nixos/hostapd: rewrite to support multi-AP, password from file, and more
At this point this is basically a full rewrite of this module, which is a breaking change and was necessary to properly expose the useful parts of hostapd's config. The notable changes are: - `hostapd` is now started with additional systemd sandbox/hardening options - A single-daemon can now manage multiple distinct radios and BSSs, which is why all configuration had to be moved into `hostapd.radios` - By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are supported, too - Added passwordFile-like options for wpa and sae - Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration - Implements RFC42 as far as reasonable for hostapd - Removes `with lib;`
This commit is contained in:
parent
4bec3f2043
commit
1fa9f03eec
@ -4,6 +4,8 @@
|
|||||||
|
|
||||||
- FoundationDB now defaults to major version 7.
|
- FoundationDB now defaults to major version 7.
|
||||||
|
|
||||||
|
- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package, along with a significant rework of the hostapd module.
|
||||||
|
|
||||||
## New Services {#sec-release-23.11-new-services}
|
## New Services {#sec-release-23.11-new-services}
|
||||||
|
|
||||||
- Create the first release note entry in this section!
|
- Create the first release note entry in this section!
|
||||||
@ -22,8 +24,6 @@
|
|||||||
|
|
||||||
- [Apache Guacamole](https://guacamole.apache.org/), a cross-platform, clientless remote desktop gateway. Available as [services.guacamole-server](#opt-services.guacamole-server.enable) and [services.guacamole-client](#opt-services.guacamole-client.enable) services.
|
- [Apache Guacamole](https://guacamole.apache.org/), a cross-platform, clientless remote desktop gateway. Available as [services.guacamole-server](#opt-services.guacamole-server.enable) and [services.guacamole-client](#opt-services.guacamole-client.enable) services.
|
||||||
|
|
||||||
- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package.
|
|
||||||
|
|
||||||
## Backward Incompatibilities {#sec-release-23.11-incompatibilities}
|
## Backward Incompatibilities {#sec-release-23.11-incompatibilities}
|
||||||
|
|
||||||
- `python3.pkgs.sequoia` was removed in favor of `python3.pkgs.pysequoia`. The latter package is based on upstream's dedicated repository for sequoia's Python bindings, where the Python bindings from [gitlab:sequoia-pgp/sequoia](https://gitlab.com/sequoia-pgp/sequoia) were removed long ago.
|
- `python3.pkgs.sequoia` was removed in favor of `python3.pkgs.pysequoia`. The latter package is based on upstream's dedicated repository for sequoia's Python bindings, where the Python bindings from [gitlab:sequoia-pgp/sequoia](https://gitlab.com/sequoia-pgp/sequoia) were removed long ago.
|
||||||
@ -32,6 +32,12 @@
|
|||||||
|
|
||||||
- The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`.
|
- The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`.
|
||||||
|
|
||||||
|
- The `services.hostapd` module was rewritten to support `passwordFile` like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.
|
||||||
|
- `hostapd` is now started with additional systemd sandbox/hardening options for better security.
|
||||||
|
- `services.hostapd.interface` was replaced with a per-radio and per-bss configuration scheme using [services.hostapd.radios](#opt-services.hostapd.radios).
|
||||||
|
- `services.hostapd.wpa` has been replaced by [services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword](#opt-services.hostapd.radios._name_.networks._name_.authentication.wpaPassword) and [services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords](#opt-services.hostapd.radios._name_.networks._name_.authentication.saePasswords) which configure WPA2-PSK and WP3-SAE respectively.
|
||||||
|
- The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.
|
||||||
|
|
||||||
- `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`.
|
- `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`.
|
||||||
|
|
||||||
- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.
