fix: esphome & hostapd systemd restrictions, hostapd ACS disable

2025-10-10 23:00:39 +02:00 · 2023-03-18 01:46:56 +01:00 · 2023-03-18 01:46:56 +01:00 · 20e539020c
commit 20e539020c
parent 711c97b393
5 changed files with 57 additions and 31 deletions
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@ -21,11 +21,12 @@ in {

      # Hardening
      CapabilityBoundingSet = "";
-      DevicePolicy = "closed";
      LockPersonality = true;
-      MemoryDenyWriteExecute = false; # NodeJs-JIT :/
+      MemoryDenyWriteExecute = true;
+      DevicePolicy = "closed";
+      DeviceAllow = "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0";
+      SupplementaryGroups = ["dialout"];
      NoNewPrivileges = true;
-      PrivateDevices = true;
      PrivateUsers = true;
      PrivateTmp = true;
      ProtectClock = true;
@ -41,11 +42,15 @@ in {
      ReadWritePaths = dataDir;
      RemoveIPC = true;
      RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"];
-      RestrictNamespaces = true;
+      RestrictNamespaces = false; # Required by platformio for chroot
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
-      SystemCallFilter = ["@system-service" "~@privileged"];
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "@mount" # Required by platformio for chroot
+      ];
      UMask = "0077";
    };
  };
@ -58,4 +63,25 @@ in {
  };

  users.groups.esphome.gid = 316;
+
+  services.nginx.upstreams = {
+    "esphome" = {
+      servers = {"unix:/run/esphome/esphome.sock" = {};};
+      extraConfig = ''
+        zone esphome 64k;
+        keepalive 2;
+      '';
+    };
+  };
+  services.nginx.virtualHosts = {
+    #"${nodeSecrets.esphome.domain}" = {
+    #  forceSSL = true;
+    #  enableACME = true;
+    "192.168.1.22" = {
+      locations."/" = {
+        proxyPass = "http://esphome";
+        proxyWebsockets = true;
+      };
+    };
+  };
 }
--- a/hosts/zackbiene/hostapd.nix
+++ b/hosts/zackbiene/hostapd.nix
@ -11,8 +11,8 @@
    wpa = false;
    # Use 2.4GHz, this network is ment for dumb embedded devices
    hwMode = "g";
-    # Automatically select channel at runtime using acs_survey
-    channel = 0;
+    # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
+    channel = 13;
    # Respect the local regulations
    countryCode = "DE";

@ -28,16 +28,14 @@
      # Ensure TX Power and frequencies compliance with local regulatory requirements
      ieee80211h=1

-      # IEEE 802.11ac (WiFi 4)
-      # MIMO and channel bonding support
+      # IEEE 802.11ac (WiFi 4) - MIMO and channel bonding support
      ieee80211n=1
-      # Add wider channel-width support and MU-MIMO (multi user MIMO)
+      ht_capab=[LDPC][HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1]

-      # IEEE 802.11ac (WiFi 5)
+      # IEEE 802.11ac (WiFi 5) - adds wider channel-width support and MU-MIMO (multi user MIMO)
      ieee80211ac=1
-      ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40]
-      vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
-      vht_oper_chwidth=1
+      #vht_capab=[SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
+      #vht_oper_chwidth=1

      # WPA3
      wpa=2
@ -53,7 +51,7 @@
      # Derive PWE using both hunting-and-pecking loop and hash-to-element
      sae_pwe=2
      # SAE can also use wpa_psk, which allows us to use a separate file,
-      # but it restricts the password length to [2,63] which is ok.
+      # but it restricts the password length to [8,63] which is ok.
      # This conatins a list of passwords for each client MAC.
      wpa_psk_file=${config.rekey.secrets.wifi-clients.path}

@ -62,11 +60,12 @@
      accept_mac_file=/run/hostapd/client-macs

      # Hide network and require devices to know the ssid in advance
-      ignore_broadcast_ssid=1
+      #ignore_broadcast_ssid=1
      # Don't allow clients to communicate with each other
      ap_isolate=1
    '';
  };
+  # TODO dont adverttise!

