feat: per-bss settings in hostapd module, prepare vaultwarden for later

hosts/ward/default.nix

@@ -22,9 +22,66 @@
 
   boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
 
-  microvm.vms.agag = {
-    flake = self;
-    updateFlake = microvm;
-  };
-  autostart = ["guest"];
+  #services.authelia.instances.main = {
+  #  enable = true;
+  #  settings = {
+  #    theme = "dark";
+  #    log = {
+  #      level = "info";
+  #      format = "text";
+  #    };
+  #    server = {
+  #      host = "127.0.0.1";
+  #      port = 9091;
+  #    };
+  #    session = {
+  #      name = "session";
+  #      domain = "pas.sh";
+  #    };
+  #    authentication_backend.ldap = {
+  #      implementation = "custom";
+  #      url = "ldap://127.0.0.1:3890";
+  #      base_dn = "dc=pas,dc=sh";
+  #      username_attribute = "uid";
+  #      additional_users_dn = "ou=people";
+  #      users_filter = "(&({username_attribute}={input})(objectclass=person))";
+  #      additional_groups_dn = "ou=groups";
+  #      groups_filter = "(member={dn})";
+  #      group_name_attribute = "cn";
+  #      mail_attribute = "mail";
+  #      display_name_attribute = "uid";
+  #      user = "uid=authelia,ou=people,dc=pas,dc=sh";
+  #    };
+  #    storage.local = {
+  #      path = "/var/lib/authelia-${cfg.name}/db.sqlite3";
+  #    };
+  #    access_control = {
+  #      default_policy = "deny";
+  #    };
+  #    notifier.smtp = rec {
+  #      host = "smtp.fastmail.com";
+  #      port = 587;
+  #      username = "a@example.com";
+  #      sender = "noreply@example.com";
+  #      startup_check_address = sender;
+  #      disable_html_emails = true;
+  #    };
+  #    identity_providers.oidc = {
+  #      cors.allowed_origins_from_client_redirect_uris = true;
+  #      cors.endpoints = [
+  #        "authorization"
+  #          "introspection"
+  #          "revocation"
+  #          "token"
+  #          "userinfo"
+  #      ];
+  #    };
+  #  };
+  #};
+
+  #microvm.vms.agag = {
+  #  flake = self;
+  #  updateFlake = microvm;
+  #};
+  #microvm.autostart = ["guest"];
 }

hosts/ward/vaultwarden.nix

@@ -0,0 +1,81 @@
+{
+  config,
+  nodeSecrets,
+  ...
+}: {
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "sqlite";
+    settings = {
+      DATA_FOLDER = "/var/lib/vaultwarden";
+      EXTENDED_LOGGING = true;
+      USE_SYSLOG = true;
+      WEB_VAULT_ENABLED = true;
+
+      WEBSOCKET_ENABLED = true;
+      WEBSOCKET_ADDRESS = "127.0.0.1";
+      WEBSOCKET_PORT = 3012;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8012;
+
+      SIGNUPS_ALLOWED = false;
+      PASSWORD_ITERATIONS = 1000000;
+      INVITATIONS_ALLOWED = true;
+      INVITATION_ORG_NAME = "Vaultwarden";
+      DOMAIN = nodeSecrets.vaultwarden.domain;
+
+      SMTP_EMBED_IMAGES = true;
+    };
+    #backupDir = "/data/backup";
+    #YUBICO_CLIENT_ID=;
+    #YUBICO_SECRET_KEY=;
+    #ADMIN_TOKEN="$argon2id:TODO";
+    #SMTP_HOST={{ vaultwarden_smtp_host }};
+    #SMTP_FROM={{ vaultwarden_smtp_from }};
+    #SMTP_FROM_NAME={{ vaultwarden_smtp_from_name }};
+    #SMTP_PORT = 465;
+    #SMTP_SECURITY = "force_tls";
+    #SMTP_USERNAME={{ vaultwarden_smtp_username }};
+    #SMTP_PASSWORD={{ vaultwarden_smtp_password }};
+    #environmentFile = config.rekey.secrets.vaultwarden-env.path;
+  };
+
+  # Replace uses of old name
+  systemd.services.vaultwarden.seviceConfig.StateDirectory = "vaultwarden";
+  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = "/var/lib/vaultwarden";
+
+  services.nginx = {
+    upstreams."vaultwarden" = {
+      servers = {"localhost:8012" = {};};
+      extraConfig = ''
+        zone vaultwarden 64k;
+        keepalive 2;
+      '';
+    };
+    upstreams."vaultwarden-websocket" = {
+      servers = {"localhost:3012" = {};};
+      extraConfig = ''
+        zone vaultwarden-websocket 64k;
+        keepalive 2;
+      '';
+    };
+    virtualHosts."${nodeSecrets.vaultwarden.domain}" = {
+      forceSSL = true;
+      #enableACME = true;
+      sslCertificate = config.rekey.secrets."selfcert.crt".path;
+      sslCertificateKey = config.rekey.secrets."selfcert.key".path;
+      locations."/" = {
+        proxyPass = "http://vaultwarden";
+        proxyWebsockets = true;
+      };
+      locations."/notifications/hub" = {
+        proxyPass = "http://vaultwarden-websocket";
+        proxyWebsockets = true;
+      };
+      locations."/notifications/hub/negotiate" = {
+        proxyPass = "http://vaultwarden";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

hosts/zackbiene/default.nix

@@ -16,7 +16,7 @@
     ./fs.nix
     ./net.nix
 
-    ./dnsmasq.nix
+    #./dnsmasq.nix
     ./esphome.nix
     ./home-assistant.nix
     ./hostapd.nix

hosts/zackbiene/hostapd.nix

@@ -2,6 +2,7 @@
   lib,
   config,
   pkgs,
+  nodeSecrets,
   ...
 }: {
   imports = [../../modules/hostapd.nix];
@@ -12,19 +13,24 @@
 
   services.hostapd = {
     enable = true;
-    interfaces = {
-      "wlan1" = {
-        ssid = "🍯🐝💨";
-        hwMode = "g";
-        countryCode = "DE";
-        channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
+    radios.wlan1 = {
+      hwMode = "g";
+      countryCode = "DE";
+      channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
+      wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
+      networks.wlan1 = {
+        inherit (nodeSecrets.hostapd) ssid;
         macAcl = "deny";
         apIsolate = true;
         authentication = {
           saePasswordsFile = config.rekey.secrets.wifi-clients.path;
           saeAddToMacAllow = true;
+          enableRecommendedPairwiseCiphers = true;
         };
-        wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
+      };
+      networks.wlan1-1 = {
+        ssid = "Open";
+        authentication.mode = "none";
       };
     };
   };