From f961ee9b177b448a2c501df7c1318ffc6a70b95d Mon Sep 17 00:00:00 2001
From: Patrick
Date: Fri, 10 Jan 2025 16:36:41 +0100
Subject: [PATCH] fix: hostapd broke again
---
 hosts/nucnix/hostapd.nix | 29 ++++++++++++++++++++---------
 patches/PR/365727.diff | 4 ++--
 2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/hosts/nucnix/hostapd.nix b/hosts/nucnix/hostapd.nix
index 1053248..942291d 100644
--- a/hosts/nucnix/hostapd.nix
+++ b/hosts/nucnix/hostapd.nix
@@ -2,6 +2,7 @@
 globals,
 config,
 pkgs,
+ lib,
 ...
 }:
 {
@@ -17,15 +18,21 @@
 guestWlan = {
 generator.script = "alnum";
 };
+ iotWlan = {
+ generator.script = "alnum";
+ };
 };
+ systemd.services.hostapd.stopIfChanged = false;
+ systemd.services.hostapd.restartIfChanged = false;
+ systemd.services.hostapd.reloadTriggers = lib.mkForce [ ];
- networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
- networking.nftables.firewall.zones.home.interfaces = [ "br-home" ];
- networking.nftables.firewall.rules.wifi-forward = {
- from = [ "wlan" ];
- to = [ "home" ];
- verdict = "accept";
- };
+ # networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
+ # networking.nftables.firewall.zones.home.interfaces = [ "br-home" ];
+ # networking.nftables.firewall.rules.wifi-forward = {
+ # from = [ "wlan" ];
+ # to = [ "home" ];
+ # verdict = "accept";
+ # };
 services.hostapd = {
 enable = true;
 radios.wlan01 = {
@@ -57,10 +64,10 @@
 apIsolate = true;
 # not supporte by laptop :(
 # settings.ieee80211w = 0;
- settings.bridge = "br-home";
 settings.vlan_file = "${pkgs.writeText "hostaps.vlans" ''
 10 wifi-home br-home
- 50 wifi-guest br-guest
+ 40 wifi-iot br-iot
+ 50 wifi-guests br-guests
 ''}";
 authentication = {
 saePasswords = [
@@ -68,6 +75,10 @@
 passwordFile = config.age.secrets.homeWlan.path;
 vlanid = 10;
 }
+ {
+ passwordFile = config.age.secrets.iotWlan.path;
+ vlanid = 40;
+ }
 {
 passwordFile = config.age.secrets.guestWlan.path;
 vlanid = 50;
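Review bot: The three added `systemd.services.hostapd` lines (`stopIfChanged = false`, `restartIfChanged = false`, `reloadTriggers = lib.mkForce [ ]`) carry no comment, and together they appear to mean that a rebuild no longer applies a changed hostapd configuration to the running access point. That matters for this commit's own additions and for any later password rotation: a replaced SAE password or VLAN mapping would presumably stay inactive until someone restarts the unit by hand. I would add a line such as `# hostapd is never restarted on switch; run systemctl restart hostapd after changing passwords or VLANs`. The commented-out `networking.nftables.firewall` block in the same hunk would be better deleted, or given a one-line note saying where forwarding between the Wi-Fi clients and `br-home` is now decided.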
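Review bot: The `settings.vlan_file` text now maps VLAN 40 to `br-iot` and renames the guest bridge to `br-guests`, but nothing in this diff creates those bridges or attaches a firewall zone to them, so the separation between home, IoT and guest clients rests on configuration that is not visible here. Since the default `settings.bridge = "br-home"` is removed and the `wifi-forward` rule is commented out earlier in the file, it is worth confirming that every remaining reference to the old `br-guest` name was updated and that the IoT and guest bridges are not forwarded to `br-home` by default. A short comment above `settings.vlan_file` naming the module that defines the bridges and their zones would make that checkable. The attribute set this setting belongs to starts and ends outside the hunk.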
diff --git a/patches/PR/365727.diff b/patches/PR/365727.diff
index 880f849..727c1f2 100644
--- a/patches/PR/365727.diff
+++ b/patches/PR/365727.diff
@@ -1,5 +1,5 @@
 diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix
-index 8635dea738ce2..12821fc9f07c1 100644
+index 8635dea738ce2..28dd6db874bc4 100644
 --- a/nixos/modules/services/networking/hostapd.nix
 +++ b/nixos/modules/services/networking/hostapd.nix
 @@ -1,4 +1,10 @@
@@ -2000,7 +2000,7 @@ index 8635dea738ce2..12821fc9f07c1 100644
 + (
 + echo -n 'sae_password='
 + ${optionalString (entry.passwordFile != null) ''tr -d '\n' < ${entry.passwordFile}''}
-+ cat <<< '${escapeShellArg lineSuffix}'
++ echo ${escapeShellArg lineSuffix}
 + ) >> "$HOSTAPD_CONFIG_FILE"
 + ''
 + ) bssCfg.authentication.saePasswords
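Review bot: `echo ${escapeShellArg lineSuffix}` quotes the argument correctly, but `echo` still treats a leading option-like word such as `-n` or `-e` as a flag, so the text written after `sae_password=` depends on what the suffix starts with; `printf '%s\n' ${escapeShellArg lineSuffix}` writes it verbatim. On the unchanged line above, `< ${entry.passwordFile}` is interpolated unquoted, which would misparse a secret path containing spaces or shell metacharacters; `${escapeShellArg entry.passwordFile}` would match how the suffix is treated. This file appears to be a locally edited copy of an upstream PR diff (the `index` line changes as well), so a sentence in the commit message on how it now differs from the PR would help when the patch is next refreshed. The surrounding shell snippet starts and ends outside the hunk.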