l2 ap working

Author: randomizedcoder

desktop/l/flake.nix

@@ -25,14 +25,14 @@
         inherit system;
         config = {
           allowUnfree = true;
-            allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
-              # "nvidia-x11"
-              # "nvidia-settings"
-              # "nvidia-persistenced"
-              "google-chrome"
-              "android-studio"
-              "android-studio-stable"
-              ];
+          allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+            # "nvidia-x11"
+            # "nvidia-settings"
+            # "nvidia-persistenced"
+            "google-chrome"
+            "android-studio"
+            "android-studio-stable"
+            ];
         };
       };
       lib = nixpkgs.lib;

desktop/l/home.nix

@@ -373,24 +373,24 @@
     tmux
     screen
 
-    # LLVM/Clang toolchain (needed for race detection and C/C++ builds)
-    llvmPackages_20.clang-tools
-    llvmPackages_20.lld
-
-    # LLVM C++ Standard Library, compiler runtime, and unwind library
-    llvmPackages_20.stdenv
-    llvmPackages_20.libcxxStdenv
-    llvmPackages_20.libcxxClang
-    llvmPackages_20.libcxx          # Provides libc++.so, libc++.a (libraries)
-    llvmPackages_20.libcxx.dev      # Provides C++ headers
-    # do NOT include llvm.libc-full, because it will override glibc
-    #llvm.libc-full
-    llvmPackages_20.compiler-rt     # Provides libclang_rt.builtins*.a
-    llvmPackages_20.compiler-rt.dev # Provides libclang_rt headers
-    llvmPackages_20.libunwind       # Provides libunwind for exception handling
-    llvmPackages_20.libunwind.dev   # Provides libunwind headers
-
-    libclang libclang.dev libclang.lib
+    # # LLVM/Clang toolchain (needed for race detection and C/C++ builds)
+    # llvmPackages_20.clang-tools
+    # llvmPackages_20.lld
+
+    # # LLVM C++ Standard Library, compiler runtime, and unwind library
+    # #llvmPackages_20.stdenv
+    # llvmPackages_20.libcxxStdenv
+    # llvmPackages_20.libcxxClang
+    # llvmPackages_20.libcxx          # Provides libc++.so, libc++.a (libraries)
+    # llvmPackages_20.libcxx.dev      # Provides C++ headers
+    # # do NOT include llvm.libc-full, because it will override glibc
+    # #llvm.libc-full
+    # llvmPackages_20.compiler-rt     # Provides libclang_rt.builtins*.a
+    # llvmPackages_20.compiler-rt.dev # Provides libclang_rt headers
+    # llvmPackages_20.libunwind       # Provides libunwind for exception handling
+    # llvmPackages_20.libunwind.dev   # Provides libunwind headers
+
+    # llvmPackages_20.libclang llvmPackages_20.libclang.dev llvmPackages_20.libclang.lib
 
     # Essential development libraries (minimal headers)
     glibc glibc.dev glibc.static

desktop/l2/configuration.nix

@@ -32,12 +32,13 @@
       ./grafana.nix
       # clickhouse
       #./docker-compose.nix
-      ./docker-daemon.nix
+      #./docker-daemon.nix
       #./smokeping.nix
       #./distributed-builds.nix
       #./hyprland.nix
       #./hostapd.nix
       ./hostapd-multi.nix
+      ./network-optimization.nix
     ];
 
   boot = {
@@ -164,27 +165,17 @@
      enableSSHSupport = true;
   };
 
-  # https://nixos.wiki/wiki/Virt-manager
-  virtualisation.libvirtd.enable = true;
-  #programs.virt-manager.enable = true;
-  virtualisation.spiceUSBRedirection.enable = true;
+  # # https://nixos.wiki/wiki/Virt-manager
+  # virtualisation.libvirtd.enable = true;
+  # #programs.virt-manager.enable = true;
+  # virtualisation.spiceUSBRedirection.enable = true;
 
-  virtualisation.containers = {
-    ociSeccompBpfHook.enable = true;
-  };
-
-  # guest
-  # services.qemuGuest.enable = true;
-  # services.spice-vdagentd.enable = true;
-
-  # https://wiki.nixos.org/wiki/Laptop
+  # virtualisation.containers = {
+  #   ociSeccompBpfHook.enable = true;
+  # };
 
   system.stateVersion = "24.11";
 
-  nixpkgs.config = {
-    allowUnfree = true;
-  };
-
 }
 
 # end

desktop/l2/firewall.nix

@@ -1,32 +1,83 @@
 { config, pkgs, ... }:
 
