hostapd basic

Author: randomizedcoder

desktop/l/hosts.nix

@@ -2,16 +2,17 @@
 
 {
   networking.hosts = {
-    "172.16.40.198" = ["hp0" "hp0eth"]; # adi's room
-    "172.16.40.141" = ["hp0wifi"];
-    "172.16.40.142" = ["hp1" "hp1eth"];
-    "172.16.40.212" = ["hp2" "hp2eth"];
-    "172.16.40.146" = ["hp3" "hp3eth"]; # savi's room
-    "172.16.40.130" = ["hp3wifi"];
-    "172.16.50.232" = ["hp4" "hp4eth"]; # rack
-    "172.16.40.70"  = ["hp5" "hp5eth"];
-    "172.16.40.122" = ["pi5-1" "pi5-1-eth"];
-    "172.16.40.62" = ["chromebox3" "chromebox3-eth"];
-    "127.0.0.1" = ["redpanda-0"];
+    "172.16.40.198" = [ "hp0" "hp0eth" ]; # adi's room
+    "172.16.40.141" = [ "hp0wifi" ];
+    "172.16.40.142" = [ "hp1" "hp1eth" ];
+    "172.16.40.212" = [ "hp2" "hp2eth" ];
+    "172.16.40.146" = [ "hp3" "hp3eth" ]; # savi's room
+    "172.16.40.130" = [ "hp3wifi" ];
+    "172.16.50.232" = [ "hp4" "hp4eth" ]; # rack
+    "172.16.40.70"  = [ "hp5" "hp5eth" ];
+    "172.16.40.122" = [ "pi5-1" "pi5-1-eth" ];
+    "172.16.40.62" =  [ "chromebox3" "chromebox3-eth" ];
+    "172.16.40.46" =  [ "l2" ];
+    "127.0.0.1" = ["redpanda-0" ];
   };
 }

desktop/l2/Makefile

@@ -34,8 +34,7 @@ update:
 	sudo nix flake update;
 
 sync:
-	rsync -av /home/das/nixos/desktop/"${EXPECTED_HOSTNAME}"/ "${EXPECTED_HOSTNAME}":/home/das/nixos/desktop/"${EXPECTED_HOSTNAME}"/
-	#rsync -av /home/das/nixos/modules/ hp1:/home/das/nixos/modules/
+	rsync -avz /home/das/nixos/ "${EXPECTED_HOSTNAME}":/home/das/nixos/
 
 rebuild_old:
 	# sudo cp ./flake.nix /etc/nixos/

desktop/l2/flake.nix

@@ -21,8 +21,13 @@
   outputs = { self, nixpkgs, home-manager, hyprland, ... }:
     let
       system = "x86_64-linux";
+      overlays = [
+        (final: prev: {
+          hostapd = import ./hostapd-80211r.nix { pkgs = prev; };
+        })
+      ];
       pkgs = import nixpkgs {
-        inherit system;
+        inherit system overlays;
         config = {
           allowUnfree = true;
             allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
@@ -35,6 +40,7 @@
               ];
         };
       };
+
       lib = nixpkgs.lib;
     in {
     nixosConfigurations = {
@@ -63,5 +69,10 @@
         ];
       };
     };
+    packages = {
+      x86_64-linux = {
+        hostapd = pkgs.hostapd;
+      };
+    };
   };
 }

desktop/l2/hostapd-80211r.nix

@@ -0,0 +1,27 @@
+#
+# hostapd-80211r.nix
+#
+
+{ pkgs ? import <nixpkgs> {} }:
+
+pkgs.hostapd.override {
+  extraConfig = ''
+    CONFIG_DRIVER_NL80211=y
+    CONFIG_IEEE80211R=y
+    CONFIG_IEEE80211W=y
+    CONFIG_IEEE80211N=y
+    CONFIG_IEEE80211AC=y
+    CONFIG_IEEE80211AX=y
+    CONFIG_ACS=y
+    CONFIG_SAE=y
+    CONFIG_FULL_DYNAMIC_VLAN=y
+    CONFIG_VLAN_NETLINK=y
+    CONFIG_RADIUS_SERVER=y
+    CONFIG_HS20=y
+    CONFIG_WNM=y
+    CONFIG_MBO=y
+    CONFIG_FST=y
+    CONFIG_FST_TEST=y
+    CONFIG_CTRL_IFACE=y
+  '';
+}

