sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: use rewritten hostapd module

Browse source
This commit is contained in:
oddlama 2023-03-21 00:13:37 +01:00
parent 5fe125f892
commit 8088cd67fa
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
3 changed files with 63 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

19
hosts/zackbiene/hostapd.nix
View file

@ -14,19 +14,18 @@
enable = true; enable = true;
interfaces = { interfaces = {
"wlan1" = { "wlan1" = {
logLevel = 0;
ssid = "🍯🐝💨"; ssid = "🍯🐝💨";
hwMode = "g"; hwMode = "g";
#wifi4.enable = true;
#wifi5.enable = true;
countryCode = "DE"; countryCode = "DE";
# Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u. channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
channel = 13; macAcl = "deny";
apIsolate = true;
#wpa = 3; authentication = {
# TODO dont adverttise! saePasswordsFile = config.rekey.secrets.wifi-clients.path;
saeAddToMacAllow = true;
# TODO away };
logLevel = 0; wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
}; };
}; };
}; };

19
hosts/zackbiene/secrets/wifi-clients.age
View file

@ -1,11 +1,10 @@
age-encryption.org/v1 age-encryption.org/v1
-> X25519 JEieTSfpgYVOG4jpaPU2Ixo5gzKfA2jADiVp2mDzo3o -> X25519 qvpFDcOyatSXVl605QLiHsTSQglCTjw9RvEQtWJyZkM
9rqppLh1oDh5+9OOIULyRc6wO6xHtuMUWlD3Cdd92cc 5EDyHb8/v7UHfz3uvAUQmuZ6La/EN/Kdtx96WJdWQMo
-> piv-p256 xqSe8Q AhmCYR/YwLhHnFGfM8ovMFKesiCRq3KZJHhCkZCjOI8U -> piv-p256 xqSe8Q ApCZ9ehw2EwREOZND16+8iDrtqWfiHw48/kRMV5WphXT
JpsMBhEZSirrIhrJSrxzxoH3kMafZdnwSv6AqRZRqow 99+R5fAwYia0GAFEq+Bo2Z/GQ7EoIuQYKOQgTEVYniU
-> 0-grease HqN8M8 ;L H9mxj ?vjE*x$[ -> 6?-grease _E ~ e?]# X
7V9ALzJ+IJAvP9aUkCaaGCCX/DKbqhJc7Ii/WWwhbX56NNXKAnMu+St1yfUdto86 3UiNZDgFonwUPaWBPtFpRpFIQGc+5Mnz8ODw6YIF
qhxQbDuVBB17Ls42W0gJxYlfwb0 --- Tw96qV9jp6FiMfHKbfrw1bY++E7Ej6AmrcNBFMRMa2w
--- XFjv9Cuf8BHmKEgxH4g6CJaVjz0L7ojFgfWhFlHs884 uQ¶Š´ø¥[ÉélÚÞÖ<Öíäü-!™Ä‹Ù�gÆ vØÛ
�ˇ´*‹Ů.•\&ĎťŰ�;?–\"ôĺŚÉj¦`›DŚSiwŚśÉAźŐ™ j€‡’51• <_ÔXńů"{‹IµpÜ«±:Ŕ±§b=Č*µ ţ Çê!š�‰- ©6J¼²dsa�¸¦–QƒÍV‰A³ —,$ü¨¢`Dì@“PÀ@¸Ø …vþ¦
ł†~#´

