feat(zackbiene): add hostapd config

hosts/zackbiene/hostapd.nix

@@ -3,4 +3,82 @@
   config,
   ...
 }: {
+  services.hostapd = {
+    enable = true;
+    interface = "wlan1";
+    ssid = "🍯🐝💨";
+    # We'll set the options ourselves
+    wpa = false;
+    # Use 2.4GHz, this network is ment for dumb embedded devices
+    hwMode = "g";
+    # Automatically select channel at runtime using acs_survey
+    channel = 0;
+    # Respect the local regulations
+    countryCode = "DE";
+
+    # This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM)
+    extraConfig = ''
+         utf8_ssid=1
+         # Enable QoS, required for 802.11n/ac/ax
+         wmm_enabled=1
+
+         # DFS (IEEE 802.11d, IEEE 802.11h)
+         # Limit to frequencies allowed in country
+         ieee80211d=1
+         # Ensure TX Power and frequencies compliance with local regulatory requirements
+         ieee80211h=1
+
+         # IEEE 802.11ac (WiFi 4)
+         # MIMO and channel bonding support
+         ieee80211n=1
+         # Add wider channel-width support and MU-MIMO (multi user MIMO)
+
+         # IEEE 802.11ac (WiFi 5)
+         ieee80211ac=1
+         ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40]
+      vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
+      vht_oper_chwidth=1
+
+         # WPA3
+      wpa=2
+         wpa_pairwise=CCMP CCMP-256
+         rsn_pairwise=CCMP CCMP-256
+         wpa_key_mgmt=SAE
+         # Require WPA, disable WEP
+         auth_algs=1
+         # Encrypt management frames to protect against deauthentication and similar attacks
+         ieee80211w=2
+         # Force WPA3-Personal without transition
+      transition_disable=0x01
+         # Derive PWE using both hunting-and-pecking loop and hash-to-element
+         sae_pwe=2
+         # SAE can also use wpa_psk, which allows us to use a separate file,
+      # but it restricts the password length to [2,63] which is ok.
+      # This conatins a list of passwords for each client MAC.
+         wpa_psk=${config.rekey.secrets.wifi-stations.path}
+
+         # Use a MAC-address access control list
+         macaddr_acl=1
+         accept_mac_file=/run/hostapd/client-macs
+
+         # Hide network and require devices to know the ssid in advance
+         ignore_broadcast_ssid=1
+         # Don't allow stations to communicate with each other
+         ap_isolate=1
+    '';
+  };
+
+  # Associates each known client to a unique password
+  rekey.secrets.wifi-stations = {
+    file = ./secrets/wifi-stations.age;
+    owner = "hostapd";
+  };
+
+  systemd.services.hostapd = {
+    # Filter the stations to get a list of all known MAC addresses,
+    # which we then use for MAC access control.
+    preStart = lib.mkBefore ''
+      grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-stations.path} > /run/hostapd/client-macs
+    '';
+  };
 }

hosts/zackbiene/net.nix

@@ -9,12 +9,13 @@
       dhcpV4Config.RouteMetric = 10;
       dhcpV6Config.RouteMetric = 10;
     };
-    #"10-wlan1" = {
-    #  DHCP = "yes";
-    #  matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
-    #  networkConfig.IPv6PrivacyExtensions = "kernel";
-    #  dhcpV4Config.RouteMetric = 40;
-    #  dhcpV6Config.RouteMetric = 40;
-    #};
+    "10-wlan1" = {
+      DHCP = "no";
+      matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
+      networkConfig = {
+        Address = "10.90.0.1/24";
+        Gateway = "10.90.0.1";
+      };
+    };
   };
 }