desktop/l2/hostapd.nix

@@ -2,81 +2,91 @@
 # hostapd.nix
 #
 
-{ config, pkgs, ... }:
+#
+# NOT using service.hostapd, because it has limited configuration capabilities
+# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/hostapd.nix
+#
+# Using custom systemd services to run hostapd per interface
+#
+# systemctl status hostapd-wlp35s0
+# systemctl status hostapd-wlp65s0
+# systemctl status hostapd-wlp70s0
+#
+# nix pkgs source
+# https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/ho/hostapd/package.nix
+# https://w1.fi/hostapd/
+# https://github.com/latelee/hostapd
+#
+# Giant NixPkgs PR: https://github.com/NixOS/nixpkgs/pull/222536
+#
+#
+{ config, pkgs, lib, ... }:
 
 let
-  interface1 = "wlp35s0"; # e.g. 2.4GHz channel 6
-  interface2 = "wlp65s0"; # e.g. 5GHz channel 100
-  interface3 = "wlp70s0"; # e.g. 5GHz channel 149
+  radios = {
+    wlp35s0 = {
+      channel = 6;
+      hwMode = "g";
+    };
+    wlp65s0 = {
+      channel = 100;
+      hwMode = "a";
+    };
+    wlp70s0 = {
+      channel = 149;
+      hwMode = "a";
+    };
+  };
 
-  commonHostapdSettings = ''
-    ssid=myssid
-    wpa=2
-    wpa_key_mgmt=SAE
-    rsn_pairwise=CCMP
-    sae_require_mfp=1
-    ieee80211w=2
-    ieee80211n=1
-    ieee80211ac=1
-    ieee80211ax=1
-    wmm_enabled=1
+  mkHostapdConf = iface: cfg:
 
-    # WMM tuning for Best Effort (AC_BE)
-    wmm_ac_be_aifs=1
-    wmm_ac_be_cwmin=4
-    wmm_ac_be_cwmax=4
-    wmm_ac_be_txop_limit=32
-    wmm_ac_be_acm=0
+    pkgs.writeText "hostapd-${iface}.conf" ''
+      driver=nl80211
+      ssid=myssid
+      hw_mode=${cfg.hwMode}
+      channel=${toString cfg.channel}
+      ctrl_interface=/run/hostapd-${iface}
+      ctrl_interface_group=0
 
-    # 802.11r (Fast BSS Transition)
-    ieee80211r=1
-    mobility_domain=4f57
-    ft_over_ds=1
-    ft_psk_generate_local=1
-    nas_identifier=myssid-ap
-  '';
-in
-{
-  services.hostapd = {
-    enable = true;
-    radios = {
-      "${interface1}" = {
-        config = pkgs.writeText "hostapd-1.conf" (''
-          interface=${interface1}
-          hw_mode=g
-          channel=6
-          ${commonHostapdSettings}
-        '');
-      };
-      "${interface2}" = {
-        config = pkgs.writeText "hostapd-2.conf" (''
-          interface=${interface2}
-          hw_mode=a
-          channel=100
-          ${commonHostapdSettings}
-        '');
-      };
-      "${interface3}" = {
-        config = pkgs.writeText "hostapd-3.conf" (''
-          interface=${interface3}
-          hw_mode=a
-          channel=149
-          ${commonHostapdSettings}
-        '');
-      };
-    };
-  };
+      # WPA3 (SAE) configuration
+      wpa=2
+      wpa_key_mgmt=SAE
+      rsn_pairwise=CCMP
+      sae_require_mfp=1
+      ieee80211w=2
+      wpa_passphrase=mysecurepassword
 
-  # Disable DHCP on all interfaces, use static IP or bridge later
-  networking.interfaces.${interface1}.useDHCP = false;
-  networking.interfaces.${interface2}.useDHCP = false;
-  networking.interfaces.${interface3}.useDHCP = false;
+      # Enable 802.11n/ac/ax
+      ieee80211n=1
+      ieee80211ac=1
+      ieee80211ax=1
 
-  networking.interfaces.${interface1}.ipv4.addresses = [ { address = "192.168.30.1"; prefixLength = 24; } ];
-  networking.interfaces.${interface2}.ipv4.addresses = [ { address = "192.168.31.1"; prefixLength = 24; } ];
-  networking.interfaces.${interface3}.ipv4.addresses = [ { address = "192.168.32.1"; prefixLength = 24; } ];
+      wmm_enabled=1
 
