feat: hostapd back on bare

config/services/hass.nix

@@ -0,0 +1,80 @@
+{
+  config,
+  globals,
+  nodes,
+  ...
+}:
+{
+  environment.persistence."/persist".directories = [
+    {
+      directory = config.services.home-assistant.configDir;
+      user = "hass";
+      group = "hass";
+      mode = "0700";
+    }
+  ];
+  wireguard.services = {
+    client.via = "nucnix";
+    firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ 3000 ];
+  };
+  services.home-assistant = {
+    enable = true;
+    extraComponents = [
+      "radio_browser"
+      "met"
+      "esphome"
+      "fritzbox"
+      "soundtouch"
+      "spotify"
+      "matter"
+      #"zha"
+      "mqtt"
+    ];
+    config = {
+      http = {
+        server_host = [ "0.0.0.0" ];
+        server_port = 3000;
+        use_x_forwarded_for = true;
+        trusted_proxies = [ nodes.nucnix-nginx.config.wireguard.services.ipv4 ];
+      };
+
+      homeassistant = {
+        name = "!secret ha_name";
+        latitude = "!secret ha_latitude";
+        longitude = "!secret ha_longitude";
+        elevation = "!secret ha_elevation";
+        currency = "EUR";
+        time_zone = "Europe/Berlin";
+        unit_system = "metric";
+        #external_url = "https://";
+        packages = {
+          manual = "!include manual.yaml";
+        };
+      };
+
+      default_config = { };
+      ### Components not from default_config
+
+      frontend = {
+        #themes = "!include_dir_merge_named themes";
+      };
+
+      influxdb = {
+        api_version = 2;
+        host = globals.services.influxdb.domain;
+        port = "443";
+        max_retries = 10;
+        ssl = true;
+        verify_ssl = true;
+        token = "!secret influxdb_token";
+        organization = "home";
+        bucket = "home_assistant";
+      };
+    };
+    extraPackages =
+      python3Packages: with python3Packages; [
+        psycopg2
+        gtts
+      ];
+  };
+}

config/services/hostapd.nix

@@ -1,120 +0,0 @@
-{
-  globals,
-  pkgs,
-  lib,
-  ...
-}:
-{
-  microvm.devices = [
-    {
-      bus = "pci";
-      path = "0000:01:00.0";
-    }
-  ];
-  hardware.firmware = with pkgs; [
-    linux-firmware
-    intel2200BGFirmware
-  ];
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  networking.nftables.firewall.zones.untrusted.interfaces = [
-    "mv-home"
-    "br-home"
-  ];
-  hardware.wirelessRegulatoryDatabase = true;
-  systemd.network = {
-    netdevs."40-br-home" = {
-      netdevConfig = {
-        Name = "br-home";
-        Kind = "bridge";
-      };
-    };
-    networks."10-mv-home" = {
-      networkConfig = {
-        LinkLocalAddressing = "no";
-        IPv6AcceptRA = lib.mkForce false;
-        Bridge = "br-home";
-      };
-      address = lib.mkForce [ ];
-      gateway = lib.mkForce [ ];
-      DHCP = "no";
-    };
-    networks."10-home" = {
-      matchConfig.Name = "br-home";
-      DHCP = "no";
-      address = [ "10.99.10.19/24" ];
-      gateway = [ "10.99.10.1" ];
-    };
-    networks."40-wifi" = {
-      matchConfig.Name = "wlan1";
-      networkConfig = {
-        LinkLocalAddressing = "no";
-        IPv6AcceptRA = lib.mkForce false;
-        Bridge = "br-home";
-      };
-      DHCP = "no";
-    };
-  };
-
-  networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
-  networking.nftables.firewall.zones.home.interfaces = [ "mv-home" ];
-  networking.nftables.firewall.rules.wifi-forward = {
-    from = [ "wlan" ];
-    to = [ "home" ];
-    verdict = "accept";
-  };
-  services.hostapd = {
-    enable = true;
-    radios.wlan1 = {
-      band = "2g";
-      countryCode = "DE";
-      channel = 5;
-      wifi4.capabilities = [
-        "LDPC"
-        "HT40+"
-        "HT40-"
-        "SHORT-GI-20"
-        "SHORT-GI-40"
-        "TX-STBC"
-        "RX-STBC1"
-      ];
-      wifi5.capabilities = [
-        "LDPC"
-        "HT40+"
-        "HT40-"
-        "SHORT-GI-20"
-        "SHORT-GI-40"
-        "TX-STBC"
-        "RX-STBC1"
-      ];
-      wifi6.enable = true;
-      wifi7.enable = true;
-      networks.wlan1 = {
-        inherit (globals.hostapd) ssid;
-        apIsolate = true;
-        # settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
-        #   10 wifi-home br-home
-        #   50 wifi-guest br-guest
-        # ''}";
-        authentication = {
-          saePasswords = [
-            {
-              password = "ctiectie";
-              # vlanid = 10;
-            }
-            # {
-            #   password = "nrsgnrsg";
-            #   vlanid = 50;
-            # }
-          ];
-          pairwiseCiphers = [
-            "CCMP"
-            "GCMP"
-            "GCMP-256"
-          ];
-          #enableRecommendedPairwiseCiphers = true;
-        };
-        bssid = "44:38:e8:db:a5:b5";
-      };
-    };
-  };
-}