73
modules/hostapd.nix
View file

@ -16,7 +16,6 @@
escapeShellArg escapeShellArg
filter filter
literalExpression literalExpression
mapAttrs
mapAttrsToList mapAttrsToList
mdDoc mdDoc
mkIf mkIf
@ -79,7 +78,7 @@
##### IEEE 802.11 general configuration ####################################### ##### IEEE 802.11 general configuration #######################################
ssid=${ifcfg.ssid} ssid=${ifcfg.ssid}
utf8_ssid=${ifcfg.hwMode} utf8_ssid=${bool01 ifcfg.utf8Ssid}
${optionalString (ifcfg.countryCode != null) '' ${optionalString (ifcfg.countryCode != null) ''
country_code=${ifcfg.countryCode} country_code=${ifcfg.countryCode}
# IEEE 802.11d: Limit to frequencies allowed in country # IEEE 802.11d: Limit to frequencies allowed in country
@ -92,19 +91,17 @@
noscan=${bool01 ifcfg.noScan} noscan=${bool01 ifcfg.noScan}
# Set the MAC-address access control mode # Set the MAC-address access control mode
macaddr_acl=${macaddrAclModes.${ifcfg.macAcl}} macaddr_acl=${macaddrAclModes.${ifcfg.macAcl}}
${optionalString (ifcfg.macAllow != [] || ifcfg.macAllowFile != null) '' ${optionalString (ifcfg.macAllow != [] || ifcfg.macAllowFile != null || ifcfg.authentication.saeAddToMacAllow) ''
accept_mac_file=/run/hostapd/${interface}.mac.allow accept_mac_file=/run/hostapd/${interface}.mac.allow
''} ''}
${optionalString (ifcfg.macDeny != [] || ifcfg.macDenyFile != null) '' ${optionalString (ifcfg.macDeny != [] || ifcfg.macDenyFile != null) ''
deny_mac_file=/run/hostapd/${interface}.mac.deny deny_mac_file=/run/hostapd/${interface}.mac.deny
''} ''}
# Only allow WPA, disable WEP (insecure) # Only allow WPA, disable insecure WEP
auth_algs=1 auth_algs=1
# Set ssid broadcasting mode (0=normal, 1=empty, 2=clear)
ignore_broadcast_ssid=${ignoreBroadcastSsidModes.${ifcfg.ignoreBroadcastSsid}} ignore_broadcast_ssid=${ignoreBroadcastSsidModes.${ifcfg.ignoreBroadcastSsid}}
# Always enable QoS, which is required for 802.11n/ac/ax # Always enable QoS, which is required for 802.11n and above
wmm_enabled=1 wmm_enabled=1
# Whether to disallow clients to communicate with each other
ap_isolate=${bool01 ifcfg.apIsolate} ap_isolate=${bool01 ifcfg.apIsolate}
##### IEEE 802.11n (WiFi 4) related configuration ####################################### ##### IEEE 802.11n (WiFi 4) related configuration #######################################
@ -115,30 +112,28 @@
require_ht=${bool01 ifcfg.wifi4.require} require_ht=${bool01 ifcfg.wifi4.require}
''} ''}
##### IEEE 802.11ac (WiFi 5) related configuration #####################################
ieee80211ac=${bool01 ifcfg.wifi5.enable}
${optionalString ifcfg.wifi5.enable '' ${optionalString ifcfg.wifi5.enable ''
##### IEEE 802.11ac (WiFi 5) related configuration #####################################
ieee80211ac=1
vht_capab=${concatMapStrings (x: "[${x}]") ifcfg.wifi5.capabilities} vht_capab=${concatMapStrings (x: "[${x}]") ifcfg.wifi5.capabilities}
require_vht=${bool01 ifcfg.wifi5.require} require_vht=${bool01 ifcfg.wifi5.require}
vht_oper_chwidth=${operatingChannelWidth.${ifcfg.wifi5.operatingChannelWidth}} vht_oper_chwidth=${operatingChannelWidth.${ifcfg.wifi5.operatingChannelWidth}}
''} ''}
##### IEEE 802.11ax (WiFi 6) related configuration #####################################
ieee80211ax=${bool01 ifcfg.wifi6.enable}
${optionalString ifcfg.wifi6.enable '' ${optionalString ifcfg.wifi6.enable ''
##### IEEE 802.11ax (WiFi 6) related configuration #####################################
ieee80211ax=1
require_he=${bool01 ifcfg.wifi6.require} require_he=${bool01 ifcfg.wifi6.require}
he_oper_chwidth=${operatingChannelWidth.${ifcfg.wifi6.operatingChannelWidth}} he_oper_chwidth=${operatingChannelWidth.${ifcfg.wifi6.operatingChannelWidth}}
