From 1f7b034a5eac1c596185dbfad735f393f3ac484e Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Sat, 18 Mar 2023 15:49:18 +0100
Subject: [PATCH] chore: hostapd doesn't understand wpa_psk_file for SAE.
 prepare to restructure.

---
 hosts/zackbiene/hostapd.nix | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix
index 6cae831..51c3aff 100644
--- a/hosts/zackbiene/hostapd.nix
+++ b/hosts/zackbiene/hostapd.nix
@@ -1,6 +1,7 @@
 {
   lib,
   config,
+  pkgs,
   ...
 }: {
   services.hostapd = {
@@ -15,6 +16,7 @@
     channel = 13;
     # Respect the local regulations
     countryCode = "DE";
+    logLevel = 0;
 
     # This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM)
     extraConfig = ''
@@ -50,10 +52,9 @@
       transition_disable=0x01
       # Derive PWE using both hunting-and-pecking loop and hash-to-element
       sae_pwe=2
-      # SAE can also use wpa_psk, which allows us to use a separate file,
-      # but it restricts the password length to [8,63] which is ok.
-      # This conatins a list of passwords for each client MAC.
-      wpa_psk_file=${config.rekey.secrets.wifi-clients.path}
+      # SAE passwords can be set via wpa_passphrase but not via wpa_psk_file. This sucks
+      # and means we have to add the passwords in pre-start to prevent them being visible here
+      {{SAE_PASSWORDS}}
 
       # Use a MAC-address access control list
       macaddr_acl=1
@@ -66,17 +67,24 @@
     '';
   };
   # TODO dont adverttise!
+  #wpa_psk_file=${config.rekey.secrets.wifi-clients.path}
 
   # Associates each known client to a unique password
   rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age;
   systemd.services.hostapd = {
-    # Filter the clients to get a list of all known MAC addresses,
-    # which we then use for MAC access control.
+    # Filter the clients to get a list of all known MAC addresses, which we
+    # then use for MAC access control. Afterwards, add the password for each
+    # client to the hostapd config.
     preStart = lib.mkBefore ''
       grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-clients.path} > /run/hostapd/client-macs
+      hostapd_conf=$(cat ''${systemd.services.hostapd.serviceConfig.ExecStart})
+      sae_passwords=$(echo -e "sae_password=aa|mac=13:13:13:13:13:13\nsae_password=aa|mac=12:12:12:12:12:12")
+      hostapd_conf=''${hostapd_conf//"{{SAE_PASSWORDS}}"/$sae_passwords}
+      echo "$hostapd_conf" > /run/hostapd/config
     '';
     # Add some missing options to the upstream config
     serviceConfig = {
+      ExecStart = lib.mkForce "${pkgs.hostapd}/bin/hostapd /run/hostapd/config";
       ExecReload = "/bin/kill -HUP $MAINPID";
       RuntimeDirectory = "hostapd";