diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index 787a88d..5337841 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -442,23 +442,28 @@ let
 type = int;
 };
 ssids = mkOption {
- type = attrsOf (submodule (
- { ... }: {
- options = {
- net = mkOption {
- type = str;
- };
- psk = mkOption {
- type = nullOr str;
- default = null;
- };
- mode = mkOption {
- type = enum [ "ap" "sta" ];
- default = "ap";
- };
+ type = attrsOf (submodule ({ config, ... }: {
+ options = {
+ net = mkOption {
+ type = str;
 };
- }
- ));
+ psk = mkOption {
+ type = nullOr str;
+ default = null;
+ };
+ encryption = mkOption {
+ type = enum [ "none" "owe" "wpa2" "wpa3" ];
+ default =
+ if config.psk == null
+ then "owe"
+ else "wpa3";
+ };
+ mode = mkOption {
+ type = enum [ "ap" "sta" ];
+ default = "ap";
+ };
+ };
+ }));
 };
 };
 }
@@ -735,5 +740,27 @@ in
 assertion = builtins.length (linksOfGroup group) == 1;
 message = "${hostName}: group ${group} is used in more than one link: ${lib.concatStringsSep " " (linksOfGroup group)}";
 }) groups
+ ) (builtins.attrNames config.site.hosts)
+ ++
+ # wifi psk checks
+ builtins.concatMap (hostName:
+ builtins.concatMap (wifiPath:
+ map (ssid:
+ let
+ ssidConf = config.site.hosts.${hostName}.wifi.${wifiPath}.ssids.${ssid};
+ in
+ if builtins.elem ssidConf.encryption [ "none" "owe" ]
+ then {
+ assertion = ssidConf.psk == null;
+ message = "${hostName}: SSID ${ssid} has encryption ${ssidConf.encryption} but a PSK is set";
+ }
+ else if builtins.elem ssidConf.encryption [ "wpa2" "wpa3" ]
+ then {
+ assertion = ssidConf.psk != null;
+ message = "${hostName}: SSID ${ssid} has encryption ${ssidConf.encryption} but no PSK is set";
+ }
+ else throw "Unsupported WiFi encryption ${ssidConf.encryption}"
+ ) (builtins.attrNames config.site.hosts.${hostName}.wifi.${wifiPath}.ssids)
+ ) (builtins.attrNames config.site.hosts.${hostName}.wifi)
 ) (builtins.attrNames config.site.hosts);
 }
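Review bot: The new `encryption` option has no `description`, so a reader of the module cannot see that the default flips between OWE and WPA3 depending on `psk`, nor that `wpa3` is rendered as `sae-mixed` (WPA2/WPA3 transition mode) by uci-config.nix in this same commit. Add something like `description = "Wireless security mode. Defaults to \"owe\" when no psk is set and \"wpa3\" otherwise; wpa3 is emitted as hostapd sae-mixed, so WPA2-PSK clients are still admitted.";` inside the mkOption. `none` is never chosen by default, which is the right direction; the description should say it has to be opted into explicitly. The enclosing `let` block starts before this hunk.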
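Review bot: The wpa2/wpa3 branch only asserts `ssidConf.psk != null`, so an empty or very short passphrase passes evaluation and is only rejected later on the device, since hostapd requires a WPA-PSK passphrase of 8–63 characters and both mappings chosen in uci-config.nix (`psk2`, `sae-mixed`) use the key as that passphrase; the check is cheap to do here, e.g. `assertion = ssidConf.psk != null && builtins.stringLength ssidConf.psk >= 8 && builtins.stringLength ssidConf.psk <= 63;` with the message adjusted to `"... but no PSK of 8-63 characters is set"`. The trailing `throw` is unreachable because the option type is an enum, which is fine as a guard but deserves a short comment saying so. The traversal assumes every host has a `wifi` attribute; if hosts without WiFi exist in `config.site.hosts`, this needs a `hasAttr`/`attrByPath` guard — cannot confirm from here. The assertions list this appends to begins before the hunk.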
diff --git a/nix/pkgs/openwrt/uci-config.nix b/nix/pkgs/openwrt/uci-config.nix
index 74845ce..8a1ddee 100644
--- a/nix/pkgs/openwrt/uci-config.nix
+++ b/nix/pkgs/openwrt/uci-config.nix
@@ -267,6 +267,13 @@ in
 ${concatMapStrings (ssid:
 let
 ssidConfig = radioConfig.ssids.${ssid};
+ # mapping our option to openwrt/hostapd setting
+ encryption = {
+ none = "none";
+ owe = "owe";
+ wpa2 = "psk2";
+ wpa3 = "sae-mixed";
+ }.${radioConfig.ssids.${ssid}.encryption};
 in ''
 uci add wireless wifi-iface
 uci set wireless.@wifi-iface[-1].ifname=${ifPrefix}-${ssidConfig.net}
@@ -275,13 +282,12 @@ in
 uci set wireless.@wifi-iface[-1].mode=${ssidConfig.mode}
 uci set wireless.@wifi-iface[-1].network=${ssidConfig.net}
 uci set wireless.@wifi-iface[-1].mcast_rate=18000
+ uci set wireless.@wifi-iface[-1].encryption='${encryption}'
 ${if (ssidConfig.psk != null)
 then ''
- uci set wireless.@wifi-iface[-1].encryption='sae-mixed'
 uci set wireless.@wifi-iface[-1].key='${ssidConfig.psk}'
 ''
 else ''
- uci set wireless.@wifi-iface[-1].encryption='owe'
 uci -q delete wireless.@wifi-iface[-1].key || true
 ''}
 ''
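Review bot: The mapping value `wpa3 = "sae-mixed"` enables WPA2/WPA3 transition mode rather than WPA3-only, so an SSID configured as `wpa3` still admits WPA2-PSK clients with the same key; if that is intended, the comment above the attrset should say so, otherwise `sae` is the WPA3-only OpenWrt value. Style: the lookup reads `radioConfig.ssids.${ssid}.encryption` although `ssidConfig` is bound to exactly that attrset one line above; `}.${ssidConfig.encryption};` keeps one source of truth. The comment could also name both sides: `# map the site-level encryption option to the OpenWrt wireless.encryption value`. The `let` continues past this hunk into the `in ''` string.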
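Review bot: The new `encryption='${encryption}'` line is safe to single-quote because its value comes from a fixed attrset, but the `key='${ssidConfig.psk}'` line just below it, which the new assertions now guarantee is emitted for wpa2/wpa3, still interpolates the raw passphrase, so a `'` in the PSK ends the shell quote and the remainder is no longer part of the key. Passing the value through a shell-escaping helper (`lib.escapeShellArg` if `lib` is in scope in this file) or asserting in options.nix that the psk contains no single quote closes that. Since the two `${if}` branches now differ only in the key line, a comment such as `# encryption is set above for every mode; only the key depends on psk` would help the next reader. The `''}` and closing `''` are inside the hunk, but the enclosing `concatMapStrings` call closes after it.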