 {
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # https://nixos.wiki/wiki/Firewall
-  # https://scvalex.net/posts/54/
-  # sudo nft --stateless list table filter
-  # sudo sudo iptables-save
-  networking.firewall = {
-    enable = false;
-    allowedTCPPorts = [
-      22     # ssh
-      5001   # iperf2
-    ];
-    #   allowedTCPPorts = [ 22 5001 ];
-    #   #allowedUDPPortRanges = [
-    #   #  { from = 4000; to = 4007; }
-    #   #  { from = 8000; to = 8010; }
-    #   #];
-    # NixOS automagically creates stateful connection tracking, which we don't want
-    # for performance reasons
-    # extraCommands = ''
-    # iptables --delete nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept || true
-    # '';
+  # Disable the default iptables firewall since we're using nftables
+  networking.firewall.enable = false;
+
+  # Enable nftables with connection tracking for maximum security
+  networking.nftables = {
+    enable = true;
+    ruleset = ''
+      table inet filter {
+        chain input {
+          type filter hook input priority 0; policy drop;
+
+          # Enable connection tracking
+          ct state established,related accept
+          ct state invalid drop
+
+          # Allow loopback
+          iif lo accept
+          oif lo accept
+
+          # Allow SSH from anywhere
+          tcp dport 22 accept
+
+          # Allow DNS queries
+          udp dport 53 accept
+          tcp dport 53 accept
+
+          # Allow DHCP
+          udp dport 67 accept
+          udp dport 547 accept
+
+          # Allow ICMP (ping, etc.)
+          icmp type echo-request accept
+          icmpv6 type echo-request accept
+
+          # Allow RA (Router Advertisement)
+          icmpv6 type nd-router-advert accept
+        }
+
+        chain forward {
+          type filter hook forward priority 0; policy drop;
+
+          # Allow traffic from internal network to external
+          # Use meta iifname to avoid interface existence check at load time
+          meta iifname "br0" oifname "enp1s0" accept
+
+          # Allow return traffic from external to internal
+          meta iifname "enp1s0" oifname "br0" ct state established,related accept
+        }
+
+        chain output {
+          type filter hook output priority 0; policy accept;
+        }
+      }
+
+      table ip nat {
+        chain prerouting {
+          type nat hook prerouting priority dstnat;
+        }
+
+        chain postrouting {
+          type nat hook postrouting priority srcnat;
+          # IPv4 masquerading
+          meta oifname "enp1s0" masquerade
+        }
+      }
+
+      table ip6 nat {
+        chain prerouting {
+          type nat hook prerouting priority dstnat;
+        }
+
+        chain postrouting {
+          type nat hook postrouting priority srcnat;
+          # IPv6 masquerading
+          meta oifname "enp1s0" masquerade
+        }
+      }
+    '';
   };
-  # networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
 }

desktop/l2/flake.nix

@@ -18,28 +18,56 @@
   outputs = { self, nixpkgs, home-manager, ... }:
     let
       system = "x86_64-linux";
+
+      lib = nixpkgs.lib;
+
+      overlays = {
+        default = final: prev: {
+          hostapd = prev.hostapd.overrideDerivation (old: {
+            version = "2.10";
+            src = final.fetchurl {
+              url = "https://w1.fi/releases/hostapd-2.10.tar.gz";
+              sha256 = "0pcik0a6yin9nib02frjhaglmg44hwik086iwg1751b7kdwpqvi0";
+              # nix-prefetch-url https://w1.fi/releases/hostapd-2.10.tar.gz
+            };
+            patches = [
+              (final.fetchpatch {
+                url = "https://tildearrow.org/storage/hostapd-2.10-lar.patch";
+                sha256 = "USiHBZH5QcUJfZSxGoFwUefq3ARc4S/KliwUm8SqvoI=";
+              })
+            ];
+          });
+        };
+      };
+
       pkgs = import nixpkgs {
         inherit system;
-        config = {
-          allowUnfree = true;
-        };
+        overlays = [ overlays.default ];
+        config.allowUnfree = true;
       };
-      lib = nixpkgs.lib;
+
     in {
-    nixosConfigurations = {
-      l2 = lib.nixosSystem rec {
-        inherit system;
-        modules = [
-          ./configuration.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.useUserPackages = true;
-            home-manager.users.das = { config, pkgs, ... }: {
-              imports = [ ./home.nix ];
-            };
-          }
-        ];
+      nixosConfigurations = {
+        l2 = lib.nixosSystem {
+
+          inherit system;
+
+          modules = [
+            ./configuration.nix
+            {
+              nixpkgs.pkgs = pkgs;
+            }
+            home-manager.nixosModules.home-manager
+            {
+              home-manager.useUserPackages = true;
+              home-manager.users.das = { config, pkgs, ... }: {
+                imports = [ ./home.nix ];
+              };
+            }
+          ];
+        };
       };
     };
-  };
 }
+
+# end

desktop/l2/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
@@ -37,6 +37,5 @@
   # networking.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }