feat(router0-dmz0): tune wifi for compatibility with x13s windows

nix/os/devices/router0-dmz0/configuration.nix

@@ -1,3 +1,4 @@
+# TODO: don't pull in bluez (or any bluetooth components)
 {
   repoFlake,
   pkgs,
@@ -904,13 +905,53 @@ in {
       wlan0 = {
         band = "2g";
         countryCode = "CH";
-        channel = 0; # ACS
+        channel = 0; # 0 would mean Automatic Channel Selection
+
+        settings = {
+          # TODO: with 1 the x13s on windows can't connect, however this slows the AP down.
+          # ieee80211n = 1;
+
+          # Exclude DFS channels from ACS
+          # This option can be used to exclude all DFS channels from the ACS channel list
+          # in cases where the driver supports DFS channels.
+          acs_exclude_dfs = 0;
+
+          # Disassociate stations based on excessive transmission failures or other
+          # indications of connection loss. This depends on the driver capabilities and
+          # may not be available with all drivers.
+          disassoc_low_ack = 0;
+        };
 
         # use 'iw phy#1 info' to determine your VHT capabilities
         wifi4 = {
           enable = true;
-          capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"];
+          require = false;
+          capabilities = [
+            "HT20"
+            "HT40+"
+            "LDPC"
+            "SHORT-GI-20"
+            "SHORT-GI-40"
+            "TX-STBC"
+            "RX-STBC1"
+            "MAX-AMSDU-7935"
+
+            # "DELAYED-BA"
+            # "DSSS_CCK-40"
+            "40-INTOLERANT"
+          ];
         };
+
+        wifi5 = {
+          enable = false;
+          require = false;
+        };
+
+        wifi6 = {
+          enable = false;
+          require = false;
+        };
+
         networks = {
           wlan0 = let
             iface = "wlan0";
@@ -918,6 +959,9 @@ in {
             ssid = "mlsia";
             bssid = mkBssid 0;
 
+            # enables debug logging
+            logLevel = 0;
+
             authentication.mode =
               "wpa2-sha256"
               # "wpa3-sae-transition"
@@ -931,23 +975,20 @@ in {
 
             # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference
             settings = {
+              # disable syslog because it duplicates stdout
+              logger_syslog = lib.mkForce 0;
+
               # bridge = bridgeInterfaceName;
 
               # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path;
               # not yet supported on hostapd 2.10
               # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path;
 
-              # enables debug logging
-              logger_stdout_level = lib.mkForce 0;
-              logger_stdout = -1;
-              # logger_syslog_level= lib.mkForce 0;
-
               # resources on vlan tagging
               # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging
               # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4
 
               dynamic_vlan = 1;
-
               # this option currently requires a patch to hostapd
               vlan_no_bridge = 1;
 
@@ -997,15 +1038,15 @@ in {
 
               # IEEE 802.11i (authentication) related configuration
               # Encrypt management frames to protect against deauthentication and similar attacks
-              ieee80211w = 0;
+              ieee80211w = 1;
-              sae_require_mfp = 0;
+              # sae_require_mfp = 1;
               # sae_groups = "19 20 21";
 
               # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
               tls_flags = "[ENABLE-TLSv1.3]";
 
-              ieee8021x = 0;
+              ieee8021x = 1;
-              eap_server = 0;
+              eap_server = 1;
             };
           };
 
@@ -1276,7 +1317,7 @@ in {
 
   environment.systemPackages = [
     pkgs.ethtool
-    pkgs.neovim
+    pkgs.vim
 
     pkgs.wireguard-tools
     pkgs.tshark