magic_rb/dotfiles
1
0
Fork 0
mirror of https://git.sr.ht/~magic_rb/dotfiles synced 2024-11-22 16:04:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

basic hostap config

Browse source 
Signed-off-by: Magic_RB <magic_rb@redalder.org>
This commit is contained in:
Magic_RB 2023-02-14 20:18:11 +01:00
parent 87d0a38d52
commit 648e6cf8c1
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
8 changed files with 774 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nixos/hardware/blowhole.nix
View file

@ -28,6 +28,8 @@ in {
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
hardware.enableRedistributableFirmware = true;
fileSystems =
{
"/boot" = {

12
nixos/secret-lib/network.nix
View file

@ -37,9 +37,17 @@ in
media = mkIpOption;
};
network.dhcpd.blowhole = mkOption {
network.dhcpd.blowhole-lan = mkOption {
description = ''
Secret config specific to blowhole's dhcpcd.
Secret config specific to blowhole's lan dhcpcd.
'';
type = types.str;
default = "";
};
network.dhcpd.blowhole-wlan = mkOption {
description = ''
Secret config specific to blowhole's wlan dhcpcd.
'';
type = types.str;
default = "";

106
nixos/systems/blowhole/999-hostapd-2.10-lar.patch Normal file
View file

@ -0,0 +1,106 @@
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3459,6 +3459,8 @@
conf->noscan = atoi(pos);
} else if (os_strcmp(buf, "ht_coex") == 0) {
conf->no_ht_coex = !atoi(pos);
+ } else if (os_strcmp(buf, "intel_lar") == 0) {
+ conf->intel_lar = atoi(pos);
} else if (os_strcmp(buf, "ieee80211n") == 0) {
conf->ieee80211n = atoi(pos);
} else if (os_strcmp(buf, "ht_capab") == 0) {
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -1050,6 +1050,7 @@
u16 ht_capab;
int noscan;
int no_ht_coex;
+ int intel_lar;
int ieee80211n;
int secondary_channel;
int no_pri_sec_switch;
--- a/src/ap/hw_features.c
+++ b/src/ap/hw_features.c
@@ -26,6 +26,17 @@
#include "beacon.h"
#include "hw_features.h"
+static void ieee80211n_do_nothing(struct hostapd_iface *iface)
+{
+ wpa_printf(MSG_DEBUG,
+ "Scan finished!");
+}
+
+static void ieee80211n_scan_channels_2g4(struct hostapd_iface *iface,
+ struct wpa_driver_scan_params *params);
+static void ieee80211n_scan_channels_5g(struct hostapd_iface *iface,
+ struct wpa_driver_scan_params *params);
+
void hostapd_free_hw_features(struct hostapd_hw_modes *hw_features,
size_t num_hw_features)
@@ -82,6 +93,33 @@
if (hostapd_drv_none(hapd))
return -1;
+
+ //if (!iface->conf->noscan) {
+ if (iface->conf->intel_lar && !iface->conf->noscan) {
+ // scan
+ struct wpa_driver_scan_params params;
+ int ret1;
+
+ os_memset(&params, 0, sizeof(params));
+ ieee80211n_scan_channels_5g(iface, &params);
+
+ ret1 = hostapd_driver_scan(iface->bss[0], &params);
+
+ if (ret1 == -EBUSY) {
+ wpa_printf(MSG_ERROR,
+ "Failed to request a scan of neighboring BSSes ret=%d (%s)!",
+ ret1, strerror(-ret1));
+ }
+
+ if (ret1 == 0) {
+ iface->scan_cb = ieee80211n_do_nothing;
+ wpa_printf(MSG_DEBUG,
+ "Sleeping...");
+ for (int i=0; i<110; i++) {
+ usleep(100000);
+ }
+ }
+ }
modes = hostapd_get_hw_feature_data(hapd, &num_modes, &flags,
&dfs_domain);
if (modes == NULL) {
@@ -308,7 +346,6 @@
sec_chan);
}
-
static void ieee80211n_check_scan(struct hostapd_iface *iface)
{
struct wpa_scan_results *scan_res;
@@ -517,8 +554,10 @@
int ret;
/* Check that HT40 is used and PRI / SEC switch is allowed */
- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch)
+ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch || iface->conf->noscan) {
+ wpa_printf(MSG_DEBUG, "Not scanning due to noscan?");
return 0;
+ }
hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
wpa_printf(MSG_DEBUG, "Scan for neighboring BSSes prior to enabling "
@@ -916,7 +954,7 @@
if (!hostapd_is_usable_edmg(iface))
return 0;
- if (!iface->conf->secondary_channel)
+ if (!iface->conf->secondary_channel || iface->conf->noscan)
return 1;
if (hostapd_is_usable_chan(iface, iface->freq +