hosts/nucnix/guests.nix

@@ -107,13 +107,5 @@ in
           ];
         };
     in
-    { }
+    { } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
-    // mkContainer "adguardhome" { }
-    // mkContainer "nginx" { }
-    // mkMicrovm "hostapd" {
-      vlans = [
-        # "guests"
-        "home"
-      ];
-    };
 }

hosts/nucnix/hostapd.nix

@@ -0,0 +1,78 @@
+{
+  globals,
+  pkgs,
+  ...
+}:
+{
+  hardware.firmware = with pkgs; [
+    linux-firmware
+    intel2200BGFirmware
+  ];
+  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+  networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
+  networking.nftables.firewall.zones.home.interfaces = [ "br-home" ];
+  networking.nftables.firewall.rules.wifi-forward = {
+    from = [ "wlan" ];
+    to = [ "home" ];
+    verdict = "accept";
+  };
+  services.hostapd = {
+    enable = true;
+    radios.wlan01 = {
+      band = "2g";
+      countryCode = "DE";
+      channel = 5;
+      wifi4.capabilities = [
+        "LDPC"
+        "HT40+"
+        "HT40-"
+        "SHORT-GI-20"
+        "SHORT-GI-40"
+        "TX-STBC"
+        "RX-STBC1"
+      ];
+      wifi5.capabilities = [
+        "LDPC"
+        "HT40+"
+        "HT40-"
+        "SHORT-GI-20"
+        "SHORT-GI-40"
+        "TX-STBC"
+        "RX-STBC1"
+      ];
+      wifi6.enable = true;
+      wifi7.enable = true;
+      networks.wlan01 = {
+        inherit (globals.hostapd) ssid;
+        apIsolate = true;
+        # not supporte by laptop :(
+        # settings.ieee80211w = 0;
+        settings.bridge = "br-home";
+        settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
+          10 wifi-home br-home
+          50 wifi-guest br-guest
+        ''}";
+        authentication = {
+          saePasswords = [
+            {
+              password = "ctiectie";
+              vlanid = 10;
+            }
+            {
+              password = "nrsgnrsg";
+              vlanid = 50;
+            }
+          ];
+          pairwiseCiphers = [
+            "CCMP"
+            "GCMP"
+            "GCMP-256"
+          ];
+          #enableRecommendedPairwiseCiphers = true;
+        };
+        bssid = "44:38:e8:db:a5:b5";
+      };
+    };
+  };
+}

hosts/nucnix/mdns.nix

@@ -23,7 +23,7 @@ let
       {
         from = "lan-home";
         to = "lan-devices";
-        allow_questions = "(printer|ipp)";
+        allow_questions = "(printer|ipp|uscans|alljoyn)";
         allow_answers = "";
       }
     ];

