.
-  services.irqbalance.enable = true;
+  # disable for now as i think it causes wifi issues
+  services.irqbalance.enable = false;

  system.stateVersion = "23.05";