1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
|
{ config, lib, pkgs, utils, ... }:
# All hope abandon ye who enter here. hostapd's configuration
# format is ... special, and you won't be able to infer any
# of their assumptions from just reading the "documentation"
# (i.e. the example config). Assume footguns at all points -
# to make informed decisions you will probably need to look
# at hostapd's code. You have been warned, proceed with care.
let
inherit
(lib)
attrNames
attrValues
concatLists
concatMap
concatMapStrings
concatStringsSep
count
escapeShellArg
filter
flip
generators
getAttr
hasPrefix
imap0
isInt
isString
length
literalExpression
maintainers
mapAttrsToList
mdDoc
mkDefault
mkEnableOption
mkIf
mkOption
mkPackageOption
mkRemovedOptionModule
optional
optionalAttrs
optionalString
optionals
singleton
stringLength
toLower
types
unique
;
cfg = config.services.hostapd;
extraSettingsFormat = {
type = let
singleAtom = types.oneOf [ types.bool types.int types.str ];
atom = types.either singleAtom (types.listOf singleAtom) // {
description = "atom (bool, int or string) or a list of them for duplicate keys";
};
in types.attrsOf atom;
generate = name: value: pkgs.writeText name (generators.toKeyValue {
listsAsDuplicateKeys = true;
mkKeyValue = generators.mkKeyValueDefault {
mkValueString = v:
if isInt v then toString v
else if isString v then v
else if true == v then "1"
else if false == v then "0"
else throw "unsupported type ${builtins.typeOf v}: ${(generators.toPretty {}) v}";
} "=";
} value);
};
# Generates the header for a single BSS (i.e. WiFi network)
writeBssHeader = radio: bss: bssIdx: pkgs.writeText "hostapd-radio-${radio}-bss-${bss}.conf" ''
''\n''\n# BSS ${toString bssIdx}: ${bss}
################################
${if bssIdx == 0 then "interface" else "bss"}=${bss}
'';
makeRadioRuntimeFiles = radio: radioCfg:
pkgs.writeShellScript "make-hostapd-${radio}-files" (''
set -euo pipefail
hostapd_config_file=/run/hostapd/${escapeShellArg radio}.hostapd.conf
rm -f "$hostapd_config_file"
cat > "$hostapd_config_file" <<EOF
# Radio base configuration: ${radio}
################################
EOF
cat ${escapeShellArg (extraSettingsFormat.generate "hostapd-radio-${radio}-extra.conf" radioCfg.settings)} >> "$hostapd_config_file"
${concatMapStrings (script: "${script} \"$hostapd_config_file\"\n") (attrValues radioCfg.dynamicConfigScripts)}
''
+ concatMapStrings (x: "${x}\n") (imap0 (i: f: f i)
(mapAttrsToList (bss: bssCfg: bssIdx: ''
''\n# BSS configuration: ${bss}
mac_allow_file=/run/hostapd/${escapeShellArg bss}.mac.allow
rm -f "$mac_allow_file"
touch "$mac_allow_file"
mac_deny_file=/run/hostapd/${escapeShellArg bss}.mac.deny
rm -f "$mac_deny_file"
touch "$mac_deny_file"
cat ${writeBssHeader radio bss bssIdx} >> "$hostapd_config_file"
cat ${escapeShellArg (extraSettingsFormat.generate "hostapd-radio-${radio}-bss-${bss}-extra.conf" bssCfg.settings)} >> "$hostapd_config_file"
${concatMapStrings (script: "${script} \"$hostapd_config_file\" \"$mac_allow_file\" \"$mac_deny_file\"\n") (attrValues bssCfg.dynamicConfigScripts)}
'') radioCfg.networks)));
runtimeConfigFiles = mapAttrsToList (radio: _: "/run/hostapd/${radio}.hostapd.conf") cfg.radios;
in {
meta.maintainers = with maintainers; [ oddlama ];
options = {
services.hostapd = {
enable = mkEnableOption (mdDoc ''
Whether to enable hostapd. hostapd is a user space daemon for access point and
authentication servers. It implements IEEE 802.11 access point management,
IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS
authentication server.
'');
package = mkPackageOption pkgs "hostapd" {};
radios = mkOption {
default = {};
example = literalExpression ''
{
# Simple 2.4GHz AP
wlp2s0 = {
# countryCode = "US";
networks.wlp2s0 = {
ssid = "AP 1";
authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible.
};
};
# WiFi 5 (5GHz) with two advertised networks
wlp3s0 = {
band = "5g";
channel = 0; # Enable automatic channel selection (ACS). Use only if your hardware supports it.
# countryCode = "US";
networks.wlp3s0 = {
ssid = "My AP";
authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible.
};
networks.wlp3s0-1 = {
ssid = "Open AP with WiFi5";
authentication.mode = "none";
};
};
# Legacy WPA2 example
wlp4s0 = {
# countryCode = "US";
networks.wlp4s0 = {
ssid = "AP 2";
authentication = {
mode = "wpa2-sha256";
wpaPassword = "a flakey password"; # Use wpaPasswordFile if possible.
};
};
};
}
'';
description = mdDoc ''
This option allows you to define APs for one or multiple physical radios.
At least one radio must be specified.
For each radio, hostapd requires a separate logical interface (like wlp3s0, wlp3s1, ...).
A default interface is usually be created automatically by your system, but to use
multiple radios of a single device, it may be required to create additional logical interfaces
for example by using {option}`networking.wlanInterfaces`.
Each physical radio can only support a single hardware-mode that is configured via
({option}`services.hostapd.radios.<radio>.band`). To create a dual-band
or tri-band AP, you will have to use a device that has multiple physical radios
and supports configuring multiple APs (Refer to valid interface combinations in
{command}`iw list`).