he_su_beamformer=${bool01 ifcfg.wifi6.singleUserBeamformer} he_su_beamformer=${bool01 ifcfg.wifi6.singleUserBeamformer}
he_su_beamformee=${bool01 ifcfg.wifi6.singleUserBeamformee} he_su_beamformee=${bool01 ifcfg.wifi6.singleUserBeamformee}
he_mu_beamformer=${bool01 ifcfg.wifi6.multiUserBeamformer} he_mu_beamformer=${bool01 ifcfg.wifi6.multiUserBeamformer}
''} ''}
##### IEEE 802.11be (WiFi 7) related configuration #####################################
ieee80211be=${bool01 ifcfg.wifi7.enable}
${optionalString ifcfg.wifi7.enable '' ${optionalString ifcfg.wifi7.enable ''
##### IEEE 802.11be (WiFi 7) related configuration #####################################
ieee80211be=1
eht_oper_chwidth=${operatingChannelWidth.${ifcfg.wifi7.operatingChannelWidth}} eht_oper_chwidth=${operatingChannelWidth.${ifcfg.wifi7.operatingChannelWidth}}
eht_su_beamformer=${bool01 ifcfg.wifi7.singleUserBeamformer} eht_su_beamformer=${bool01 ifcfg.wifi7.singleUserBeamformer}
eht_su_beamformee=${bool01 ifcfg.wifi7.singleUserBeamformee} eht_su_beamformee=${bool01 ifcfg.wifi7.singleUserBeamformee}
@ -185,7 +180,7 @@
makeInterfaceRuntimeFiles = interface: ifcfg: let makeInterfaceRuntimeFiles = interface: ifcfg: let
# All MAC addresses from SAE entries that aren't the wildcard address # All MAC addresses from SAE entries that aren't the wildcard address
saeMacs = filter (mac: mac != null && (toLower mac) != "ff:ff:ff:ff:ff:ff") (mapAttrs (x: x.mac) ifcfg.authentication.saePasswords); saeMacs = filter (mac: mac != null && (toLower mac) != "ff:ff:ff:ff:ff:ff") (map (x: x.mac) ifcfg.authentication.saePasswords);
in in
pkgs.writeShellScript "make-hostapd-${interface}-files" ('' pkgs.writeShellScript "make-hostapd-${interface}-files" (''
set -euo pipefail set -euo pipefail
@ -213,17 +208,17 @@
'' ''
# Populate mac allow list from saePasswords # Populate mac allow list from saePasswords
++ optional (ifcfg.authentication.saeAddToMacAllow && saeMacs != []) '' ++ optional (ifcfg.authentication.saeAddToMacAllow && saeMacs != []) ''
cat >> "$mac_deny_file" <<EOF cat >> "$mac_allow_file" <<EOF
${concatStringsSep "\n" saeMacs} ${concatStringsSep "\n" saeMacs}
EOF EOF
'' ''
# Populate mac allow list from saePasswordsFile # Populate mac allow list from saePasswordsFile
# (filter for lines with mac=; exclude commented lines; filter for real mac-addresses; strip mac=) # (filter for lines with mac=; exclude commented lines; filter for real mac-addresses; strip mac=)
++ optional (ifcfg.authentication.saeAddToMacAllow && ifcfg.authentication.saePasswords != []) '' ++ optional (ifcfg.authentication.saeAddToMacAllow && ifcfg.authentication.saePasswordsFile != null) ''
grep mac= ${escapeShellArg ifcfg.authentication.saePasswordsFile} \ grep mac= ${escapeShellArg ifcfg.authentication.saePasswordsFile} \
| grep -v '\s*#' \ | grep -v '\s*#' \
| grep -Eo 'mac=([0-9A-Fa-f]{2}[:]){5}([0-9A-Fa-f]{2})' \ | grep -Eo 'mac=([0-9A-Fa-f]{2}[:]){5}([0-9A-Fa-f]{2})' \
| sed 's|^mac=||' >> "$mac_deny_file" | sed 's|^mac=||' >> "$mac_allow_file"
'' ''
# Create combined mac.deny list from macDeny and macDenyFile # Create combined mac.deny list from macDeny and macDenyFile
++ optional (ifcfg.macDeny != []) '' ++ optional (ifcfg.macDeny != []) ''
@ -234,14 +229,16 @@
++ optional (ifcfg.macDenyFile != null) '' ++ optional (ifcfg.macDenyFile != null) ''
grep -Eo '^([0-9A-Fa-f]{2}[:]){5}([0-9A-Fa-f]{2})' ${escapeShellArg ifcfg.macDenyFile} >> "$mac_deny_file" grep -Eo '^([0-9A-Fa-f]{2}[:]){5}([0-9A-Fa-f]{2})' ${escapeShellArg ifcfg.macDenyFile} >> "$mac_deny_file"
'' ''
# Depending on which password sources are defined, add corresponding definitions. # Add WPA passphrase from file if necessary
++ optional (ifcfg.authentication.wpaPasswordFile != null) '' ++ optional (ifcfg.authentication.wpaPasswordFile != null) ''
