From cd0835f6dc74b29854c8dbb5c7ad4e3c450fff09 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Wed, 12 Jun 2024 22:18:52 +0200
Subject: [PATCH] router0-dmz0: disable SAE options

---
 nix/os/devices/router0-dmz0/configuration.nix | 27 +++++++++++--------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix
index a006d60..43dd7d3 100644
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@@ -125,7 +125,7 @@ in {
 sops.secrets.passwords-root.neededForUsers = true;
- sops.secrets.wlan0_saePasswordsFile = {};
+ # sops.secrets.wlan0_saePasswordsFile = {};
 sops.secrets.wlan0_wpaPskFile = {};
 } ];
@@ -614,8 +614,8 @@ in {
 "10-lan0-wan" = {
 matchConfig.Name = "lan0";
 networkConfig = {
- # start a DHCP Client for IPv4 Addressing/Routing
- DHCP = "ipv4";
+ # start a DHCP Client for IPv4/6 Addressing/Routing
+ DHCP = true;
 # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
 IPv6AcceptRA = true;
 DNSOverTLS = true;
@@ -639,8 +639,8 @@ in {
 "10-wan" = {
 matchConfig.Name = "wan";
 networkConfig = {
- # start a DHCP Client for IPv4 Addressing/Routing
- DHCP = "ipv4";
+ # start a DHCP Client for IPv4/6 Addressing/Routing
+ DHCP = true;
 # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
 IPv6AcceptRA = true;
 DNSOverTLS = true;
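Review bot: `DHCP = true;` in the "10-lan0-wan" hunk (and identically in the "10-wan" hunk) widens both uplinks from a DHCPv4-only client to DHCPv4 plus DHCPv6, which has nothing to do with the commit subject "disable SAE options" and would be easier to review and to revert on its own commit. With `IPv6AcceptRA = true` already set, systemd-networkd by default starts the DHCPv6 client only when a Router Advertisement requests it via the M/O flags, so if a full IPv6 lease or prefix delegation is the intent, confirm the corresponding `[DHCPv6]`-side options exist outside this hunk. The comment could say which behaviour is expected, e.g. `# DHCPv4 client plus DHCPv6 (started on RA M/O flags) for Addressing/Routing`. Both networkConfig attribute sets continue past the hunk.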
@@ -914,11 +914,16 @@ in {
 ssid = "mlsia";
 bssid = mkBssid 0;
- # authentication.mode = "wpa3-sae";
- authentication.mode = "wpa3-sae-transition";
+ authentication.mode =
+ "wpa2-sha256"
+ # "wpa3-sae-transition"
+ # "wpa3-sae"
+ ;
 authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path;
- authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path;
+
+ # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do
+ # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path;
 # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference
 settings = {
@@ -988,9 +993,9 @@ in {
 # IEEE 802.11i (authentication) related configuration
 # Encrypt management frames to protect against deauthentication and similar attacks
- ieee80211w = 1;
- sae_require_mfp = 1;
- sae_groups = "19 20 21";
+ ieee80211w = 0;
+ sae_require_mfp = 0;
+ # sae_groups = "19 20 21";
 # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
 tls_flags = "[ENABLE-TLSv1.3]";
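Review bot: Spreading `authentication.mode` over five lines, with two commented-out alternatives inside the expression and the terminating `;` on a line of its own, reads as leftover scaffolding rather than configuration; the old values are already preserved by history and by the TODO comment added further down. `authentication.mode = "wpa2-sha256"; # SAE modes disabled, see TODO below` keeps the same value on one line and still points the reader at the reason. The enclosing attribute set starts and ends outside the hunk.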
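Review bot: `ieee80211w = 0;` in the -988 hunk switches management frame protection off entirely, which is not required to drop SAE: PMF is negotiated independently of the key-management mode, and the comment two lines above ("Encrypt management frames to protect against deauthentication and similar attacks") now describes the opposite of what is configured. Keeping the previous `ieee80211w = 1; # PMF optional; independent of SAE, still offered to WPA2 clients that support it` preserves deauthentication protection for capable clients while admitting the rest, and as far as I can tell hostapd's WPA-PSK-SHA256 key management works with 802.11w enabled. Zeroing `sae_require_mfp` and commenting out `sae_groups` are consistent with SAE being disabled. If 0 was chosen deliberately because a specific client fails with PMF offered, that reason belongs in the comment so the downgrade is not reverted by accident. The settings attribute set continues outside the hunk.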