chore: wip: begin building better hostapd module

hosts/zackbiene/hostapd.nix

@@ -8,63 +8,15 @@
     enable = true;
     interface = "wlan1";
     ssid = "🍯🐝💨";
-    # We'll set the options ourselves
-    wpa = false;
+    wpa = 3;
     # Use 2.4GHz, this network is ment for dumb embedded devices
     hwMode = "g";
     # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
     channel = 13;
     # Respect the local regulations
     countryCode = "DE";
+    # TODO away
     logLevel = 0;
-
-    # This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM)
-    extraConfig = ''
-      utf8_ssid=1
-      # Enable QoS, required for 802.11n/ac/ax
-      wmm_enabled=1
-
-      # DFS (IEEE 802.11d, IEEE 802.11h)
-      # Limit to frequencies allowed in country
-      ieee80211d=1
-      # Ensure TX Power and frequencies compliance with local regulatory requirements
-      ieee80211h=1
-
-      # IEEE 802.11ac (WiFi 4) - MIMO and channel bonding support
-      ieee80211n=1
-      ht_capab=[LDPC][HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1]
-
-      # IEEE 802.11ac (WiFi 5) - adds wider channel-width support and MU-MIMO (multi user MIMO)
-      ieee80211ac=1
-      #vht_capab=[SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
-      #vht_oper_chwidth=1
-
-      # WPA3
-      wpa=2
-      wpa_pairwise=CCMP CCMP-256
-      rsn_pairwise=CCMP CCMP-256
-      wpa_key_mgmt=SAE
-      # Require WPA, disable WEP
-      auth_algs=1
-      # Encrypt management frames to protect against deauthentication and similar attacks
-      ieee80211w=2
-      # Force WPA3-Personal without transition
-      transition_disable=0x01
-      # Derive PWE using both hunting-and-pecking loop and hash-to-element
-      sae_pwe=2
-      # SAE passwords can be set via wpa_passphrase but not via wpa_psk_file. This sucks
-      # and means we have to add the passwords in pre-start to prevent them being visible here
-      {{SAE_PASSWORDS}}
-
-      # Use a MAC-address access control list
-      macaddr_acl=1
-      accept_mac_file=/run/hostapd/client-macs
-
-      # Hide network and require devices to know the ssid in advance
-      #ignore_broadcast_ssid=1
-      # Don't allow clients to communicate with each other
-      ap_isolate=1
-    '';
   };
   # TODO dont adverttise!
   #wpa_psk_file=${config.rekey.secrets.wifi-clients.path}

hosts/zackbiene/secrets/wifi-clients.age

@@ -1,10 +1,11 @@
 age-encryption.org/v1
--> X25519 J0OVJ0jJkIkBk0nFoeZ7QhFoH2KZtVNEaqVrPAPOMkU
-gPL8EodGaHRmGU7SjCi0A+VSHX0Jki4QTSQJqKakOmc
--> piv-p256 xqSe8Q ApYjO1OYkLa5P5y/CUcreVv1D+XIuzmvL22b8xOn4KCo
-zXbQ2bBEoNfRBccduRzhezOHir1NoFgSaNpB2Kz9iLM
--> 3}-b-grease vM C
-9zBNWTL08GkY4ZkDLmiQQqc2Di2oFiHko39JdKAzdF53kRcEkpojS0MwOhii5673
-Pg0s035+WayZNZkpKHelA27aA7Yo+u6kGZ0xLP2N0ZxxjgZabYau
---- CkGhrXo9Gfpf5A1h9A4ZVRtdr3KOlE78J7wXOUyMJjI
-B6úµÖůĆ^áaµŇ@VÇ�hĘąą#ťG7›&…•ęőkË~ #¶_k™Hž™`ňxcčČÝk•ŐşËJ�ýwú¶ó±¸ĆĐ ‰
hF¦®ž[HéĂťęަ—�!ż}UR>•g’ÔşđÍBo¨ô�5ÂĐ9VĽ$ř’‡©Ŕ˝AŰob“g ,š/
+-> X25519 JEieTSfpgYVOG4jpaPU2Ixo5gzKfA2jADiVp2mDzo3o
+9rqppLh1oDh5+9OOIULyRc6wO6xHtuMUWlD3Cdd92cc
+-> piv-p256 xqSe8Q AhmCYR/YwLhHnFGfM8ovMFKesiCRq3KZJHhCkZCjOI8U
+JpsMBhEZSirrIhrJSrxzxoH3kMafZdnwSv6AqRZRqow
+-> 0-grease HqN8M8 ;L H9mxj ?vjE*x$[
+7V9ALzJ+IJAvP9aUkCaaGCCX/DKbqhJc7Ii/WWwhbX56NNXKAnMu+St1yfUdto86
+qhxQbDuVBB17Ls42W0gJxYlfwb0
+--- XFjv9Cuf8BHmKEgxH4g6CJaVjz0L7ojFgfWhFlHs884
+�ˇ´*‹Ů.•\&ĎťŰ�;?–\"ôĺŚÉj¦`›DŚSiwŚśÉAźŐ™ j€‡’51•	<_ÔXńů"{‹IµpÜ«±:Ŕ±§b=Č*µţ
+ł†~#´