1
nixos/systems/blowhole/bind.nix
View file

@ -136,6 +136,7 @@ in
cacheNetworks = [
"127.0.0.0/8"
"10.64.3.0/24"
"10.64.2.0/24"
"10.64.1.0/24"
"10.64.0.0/24"

1
nixos/systems/blowhole/default.nix
View file

@ -24,6 +24,7 @@
./nas.nix
./firewall.nix
./ical2org.nix
./hostapd.nix
];
home-manager.users."main" = {...}: {

35
nixos/systems/blowhole/firewall.nix
View file

@ -1,6 +1,7 @@
{ pkgs, secret, config, lib, ... }:
with lib;
let
wlan = "wlp10s0";
lan = "enp8s0f1";
wan = "enp3s0";
doVPN = "do_vpn0";
@ -97,7 +98,7 @@ in
services.dhcpd4 = {
enable = true;
interfaces = [ "${lan}" ];
interfaces = [ "${lan}" "${wlan}" ];
extraConfig = ''
option domain-name-servers 10.64.2.1;
option subnet-mask 255.255.255.0;
@ -108,7 +109,16 @@ in
interface ${lan};
range 10.64.2.128 10.64.2.254;
${secret.network.dhcpd.blowhole}
${secret.network.dhcpd.blowhole-lan}
}
subnet 10.64.3.0 netmask 255.255.255.0 {
option broadcast-address 10.64.3.255;
option routers 10.64.3.1;
interface ${wlan};
range 10.64.3.128 10.64.3.254;
${secret.network.dhcpd.blowhole-wlan}
}
'';
};
@ -145,6 +155,13 @@ in
prefixLength = 24;
}];
};
"${wlan}" = {
useDHCP = false;
ipv4.addresses = [{
address = "10.64.3.1";
prefixLength = 24;
}];
};
# But do DHCP on the WAN interface
"${wan}".useDHCP = true;
};
@ -190,7 +207,7 @@ in
iifname != "lo" tcp dport 5353 drop comment "Drop traffic to stubby always except for localhost to localhost traffic"
iifname "nomad" oifname "nomad" accept comment "Allow Nomad to do whatever it wants in its interface"
iifname { "${lan}", "lo" } accept comment "Allow local network to access the router"
iifname { "${wlan}", "${lan}", "lo" } accept comment "Allow local network to access the router"
iifname { "${wan}", "${doVPN}", "nomad", "docker0" } jump input_out
iifname { "${doVPN}" } jump input_doVPN
@ -230,14 +247,14 @@ in
oifname { "${wan}" } udp dport 53 drop
# Allow trusted LAN to WAN"
iifname { "${lan}" } oifname { "${wan}" } accept
iifname { "${wan}" } oifname { "${lan}" } ct state established, related accept
iifname { "${lan}", "${wlan}" } oifname { "${wan}" } accept
iifname { "${wan}" } oifname { "${lan}", "${wlan}" } ct state established, related accept
iifname { "nomad" } oifname { "${doVPN}", "${lan}" } accept
iifname { "${doVPN}", "${lan}" } oifname { "nomad" } accept
iifname { "${doVPN}" } oifname { "${lan}" } accept
iifname { "${lan}" } oifname { "${doVPN}" } accept
iifname { "nomad" } oifname { "${doVPN}", "${lan}", "${wlan}" } accept
iifname { "${doVPN}", "${lan}", "${wlan}" } oifname { "nomad" } accept
iifname { "${doVPN}" } oifname { "${lan}", "${wlan}" } accept
iifname { "${lan}", "${wlan}" } oifname { "${doVPN}" } accept
# Allow containers to reach WAN
iifname { "nomad", "docker0" } oifname { "${wan}" } accept