'';
type = types.attrsOf (types.submodule (radioSubmod: {
options = {
driver = mkOption {
default = "nl80211";
example = "none";
type = types.str;
description = mdDoc ''
The driver {command}`hostapd` will use.
{var}`nl80211` is used with all Linux mac80211 drivers.
{var}`none` is used if building a standalone RADIUS server that does
not control any wireless/wired driver.
Most applications will probably use the default.
'';
};
noScan = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Disables scan for overlapping BSSs in HT40+/- mode.
Caution: turning this on will likely violate regulatory requirements!
'';
};
countryCode = mkOption {
default = null;
example = "US";
type = types.nullOr types.str;
description = mdDoc ''
Country code (ISO/IEC 3166-1). Used to set regulatory domain.
Set as needed to indicate country in which device is operating.
This can limit available channels and transmit power.
These two octets are used as the first two octets of the Country String
(dot11CountryString).
Setting this will force you to also enable IEEE 802.11d and IEEE 802.11h.
IEEE 802.11d: This advertises the countryCode and the set of allowed channels
and transmit power levels based on the regulatory limits.
IEEE802.11h: This enables radar detection and DFS (Dynamic Frequency Selection)
support if available. DFS support is required on outdoor 5 GHz channels in most
countries of the world.
'';
};
band = mkOption {
default = "2g";
type = types.enum ["2g" "5g" "6g" "60g"];
description = mdDoc ''
Specifies the frequency band to use, possible values are 2g for 2.4 GHz,
5g for 5 GHz, 6g for 6 GHz and 60g for 60 GHz.
'';
};
channel = mkOption {
default = 7;
example = 11;
type = types.int;
description = mdDoc ''
The channel to operate on. Use 0 to enable ACS (Automatic Channel Selection).
Beware that not every device supports ACS in which case {command}`hostapd`
will fail to start.
'';
};
settings = mkOption {
default = {};
example = { acs_exclude_dfs = true; };
type = types.submodule {
freeformType = extraSettingsFormat.type;
};
description = mdDoc ''
Extra configuration options to put at the end of global initialization, before defining BSSs.
To find out which options are global and which are per-bss you have to read hostapd's source code,
which is non-trivial and not documented otherwise.
Lists will be converted to multiple definitions of the same key, and booleans to 0/1.
Otherwise, the inputs are not modified or checked for correctness.
'';
};
dynamicConfigScripts = mkOption {
default = {};
type = types.attrsOf types.path;
example = literalExpression ''
{
exampleDynamicConfig = pkgs.writeShellScript "dynamic-config" '''
HOSTAPD_CONFIG=$1
cat >> "$HOSTAPD_CONFIG" << EOF
# Add some dynamically generated statements here,
# for example based on the physical adapter in use
EOF
''';
}
'';
description = mdDoc ''
All of these scripts will be executed in lexicographical order before hostapd
is started, right after the global segment was generated and may dynamically
append global options the generated configuration file.
The first argument will point to the configuration file that you may append to.
'';
};
#### IEEE 802.11n (WiFi 4) related configuration
wifi4 = {
enable = mkOption {
default = true;
type = types.bool;
description = mdDoc ''
Enables support for IEEE 802.11n (WiFi 4, HT).
This is enabled by default, since the vase majority of devices
are expected to support this.
'';
};
capabilities = mkOption {
type = types.listOf types.str;
default = ["HT40" "HT40-" "SHORT-GI-20" "SHORT-GI-40"];
example = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
description = mdDoc ''
HT (High Throughput) capabilities given as a list of flags.
Please refer to the hostapd documentation for allowed values and
only set values supported by your physical adapter.
The default contains common values supported by most adapters.
'';
};
require = mkOption {
default = false;
type = types.bool;
description = mdDoc "Require stations (clients) to support WiFi 4 (HT) and disassociate them if they don't.";
};
};
#### IEEE 802.11ac (WiFi 5) related configuration
wifi5 = {
enable = mkOption {
default = true;
type = types.bool;
description = mdDoc "Enables support for IEEE 802.11ac (WiFi 5, VHT)";
};
capabilities = mkOption {
type = types.listOf types.str;
default = [];
example = ["SHORT-GI-80" "TX-STBC-2BY1" "RX-STBC-1" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN"];
description = mdDoc ''
VHT (Very High Throughput) capabilities given as a list of flags.
Please refer to the hostapd documentation for allowed values and
only set values supported by your physical adapter.
'';
};
require = mkOption {
default = false;
type = types.bool;
description = mdDoc "Require stations (clients) to support WiFi 5 (VHT) and disassociate them if they don't.";
};
operatingChannelWidth = mkOption {
default = "20or40";
type = types.enum ["20or40" "80" "160" "80+80"];
apply = x:
getAttr x {
"20or40" = 0;
"80" = 1;
"160" = 2;
"80+80" = 3;
};
description = mdDoc ''
Determines the operating channel width for VHT.