|
- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -2,63 +2,159 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
|
|||||||
{
|
{
|
||||||
name = "wpa_supplicant";
|
name = "wpa_supplicant";
|
||||||
meta = with lib.maintainers; {
|
meta = with lib.maintainers; {
|
||||||
maintainers = [ rnhmjoj ];
|
maintainers = [ oddlama rnhmjoj ];
|
||||||
};
|
};
|
||||||
|
|
||||||
nodes.machine = { ... }: {
|
nodes = let
|
||||||
imports = [ ../modules/profiles/minimal.nix ];
|
machineWithHostapd = extraConfigModule: { ... }: {
|
||||||
|
imports = [
|
||||||
|
../modules/profiles/minimal.nix
|
||||||
|
extraConfigModule
|
||||||
|
];
|
||||||
|
|
||||||
# add a virtual wlan interface
|
# add a virtual wlan interface
|
||||||
boot.kernelModules = [ "mac80211_hwsim" ];
|
boot.kernelModules = [ "mac80211_hwsim" ];
|
||||||
|
|
||||||
# wireless access point
|
# wireless access point
|
||||||
services.hostapd = {
|
services.hostapd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
wpa = true;
|
radios.wlan0 = {
|
||||||
interface = "wlan0";
|
band = "2g";
|
||||||
ssid = "nixos-test";
|
countryCode = "US";
|
||||||
wpaPassphrase = "reproducibility";
|
networks = {
|
||||||
};
|
wlan0 = {
|
||||||
|
ssid = "nixos-test-sae";
|
||||||
# wireless client
|
authentication = {
|
||||||
networking.wireless = {
|
mode = "wpa3-sae";
|
||||||
# the override is needed because the wifi is
|
saePasswords = [ { password = "reproducibility"; } ];
|
||||||
# disabled with mkVMOverride in qemu-vm.nix.
|
};
|
||||||
enable = lib.mkOverride 0 true;
|
bssid = "02:00:00:00:00:00";
|
||||||
userControlled.enable = true;
|
};
|
||||||
interfaces = [ "wlan1" ];
|
wlan0-1 = {
|
||||||
fallbackToWPA2 = true;
|
ssid = "nixos-test-mixed";
|
||||||
|
authentication = {
|
||||||
networks = {
|
mode = "wpa3-sae-transition";
|
||||||
# test WPA2 fallback
|
saePasswordsFile = pkgs.writeText "password" "reproducibility";
|
||||||
mixed-wpa = {
|
wpaPasswordFile = pkgs.writeText "password" "reproducibility";
|
||||||
psk = "password";
|
};
|
||||||
authProtocols = [ "WPA-PSK" "SAE" ];
|
bssid = "02:00:00:00:00:01";
|
||||||
|
};
|
||||||
|
wlan0-2 = {
|
||||||
|
ssid = "nixos-test-wpa2";
|
||||||
|
authentication = {
|
||||||
|
mode = "wpa2-sha256";
|
||||||
|
wpaPassword = "reproducibility";
|
||||||
|
};
|
||||||
|
bssid = "02:00:00:00:00:02";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
sae-only = {
|
|
||||||
psk = "password";
|
|
||||||
authProtocols = [ "SAE" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# test network
|
|
||||||
nixos-test.psk = "@PSK_NIXOS_TEST@";
|
|
||||||
|
|
||||||
# secrets substitution test cases
|
|
||||||
test1.psk = "@PSK_VALID@"; # should be replaced
|
|
||||||
test2.psk = "@PSK_SPECIAL@"; # should be replaced
|
|
||||||
test3.psk = "@PSK_MISSING@"; # should not be replaced
|
|
||||||
test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# secrets
|
# wireless client
|
||||||
environmentFile = pkgs.writeText "wpa-secrets" ''
|
networking.wireless = {
|
||||||
PSK_NIXOS_TEST="reproducibility"
|
# the override is needed because the wifi is
|
||||||
PSK_VALID="S0m3BadP4ssw0rd";
|
# disabled with mkVMOverride in qemu-vm.nix.
|
||||||
# taken from https://github.com/minimaxir/big-list-of-naughty-strings
|
enable = lib.mkOverride 0 true;
|
||||||
PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
|
userControlled.enable = true;
|
||||||
'';
|
interfaces = [ "wlan1" ];
|
||||||
|
fallbackToWPA2 = lib.mkDefault true;
|
||||||
|
|
||||||
|
# networks will be added on-demand below for the specific
|
||||||
|
# network that should be tested
|
||||||
|
|
||||||
|
# secrets
|
||||||
|
environmentFile = pkgs.writeText "wpa-secrets" ''
|
||||||
|
PSK_NIXOS_TEST="reproducibility"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
basic = { ... }: {
|
||||||
|
imports = [ ../modules/profiles/minimal.nix ];
|
||||||
|
|
||||||
|
# add a virtual wlan interface
|
||||||
|
boot.kernelModules = [ "mac80211_hwsim" ];