615
nixos/systems/blowhole/hostapd.nix Normal file
View file

@ -0,0 +1,615 @@
{ pkgs, config,lib, ... }:
with lib;
let
in
{
# giturl="https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/"
# for patch in *.patch
# do
# nix-prefetch-url "$giturl$patch" 2>/dev/null | \
# sed -e 's~^~{ url = "'"$giturl$patch"'"; sha256 = "~' | sed -e 's~$~"; \}~'
# done
services.hashicorp.vault-agent.settings.template = singleton {
source = pkgs.writeText "hostapd_wpa_psk.vtmpl" ''
{{ with secret "kv/data/homelab-1/blowhole/hostapd/wpa_psk" }}{{ .Data.data.passphrase }}{{ end }}
'';
destination = "/run/secrets/hostapd_wpa_psk";
};
systemd.services.hostapd.serviceConfig.After = [ "hashicorp-vault-agent.service" ];
services.hostapd = {
interface = "wlp10s0";
driver = "nl80211";
ssid = "nothing";
wpa = false;
hwMode = "a";
channel = 149;
countryCode = "NL";
enable = true;
extraConfig = ''
wpa=2
wpa_passphrase=stuff
ieee80211d=1
ieee80211h=1
intel_lar=1
noscan=0
beacon_int=100
channel=149
chanlist=149
tx_queue_data2_burst=2.0
ieee80211n=1
ht_coex=0
ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935][DSSS_CCK-40]
ieee80211ac=1
vht_oper_chwidth=1
vht_oper_centr_freq_seg0_idx=155
vht_capab=[RXLDPC][SHORT-GI-80][SHORT-GI-160][TX-STBC-2BY1][SU-BEAMFORMEE][MU-BEAMFORMEE][RX-STBC-1][BF-ANTENNA-4][VHT160][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP7]
ieee80211ax=1
he_oper_chwidth=1
he_oper_centr_freq_seg0_idx=155
he_default_pe_duration=4
he_rts_threshold=1023
he_mu_edca_qos_info_param_count=0
he_mu_edca_qos_info_q_ack=0
he_mu_edca_qos_info_queue_request=0
he_mu_edca_qos_info_txop_request=0
he_mu_edca_ac_be_aifsn=8
he_mu_edca_ac_be_aci=0
he_mu_edca_ac_be_ecwmin=9
he_mu_edca_ac_be_ecwmax=10
he_mu_edca_ac_be_timer=255
he_mu_edca_ac_bk_aifsn=15
he_mu_edca_ac_bk_aci=1
he_mu_edca_ac_bk_ecwmin=9
he_mu_edca_ac_bk_ecwmax=10
he_mu_edca_ac_bk_timer=255
he_mu_edca_ac_vi_ecwmin=5
he_mu_edca_ac_vi_ecwmax=7
he_mu_edca_ac_vi_aifsn=5
he_mu_edca_ac_vi_aci=2
he_mu_edca_ac_vi_timer=255
he_mu_edca_ac_vo_aifsn=5
he_mu_edca_ac_vo_aci=3
he_mu_edca_ac_vo_ecwmin=5
he_mu_edca_ac_vo_ecwmax=7
he_mu_edca_ac_vo_timer=255
ap_isolate=1
bss_load_update_period=60
chan_util_avg_period=600
disassoc_low_ack=1
skip_inactivity_poll=0
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
utf8_ssid=1
multi_ap=0
auth_algs=1
wpa=2
wpa_pairwise=CCMP
wpa_disable_eapol_key_retries=0
wpa_key_mgmt=WPA-PSK
okc=0
disable_pmksa_caching=1
bssid=e0:d0:45:81:50:00
# bss=wlp10s1
# ssid=nothing2
# bssid=e0:d0:45:81:50:01
# hw_mode=g
# channel=9
# vht_capab=
# ht_capab=
# auth_algs=1
# wpa=2
# wpa_pairwise=CCMP
# wpa_disable_eapol_key_retries=0
# wpa_key_mgmt=WPA-PSK
# okc=0
# disable_pmksa_caching=1
# wpa_passphrase=${config.services.hostapd.wpaPassphrase}
'';
};
nixpkgs.overlays = singleton
(final: prev:
{
hostapd = prev.hostapd.overrideAttrs (old: {
buildInputs = old.buildInputs ++ (with pkgs; [
libubox
ubus
]);
src = pkgs.fetchgit {
url = "http://w1.fi/hostap.git";
rev = "cff80b4f7d3c0a47c052e8187d671710f48939e4";
sha256 = "sha256-DQ1SiaMP3CbmPFtKKpJe9ASdal3Y5+D3cBHUauKDjGg=";
};
extraConfig = ''
# Example hostapd build time configuration
#
# This file lists the configuration options that are used when building the
# hostapd binary. All lines starting with # are ignored. Configuration option
# lines must be commented out complete, if they are not to be included, i.e.,
# just setting VARIABLE=n is not disabling that variable.
#
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cass, these lines should use += in order not
# to override previous values of the variables.
# Driver interface for Host AP driver
#CONFIG_DRIVER_HOSTAP=y