- {var}`"20or40"`: 20 or 40 MHz operating channel width
- {var}`"80"`: 80 MHz channel width
- {var}`"160"`: 160 MHz channel width
- {var}`"80+80"`: 80+80 MHz channel width
'';
};
};
#### IEEE 802.11ax (WiFi 6) related configuration
wifi6 = {
enable = mkOption {
default = false;
type = types.bool;
description = mdDoc "Enables support for IEEE 802.11ax (WiFi 6, HE)";
};
require = mkOption {
default = false;
type = types.bool;
description = mdDoc "Require stations (clients) to support WiFi 6 (HE) and disassociate them if they don't.";
};
singleUserBeamformer = mkOption {
default = false;
type = types.bool;
description = mdDoc "HE single user beamformer support";
};
singleUserBeamformee = mkOption {
default = false;
type = types.bool;
description = mdDoc "HE single user beamformee support";
};
multiUserBeamformer = mkOption {
default = false;
type = types.bool;
description = mdDoc "HE multi user beamformee support";
};
operatingChannelWidth = mkOption {
default = "20or40";
type = types.enum ["20or40" "80" "160" "80+80"];
apply = x:
getAttr x {
"20or40" = 0;
"80" = 1;
"160" = 2;
"80+80" = 3;
};
description = mdDoc ''
Determines the operating channel width for HE.
- {var}`"20or40"`: 20 or 40 MHz operating channel width
- {var}`"80"`: 80 MHz channel width
- {var}`"160"`: 160 MHz channel width
- {var}`"80+80"`: 80+80 MHz channel width
'';
};
};
#### IEEE 802.11be (WiFi 7) related configuration
wifi7 = {
enable = mkOption {
default = false;
type = types.bool;
description = mdDoc ''
Enables support for IEEE 802.11be (WiFi 7, EHT). This is currently experimental
and requires you to manually enable CONFIG_IEEE80211BE when building hostapd.
'';
};
singleUserBeamformer = mkOption {
default = false;
type = types.bool;
description = mdDoc "EHT single user beamformer support";
};
singleUserBeamformee = mkOption {
default = false;
type = types.bool;
description = mdDoc "EHT single user beamformee support";
};
multiUserBeamformer = mkOption {
default = false;
type = types.bool;
description = mdDoc "EHT multi user beamformee support";
};
operatingChannelWidth = mkOption {
default = "20or40";
type = types.enum ["20or40" "80" "160" "80+80"];
apply = x:
getAttr x {
"20or40" = 0;
"80" = 1;
"160" = 2;
"80+80" = 3;
};
description = mdDoc ''
Determines the operating channel width for EHT.
- {var}`"20or40"`: 20 or 40 MHz operating channel width
- {var}`"80"`: 80 MHz channel width
- {var}`"160"`: 160 MHz channel width
- {var}`"80+80"`: 80+80 MHz channel width
'';
};
};
#### BSS definitions
networks = mkOption {
default = {};
example = literalExpression ''
{
wlp2s0 = {
ssid = "Primary advertised network";
authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible.
};
wlp2s0-1 = {
ssid = "Secondary advertised network (Open)";
authentication.mode = "none";
};
}
'';
description = mdDoc ''
This defines a BSS, colloquially known as a WiFi network.
You have to specify at least one.
'';
type = types.attrsOf (types.submodule (bssSubmod: {
options = {
logLevel = mkOption {
default = 2;
type = types.int;
description = mdDoc ''
Levels (minimum value for logged events):
0 = verbose debugging
1 = debugging
2 = informational messages
3 = notification
4 = warning
'';
};
group = mkOption {
default = "wheel";
example = "network";
type = types.str;
description = mdDoc ''
Members of this group can access the control socket for this interface.
'';
};
utf8Ssid = mkOption {
default = true;
type = types.bool;
description = mdDoc "Whether the SSID is to be interpreted using UTF-8 encoding.";
};
ssid = mkOption {
example = "❄️ cool ❄️";
type = types.str;
description = mdDoc "SSID to be used in IEEE 802.11 management frames.";
};
bssid = mkOption {
type = types.nullOr types.str;
default = null;
example = "11:22:33:44:55:66";
description = mdDoc ''
Specifies the BSSID for this BSS. Usually determined automatically,
but for now you have to manually specify them when using multiple BSS.
Try assigning related addresses from the locally administered MAC address ranges,
by reusing the hardware address but replacing the second nibble with 2, 6, A or E.
(e.g. if real address is `XX:XX:XX:XX:XX`, try `X2:XX:XX:XX:XX:XX`, `X6:XX:XX:XX:XX:XX`, ...
for the second, third, ... BSS)
'';
};
macAcl = mkOption {
default = "deny";
type = types.enum ["deny" "allow" "radius"];
apply = x:
getAttr x {
"deny" = 0;
"allow" = 1;
"radius" = 2;
};
description = mdDoc ''
Station MAC address -based authentication. The following modes are available:
- {var}`"deny"`: Allow unless listed in {option}`macDeny` (default)
- {var}`"allow"`: Deny unless listed in {option}`macAllow`
- {var}`"radius"`: Use external radius server, but check both {option}`macAllow` and {option}`macDeny` first
Please note that this kind of access control requires a driver that uses
hostapd to take care of management frame processing and as such, this can be
used with driver=hostap or driver=nl80211, but not with driver=atheros.
'';
};
macAllow = mkOption {
type = types.listOf types.str;
default = [];
example = ["11:22:33:44:55:66"];
description = mdDoc ''
Specifies the MAC addresses to allow if {option}`macAcl` is set to {var}`"allow"` or {var}`"radius"`.
These values will be world-readable in the Nix store. Values will automatically be merged with
{option}`macAllowFile` if necessary.
'';
};
macAllowFile = mkOption {
type = types.nullOr types.path;
default = null;
description = mdDoc ''
Specifies a file containing the MAC addresses to allow if {option}`macAcl` is set to {var}`"allow"` or {var}`"radius"`.
The file should contain exactly one MAC address per line. Comments and empty lines are ignored,
only lines starting with a valid MAC address will be considered (e.g. `11:22:33:44:55:66`) and
any content after the MAC address is ignored.