-  networking.firewall.enable = true;
-  networking.nat.enable = true;
-  networking.nat.externalInterface = "enp1s0";
+      # Optional WMM tuning
+      wmm_ac_be_aifs=1
+      wmm_ac_be_cwmin=4
+      wmm_ac_be_cwmax=4
+      wmm_ac_be_txop_limit=32
+      wmm_ac_be_acm=0
+    '';
+
+  hostapdConfigs = lib.mapAttrs (iface: cfg: mkHostapdConf iface cfg) radios;
+
+in {
+  systemd.services = lib.mapAttrs' (iface: confPath: {
+    name = "hostapd-${iface}";
+    value = {
+      description = "Hostapd on ${iface}";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.hostapd}/bin/hostapd -i ${iface} ${confPath}";
+        Restart = "on-failure";
+        RuntimeDirectory = "hostapd-${iface}";
+      };
+    };
+  }) hostapdConfigs;
 }
+
+# end

desktop/l2/hostapd.notes

@@ -0,0 +1,129 @@
+#
+# hostapd.nix
+#
+
+#
+# NOT using service.hostapd, because it has limited configuration capabilities
+# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/hostapd.nix
+#
+# Using custom systemd services to run hostapd per interface
+#
+# systemctl status hostapd-wlp35s0
+# systemctl status hostapd-wlp65s0
+# systemctl status hostapd-wlp70s0
+#
+# nix pkgs source
+# https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/ho/hostapd/package.nix
+# https://w1.fi/hostapd/
+# https://github.com/latelee/hostapd
+#
+{ config, pkgs, lib, ... }:
+
+let
+  radios = {
+    wlp35s0 = {
+      channel = 6;
+      hwMode = "g";
+      mac = "8E:37:6C:2E:40:FA";
+    };
+    wlp65s0 = {
+      channel = 100;
+      hwMode = "a";
+      mac = "F6:FB:A4:06:06:82";
+    };
+    wlp70s0 = {
+      channel = 149;
+      hwMode = "a";
+      mac = "AA:72:0E:90:28:4A";
+    };
+  };
+
+  # # 🔐 Secure unique R1KH keys per destination MAC
+  # r1khSecrets = {
+  #   "8E:37:6C:2E:40:FA" = "fdeadbeef00000000000000000000001";
+  #   "F6:FB:A4:06:06:82" = "cafef00dbabe00000000000000000002";
+  #   "AA:72:0E:90:28:4A" = "facefeedfeed00000000000000000003";
+  # };
+
+  # normalizeMac = mac: builtins.replaceStrings [":"]
+  #   [""] (lib.strings.toLower mac);
+
+  # safeNASID = mac: "ap-${normalizeMac mac}";
+
+  # r0khLines = lib.concatStringsSep "\n" (
+  #   lib.mapAttrsToList (_iface: cfg:
+  #     let mac = normalizeMac cfg.mac;
+  #     in "r0kh=${normalizeMac peer.mac},${safeNASID peer.mac},${r1khSecrets.${peer.mac}}"
+  #   ) radios
+  # );
+
+  # mkHostapdConf = iface: cfg: let
+  #   r1khLines = lib.concatStringsSep "\n" (
+  #     lib.mapAttrsToList (_peerIface: peerCfg:
+  #       if peerCfg.mac != cfg.mac then
+  #         "r1kh=${normalizeMac peerCfg.mac},${r1khSecrets.${peerCfg.mac}}"
+  #       else
+  #         ""
+  #     ) radios
+  #   );
+      #\${r0khLines}
+      #\${r1khLines}
+
+  in
+    pkgs.writeText "hostapd-${iface}.conf" ''
+      driver=nl80211
+      ssid=myssid
+      hw_mode=${cfg.hwMode}
+      channel=${toString cfg.channel}
+      ctrl_interface=/run/hostapd-${iface}
+      ctrl_interface_group=0
+
+      wpa=2
+      wpa_key_mgmt=SAE
+      rsn_pairwise=CCMP
+      sae_require_mfp=1
+      ieee80211w=2
+      ieee80211n=1
+      ieee80211ac=1
+      ieee80211ax=1
+      wmm_enabled=1
+
+      # Fast BSS Transition with push mode
+      #ieee80211r=1
+      pmk_r1_push=1
+      mobility_domain=4f57
+      ft_over_ds=1
+      ft_psk_generate_local=1
+      nas_identifier=myssid-ap
+
+      #r0khLines
+      #r1khLines
+
+      # WMM tuning
+      wmm_ac_be_aifs=1
+      wmm_ac_be_cwmin=4
+      wmm_ac_be_cwmax=4
+      wmm_ac_be_txop_limit=32
+      wmm_ac_be_acm=0
+    '';
+
+  hostapdConfigs = lib.mapAttrs (iface: cfg: mkHostapdConf iface cfg) radios;
+
+in {
+  systemd.services = lib.mapAttrs' (iface: confPath: {
+    name = "hostapd-${iface}";
+    value = {
+      description = "Hostapd on ${iface}";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.hostapd}/bin/hostapd -i ${iface} ${confPath}";
+        Restart = "on-failure";
+        RuntimeDirectory = "hostapd-${iface}";
+      };
+    };
+  }) hostapdConfigs;
+}
+
+
+# end