# Driver interface for wired authenticator
CONFIG_DRIVER_WIRED=y
# Driver interface for drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
#CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
#
#CFLAGS += -I$<path to libnl include files>
#LIBS += -L$<path to libnl library files>
# Use libnl v2.0 (or 3.0) libraries.
#CONFIG_LIBNL20=y
# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
#CONFIG_LIBNL32=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib
#LIBS_p += -L/usr/local/lib
#LIBS_c += -L/usr/local/lib
# Driver interface for no driver (e.g., RADIUS server only)
#CONFIG_DRIVER_NONE=y
# IEEE 802.11F/IAPP
CONFIG_IAPP=y
# WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y
# IEEE 802.11w (management frame protection)
#CONFIG_IEEE80211W=y
# Support Operating Channel Validation
#CONFIG_OCV=y
# Integrated EAP server
CONFIG_EAP=y
# EAP Re-authentication Protocol (ERP) in integrated EAP server
CONFIG_ERP=y
# EAP-MD5 for the integrated EAP server
CONFIG_EAP_MD5=y
# EAP-TLS for the integrated EAP server
CONFIG_EAP_TLS=y
# EAP-MSCHAPv2 for the integrated EAP server
CONFIG_EAP_MSCHAPV2=y
# EAP-PEAP for the integrated EAP server
CONFIG_EAP_PEAP=y
# EAP-GTC for the integrated EAP server
CONFIG_EAP_GTC=y
# EAP-TTLS for the integrated EAP server
CONFIG_EAP_TTLS=y
# EAP-SIM for the integrated EAP server
#CONFIG_EAP_SIM=y
# EAP-AKA for the integrated EAP server
#CONFIG_EAP_AKA=y
# EAP-AKA' for the integrated EAP server
# This requires CONFIG_EAP_AKA to be enabled, too.
#CONFIG_EAP_AKA_PRIME=y
# EAP-PAX for the integrated EAP server
#CONFIG_EAP_PAX=y
# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y
# EAP-pwd for the integrated EAP server (secure authentication with a password)
#CONFIG_EAP_PWD=y
# EAP-SAKE for the integrated EAP server
#CONFIG_EAP_SAKE=y
# EAP-GPSK for the integrated EAP server
#CONFIG_EAP_GPSK=y
# Include support for optional SHA256 cipher suite in EAP-GPSK
#CONFIG_EAP_GPSK_SHA256=y
# EAP-FAST for the integrated EAP server
CONFIG_EAP_FAST=y
# EAP-TEAP for the integrated EAP server
# Note: The current EAP-TEAP implementation is experimental and should not be
# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
# of conflicting statements and missing details and the implementation has
# vendor specific workarounds for those and as such, may not interoperate with
# any other implementation. This should not be used for anything else than
# experimentation and interoperability testing until those issues has been
# resolved.
#CONFIG_EAP_TEAP=y
# Wi-Fi Protected Setup (WPS)
CONFIG_WPS=y
# Enable UPnP support for external WPS Registrars
#CONFIG_WPS_UPNP=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2
#CONFIG_EAP_IKEV2=y
# Trusted Network Connect (EAP-TNC)
#CONFIG_EAP_TNC=y
# EAP-EKE for the integrated EAP server
#CONFIG_EAP_EKE=y
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
# RADIUS authentication server. This provides access to the integrated EAP
# server from external hosts using RADIUS.
#CONFIG_RADIUS_SERVER=y
# Build IPv6 support for RADIUS operations
CONFIG_IPV6=y
# IEEE Std 802.11r-2008 (Fast BSS Transition)
CONFIG_IEEE80211R=y
# Use the hostapd's IEEE 802.11 authentication (ACL), but without
# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
#CONFIG_DRIVER_RADIUS_ACL=y
# IEEE 802.11n (High Throughput) support
CONFIG_IEEE80211N=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
CONFIG_WNM=y
# IEEE 802.11ac (Very High Throughput) support
CONFIG_IEEE80211AC=y
# IEEE 802.11ax HE support
# Note: This is experimental and work in progress. The definitions are still
# subject to change and this should not be expected to interoperate with the
# final IEEE 802.11ax version.
CONFIG_IEEE80211AX=y
