feat(zackbiene): add hostapd config

2023-03-16 01:21:50 +01:00 · 2023-03-16 01:21:50 +01:00 · fc8b59178b
commit fc8b59178b
parent f2f8ca71bb
9 changed files with 127 additions and 34 deletions
--- a/hosts/nom/net.nix
+++ b/hosts/nom/net.nix
@ -1,4 +1,4 @@
-{ nodeSecrets, ... }: {
+{nodeSecrets, ...}: {
  networking = {
    hostId = "4313abca";
    wireless.iwd.enable = true;
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -1,4 +1,4 @@
-{ nodeSecrets, ... }: {
+{nodeSecrets, ...}: {
  networking.hostId = "49ce3b71";
  systemd.network.networks = {
--- a/hosts/zackbiene/hostapd.nix
+++ b/hosts/zackbiene/hostapd.nix
@ -3,4 +3,82 @@
  config,
  ...
 }: {
  services.hostapd = {
    enable = true;
    interface = "wlan1";
    ssid = "🍯🐝💨";
    # We'll set the options ourselves
    wpa = false;
    # Use 2.4GHz, this network is ment for dumb embedded devices
    hwMode = "g";
    # Automatically select channel at runtime using acs_survey
    channel = 0;
    # Respect the local regulations
    countryCode = "DE";
    # This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM)
    extraConfig = ''
         utf8_ssid=1
         # Enable QoS, required for 802.11n/ac/ax
         wmm_enabled=1
         # DFS (IEEE 802.11d, IEEE 802.11h)
         # Limit to frequencies allowed in country
         ieee80211d=1
         # Ensure TX Power and frequencies compliance with local regulatory requirements
         ieee80211h=1
         # IEEE 802.11ac (WiFi 4)
         # MIMO and channel bonding support
         ieee80211n=1
         # Add wider channel-width support and MU-MIMO (multi user MIMO)
         # IEEE 802.11ac (WiFi 5)
         ieee80211ac=1
         ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40]
      vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
      vht_oper_chwidth=1
         # WPA3
      wpa=2
         wpa_pairwise=CCMP CCMP-256
         rsn_pairwise=CCMP CCMP-256
         wpa_key_mgmt=SAE
         # Require WPA, disable WEP
         auth_algs=1
         # Encrypt management frames to protect against deauthentication and similar attacks
         ieee80211w=2
         # Force WPA3-Personal without transition
      transition_disable=0x01
         # Derive PWE using both hunting-and-pecking loop and hash-to-element
         sae_pwe=2
         # SAE can also use wpa_psk, which allows us to use a separate file,
      # but it restricts the password length to [2,63] which is ok.
      # This conatins a list of passwords for each client MAC.
         wpa_psk=${config.rekey.secrets.wifi-stations.path}
         # Use a MAC-address access control list
         macaddr_acl=1
         accept_mac_file=/run/hostapd/client-macs
         # Hide network and require devices to know the ssid in advance
         ignore_broadcast_ssid=1
         # Don't allow stations to communicate with each other
         ap_isolate=1
    '';
  };
  # Associates each known client to a unique password
  rekey.secrets.wifi-stations = {
    file = ./secrets/wifi-stations.age;
    owner = "hostapd";
  };
  systemd.services.hostapd = {
    # Filter the stations to get a list of all known MAC addresses,
    # which we then use for MAC access control.
    preStart = lib.mkBefore ''
      grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-stations.path} > /run/hostapd/client-macs
    '';
  };
 }
--- a/hosts/zackbiene/net.nix
+++ b/hosts/zackbiene/net.nix
@ -1,4 +1,4 @@
-{ nodeSecrets, ... }: {
+{nodeSecrets, ...}: {
  networking.hostId = "f7e6acdc";
  systemd.network.networks = {
@ -9,12 +9,13 @@
      dhcpV4Config.RouteMetric = 10;
      dhcpV6Config.RouteMetric = 10;
    };
-    #"10-wlan1" = {
+    "10-wlan1" = {
-    #  DHCP = "yes";
+      DHCP = "no";
-    #  matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
+      matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
-    #  networkConfig.IPv6PrivacyExtensions = "kernel";
+      networkConfig = {
-    #  dhcpV4Config.RouteMetric = 40;
+        Address = "10.90.0.1/24";
-    #  dhcpV6Config.RouteMetric = 40;
+        Gateway = "10.90.0.1";
-    #};
+      };
    };
  };
 }
--- a/hosts/zackbiene/secrets/secrets.nix.age