'';
};
macDeny = mkOption {
type = types.listOf types.str;
default = [];
example = ["11:22:33:44:55:66"];
description = mdDoc ''
Specifies the MAC addresses to deny if {option}`macAcl` is set to {var}`"deny"` or {var}`"radius"`.
These values will be world-readable in the Nix store. Values will automatically be merged with
{option}`macDenyFile` if necessary.
'';
};
macDenyFile = mkOption {
type = types.nullOr types.path;
default = null;
description = mdDoc ''
Specifies a file containing the MAC addresses to deny if {option}`macAcl` is set to {var}`"deny"` or {var}`"radius"`.
The file should contain exactly one MAC address per line. Comments and empty lines are ignored,
only lines starting with a valid MAC address will be considered (e.g. `11:22:33:44:55:66`) and
any content after the MAC address is ignored.
'';
};
ignoreBroadcastSsid = mkOption {
default = "disabled";
type = types.enum ["disabled" "empty" "clear"];
apply = x:
getAttr x {
"disabled" = 0;
"empty" = 1;
"clear" = 2;
};
description = mdDoc ''
Send empty SSID in beacons and ignore probe request frames that do not
specify full SSID, i.e., require stations to know SSID. Note that this does
not increase security, since your clients will then broadcast the SSID instead,
which can increase congestion.
- {var}`"disabled"`: Advertise ssid normally.
- {var}`"empty"`: send empty (length=0) SSID in beacon and ignore probe request for broadcast SSID
- {var}`"clear"`: clear SSID (ASCII 0), but keep the original length (this may be required with some
legacy clients that do not support empty SSID) and ignore probe requests for broadcast SSID. Only
use this if empty does not work with your clients.
'';
};
apIsolate = mkOption {
default = false;
type = types.bool;
description = mdDoc ''
Isolate traffic between stations (clients) and prevent them from
communicating with each other.
'';
};
settings = mkOption {
default = {};
example = { multi_ap = true; };
type = types.submodule {
freeformType = extraSettingsFormat.type;
};
description = mdDoc ''
Extra configuration options to put at the end of this BSS's defintion in the
hostapd.conf for the associated interface. To find out which options are global
and which are per-bss you have to read hostapd's source code, which is non-trivial
and not documented otherwise.
Lists will be converted to multiple definitions of the same key, and booleans to 0/1.
Otherwise, the inputs are not modified or checked for correctness.
'';
};
dynamicConfigScripts = mkOption {
default = {};
type = types.attrsOf types.path;
example = literalExpression ''
{
exampleDynamicConfig = pkgs.writeShellScript "dynamic-config" '''
HOSTAPD_CONFIG=$1
# These always exist, but may or may not be used depending on the actual configuration
MAC_ALLOW_FILE=$2
MAC_DENY_FILE=$3
cat >> "$HOSTAPD_CONFIG" << EOF
# Add some dynamically generated statements here
EOF
''';
}
'';
description = mdDoc ''
All of these scripts will be executed in lexicographical order before hostapd
is started, right after the bss segment was generated and may dynamically
append bss options to the generated configuration file.
The first argument will point to the configuration file that you may append to.
The second and third argument will point to this BSS's MAC allow and MAC deny file respectively.
'';
};
#### IEEE 802.11i (WPA) configuration
authentication = {
mode = mkOption {
default = "wpa3-sae";
type = types.enum ["none" "wpa2-sha256" "wpa3-sae-transition" "wpa3-sae"];
description = mdDoc ''
Selects the authentication mode for this AP.
- {var}`"none"`: Don't configure any authentication. This will disable wpa alltogether
and create an open AP. Use {option}`settings` together with this option if you
want to configure the authentication manually. Any password options will still be
effective, if set.
- {var}`"wpa2-sha256"`: WPA2-Personal using SHA256 (IEEE 802.11i/RSN). Passwords are set
using {option}`wpaPassword` or preferably by {option}`wpaPasswordFile` or {option}`wpaPskFile`.
- {var}`"wpa3-sae-transition"`: Use WPA3-Personal (SAE) if possible, otherwise fallback
to WPA2-SHA256. Only use if necessary and switch to the newer WPA3-SAE when possible.
You will have to specify both {option}`wpaPassword` and {option}`saePasswords` (or one of their alternatives).
- {var}`"wpa3-sae"`: Use WPA3-Personal (SAE). This is currently the recommended way to
setup a secured WiFi AP (as of March 2023) and therefore the default. Passwords are set
using either {option}`saePasswords` or preferably {option}`saePasswordsFile`.
'';
};
pairwiseCiphers = mkOption {
default = ["CCMP"];
example = ["CCMP-256" "GCMP-256"];
type = types.listOf types.str;
description = mdDoc ''
Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets).
By default this allows just CCMP, which is the only commonly supported secure option.
Use {option}`enableRecommendedPairwiseCiphers` to also enable newer recommended ciphers.
Please refer to the hostapd documentation for allowed values. Generally, only
CCMP or GCMP modes should be considered safe options. Most devices support CCMP while
GCMP is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
'';
};
enableRecommendedPairwiseCiphers = mkOption {
default = false;
example = true;
type = types.bool;
description = mdDoc ''
Additionally enable the recommended set of pairwise ciphers.
This enables newer secure ciphers, additionally to those defined in {option}`pairwiseCiphers`.
You will have to test whether your hardware supports these by trial-and-error, because
even if `iw list` indicates hardware support, your driver might not expose it.
Beware {command}`hostapd` will most likely not return a useful error message in case
this is enabled despite the driver or hardware not supporting the newer ciphers.
Look out for messages like `Failed to set beacon parameters`.