# Remove debugging code that is printing out debug messages to stdout.
# This can be used to reduce the size of the hostapd considerably if debugging
# code is not needed.
#CONFIG_NO_STDOUT_DEBUG=y
# Add support for writing debug log to a file: -f /tmp/hostapd.log
# Disabled by default.
#CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout
CONFIG_DEBUG_SYSLOG=y
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
# Remove support for RADIUS accounting
#CONFIG_NO_ACCOUNTING=y
# Remove support for RADIUS
#CONFIG_NO_RADIUS=y
# Remove support for VLANs
#CONFIG_NO_VLAN=y
# Enable support for fully dynamic VLANs. This enables hostapd to
# automatically create bridge and VLAN interfaces if necessary.
CONFIG_FULL_DYNAMIC_VLAN=y
# Use netlink-based kernel API for VLAN operations instead of ioctl()
# Note: This requires libnl 3.1 or newer.
#CONFIG_VLAN_NETLINK=y
# Remove support for dumping internal state through control interface commands
# This can be used to reduce binary size at the cost of disabling a debugging
# option.
CONFIG_NO_DUMP_STATE=y
# Enable tracing code for developer debugging
# This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y
# For BSD, comment out these.
#LIBS += -lexecinfo
#LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo
# Use libbfd to get more details for developer debugging
# This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y
# For BSD, comment out these.
#LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz
# hostapd depends on strong random number generation being available from the
# operating system. os_get_random() function is used to fetch random data when
# needed, e.g., for key generation. On Linux and BSD systems, this works by
# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
# properly initialized before hostapd is started. This is important especially
# on embedded devices that do not have a hardware random number generator and
# may by default start up with minimal entropy available for random number
# generation.
#
# As a safety net, hostapd is by default trying to internally collect
# additional entropy for generating random data to mix in with the data
# fetched from the OS. This by itself is not considered to be very strong, but
# it may help in cases where the system pool is not initialized properly.
# However, it is very strongly recommended that the system pool is initialized
# with enough entropy either by using hardware assisted random number
# generator or by storing state over device reboots.
#
# hostapd can be configured to maintain its own entropy store over restarts to
# enhance random number generation. This is not perfect, but it is much more
# secure than using the same sequence of random numbers after every reboot.
# This can be enabled with -e<entropy file> command line option. The specified
# file needs to be readable and writable by hostapd.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal hostapd random pool can be disabled.
# This will save some in binary size and CPU use. However, this should only be
# considered for builds that are known to be used on devices that meet the
# requirements described above.
CONFIG_NO_RANDOM_POOL=y
# Should we attempt to use the getrandom(2) call that provides more reliable
# yet secure randomness source than /dev/random on Linux 3.17 and newer.
# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
CONFIG_GETRANDOM=y
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
# Should we use epoll instead of select? Select is used by default.
CONFIG_ELOOP_EPOLL=y
# Should we use kqueue instead of select? Select is used by default.
#CONFIG_ELOOP_KQUEUE=y
