steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

router0-dmz0: disable SAE options

Browse source
This commit is contained in:
steveej 2024-06-12 22:18:52 +02:00
parent 2f60cd571a
commit cd0835f6dc
1 changed files with 16 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

27
nix/os/devices/router0-dmz0/configuration.nix
View file

@ -125,7 +125,7 @@ in {
sops.secrets.passwords-root.neededForUsers = true; sops.secrets.passwords-root.neededForUsers = true;
sops.secrets.wlan0_saePasswordsFile = {}; # sops.secrets.wlan0_saePasswordsFile = {};
sops.secrets.wlan0_wpaPskFile = {}; sops.secrets.wlan0_wpaPskFile = {};
} }
]; ];
@ -614,8 +614,8 @@ in {
"10-lan0-wan" = { "10-lan0-wan" = {
matchConfig.Name = "lan0"; matchConfig.Name = "lan0";
networkConfig = { networkConfig = {
# start a DHCP Client for IPv4 Addressing/Routing # start a DHCP Client for IPv4/6 Addressing/Routing
DHCP = "ipv4"; DHCP = true;
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true; IPv6AcceptRA = true;
DNSOverTLS = true; DNSOverTLS = true;
@ -639,8 +639,8 @@ in {
"10-wan" = { "10-wan" = {
matchConfig.Name = "wan"; matchConfig.Name = "wan";
networkConfig = { networkConfig = {
# start a DHCP Client for IPv4 Addressing/Routing # start a DHCP Client for IPv4/6 Addressing/Routing
DHCP = "ipv4"; DHCP = true;
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true; IPv6AcceptRA = true;
DNSOverTLS = true; DNSOverTLS = true;
@ -914,11 +914,16 @@ in {
ssid = "mlsia"; ssid = "mlsia";
bssid = mkBssid 0; bssid = mkBssid 0;
# authentication.mode = "wpa3-sae"; authentication.mode =
authentication.mode = "wpa3-sae-transition"; "wpa2-sha256"
# "wpa3-sae-transition"
# "wpa3-sae"
;
authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path;
authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path;
# TODO: unfortunately SAE passwords don't work per VLAN like PSKs do
# authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path;
# see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference
settings = { settings = {
@ -988,9 +993,9 @@ in {
# IEEE 802.11i (authentication) related configuration # IEEE 802.11i (authentication) related configuration
# Encrypt management frames to protect against deauthentication and similar attacks # Encrypt management frames to protect against deauthentication and similar attacks
ieee80211w = 1; ieee80211w = 0;
sae_require_mfp = 1; sae_require_mfp = 0;
sae_groups = "19 20 21"; # sae_groups = "19 20 21";
# [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
tls_flags = "[ENABLE-TLSv1.3]"; tls_flags = "[ENABLE-TLSv1.3]";