'';
};
wpaPassword = mkOption {
default = null;
example = "a flakey password";
type = types.nullOr types.str;
description = mdDoc ''
Sets the password for WPA-PSK that will be converted to the pre-shared key.
The password length must be in the range [8, 63] characters. While some devices
may allow arbitrary characters (such as UTF-8) to be used, but the standard specifies
that each character in the passphrase must be an ASCII character in the range [0x20, 0x7e]
(IEEE Std. 802.11i-2004, Annex H.4.1). Use emojis at your own risk.
Not used when {option}`mode` is {var}`"wpa3-sae"`.
Warning: This password will get put into a world-readable file in the Nix store!
Using {option}`wpaPasswordFile` or {option}`wpaPskFile` instead is recommended.
'';
};
wpaPasswordFile = mkOption {
default = null;
type = types.nullOr types.path;
description = mdDoc ''
Sets the password for WPA-PSK. Follows the same rules as {option}`wpaPassword`,
but reads the password from the given file to prevent the password from being
put into the Nix store.
Not used when {option}`mode` is {var}`"wpa3-sae"`.
'';
};
wpaPskFile = mkOption {
default = null;
type = types.nullOr types.path;
description = mdDoc ''
Sets the password(s) for WPA-PSK. Similar to {option}`wpaPasswordFile`,
but additionally allows specifying multiple passwords, and some other options.
Each line, except for empty lines and lines starting with #, must contain a
MAC address and either a 64-hex-digit PSK or a password separated with a space.
The password must follow the same rules as outlined in {option}`wpaPassword`.
The special MAC address `00:00:00:00:00:00` can be used to configure PSKs
that any client can use.
An optional key identifier can be added by prefixing the line with `keyid=<keyid_string>`
An optional VLAN ID can be specified by prefixing the line with `vlanid=<VLAN ID>`.
An optional WPS tag can be added by prefixing the line with `wps=<0/1>` (default: 0).
Any matching entry with that tag will be used when generating a PSK for a WPS Enrollee
instead of generating a new random per-Enrollee PSK.
Not used when {option}`mode` is {var}`"wpa3-sae"`.
'';
};
saePasswords = mkOption {
default = [];
example = literalExpression ''
[
# Any client may use these passwords
{ password = "Wi-Figure it out"; }
{ password = "second password for everyone"; mac = "ff:ff:ff:ff:ff:ff"; }
# Only the client with MAC-address 11:22:33:44:55:66 can use this password
{ password = "sekret pazzword"; mac = "11:22:33:44:55:66"; }
]
'';
description = mdDoc ''
Sets allowed passwords for WPA3-SAE.
The last matching (based on peer MAC address and identifier) entry is used to
select which password to use. An empty string has the special meaning of
removing all previously added entries.
Warning: These entries will get put into a world-readable file in
the Nix store! Using {option}`saePasswordFile` instead is recommended.
Not used when {option}`mode` is {var}`"wpa2-sha256"`.
'';
type = types.listOf (types.submodule {
options = {
password = mkOption {
example = "a flakey password";
type = types.str;
description = mdDoc ''
The password for this entry. SAE technically imposes no restrictions on
password length or character set. But due to limitations of {command}`hostapd`'s
config file format, a true newline character cannot be parsed.
Warning: This password will get put into a world-readable file in
the Nix store! Using {option}`wpaPasswordFile` or {option}`wpaPskFile` is recommended.
'';
};
mac = mkOption {
default = null;
example = "11:22:33:44:55:66";
type = types.nullOr types.str;
description = mdDoc ''
If this attribute is not included, or if is set to the wildcard address (`ff:ff:ff:ff:ff:ff`),
the entry is available for any station (client) to use. If a specific peer MAC address is included,
only a station with that MAC address is allowed to use the entry.
'';
};
vlanid = mkOption {
default = null;
example = 1;
type = types.nullOr types.int;
description = mdDoc "If this attribute is given, all clients using this entry will get tagged with the given VLAN ID.";
};
pk = mkOption {
default = null;
example = "";
type = types.nullOr types.str;
description = mdDoc ''
If this attribute is given, SAE-PK will be enabled for this connection.
This prevents evil-twin attacks, but a public key is required additionally to connect.
(Essentially adds pubkey authentication such that the client can verify identity of the AP)
'';
};
id = mkOption {
default = null;
example = "";
type = types.nullOr types.str;
description = mdDoc ''
If this attribute is given with non-zero length, it will set the password identifier
for this entry. It can then only be used with that identifier.
'';
};
};
});
};
saePasswordsFile = mkOption {
default = null;
type = types.nullOr types.path;
description = mdDoc ''
Sets the password for WPA3-SAE. Follows the same rules as {option}`saePasswords`,
but reads the entries from the given file to prevent them from being
put into the Nix store.
One entry per line, empty lines and lines beginning with # will be ignored.
Each line must match the following format, although the order of optional
parameters doesn't matter:
`<password>[|mac=<peer mac>][|vlanid=<VLAN ID>][|pk=<m:ECPrivateKey-base64>][|id=<identifier>]`
Not used when {option}`mode` is {var}`"wpa2-sha256"`.
'';
};
saeAddToMacAllow = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
If set, all sae password entries that have a non-wildcard MAC associated to
them will additionally be used to populate the MAC allow list. This is
additional to any entries set via {option}`macAllow` or {option}`macAllowFile`.
'';
};
};
managementFrameProtection = mkOption {
default = "required";
type = types.enum ["disabled" "optional" "required"];
apply = x:
getAttr x {
"disabled" = 0;
"optional" = 1;
"required" = 2;
};
description = mdDoc ''
Management frame protection (MFP) authenticates management frames
to prevent deauthentication (or related) attacks.
