nix-config/hosts/nucnix/hostapd.nix

{
  globals,
  config,
  pkgs,
  lib,
  ...
}:
{
  hardware.firmware = with pkgs; [
    linux-firmware
    intel2200BGFirmware
  ];
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  age.secrets = {
    homeWlan = {
      generator.script = "alnum";
    };
    guestWlan = {
      generator.script = "alnum";
    };
    iotWlan = {
      generator.script = "alnum";
    };
  };
  # Hostapd tries to delete any bridges it uses when restarting
  # If any other service dares also using the bridges, thats too bad
  # Have fun resetting your server because they're not coming back
  systemd.services.hostapd.stopIfChanged = false;
  systemd.services.hostapd.restartIfChanged = false;
  systemd.services.hostapd.reloadTriggers = lib.mkForce [ ];

  # networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
  # networking.nftables.firewall.zones.home.interfaces = [ "br-home" ];
  # networking.nftables.firewall.rules.wifi-forward = {
  #   from = [ "wlan" ];
  #   to = [ "home" ];
  #   verdict = "accept";
  # };
  services.hostapd = {
    enable = true;
    radios.wlan01 = {
      band = "2g";
      countryCode = "DE";
      channel = 5;
      wifi4.capabilities = [
        "LDPC"
        "HT40+"
        "HT40-"
        "SHORT-GI-20"
        "SHORT-GI-40"
        "TX-STBC"
        "RX-STBC1"
      ];
      wifi5.capabilities = [
        "LDPC"
        "HT40+"
        "HT40-"
        "SHORT-GI-20"
        "SHORT-GI-40"
        "TX-STBC"
        "RX-STBC1"
      ];
      wifi6.enable = true;
      wifi7.enable = true;
      networks.wlan01 = {
        inherit (globals.hostapd) ssid;
        apIsolate = true;
        # not supporte by laptop :(
        # settings.ieee80211w = 0;
        logLevel = 0;
        settings = {
          vlan_file = "${pkgs.writeText "hostaps.vlans" ''
            10 wifi-home br-home
            40 wifi-iot br-iot
            50 wifi-guests br-guests
          ''}";
          dynamic_vlan = 1;
        };
        authentication = {
          saePasswords = [
            {
              passwordFile = config.age.secrets.homeWlan.path;
              vlanid = 10;
            }
            {
              passwordFile = config.age.secrets.iotWlan.path;
              vlanid = 40;
            }
            {
              passwordFile = config.age.secrets.guestWlan.path;
              vlanid = 50;
            }
          ];
          pairwiseCiphers = [
            "CCMP"
            "GCMP"
            "GCMP-256"
          ];
          #enableRecommendedPairwiseCiphers = true;
        };
        bssid = "44:38:e8:db:a5:b5";
      };
    };
  };
}
feat: hostapd back on bare 2025-01-04 23:25:48 +01:00			`{`
			`globals,`
WIP: homeassistant 2025-01-05 22:27:49 +01:00			`config,`
feat: hostapd back on bare 2025-01-04 23:25:48 +01:00			`pkgs,`
fix: hostapd broke again 2025-01-10 16:36:41 +01:00			`lib,`
feat: hostapd back on bare 2025-01-04 23:25:48 +01:00			`...`
			`}:`
			`{`
			`hardware.firmware = with pkgs; [`
			`linux-firmware`
			`intel2200BGFirmware`
			`];`
			`#boot.kernel.sysctl."net.ipv4.ip_forward" = 1;`
WIP: homeassistant 2025-01-05 22:27:49 +01:00			`age.secrets = {`
			`homeWlan = {`
			`generator.script = "alnum";`
			`};`
			`guestWlan = {`
			`generator.script = "alnum";`
			`};`
fix: hostapd broke again 2025-01-10 16:36:41 +01:00			`iotWlan = {`
			`generator.script = "alnum";`
			`};`
WIP: homeassistant 2025-01-05 22:27:49 +01:00			`};`
fix: hostapd works again 2025-01-11 19:00:41 +01:00			`# Hostapd tries to delete any bridges it uses when restarting`
			`# If any other service dares also using the bridges, thats too bad`
			`# Have fun resetting your server because they're not coming back`
fix: hostapd broke again 2025-01-10 16:36:41 +01:00			`systemd.services.hostapd.stopIfChanged = false;`
			`systemd.services.hostapd.restartIfChanged = false;`
			`systemd.services.hostapd.reloadTriggers = lib.mkForce [ ];`
feat: hostapd back on bare 2025-01-04 23:25:48 +01:00
fix: hostapd broke again 2025-01-10 16:36:41 +01:00			`# networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];`
			`# networking.nftables.firewall.zones.home.interfaces = [ "br-home" ];`
			`# networking.nftables.firewall.rules.wifi-forward = {`
			`# from = [ "wlan" ];`
			`# to = [ "home" ];`
			`# verdict = "accept";`
			`# };`
feat: hostapd back on bare 2025-01-04 23:25:48 +01:00			`services.hostapd = {`
			`enable = true;`
			`radios.wlan01 = {`
			`band = "2g";`
			`countryCode = "DE";`
			`channel = 5;`
			`wifi4.capabilities = [`
			`"LDPC"`
			`"HT40+"`
			`"HT40-"`
			`"SHORT-GI-20"`
			`"SHORT-GI-40"`
			`"TX-STBC"`
			`"RX-STBC1"`
			`];`
			`wifi5.capabilities = [`
			`"LDPC"`
			`"HT40+"`
			`"HT40-"`
			`"SHORT-GI-20"`
			`"SHORT-GI-40"`
			`"TX-STBC"`
			`"RX-STBC1"`
			`];`
			`wifi6.enable = true;`
			`wifi7.enable = true;`
			`networks.wlan01 = {`
			`inherit (globals.hostapd) ssid;`
			`apIsolate = true;`
			`# not supporte by laptop :(`
			`# settings.ieee80211w = 0;`
fix: hostapd with vlans 2025-01-12 00:25:46 +01:00			`logLevel = 0;`
fix: hostapd works again 2025-01-11 19:00:41 +01:00			`settings = {`
fix: hostapd with vlans 2025-01-12 00:25:46 +01:00			`vlan_file = "${pkgs.writeText "hostaps.vlans" ''`
			`10 wifi-home br-home`
			`40 wifi-iot br-iot`
			`50 wifi-guests br-guests`
			`''}";`
			`dynamic_vlan = 1;`
fix: hostapd works again 2025-01-11 19:00:41 +01:00			`};`
feat: hostapd back on bare 2025-01-04 23:25:48 +01:00			`authentication = {`
			`saePasswords = [`
			`{`
WIP: homeassistant 2025-01-05 22:27:49 +01:00			`passwordFile = config.age.secrets.homeWlan.path;`
fix: hostapd with vlans 2025-01-12 00:25:46 +01:00			`vlanid = 10;`
			`}`
			`{`
			`passwordFile = config.age.secrets.iotWlan.path;`
			`vlanid = 40;`
			`}`
			`{`
			`passwordFile = config.age.secrets.guestWlan.path;`
			`vlanid = 50;`
feat: hostapd back on bare 2025-01-04 23:25:48 +01:00			`}`
			`];`
			`pairwiseCiphers = [`
			`"CCMP"`
			`"GCMP"`
			`"GCMP-256"`
			`];`
			`#enableRecommendedPairwiseCiphers = true;`
			`};`
			`bssid = "44:38:e8:db:a5:b5";`
			`};`
			`};`
			`};`
			`}`