router0-dmz0: disable SAE options

2024-06-12 22:18:52 +02:00 · 2024-06-12 22:18:52 +02:00 · cd0835f6dc
commit cd0835f6dc
parent 2f60cd571a
1 changed files with 16 additions and 11 deletions
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -125,7 +125,7 @@ in {

      sops.secrets.passwords-root.neededForUsers = true;

-      sops.secrets.wlan0_saePasswordsFile = {};
+      # sops.secrets.wlan0_saePasswordsFile = {};
      sops.secrets.wlan0_wpaPskFile = {};
    }
  ];
@ -614,8 +614,8 @@ in {
        "10-lan0-wan" = {
          matchConfig.Name = "lan0";
          networkConfig = {
-            # start a DHCP Client for IPv4 Addressing/Routing
-            DHCP = "ipv4";
+            # start a DHCP Client for IPv4/6 Addressing/Routing
+            DHCP = true;
            # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
            IPv6AcceptRA = true;
            DNSOverTLS = true;
@ -639,8 +639,8 @@ in {
        "10-wan" = {
          matchConfig.Name = "wan";
          networkConfig = {
-            # start a DHCP Client for IPv4 Addressing/Routing
-            DHCP = "ipv4";
+            # start a DHCP Client for IPv4/6 Addressing/Routing
+            DHCP = true;
            # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
            IPv6AcceptRA = true;
            DNSOverTLS = true;
@ -914,11 +914,16 @@ in {
            ssid = "mlsia";
            bssid = mkBssid 0;

-            # authentication.mode = "wpa3-sae";
-            authentication.mode = "wpa3-sae-transition";
+            authentication.mode =
+              "wpa2-sha256"
+              # "wpa3-sae-transition"
+              # "wpa3-sae"
+              ;

            authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path;
-            authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path;
+
+            # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do
+            # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path;

            # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference
            settings = {
@ -988,9 +993,9 @@ in {

              # IEEE 802.11i (authentication) related configuration
              # Encrypt management frames to protect against deauthentication and similar attacks
-              ieee80211w = 1;
-              sae_require_mfp = 1;
-              sae_groups = "19 20 21";
+              ieee80211w = 0;
+              sae_require_mfp = 0;
+              # sae_groups = "19 20 21";

              # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
              tls_flags = "[ENABLE-TLSv1.3]";