- {var}`"disabled"`: No management frame protection
- {var}`"optional"`: Use MFP if a connection allows it
- {var}`"required"`: Force MFP for all clients
'';
};
};
config = let
bssCfg = bssSubmod.config;
pairwiseCiphers =
concatStringsSep " " (unique (bssCfg.authentication.pairwiseCiphers
++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "CCMP-256" "GCMP" "GCMP-256"]));
in {
settings = {
ssid = bssCfg.ssid;
utf8_ssid = bssCfg.ssid;
logger_syslog = mkDefault (-1);
logger_syslog_level = bssCfg.logLevel;
logger_stdout = mkDefault (-1);
logger_stdout_level = bssCfg.logLevel;
ctrl_interface = mkDefault "/run/hostapd";
ctrl_interface_group = bssCfg.group;
macaddr_acl = bssCfg.macAcl;
ignore_broadcast_ssid = bssCfg.ignoreBroadcastSsid;
# IEEE 802.11i (authentication) related configuration
# Encrypt management frames to protect against deauthentication and similar attacks
ieee80211w = bssCfg.managementFrameProtection;
# Only allow WPA by default and disable insecure WEP
auth_algs = mkDefault 1;
# Always enable QoS, which is required for 802.11n and above
wmm_enabled = mkDefault true;
ap_isolate = bssCfg.apIsolate;
sae_password = flip map bssCfg.authentication.saePasswords (
entry:
entry.password
+ optionalString (entry.mac != null) "|mac=${entry.mac}"
+ optionalString (entry.vlanid != null) "|vlanid=${toString entry.vlanid}"
+ optionalString (entry.pk != null) "|pk=${entry.pk}"
+ optionalString (entry.id != null) "|id=${entry.id}"
);
} // optionalAttrs (bssCfg.bssid != null) {
bssid = bssCfg.bssid;
} // optionalAttrs (bssCfg.macAllow != [] || bssCfg.macAllowFile != null || bssCfg.authentication.saeAddToMacAllow) {
accept_mac_file = "/run/hostapd/${bssCfg._module.args.name}.mac.allow";
} // optionalAttrs (bssCfg.macDeny != [] || bssCfg.macDenyFile != null) {
deny_mac_file = "/run/hostapd/${bssCfg._module.args.name}.mac.deny";
} // optionalAttrs (bssCfg.authentication.mode == "none") {
wpa = mkDefault 0;
} // optionalAttrs (bssCfg.authentication.mode == "wpa3-sae") {
wpa = 2;
wpa_key_mgmt = "SAE";
# Derive PWE using both hunting-and-pecking loop and hash-to-element
sae_pwe = 2;
# Prevent downgrade attacks by indicating to clients that they should
# disable any transition modes from now on.
transition_disable = "0x01";
} // optionalAttrs (bssCfg.authentication.mode == "wpa3-sae-transition") {
wpa = 2;
wpa_key_mgmt = "WPA-PSK-SHA256 SAE";
} // optionalAttrs (bssCfg.authentication.mode == "wpa2-sha256") {
wpa = 2;
wpa_key_mgmt = "WPA-PSK-SHA256";
} // optionalAttrs (bssCfg.authentication.mode != "none") {
wpa_pairwise = pairwiseCiphers;
rsn_pairwise = pairwiseCiphers;
} // optionalAttrs (bssCfg.authentication.wpaPassword != null) {
wpa_passphrase = bssCfg.authentication.wpaPassword;
} // optionalAttrs (bssCfg.authentication.wpaPskFile != null) {
wpa_psk_file = toString bssCfg.authentication.wpaPskFile;
};
dynamicConfigScripts = let
# All MAC addresses from SAE entries that aren't the wildcard address
saeMacs = filter (mac: mac != null && (toLower mac) != "ff:ff:ff:ff:ff:ff") (map (x: x.mac) bssCfg.authentication.saePasswords);
in {
"20-addMacAllow" = mkIf (bssCfg.macAllow != []) (pkgs.writeShellScript "add-mac-allow" ''
MAC_ALLOW_FILE=$2
cat >> "$MAC_ALLOW_FILE" <<EOF
${concatStringsSep "\n" bssCfg.macAllow}
EOF
'');
"20-addMacAllowFile" = mkIf (bssCfg.macAllowFile != null) (pkgs.writeShellScript "add-mac-allow-file" ''
MAC_ALLOW_FILE=$2
grep -Eo '^([0-9A-Fa-f]{2}[:]){5}([0-9A-Fa-f]{2})' ${escapeShellArg bssCfg.macAllowFile} >> "$MAC_ALLOW_FILE"
'');
"20-addMacAllowFromSae" = mkIf (bssCfg.authentication.saeAddToMacAllow && saeMacs != []) (pkgs.writeShellScript "add-mac-allow-from-sae" ''
MAC_ALLOW_FILE=$2
cat >> "$MAC_ALLOW_FILE" <<EOF
${concatStringsSep "\n" saeMacs}
EOF
'');
# Populate mac allow list from saePasswordsFile
# (filter for lines with mac=; exclude commented lines; filter for real mac-addresses; strip mac=)
"20-addMacAllowFromSaeFile" = mkIf (bssCfg.authentication.saeAddToMacAllow && bssCfg.authentication.saePasswordsFile != null) (pkgs.writeShellScript "add-mac-allow-from-sae-file" ''
MAC_ALLOW_FILE=$2
grep mac= ${escapeShellArg bssCfg.authentication.saePasswordsFile} \
| grep -v '\s*#' \
| grep -Eo 'mac=([0-9A-Fa-f]{2}[:]){5}([0-9A-Fa-f]{2})' \
| sed 's|^mac=||' >> "$MAC_ALLOW_FILE"
