a bit of refactoring

nixos/legacy/nginx-logging.nix

@@ -0,0 +1,41 @@
+{ pkgs, lib, ... }:
+let
+  access_log_sink = "workhorse.private:12304";
+  error_log_sink = "workhorse.private:12305";
+in
+{
+
+  security.acme.defaults.email = "contact@ingolf-wagner.de";
+  security.acme.acceptTerms = true;
+
+  services.nginx = {
+
+    # Use recommended settings
+    recommendedGzipSettings = lib.mkDefault true;
+    recommendedOptimisation = lib.mkDefault true;
+    recommendedProxySettings = lib.mkDefault true;
+    recommendedTlsSettings = lib.mkDefault true;
+
+    # for graylog logging
+    #commonHttpConfig = ''
+    #  log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
+    #    '"facility": "nginx", '
+    #    '"src_addr": "$remote_addr", '
+    #    '"body_bytes_sent": $body_bytes_sent, '
+    #    '"request_time": $request_time, '
+    #    '"response_status": $status, '
+    #    '"request": "$request", '
+    #    '"request_method": "$request_method", '
+    #    '"host": "$host",'
+    #    '"upstream_cache_status": "$upstream_cache_status",'
+    #    '"upstream_addr": "$upstream_addr",'
+    #    '"http_x_forwarded_for": "$http_x_forwarded_for",'
+    #    '"http_referrer": "$http_referer", '
+    #    '"http_user_agent": "$http_user_agent" }';
+    #  access_log syslog:server=${access_log_sink} graylog2_json;
+    #  error_log syslog:server=${error_log_sink};
+    #'';
+  };
+
+  services.nginx.package = pkgs.nginxMainline;
+}

nixos/legacy/wifi-access-point.nix

@@ -0,0 +1,85 @@
+{ lib, pkgs, ... }:
+
+let
+  wifi = "wlp0s29u1u2";
+  ipAddress = "10.123.145.1";
+  prefixLength = 24;
+  servedAddressRange = "10.123.145.2,10.123.145.150,12h";
+  ssid = "bumbumbum";
+  wifiPassword = lib.fileContents <secrets/wifi-access-point>;
+
+in
+{
+  # todo only open needed ports
+  networking.firewall.trustedInterfaces = [ wifi ];
+
+  networking.networkmanager.unmanaged = [ wifi ];
+  networking.dhcpcd.denyInterfaces = [ wifi ];
+
+  networking.interfaces."${wifi}".ipv4.addresses = [{
+    address = ipAddress;
+    prefixLength = prefixLength;
+  }];
+
+  # forward traffic coming in trough the access point => provide internet and vpn network access
+  # todo : forward to own servers
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.${wifi}.forwarding" = true;
+    "net.ipv6.conf.${wifi}.forwarding" = true;
+  };
+
+  systemd.services.hostapd = {
+    description = "hostapd wireless AP";
+    path = [ pkgs.hostapd ];
+
+    # start manual
+    # wantedBy = [ "network.target" ];
+
+    after = [
+      "${wifi}-cfg.service"
+      "nat.service"
+      "bind.service"
+      "dhcpd.service"
+      "sys-subsystem-net-devices-${wifi}.device"
+    ];
+
+    serviceConfig = {
+      ExecStart = "${pkgs.hostapd}/bin/hostapd ${
+          pkgs.writeText "hostapd.conf" ''
+            interface=${wifi}
+            hw_mode=g
+            channel=10
+            ieee80211d=1
+            country_code=DE
+            ieee80211n=1
+            wmm_enabled=1
+
+            ssid=${ssid}
+            auth_algs=1
+            wpa=2
+            wpa_key_mgmt=WPA-PSK
+            rsn_pairwise=CCMP
+            wpa_passphrase=${wifiPassword}
+          ''
+        }";
+      Restart = "always";
+    };
+  };
+
+  services.dnsmasq = {
+    enable = true;
+    extraConfig = ''
+      # Only listen to routers' LAN NIC.  Doing so opens up tcp/udp port 53 to
+      # localhost and udp port 67 to world:
+      interface=${wifi}
+
+      # Explicitly specify the address to listen on
+      listen-address=${ipAddress}
+
+      # Dynamic range of IPs to make available to LAN PC and the lease time.
+      # Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records.
+      dhcp-range=${servedAddressRange}
+    '';
+  };
+
+}