cat >> "$hostapd_config_file" <<EOF cat >> "$hostapd_config_file" <<EOF
wpa_passphrase=$(cat ${escapeShellArg ifcfg.authentication.wpaPasswordFile}) wpa_passphrase=$(cat ${escapeShellArg ifcfg.authentication.wpaPasswordFile})
EOF EOF
'' ''
# Add SAE passwords from file if necessary
++ optional (ifcfg.authentication.saePasswordsFile != null) '' ++ optional (ifcfg.authentication.saePasswordsFile != null) ''
sed 's/^/sae_password=/' ${escapeShellArg ifcfg.authentication.saePasswordsFile} >> "$hostapd_config_file" grep -v '\s*#' ${escapeShellArg ifcfg.authentication.saePasswordsFile} \
| sed 's/^/sae_password=/' >> "$hostapd_config_file"
'' ''
# Finally append extraConfig if necessary. # Finally append extraConfig if necessary.
++ optional (ifcfg.extraConfig != "") '' ++ optional (ifcfg.extraConfig != "") ''
@ -276,19 +273,34 @@ in {
# WiFi 4 (2.4GHz) # WiFi 4 (2.4GHz)
"wlp2s0" = { "wlp2s0" = {
ssid = "AP 1"; ssid = "AP 1";
# countryCode = "US";
authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible. authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible.
}; };
# Hidden hotspot for IoT devices (MAC ACL list, invisible ssid, isolated traffic)
"wlp3s0" = {
ssid = "IoT Isolated AP";
# countryCode = "US";
macAcl = "deny";
apIsolate = true;
authentication = {
saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible.
saeAddToMacAllow = true;
};
};
# WiFi 5 (5GHz) # WiFi 5 (5GHz)
"wlp4s0" = { "wlp4s0" = {
ssid = "Open AP with WiFi5"; ssid = "Open AP with WiFi5";
# countryCode = "US";
hwMode = "a"; hwMode = "a";
authentication.mode = "none"; authentication.mode = "none";
}; };
# Legacy WPA2 example # Legacy WPA2 example
"wlp3s0" = { "wlp5s0" = {
ssid = "AP 2"; ssid = "AP 2";
# countryCode = "US";
channel = 0; # Enables automatic channel selection ACS. Use only if your hardware support's it. channel = 0; # Enables automatic channel selection ACS. Use only if your hardware support's it.
authentication = { authentication = {
mode = "wpa2-sha256"; mode = "wpa2-sha256";
@ -485,7 +497,9 @@ in {
type = types.enum ["disabled" "empty" "clear"]; type = types.enum ["disabled" "empty" "clear"];
description = mdDoc '' description = mdDoc ''
Send empty SSID in beacons and ignore probe request frames that do not Send empty SSID in beacons and ignore probe request frames that do not
specify full SSID, i.e., require stations to know SSID. specify full SSID, i.e., require stations to know SSID. Note that this does
not increase security, since your clients will then broadcast the SSID instead,
which can increase congestion.
- {var}`"disabled"`: Advertise ssid normally. - {var}`"disabled"`: Advertise ssid normally.
- {var}`"empty"`: send empty (length=0) SSID in beacon and ignore probe request for broadcast SSID - {var}`"empty"`: send empty (length=0) SSID in beacon and ignore probe request for broadcast SSID
@ -850,7 +864,10 @@ in {
enable = mkOption { enable = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
description = mdDoc "Enables support for IEEE 802.11be (WiFi 7, EHT)"; description = mdDoc ''
Enables support for IEEE 802.11be (WiFi 7, EHT). This is currently experimental
and requires you to manually enable CONFIG_IEEE80211BE when building hostapd.
'';
}; };
singleUserBeamformer = mkOption { singleUserBeamformer = mkOption {
@ -956,7 +973,7 @@ in {
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.hostapd}/bin/hostapd ${concatStringsSep " " runtimeConfigFiles}"; ExecStart = "${pkgs.hostapd}/bin/hostapd ${concatStringsSep " " runtimeConfigFiles}";
Restart = "always"; Restart = "always";
ExecReload = "/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
RuntimeDirectory = "hostapd"; RuntimeDirectory = "hostapd";
# Hardening # Hardening