|
||||||
|
|
||||||
|
# wireless client
|
||||||
|
networking.wireless = {
|
||||||
|
# the override is needed because the wifi is
|
||||||
|
# disabled with mkVMOverride in qemu-vm.nix.
|
||||||
|
enable = lib.mkOverride 0 true;
|
||||||
|
userControlled.enable = true;
|
||||||
|
interfaces = [ "wlan1" ];
|
||||||
|
fallbackToWPA2 = true;
|
||||||
|
|
||||||
|
networks = {
|
||||||
|
# test WPA2 fallback
|
||||||
|
mixed-wpa = {
|
||||||
|
psk = "password";
|
||||||
|
authProtocols = [ "WPA-PSK" "SAE" ];
|
||||||
|
};
|
||||||
|
sae-only = {
|
||||||
|
psk = "password";
|
||||||
|
authProtocols = [ "SAE" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# secrets substitution test cases
|
||||||
|
test1.psk = "@PSK_VALID@"; # should be replaced
|
||||||
|
test2.psk = "@PSK_SPECIAL@"; # should be replaced
|
||||||
|
test3.psk = "@PSK_MISSING@"; # should not be replaced
|
||||||
|
test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced
|
||||||
|
};
|
||||||
|
|
||||||
|
# secrets
|
||||||
|
environmentFile = pkgs.writeText "wpa-secrets" ''
|
||||||
|
PSK_VALID="S0m3BadP4ssw0rd";
|
||||||
|
# taken from https://github.com/minimaxir/big-list-of-naughty-strings
|
||||||
|
PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Test connecting to the SAE-only hotspot using SAE
|
||||||
|
machineSae = machineWithHostapd {
|
||||||
|
networking.wireless = {
|
||||||
|
fallbackToWPA2 = false;
|
||||||
|
networks.nixos-test-sae = {
|
||||||
|
psk = "@PSK_NIXOS_TEST@";
|
||||||
|
authProtocols = [ "SAE" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Test connecting to the SAE and WPA2 mixed hotspot using SAE
|
||||||
|
machineMixedUsingSae = machineWithHostapd {
|
||||||
|
networking.wireless = {
|
||||||
|
fallbackToWPA2 = false;
|
||||||
|
networks.nixos-test-mixed = {
|
||||||
|
psk = "@PSK_NIXOS_TEST@";
|
||||||
|
authProtocols = [ "SAE" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Test connecting to the SAE and WPA2 mixed hotspot using WPA2
|
||||||
|
machineMixedUsingWpa2 = machineWithHostapd {
|
||||||
|
networking.wireless = {
|
||||||
|
fallbackToWPA2 = true;
|
||||||
|
networks.nixos-test-mixed = {
|
||||||
|
psk = "@PSK_NIXOS_TEST@";
|
||||||
|
authProtocols = [ "WPA-PSK-SHA256" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Test connecting to the WPA2 legacy hotspot using WPA2
|
||||||
|
machineWpa2 = machineWithHostapd {
|
||||||
|
networking.wireless = {
|
||||||
|
fallbackToWPA2 = true;
|
||||||
|
networks.nixos-test-wpa2 = {
|
||||||
|
psk = "@PSK_NIXOS_TEST@";
|
||||||
|
authProtocols = [ "WPA-PSK-SHA256" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
testScript =
|
testScript =
|
||||||
@ -66,30 +162,47 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
|
|||||||
config_file = "/run/wpa_supplicant/wpa_supplicant.conf"
|
config_file = "/run/wpa_supplicant/wpa_supplicant.conf"
|
||||||
|
|
||||||
with subtest("Configuration file is inaccessible to other users"):
|
with subtest("Configuration file is inaccessible to other users"):
|
||||||
machine.wait_for_file(config_file)
|
basic.wait_for_file(config_file)
|
||||||
machine.fail(f"sudo -u nobody ls {config_file}")
|
basic.fail(f"sudo -u nobody ls {config_file}")
|
||||||
|
|
||||||
with subtest("Secrets variables have been substituted"):
|
with subtest("Secrets variables have been substituted"):
|
||||||
machine.fail(f"grep -q @PSK_VALID@ {config_file}")
