pkgs/openwrt/uci-config: add wifi encryption option

2022-09-14 17:23:13 +02:00 · 2022-09-14 17:23:13 +02:00 · ff5d750697
parent 0f9246d4ba
commit ff5d750697
2 changed files with 51 additions and 18 deletions
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@ -442,23 +442,28 @@ let
                type = int;
              };
              ssids = mkOption {
-                type = attrsOf (submodule (
-                  { ... }: {
-                    options = {
-                      net = mkOption {
-                        type = str;
-                      };
-                      psk = mkOption {
-                        type = nullOr str;
-                        default = null;
-                      };
-                      mode = mkOption {
-                        type = enum [ "ap" "sta" ];
-                        default = "ap";
-                      };
+                type = attrsOf (submodule ({ config, ... }: {
+                  options = {
+                    net = mkOption {
+                      type = str;
                    };
-                  }
-                ));
+                    psk = mkOption {
+                      type = nullOr str;
+                      default = null;
+                    };
+                    encryption = mkOption {
+                      type = enum [ "none" "owe" "wpa2" "wpa3" ];
+                      default =
+                        if config.psk == null
+                        then "owe"
+                        else "wpa3";
+                    };
+                    mode = mkOption {
+                      type = enum [ "ap" "sta" ];
+                      default = "ap";
+                    };
+                  };
+                }));
              };
            };
          }
@ -735,5 +740,27 @@ in
        assertion = builtins.length (linksOfGroup group) == 1;
        message = "${hostName}: group ${group} is used in more than one link: ${lib.concatStringsSep " " (linksOfGroup group)}";
      }) groups
+    ) (builtins.attrNames config.site.hosts)
+    ++
+    # wifi psk checks
+    builtins.concatMap (hostName:
+      builtins.concatMap (wifiPath:
+        map (ssid:
+          let
+            ssidConf = config.site.hosts.${hostName}.wifi.${wifiPath}.ssids.${ssid};
+          in
+            if builtins.elem ssidConf.encryption [ "none" "owe" ]
+            then {
+              assertion = ssidConf.psk == null;
+              message = "${hostName}: SSID ${ssid} has encryption ${ssidConf.encryption} but a PSK is set";
+            }
+            else if builtins.elem ssidConf.encryption [ "wpa2" "wpa3" ]
+            then {
+              assertion = ssidConf.psk != null;
+              message = "${hostName}: SSID ${ssid} has encryption ${ssidConf.encryption} but no PSK is set";
+            }
+            else throw "Unsupported WiFi encryption ${ssidConf.encryption}"
+        ) (builtins.attrNames config.site.hosts.${hostName}.wifi.${wifiPath}.ssids)
+      ) (builtins.attrNames config.site.hosts.${hostName}.wifi)
    ) (builtins.attrNames config.site.hosts);
 }
--- a/nix/pkgs/openwrt/uci-config.nix
+++ b/nix/pkgs/openwrt/uci-config.nix
@ -267,6 +267,13 @@ in
      ${concatMapStrings (ssid:
        let
          ssidConfig = radioConfig.ssids.${ssid};
+          # mapping our option to openwrt/hostapd setting
+          encryption = {
+            none = "none";
+            owe = "owe";
+            wpa2 = "psk2";
+            wpa3 = "sae-mixed";
+          }.${radioConfig.ssids.${ssid}.encryption};
        in ''
          uci add wireless wifi-iface
          uci set wireless.@wifi-iface[-1].ifname=${ifPrefix}-${ssidConfig.net}
@ -275,13 +282,12 @@ in
          uci set wireless.@wifi-iface[-1].mode=${ssidConfig.mode}
          uci set wireless.@wifi-iface[-1].network=${ssidConfig.net}
          uci set wireless.@wifi-iface[-1].mcast_rate=18000
+          uci set wireless.@wifi-iface[-1].encryption='${encryption}'
          ${if (ssidConfig.psk != null)
            then ''
-              uci set wireless.@wifi-iface[-1].encryption='sae-mixed'
              uci set wireless.@wifi-iface[-1].key='${ssidConfig.psk}'
            ''
            else ''
-              uci set wireless.@wifi-iface[-1].encryption='owe'
              uci -q delete wireless.@wifi-iface[-1].key || true
            ''}
        ''