'');
"20-addMacDeny" = mkIf (bssCfg.macDeny != []) (pkgs.writeShellScript "add-mac-deny" ''
MAC_DENY_FILE=$3
cat >> "$MAC_DENY_FILE" <<EOF
${concatStringsSep "\n" bssCfg.macDeny}
EOF
'');
"20-addMacDenyFile" = mkIf (bssCfg.macDenyFile != null) (pkgs.writeShellScript "add-mac-deny-file" ''
MAC_DENY_FILE=$3
grep -Eo '^([0-9A-Fa-f]{2}[:]){5}([0-9A-Fa-f]{2})' ${escapeShellArg bssCfg.macDenyFile} >> "$MAC_DENY_FILE"
'');
# Add wpa_passphrase from file
"20-wpaPasswordFile" = mkIf (bssCfg.authentication.wpaPasswordFile != null) (pkgs.writeShellScript "wpa-password-file" ''
HOSTAPD_CONFIG_FILE=$1
cat >> "$HOSTAPD_CONFIG_FILE" <<EOF
wpa_passphrase=$(cat ${escapeShellArg bssCfg.authentication.wpaPasswordFile})
EOF
'');
# Add sae passwords from file
"20-saePasswordsFile" = mkIf (bssCfg.authentication.saePasswordsFile != null) (pkgs.writeShellScript "sae-passwords-file" ''
HOSTAPD_CONFIG_FILE=$1
grep -v '\s*#' ${escapeShellArg bssCfg.authentication.saePasswordsFile} \
| sed 's/^/sae_password=/' >> "$HOSTAPD_CONFIG_FILE"
'');
};
};
}));
};
};
config.settings = let
radioCfg = radioSubmod.config;
in {
driver = radioCfg.driver;
hw_mode = {
"2g" = "g";
"5g" = "a";
"6g" = "a";
"60g" = "ad";
}.${radioCfg.band};
channel = radioCfg.channel;
noscan = radioCfg.noScan;
} // optionalAttrs (radioCfg.countryCode != null) {
country_code = radioCfg.countryCode;
# IEEE 802.11d: Limit to frequencies allowed in country
ieee80211d = true;
# IEEE 802.11h: Enable radar detection and DFS (Dynamic Frequency Selection)
ieee80211h = true;
} // optionalAttrs radioCfg.wifi4.enable {
# IEEE 802.11n (WiFi 4) related configuration
ieee80211n = true;
require_ht = radioCfg.wifi4.require;
ht_capab = concatMapStrings (x: "[${x}]") radioCfg.wifi4.capabilities;
} // optionalAttrs radioCfg.wifi5.enable {
# IEEE 802.11ac (WiFi 5) related configuration
ieee80211ac = true;
require_vht = radioCfg.wifi5.require;
vht_oper_chwidth = radioCfg.wifi5.operatingChannelWidth;
vht_capab = concatMapStrings (x: "[${x}]") radioCfg.wifi5.capabilities;
} // optionalAttrs radioCfg.wifi6.enable {
# IEEE 802.11ax (WiFi 6) related configuration
ieee80211ax = true;
require_he = mkIf radioCfg.wifi6.require true;
he_oper_chwidth = radioCfg.wifi6.operatingChannelWidth;
he_su_beamformer = radioCfg.wifi6.singleUserBeamformer;
he_su_beamformee = radioCfg.wifi6.singleUserBeamformee;
he_mu_beamformer = radioCfg.wifi6.multiUserBeamformer;
} // optionalAttrs radioCfg.wifi7.enable {
# IEEE 802.11be (WiFi 7) related configuration
ieee80211be = true;
eht_oper_chwidth = radioCfg.wifi7.operatingChannelWidth;
eht_su_beamformer = radioCfg.wifi7.singleUserBeamformer;
eht_su_beamformee = radioCfg.wifi7.singleUserBeamformee;
eht_mu_beamformer = radioCfg.wifi7.multiUserBeamformer;
};
}));
};
};
};
imports = let
renamedOptionMessage = message: ''
${message}
Refer to the documentation of `services.hostapd.radios` for an example and more information.
'';
in [
(mkRemovedOptionModule ["services" "hostapd" "interface"]
(renamedOptionMessage "All other options for this interface are now set via `services.hostapd.radios.«interface».*`."))
(mkRemovedOptionModule ["services" "hostapd" "driver"]
(renamedOptionMessage "It has been replaced by `services.hostapd.radios.«interface».driver`."))
(mkRemovedOptionModule ["services" "hostapd" "noScan"]
(renamedOptionMessage "It has been replaced by `services.hostapd.radios.«interface».noScan`."))
(mkRemovedOptionModule ["services" "hostapd" "countryCode"]
(renamedOptionMessage "It has been replaced by `services.hostapd.radios.«interface».countryCode`."))
(mkRemovedOptionModule ["services" "hostapd" "hwMode"]
(renamedOptionMessage "It has been replaced by `services.hostapd.radios.«interface».band`."))
(mkRemovedOptionModule ["services" "hostapd" "channel"]
(renamedOptionMessage "It has been replaced by `services.hostapd.radios.«interface».channel`."))
(mkRemovedOptionModule ["services" "hostapd" "extraConfig"]
(renamedOptionMessage ''
It has been replaced by `services.hostapd.radios.«interface».settings` and
`services.hostapd.radios.«interface».networks.«network».settings` respectively
for per-radio and per-network extra configuration. The module now supports a lot more
options inherently, so please re-check whether using settings is still necessary.''))