hosts/nucnix/net.nix

@@ -19,6 +19,7 @@ in
     ./kea.nix
     ./forwarding.nix
     ./mdns.nix
+    ./hostapd.nix
   ];
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
   networking.nftables.firewall.zones = mkMerge [
@@ -31,9 +32,6 @@ in
       adguard.ipv4Addresses = [
         (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
       ];
-      samba.ipv4Addresses = [
-        (lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4)
-      ];
     }
     (genAttrs (attrNames globals.net.vlans) (name: {
       interfaces = [ "lan-${name}" ];
@@ -65,6 +63,12 @@ in
           };
           vlanConfig.Id = id;
         };
+        "50-bridge-${name}" = {
+          netdevConfig = {
+            Name = "br-${name}";
+            Kind = "bridge";
+          };
+        };
         "50-macvlan-${name}" = {
           netdevConfig = {
             Name = "lan-${name}";
@@ -115,10 +119,17 @@ in
           # this interface to gain a carrier.
           networkConfig.LinkLocalAddressing = "no";
           linkConfig.RequiredForOnline = "carrier";
-          extraConfig = ''
+          networkConfig = {
-            [Network]
+            Bridge = "br-${name}";
-            MACVLAN=lan-${name}
+          };
-          '';
+        };
+        "10-${name}" = {
+          matchConfig.Name = "br-${name}";
+          networkConfig.LinkLocalAddressing = "no";
+          linkConfig.RequiredForOnline = "carrier";
+          networkConfig = {
+            MACVLAN = "lan-${name}";
+          };
         };
         "20-lan-${name}" = {
           address = [
@@ -148,6 +159,9 @@ in
         from = [
           "home"
           "services"
+          "devices"
+          "guests"
+          "iot"
         ];
         to = [ "local" ];
         allowedUDPPorts = [ 5353 ];

hosts/nucnix/secrets/hostapd/host.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOR54uUS7TdVFs8SmKEThJcwNqQhLhqIfkTneoPSNJe

hosts/nucnix/secrets/hostapd/secrets.nix.age

@@ -1,17 +0,0 @@
-age-encryption.org/v1
--> X25519 q8aZVIpO27A7gSGGepzDYQINfV9BT5Vdlck4Ywl/tw4
-f7OZDaBI1nGbWVKz7c/fCTjl5avQMZwweKuGsMZaHmw
--> piv-p256 ZFgiIw AzIXNOToQeNgxBaPr2Ay8PNbWci5KXsOO0hPzntcr9jh
-A45KdFFCcHss+yp9o1lMeyGAquweqAAYdN3rebTOV+k
--> piv-p256 XTQkUA Ams4qG3cUEr5JuhwJVl0I9vNvUBSwmeGlO4y1RjW+HM0
-09tBHurIIUJrwXfJEDnTpZppseJSxF/Rrzp81tLiEaI
--> piv-p256 ZFgiIw Ar7T0wlAqoYOPxtm8lZnWRCctOFQ3MpmPhZpzz4dm+0i
-8vfGeTyhxjU28KeCmOl59IOhxgSEK/invMRBj5y8wvE
--> piv-p256 5vmPtQ Am6sq2Wde4bMWzMTw6+o+yhkM2ZSkpBbbLGVA3RIAylz
-6y8WNKVZiMOuyolKGJjGj+Fc9hqkHw362LtYaGhl274
--> 5nt&Ew>-grease V;8yod
-bApmEO5jhTtDghPr4gisoTKEuhrFOdKxAuNH4iqUufY3dNfojeB/5IjctLLe5VG7
-vWl2CF8Tyw
---- hpy8mTYDQSOQCLhIcQ+5mHcdqRQkvWOIDQHLltWTJD0
-…2¿äUðzT§_ÜË´‹^<5E>
-¾¦}’…XZg°›éV‚Ô§ñ%áé?Mèt]vøœ:Ý;ÆwÚ˜*…XOë÷Ë‚ÔU}þþd¤Ù<C2A4>ºxKîáA¨§%<25>†6