WIP: router0-dmz0: snapshot with working VLAN assignment for WPA-PSK

2023-12-25 00:03:23 +01:00 · 2023-12-25 00:03:23 +01:00 · c365970cdf
commit c365970cdf
parent b7e2ec02e3
2 changed files with 57 additions and 38 deletions
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -30,17 +30,29 @@
    name = "internal";
    packet_priority = 0;
  };
+
  vlans = {
-    "1".name = "dmz.${defaultVlan.name}";
-    "1".packet_priority = 0;
-    "2".name = "iot.${defaultVlan.name}";
-    "2".packet_priority = -10;
-    "3".name = "office.${defaultVlan.name}";
-    "3".packet_priority = -5;
-    "4".name = "guests.${defaultVlan.name}";
+    "1".name = "dmz";
+    "1".packet_priority = -5;
+
+    "2".name = "iot";
+    "2".packet_priority = -5;
+
+    "3".name = "office";
+    "3".packet_priority = -10;
+
+    "4".name = "guests";
    "4".packet_priority = 10;
+
+    "5".name = "smarties";
  };
-  getVlanDomain = { vlanid }: vlans."${toString vlanid}".name or defaultVlan.name;
+  getVlanDomain = { vlanid }:
+    if vlanid == 0
+    then
+      defaultVlan.name
+    else
+      vlans."${toString vlanid}".name + "." + defaultVlan.name
+      ;
 in {
  imports = [
    repoFlake.inputs.sops-nix.nixosModules.sops
@ -147,7 +159,10 @@ in {
          vlan.interfaces = builtins.map (vlanid: "br-vlan.${toString vlanid}") vlanRange;
          # lan.ipv4Addresses = ["192.168.0.0/16"];
          wan.interfaces = ["wan" "lan0"];
-        };
+        } //
+          # TODO: generate a zone for each vlan
+          {}
+        ;
        rules = let
          ipv6IcmpTypes = [
              "destination-unreachable" "echo-reply" "echo-request"
@ -373,49 +388,53 @@ in {
            ssid = "mlsia";
            bssid = mkBssid 0;

-            # manually configure something close to wpa3-sae-transition
-            authentication.mode = "none";
-            # authentication.saePasswordsFile = config.sops.secrets.wlan0_saePasswordsFile.path;
+            # authentication.mode = "wpa3-sae";
+            authentication.mode = "wpa3-sae-transition";
+
+            authentication.wpaPskFile = config.sops.secrets.wlan0_wpaPskFile.path;
+            authentication.saePasswordsFile = config.sops.secrets.wlan0_saePasswordsFile.path;

            settings = {
              # bridge = "br-lan";

-              logger_stdout_level= lib.mkForce 1;
-              logger_syslog_level= lib.mkForce 1;
+              # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path;
+              # not yet supported on hostapd 2.10
+              # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path;
+
+              logger_stdout_level= lib.mkForce 0;
+              logger_syslog_level= lib.mkForce 0;

              # resources on vlan tagging
              # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging
              # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4
+
              vlan_tagged_interface = "br-lan";
              vlan_naming = 1;
              vlan_bridge = "br-vlan.";
              dynamic_vlan = 1;
              vlan_file = toString (pkgs.writeText "hostapd.vlan" ''
+                # Optional wildcard entry matching all VLAN IDs. The first # in the interface
+                # name will be replaced with the VLAN ID. The network interfaces are created
+                # (and removed) dynamically based on the use.
+                # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan
                * wlan0.#
              '');

-              wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path;
-              sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path;
+              wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [
+                "WPA-PSK"

-              ieee80211w=1;
-              auth_algs = 3;
-              sae_require_mfp = 0;
-              sae_groups = "19 20 21";
-              wpa = 2;
-              wpa_key_mgmt = "WPA-PSK WPA-PSK-SHA256 SAE";
+                # TODO: the printer can't connect when this is on
+                # "WPA-PSK-SHA256"

-              # worked above here
-              # testing below here
-
-              # ieee80211w = 2;
+                # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them
+                # "SAE"
+              ]);

              # IEEE 802.11i (authentication) related configuration
              # Encrypt management frames to protect against deauthentication and similar attacks
-              # ieee80211w = mkDefault 1;
-              # sae_require_mfp = mkDefault 1;
-
-              # sae_require_mfp = 1;
-              # sae_groups = "19 20 21";
+              ieee80211w = 1;
+              sae_require_mfp = 1;
+              sae_groups = "19 20 21";
            };
          };

@ -565,7 +584,7 @@ in {
          (vlanid:
            mkDhcpRange { tag = mkIfName {inherit vlanid;}; inherit vlanid; }
          )
-          vlanRange
+          vlanRangeWith0
        ;

      # interface = "br-lan";
@ -585,7 +604,7 @@ in {
      # upstream DNS servers
        "9.9.9.9" "8.8.8.8" "1.1.1.1"
      ] ++ builtins.map
-        (vlanid: "/${nodeName}.${getVlanDomain {inherit vlanid;}}/")
+        (vlanid: "/${getVlanDomain {inherit vlanid;}}/")
        vlanRangeWith0
      ;

@ -601,7 +620,7 @@ in {
      ;

      dhcp-option-force = builtins.map
-        (vlanid: "option:domain-search,${getVlanDomain{inherit vlanid;}}")
+        (vlanid: "${mkIfName {inherit vlanid;}},option:domain-search,${getVlanDomain{inherit vlanid;}}")
        vlanRangeWith0
      ;