
chore: hostapd doesn't understand wpa_psk_file for SAE. prepare to restructure.

This commit is contained in:
oddlama 2023-03-18 15:49:18 +01:00
parent 3b6503f2e2
commit 1f7b034a5e
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A


@ -1,6 +1,7 @@
{ {
lib, lib,
config, config,
pkgs,
... ...
}: { }: {
services.hostapd = { services.hostapd = {
@ -15,6 +16,7 @@
channel = 13; channel = 13;
# Respect the local regulations # Respect the local regulations
countryCode = "DE"; countryCode = "DE";
logLevel = 0;
# This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM) # This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM)
extraConfig = '' extraConfig = ''
@ -50,10 +52,9 @@
transition_disable=0x01 transition_disable=0x01
# Derive PWE using both hunting-and-pecking loop and hash-to-element # Derive PWE using both hunting-and-pecking loop and hash-to-element
sae_pwe=2 sae_pwe=2
# SAE can also use wpa_psk, which allows us to use a separate file, # SAE passwords can be set via wpa_passphrase but not via wpa_psk_file. This sucks
# but it restricts the password length to [8,63] which is ok. # and means we have to add the passwords in pre-start to prevent them being visible here
# This conatins a list of passwords for each client MAC. {{SAE_PASSWORDS}}
wpa_psk_file=${config.rekey.secrets.wifi-clients.path}
# Use a MAC-address access control list # Use a MAC-address access control list
macaddr_acl=1 macaddr_acl=1
@ -66,17 +67,24 @@
''; '';
}; };
# TODO dont adverttise! # TODO dont adverttise!
#wpa_psk_file=${config.rekey.secrets.wifi-clients.path}
# Associates each known client to a unique password # Associates each known client to a unique password
rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age; rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age;
systemd.services.hostapd = { systemd.services.hostapd = {
# Filter the clients to get a list of all known MAC addresses, # Filter the clients to get a list of all known MAC addresses, which we
# which we then use for MAC access control. # then use for MAC access control. Afterwards, add the password for each
# client to the hostapd config.
preStart = lib.mkBefore '' preStart = lib.mkBefore ''
grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-clients.path} > /run/hostapd/client-macs grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-clients.path} > /run/hostapd/client-macs
hostapd_conf=$(cat ''${systemd.services.hostapd.serviceConfig.ExecStart})
sae_passwords=$(echo -e "sae_password=aa|mac=13:13:13:13:13:13\nsae_password=aa|mac=12:12:12:12:12:12")
hostapd_conf=''${hostapd_conf//"{{SAE_PASSWORDS}}"/$sae_passwords}
echo "$hostapd_conf" > /run/hostapd/config
''; '';
# Add some missing options to the upstream config # Add some missing options to the upstream config
serviceConfig = { serviceConfig = {
ExecStart = lib.mkForce "${pkgs.hostapd}/bin/hostapd /run/hostapd/config";
ExecReload = "/bin/kill -HUP $MAINPID"; ExecReload = "/bin/kill -HUP $MAINPID";
RuntimeDirectory = "hostapd"; RuntimeDirectory = "hostapd";