|
basic.fail(f"grep -q @PSK_VALID@ {config_file}")
|
||||||
machine.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
|
basic.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
|
||||||
machine.succeed(f"grep -q @PSK_MISSING@ {config_file}")
|
basic.succeed(f"grep -q @PSK_MISSING@ {config_file}")
|
||||||
machine.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
|
basic.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
|
||||||
|
|
||||||
with subtest("WPA2 fallbacks have been generated"):
|
with subtest("WPA2 fallbacks have been generated"):
|
||||||
assert int(machine.succeed(f"grep -c sae-only {config_file}")) == 1
|
assert int(basic.succeed(f"grep -c sae-only {config_file}")) == 1
|
||||||
assert int(machine.succeed(f"grep -c mixed-wpa {config_file}")) == 2
|
assert int(basic.succeed(f"grep -c mixed-wpa {config_file}")) == 2
|
||||||
|
|
||||||
# save file for manual inspection
|
# save file for manual inspection
|
||||||
machine.copy_from_vm(config_file)
|
basic.copy_from_vm(config_file)
|
||||||
|
|
||||||
with subtest("Daemon is running and accepting connections"):
|
with subtest("Daemon is running and accepting connections"):
|
||||||
machine.wait_for_unit("wpa_supplicant-wlan1.service")
|
basic.wait_for_unit("wpa_supplicant-wlan1.service")
|
||||||
status = machine.succeed("wpa_cli -i wlan1 status")
|
status = basic.succeed("wpa_cli -i wlan1 status")
|
||||||
assert "Failed to connect" not in status, \
|
assert "Failed to connect" not in status, \
|
||||||
"Failed to connect to the daemon"
|
"Failed to connect to the daemon"
|
||||||
|
|
||||||
with subtest("Daemon can connect to the access point"):
|
machineSae.wait_for_unit("hostapd.service")
|
||||||
machine.wait_until_succeeds(
|
machineSae.copy_from_vm("/run/hostapd/wlan0.hostapd.conf")
|
||||||
|
with subtest("Daemon can connect to the SAE access point using SAE"):
|
||||||
|
machineSae.wait_until_succeeds(
|
||||||
|
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
|
||||||
|
)
|
||||||
|
|
||||||
|
with subtest("Daemon can connect to the SAE and WPA2 mixed access point using SAE"):
|
||||||
|
machineMixedUsingSae.wait_until_succeeds(
|
||||||
|
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
|
||||||
|
)
|
||||||
|
|
||||||
|
with subtest("Daemon can connect to the SAE and WPA2 mixed access point using WPA2"):
|
||||||
|
machineMixedUsingWpa2.wait_until_succeeds(
|
||||||
|
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
|
||||||
|
)
|
||||||
|
|
||||||
|
with subtest("Daemon can connect to the WPA2 access point using WPA2"):
|
||||||
|
machineWpa2.wait_until_succeeds(
|
||||||
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
|
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
|
||||||
)
|
)
|
||||||
'';
|
'';
|
||||||
|
@ -60,11 +60,6 @@ stdenv.mkDerivation rec {
|
|||||||
# TKIP is considered insecure and upstream support will be removed in the future
|
# TKIP is considered insecure and upstream support will be removed in the future
|
||||||
CONFIG_NO_TKIP=y
|
CONFIG_NO_TKIP=y
|
||||||
|
|
||||||
# Enable Wi-Fi Protected Setup
|
|
||||||
CONFIG_WPS=y
|
|
||||||
CONFIG_WPS_UPNP=y
|
|
||||||
CONFIG_WPS_NFC=y
|
|
||||||
|
|
||||||
# Misc
|
# Misc
|
||||||
CONFIG_RADIUS_SERVER=y
|
CONFIG_RADIUS_SERVER=y
|
||||||
CONFIG_FULL_DYNAMIC_VLAN=y
|
CONFIG_FULL_DYNAMIC_VLAN=y
|
||||||
|
Loading…
Reference in New Issue
Block a user