+++ b/hosts/zackbiene/secrets/secrets.nix.age
@ -1,10 +1,9 @@
 age-encryption.org/v1
-> X25519 mn3B1E/SKmnXS7G9ZZ7ptPc8IHl6NYcDjf+ajDUzKgA
+-> X25519 L/8z53x0Z1hDEfMaQWXx9INcP4xgr9kdbv4VN36tuQA
-z0Xvh/24jEWUQVirYqx5Fqft7KeIqsPf//yG+9aWXOA
+SQ2x5ojLTi2RfW/TRQAeIhW3X4e8vOyuyJ/SVyCzpVU
-> piv-p256 xqSe8Q A6NhXYe87IDSn//lXW6zEiBTcCpwf/6a2EwdqE2zBQlj
+-> piv-p256 xqSe8Q ArVpzc9Y9hcxReTGy03258oJk8y5TzK/UlybJGjLKvVy
-dqCP1xOoqzVgJxwD2uO76Xks7iw0V0MfCrS+0WUYNgE
+fbwvO09v0yaZmkxjizWS0s62I+XLQ6QYLx2Ll4Pg9/E
-> `#7R>-grease Y? }5h 8S8p-),H
+-> Xb-grease ZYp7 f?V1eA };
-hIhl
+gAcuu63D/WfKZKvGHpvNTXph+3FQV0rQgjuWBAEkYTrNjyMp3TkB9s39rL4L
--- MaFW7+5LhjSFX0UySze3TAunc1MXTCrH6nOQoLJ1LlY
+--- Bod3/cnxhiwoGi3vK3VhkDjD+YuosFPdrC6bUKgScjQ
-ë:•ÃßÜ¨(Ý
+�›{ƒÐ²àÜ÷šÍ42¶m“¹�ü…Ôé‡¸&çÌ±OãˆõÖô™|Ò[+Èm»7©$.Â¡ÝLj¡0T¤uµÜR	tÜÍwS)æšÇOs@<Eéõ<R>êBì[Ñ»×8¦¨se©8†g,Ì˜²JBœZqq-îi5Y9\&ú/-Y;›ßøt\±‰þPû‚”ÆÙ39&¸Þv©HæÇ9`\ãèåðÌ$`ê “¡¿#y[ø~ãåà
 ˜»©0‹äKÞ ˜ê“&8#Wo�æˆWÀn¼óÆ]×5�y$Í{—ãkµ[ÄMæ€Zv?	¢–mâPBÊ…2K³=˜¬é�zCž[Î(•OjeðEÍã–Ã®vïöþ•«ÀÝ0»¤àØ6*¸‘c]X[ Ã`É†,¦4éB}{‹ÈuâøJ}²+Ñÿº·ŠVe3WíH1Pµ’ÕÅ.©~ð0Í¯GÏÃ×¥<
--- a/hosts/zackbiene/secrets/wifi-stations.age
+++ b/hosts/zackbiene/secrets/wifi-stations.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> X25519 2ysSXvNBkZGUL0kP0IGg9z/FDClzt7Zk60S5OxJvcXQ
 VkEGZ/Dap1F0iyQCarSRhPSmftWoiI/sQvLM3Gw1/xA
 -> piv-p256 xqSe8Q A1wl54gEsL4r8bnGogruc1/9+2e8YjRfvgYcow+UjdSl
 6Yv9O8D0bq1EaK41WXme02Pu3BGCpHIr6D3igGnHSAE
 -> Bwz)--grease wa,. Empc cCS[Rb"L
 LnHSEKMfcX3o5znCuYuJQb11c3B0Lb+gN0tjng7Iz/Q
 --- eh8DL3+e9zxS1T4Zv1YezTAzbQdrNDwmbTRdFO0cqzQ
 ÒéðÎ�4Ëç.‘¦B÷'»OlA„Sg‚¤C'ó+¥z9ÏØãi}¥,õD'~“ŒûƒœlÈê–¼\O·‰V¯|‡Xu ä9
--- a/hosts/zackbiene/zigbee2mqtt.nix
+++ b/hosts/zackbiene/zigbee2mqtt.nix
@ -14,6 +14,7 @@
  services.zigbee2mqtt = {
    enable = true;
    settings = {
      advanced.log_level = "warn";
      homeassistant = true;
      permit_join = true;
      serial = {
@ -24,9 +25,7 @@
        user = "zigbee2mqtt";
        password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
      };
-      frontend = {
+      frontend.port = 8072;
        port = 8072;
      };
    };
  };
 }
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -2,6 +2,7 @@
  lib,
  pkgs,
  config,
  nodeSecrets,
  ...
 }: let
  dummyConfig = pkgs.writeText "configuration.nix" ''
@ -55,6 +56,12 @@ in {
    firewall.enable = true;
  };
  # Rename known network interfaces
  services.udev.extraRules = lib.concatStringsSep "\n" (lib.mapAttrsToList (
      interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME="${interface}"''
    )
    nodeSecrets.networking.interfaces);
  nix.nixPath = [
    "nixos-config=${dummyConfig}"
    "nixpkgs=/run/current-system/nixpkgs"
--- a/nix/apps.nix
+++ b/nix/apps.nix
@ -57,19 +57,19 @@ in
        )
        self.secrets.extraEncryptionPubkeys;
      formatSecret = path: ''
-        '';
+      '';
    in
      mkApp (pkgs.writeShellScript "format-secrets" ''
-        set -euo pipefail
+         set -euo pipefail
-	      [[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
+        [[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
-	      for f in $(find . -type f -name '*.nix.age'); do
+        for f in $(find . -type f -name '*.nix.age'); do
-	        echo "Formatting $f ..."
+          echo "Formatting $f ..."
-	        decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
+          decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
-            || { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
+             || { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
-	        formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
+          formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
-            || { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
+             || { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
-	      	${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
+        	${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
-            || { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
+             || { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
-	      done
+        done
      '');
  }