(mkRemovedOptionModule ["services" "hostapd" "logLevel"]
(renamedOptionMessage "It has been replaced by `services.hostapd.radios.«interface».networks.«network».logLevel`."))
(mkRemovedOptionModule ["services" "hostapd" "group"]
(renamedOptionMessage "It has been replaced by `services.hostapd.radios.«interface».networks.«network».group`."))
(mkRemovedOptionModule ["services" "hostapd" "ssid"]
(renamedOptionMessage "It has been replaced by `services.hostapd.radios.«interface».networks.«network».ssid`."))
(mkRemovedOptionModule ["services" "hostapd" "wpa"]
(renamedOptionMessage "It has been replaced by `services.hostapd.radios.«interface».networks.«network».authentication.mode`."))
(mkRemovedOptionModule ["services" "hostapd" "wpaPassphrase"]
(renamedOptionMessage ''
It has been replaced by `services.hostapd.radios.«interface».networks.«network».authentication.wpaPassword`.
While upgrading your config, please consider using the newer SAE authentication scheme
and one of the new `passwordFile`-like options to avoid putting the password into the world readable nix-store.''))
];
config = mkIf cfg.enable {
assertions =
[
{
assertion = cfg.radios != {};
message = "At least one radio must be configured with hostapd!";
}
]
# Radio warnings
++ (concatLists (mapAttrsToList (
radio: radioCfg:
[
{
assertion = radioCfg.networks != {};
message = "hostapd radio ${radio}: At least one network must be configured!";
}
# XXX: There could be many more useful assertions about (band == xy) -> ensure other required settings.
# see https://github.com/openwrt/openwrt/blob/539cb5389d9514c99ec1f87bd4465f77c7ed9b93/package/kernel/mac80211/files/lib/netifd/wireless/mac80211.sh#L158
{
assertion = length (filter (bss: bss == radio) (attrNames radioCfg.networks)) == 1;
message = ''hostapd radio ${radio}: Exactly one network must be named like the radio, for reasons internal to hostapd.'';
}
{
assertion = (radioCfg.wifi4.enable && builtins.elem "HT40-" radioCfg.wifi4.capabilities) -> radioCfg.channel != 0;
message = ''hostapd radio ${radio}: using ACS (channel = 0) together with HT40- (wifi4.capabilities) is unsupported by hostapd'';
}
]
# BSS warnings
++ (concatLists (mapAttrsToList (bss: bssCfg: let
auth = bssCfg.authentication;
countWpaPasswordDefinitions = count (x: x != null) [
auth.wpaPassword
auth.wpaPasswordFile
auth.wpaPskFile
];
in [
{
assertion = hasPrefix radio bss;
message = "hostapd radio ${radio} bss ${bss}: The bss (network) name ${bss} is invalid. It must be prefixed by the radio name for reasons internal to hostapd. A valid name would be e.g. ${radio}, ${radio}-1, ...";
}
{
assertion = (length (attrNames radioCfg.networks) > 1) -> (bssCfg.bssid != null);
message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.'';
}
{
assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2;
message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"'';
}
{
assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0;
message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"'';
}
{
assertion = countWpaPasswordDefinitions <= 1;
message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)'';
}
{
assertion = auth.wpaPassword != null -> (stringLength auth.wpaPassword >= 8 && stringLength auth.wpaPassword <= 63);
message = ''hostapd radio ${radio} bss ${bss}: uses a wpaPassword of invalid length (must be in [8,63]).'';
}
{
assertion = auth.saePasswords == [] || auth.saePasswordsFile == null;
message = ''hostapd radio ${radio} bss ${bss}: must use only one SAE password option (saePasswords or saePasswordsFile)'';
}
{
assertion = auth.mode == "wpa3-sae" -> (auth.saePasswords != [] || auth.saePasswordsFile != null);
message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires defining a sae password option'';
}
{
assertion = auth.mode == "wpa3-sae-transition" -> (auth.saePasswords != [] || auth.saePasswordsFile != null) && countWpaPasswordDefinitions == 1;
message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode requires defining both a wpa password option and a sae password option'';
}
{
assertion = auth.mode == "wpa2-sha256" -> countWpaPasswordDefinitions == 1;
message = ''hostapd radio ${radio} bss ${bss}: uses WPA2-SHA256 which requires defining a wpa password option'';
}
])
radioCfg.networks))
)
cfg.radios));
environment.systemPackages = [cfg.package];
services.udev.packages = with pkgs; [crda];
systemd.services.hostapd = {
description = "IEEE 802.11 Host Access-Point Daemon";
path = [cfg.package];
after = map (radio: "sys-subsystem-net-devices-${utils.escapeSystemdPath radio}.device") (attrNames cfg.radios);
bindsTo = map (radio: "sys-subsystem-net-devices-${utils.escapeSystemdPath radio}.device") (attrNames cfg.radios);
wantedBy = ["multi-user.target"];
# Create merged configuration and acl files for each radio (and their bss's) prior to starting
preStart = concatStringsSep "\n" (mapAttrsToList makeRadioRuntimeFiles cfg.radios);
serviceConfig = {
ExecStart = "${cfg.package}/bin/hostapd ${concatStringsSep " " runtimeConfigFiles}";
Restart = "always";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
RuntimeDirectory = "hostapd";
# Hardening
LockPersonality = true;
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
DeviceAllow = "/dev/rfkill rw";
NoNewPrivileges = true;
PrivateUsers = false; # hostapd requires true root access.
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
"AF_PACKET"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown"
];
UMask = "0077";
};
};
};
}
|