  # Associates each known client to a unique password
  rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age;
@ -80,25 +79,25 @@
    serviceConfig = {
      ExecReload = "/bin/kill -HUP $MAINPID";
      RuntimeDirectory = "hostapd";
+      DeviceAllow = "/dev/rfkill rw";

      # Hardening
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
-      PrivateDevices = false; # Needs /dev/rfkill
-      PrivateUsers = true;
+      PrivateDevices = true;
+      PrivateUsers = false; # hostapd requires real system root access.
      PrivateTmp = true;
      ProtectClock = true;
-      ProtectControlGroups = false; # Needs write-access to /sys/class/net/...
+      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
-      ProtectKernelTunables = false;
+      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      ProtectSystem = "strict";
-      RemoveIPC = true;
      RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"];
      RestrictNamespaces = true;
      RestrictRealtime = true;
--- a/hosts/zackbiene/net.nix
+++ b/hosts/zackbiene/net.nix
@ -14,7 +14,6 @@
      matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
      networkConfig = {
        Address = "10.90.0.1/24";
-        Gateway = "10.90.0.1";
      };
    };
  };
--- a/hosts/zackbiene/nginx.nix
+++ b/hosts/zackbiene/nginx.nix
@ -40,4 +40,6 @@
      };
    };
  };
+
+  networking.firewall.allowedTCPPorts = [80 443];
 }
--- a/hosts/zackbiene/secrets/wifi-clients.age
+++ b/hosts/zackbiene/secrets/wifi-clients.age
@ -1,10 +1,10 @@
 age-encryption.org/v1
-> X25519 hassPBEEk/UBxKCHkOhG+xCVBRqjLzzIzx+YNxMI1XY
-yUPfWO27Ou9Kr/9+9H/QCx/s8z+xaqBknozANAUuRAY
-> piv-p256 xqSe8Q A+Mah3ymwlgxCgF/hqioFnV4dLIs7gIlCi+5Y9hGThUy
-/1ILkEDSDzuP1TNm0eAGExBAGP6GvryPwkYN/44stZI
-> yazz-grease 4O
-ELmoh/Qew+/mdgIaGxnpR9eTPGHvAEO8Y22uH/tlpwBmlVMZNHa91PQ/dksjMKA8
-7hYCLWcfWtEEF4gVUnCOokyYm3XAZyQ9Lauiw2n4JTvYSKJhmAquXW8Jmto
--- 6650BuMK5X5Z56QmkfgIZdbB6cg8+l2GG05XDZkgK4Q
-揵鎧恑蒔e�3�8P牫��!荗u3抮*	羹5嚹{礅潑錭K菱鯰磉B1欸�m&#`襽7佫挚亼 O
+-> X25519 J0OVJ0jJkIkBk0nFoeZ7QhFoH2KZtVNEaqVrPAPOMkU
+gPL8EodGaHRmGU7SjCi0A+VSHX0Jki4QTSQJqKakOmc
+-> piv-p256 xqSe8Q ApYjO1OYkLa5P5y/CUcreVv1D+XIuzmvL22b8xOn4KCo
+zXbQ2bBEoNfRBccduRzhezOHir1NoFgSaNpB2Kz9iLM
+-> 3}-b-grease vM C
+9zBNWTL08GkY4ZkDLmiQQqc2Di2oFiHko39JdKAzdF53kRcEkpojS0MwOhii5673
+Pg0s035+WayZNZkpKHelA27aA7Yo+u6kGZ0xLP2N0ZxxjgZabYau
+--- CkGhrXo9Gfpf5A1h9A4ZVRtdr3KOlE78J7wXOUyMJjI
+B6úµÖůĆ^áaµŇ@VÇ�hĘąą#ťG7›&…•ęőkË~ #¶_k™Hž™`ňxcčČÝk•ŐşËJ�ýwú¶ó±¸ĆĐ ‰hF¦®ž[HéĂťęŢ¦—�!ż}UR>•g’ÔşđÍBo¨ô�5ÂĐ9VĽ$ř’‡©Ŕ˝AŰob“g ,š/