diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix
index d27db2b..06715a1 100644
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@@ -1,3 +1,4 @@
+# TODO: don't pull in bluez (or any bluetooth components)
 {
 repoFlake,
 pkgs,
@@ -904,13 +905,53 @@ in {
 wlan0 = {
 band = "2g";
 countryCode = "CH";
- channel = 0; # ACS
+ channel = 0; # 0 would mean Automatic Channel Selection
+
+ settings = {
+ # TODO: with 1 the x13s on windows can't connect, however this slows the AP down.
+ # ieee80211n = 1;
+
+ # Exclude DFS channels from ACS
+ # This option can be used to exclude all DFS channels from the ACS channel list
+ # in cases where the driver supports DFS channels.
+ acs_exclude_dfs = 0;
+
+ # Disassociate stations based on excessive transmission failures or other
+ # indications of connection loss. This depends on the driver capabilities and
+ # may not be available with all drivers.
+ disassoc_low_ack = 0;
+ };
 # use 'iw phy#1 info' to determine your VHT capabilities
 wifi4 = {
 enable = true;
- capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"];
+ require = false;
+ capabilities = [
+ "HT20"
+ "HT40+"
+ "LDPC"
+ "SHORT-GI-20"
+ "SHORT-GI-40"
+ "TX-STBC"
+ "RX-STBC1"
+ "MAX-AMSDU-7935"
+
+ # "DELAYED-BA"
+ # "DSSS_CCK-40"
+ "40-INTOLERANT"
+ ];
 };
+
+ wifi5 = {
+ enable = false;
+ require = false;
+ };
+
+ wifi6 = {
+ enable = false;
+ require = false;
+ };
+
 networks = {
 wlan0 = let
 iface = "wlan0";
@@ -918,6 +959,9 @@ in {
 ssid = "mlsia";
 bssid = mkBssid 0;
+ # enables debug logging
+ logLevel = 0;
+
 authentication.mode = "wpa2-sha256" # "wpa3-sae-transition"
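Review bot: The comment on `acs_exclude_dfs` in the new `settings` block says "Exclude DFS channels from ACS" while the value `0` leaves them in the ACS list, and with `band = "2g"` there are no DFS channels to exclude anyway, so the reader is told the opposite of what is configured; `disassoc_low_ack = 0` likewise carries a comment that describes what `1` does. Suggest `acs_exclude_dfs = 0; # 0 = keep DFS channels in the ACS list (1 = exclude); a no-op on 2g, which has no DFS channels` and `disassoc_low_ack = 0; # 0 = keep stations associated despite low ACK (1 = disassociate)`. Separately, the new capability list combines `"HT40+"` with `"40-INTOLERANT"`; the latter makes hostapd advertise 40 MHz intolerance, which presumably works against the 40 MHz operation the former asks for, so one of the two looks unintended and the list deserves a comment stating which width is wanted. `"HT20"` is not among the `ht_capab` tokens I know hostapd parses (width is expressed as HT40-/HT40+ or neither); verify that `wifi4.capabilities` accepts it rather than silently passing it through.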
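Review bot: `logLevel = 0;` in the `wlan0` network is the most verbose hostapd level (the NixOS option maps 0 to verbose debugging and higher values to quieter levels), so the comment `# enables debug logging` understates what it turns on, and this is now the live setting where the removed `logger_stdout_level` used to be. At that level hostapd writes per-station association and 4-way-handshake progress messages for every client to the journal, which on a production AP is volume worth limiting to the period the Windows x13s connectivity TODO earlier in this file is being diagnosed. Suggest replacing the comment with `# 0 = most verbose hostapd debugging; raise to 2 (informational) once the x13s association issue is resolved`.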
@@ -931,23 +975,20 @@ in {
 # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference
 settings = {
+ # disable syslog because it duplicates stdout
+ logger_syslog = lib.mkForce 0;
+
 # bridge = bridgeInterfaceName;
 # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path;
 # not yet supported on hostapd 2.10
 # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path;
- # enables debug logging
- logger_stdout_level = lib.mkForce 0;
- logger_stdout = -1;
- # logger_syslog_level= lib.mkForce 0;
-
 # resources on vlan tagging
 # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging
 # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4
 dynamic_vlan = 1;
- # this option currently requires a patch to hostapd
 vlan_no_bridge = 1;
@@ -997,15 +1038,15 @@ in {
 # IEEE 802.11i (authentication) related configuration
 # Encrypt management frames to protect against deauthentication and similar attacks
- ieee80211w = 0;
- sae_require_mfp = 0;
+ ieee80211w = 1;
+ # sae_require_mfp = 1;
 # sae_groups = "19 20 21";
 # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
 tls_flags = "[ENABLE-TLSv1.3]";
- ieee8021x = 0;
- eap_server = 0;
+ ieee8021x = 1;
+ eap_server = 1;
 };
 };
@@ -1276,7 +1317,7 @@ in {
 environment.systemPackages = [
 pkgs.ethtool
- pkgs.neovim
+ pkgs.vim
 pkgs.wireguard-tools
 pkgs.tshark
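Review bot: The comment `# Encrypt management frames to protect against deauthentication and similar attacks` now sits above `ieee80211w = 1;`, which in hostapd means MFP optional rather than required (2 = required), so a station that does not negotiate MFP still associates without that protection and the comment overstates what is enforced; with `sae_require_mfp` commented out, the SAE path carries no MFP requirement either. Suggest `ieee80211w = 1; # 1 = MFP optional (stations without MFP still associate unprotected); 2 = required once every client supports it`. The same hunk turns on `ieee8021x = 1;` and `eap_server = 1;` while `authentication.mode` is `"wpa2-sha256"`, which appears to be the PSK mode of the NixOS module, and no `eap_user_file`, server certificate or `private_key` appears in the hunk; unless those are set elsewhere in the file, hostapd's 802.1X authenticator and internal EAP server are enabled with nothing to serve, and the two lines deserve a comment stating why they are on. If the goal is only the `tls_flags` TLS 1.3 flag, note in that comment that it takes effect only when an EAP-TLS-family method is actually negotiated.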