hosts/zackbiene/secrets/secrets.nix.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> X25519 mn3B1E/SKmnXS7G9ZZ7ptPc8IHl6NYcDjf+ajDUzKgA
-z0Xvh/24jEWUQVirYqx5Fqft7KeIqsPf//yG+9aWXOA
--> piv-p256 xqSe8Q A6NhXYe87IDSn//lXW6zEiBTcCpwf/6a2EwdqE2zBQlj
-dqCP1xOoqzVgJxwD2uO76Xks7iw0V0MfCrS+0WUYNgE
--> `#7R>-grease Y? }5h 8S8p-),H
-hIhl
---- MaFW7+5LhjSFX0UySze3TAunc1MXTCrH6nOQoLJ1LlY
-ë:•Ãßܨ(Ý
-˜»©0‹äKÞ ˜ê“&8#Wo�æˆWÀn¼óÆ]×5�y$Í{—ãkµ[ÄMæ€Zv?	¢–mâPBÊ…2K³=˜¬é�
zCž[Î(•OjeðEÍã–îvïöþ•«ÀÝ0»¤àØ6*¸‘c]X[ Ã`Ɇ,¦4éB
}{‹ÈuâøJ}²+Ñÿº·ŠVe3WíH1Pµ’ÕÅ.©~ð0ͯGÏÃ×¥<
+-> X25519 L/8z53x0Z1hDEfMaQWXx9INcP4xgr9kdbv4VN36tuQA
+SQ2x5ojLTi2RfW/TRQAeIhW3X4e8vOyuyJ/SVyCzpVU
+-> piv-p256 xqSe8Q ArVpzc9Y9hcxReTGy03258oJk8y5TzK/UlybJGjLKvVy
+fbwvO09v0yaZmkxjizWS0s62I+XLQ6QYLx2Ll4Pg9/E
+-> Xb-grease ZYp7 f?V1eA };
+gAcuu63D/WfKZKvGHpvNTXph+3FQV0rQgjuWBAEkYTrNjyMp3TkB9s39rL4L
+--- Bod3/cnxhiwoGi3vK3VhkDjD+YuosFPdrC6bUKgScjQ
+�›{ƒÐ²àÜ÷šÍ42¶m“¹�ü…Ô釸&ç̱OãˆõÖô™|Ò[+Èm»7©$.¡ÝLj¡0T¤uµÜR	tÜÍwS)æšÇOs@<­Eéõ<R>êBì[Ñ»×8¦¨se©8†g,̘²JBœZqq-îi5Y9\&ú/-Y;
›ßøt\±‰þPû‚”ÆÙ39&¸Þv©HæÇ9`\ãèåðÌ$`ê “¡¿#y[ø~ãåà

hosts/zackbiene/secrets/wifi-stations.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 2ysSXvNBkZGUL0kP0IGg9z/FDClzt7Zk60S5OxJvcXQ
+VkEGZ/Dap1F0iyQCarSRhPSmftWoiI/sQvLM3Gw1/xA
+-> piv-p256 xqSe8Q A1wl54gEsL4r8bnGogruc1/9+2e8YjRfvgYcow+UjdSl
+6Yv9O8D0bq1EaK41WXme02Pu3BGCpHIr6D3igGnHSAE
+-> Bwz)--grease wa,. Empc cCS[Rb"L
+LnHSEKMfcX3o5znCuYuJQb11c3B0Lb+gN0tjng7Iz/Q
+--- eh8DL3+e9zxS1T4Zv1YezTAzbQdrNDwmbTRdFO0cqzQ
+ÒéðÎ�4Ëç.‘¦B÷'»OlA„Sg‚¤C'ó+¥z9ÏØãi}¥,õD'~“ŒûƒœlÈê–­¼\O·‰V¯|‡Xu ä9

hosts/zackbiene/zigbee2mqtt.nix

@@ -14,6 +14,7 @@
   services.zigbee2mqtt = {
     enable = true;
     settings = {
+      advanced.log_level = "warn";
       homeassistant = true;
       permit_join = true;
       serial = {
@@ -24,9 +25,7 @@
         user = "zigbee2mqtt";
         password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
       };
-      frontend = {
-        port = 8072;
-      };
+      frontend.port = 8072;
     };
   };
 }

modules/core/default.nix

@@ -2,6 +2,7 @@
   lib,
   pkgs,
   config,
+  nodeSecrets,
   ...
 }: let
   dummyConfig = pkgs.writeText "configuration.nix" ''
@@ -55,6 +56,12 @@ in {
     firewall.enable = true;
   };
 
+  # Rename known network interfaces
+  services.udev.extraRules = lib.concatStringsSep "\n" (lib.mapAttrsToList (
+      interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME="${interface}"''
+    )
+    nodeSecrets.networking.interfaces);
+
   nix.nixPath = [
     "nixos-config=${dummyConfig}"
     "nixpkgs=/run/current-system/nixpkgs"