# Select TLS implementation
# openssl = OpenSSL (default)
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template
CONFIG_TLS=openssl
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
# are used.
#CONFIG_TLSV11=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms.
#CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
# and drawbacks of this option.
CONFIG_INTERNAL_LIBTOMMATH=y
#ifndef CONFIG_INTERNAL_LIBTOMMATH
#LTM_PATH=/usr/src/libtommath-0.39
#CFLAGS += -I$(LTM_PATH)
#LIBS += -L$(LTM_PATH)
#LIBS_p += -L$(LTM_PATH)
#endif
# At the cost of about 4 kB of additional binary size, the internal LibTomMath
# can be configured to include faster routines for exptmod, sqr, and div to
# speed up DH and RSA calculation considerably
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks.
CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
#CONFIG_SQLITE=y
# Enable Fast Session Transfer (FST)
#CONFIG_FST=y
# Enable CLI commands for FST testing
#CONFIG_FST_TEST=y
# Testing options
# This can be used to enable some testing options (see also the example
# configuration file) that are really useful only for testing clients that
# connect to this hostapd. These options allow, for example, to drop a
# certain percentage of probe requests or auth/(re)assoc frames.
#
#CONFIG_TESTING_OPTIONS=y
# Automatic Channel Selection
# This will allow hostapd to pick the channel automatically when channel is set
# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
# similar way.
#
# Automatic selection is currently only done through initialization, later on
# we hope to do background checks to keep us moving to more ideal channels as
# time goes by. ACS is currently only supported through the nl80211 driver and
# your driver must have survey dump capability that is filled by the driver
# during scanning.
#
# You can customize the ACS survey algorithm with the hostapd.conf variable
# acs_num_scans.
#
# Supported ACS drivers:
# * ath9k
# * ath5k
# * ath10k
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
#
#CONFIG_ACS=y
# Multiband Operation support
# These extentions facilitate efficient use of multiple frequency bands
# available to the AP and the devices that may associate with it.
#CONFIG_MBO=y
# Client Taxonomy
# Has the AP retain the Probe Request and (Re)Association Request frames from
# a client, from which a signature can be produced which can identify the model
# of client device like "Nexus 6P" or "iPhone 5s".
CONFIG_TAXONOMY=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
# Include internal line edit mode in hostapd_cli. This can be used to provide
# limited command line editing and history support.
#CONFIG_WPA_CLI_EDIT=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y
# Airtime policy support
CONFIG_AIRTIME_POLICY=y
# Proxy ARP support
CONFIG_PROXYARP=y
# Override default value for the wpa_disable_eapol_key_retries configuration
# parameter. See that parameter in hostapd.conf for more details.
#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
# uBus IPC/RPC System
# Services can connect to the bus and provide methods
# that can be called by other services or clients.
CONFIG_UBUS=y
# OpenWrt patch 380-disable-ctrl-iface-mib.patch
# leads to the MIB only being compiled in if
# CONFIG_CTRL_IFACE_MIB is enabled.
CONFIG_CTRL_IFACE_MIB=y
'';
postPatch = ''
cp ${pkgs.fetchurl {
url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/src/src/ap/ubus.h";
sha256 = "sha256-qA+ISdYJkAEmojmHjWJCBCMngYPpZRGNRstdYP5JTcc=";
}} src/ap/ubus.h
cp ${pkgs.fetchurl {
url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/src/src/ap/ubus.c";
sha256 = "sha256-ZaMx+D6e02soQZIjBDs3T7BNhMcEJ9iWq1mbSbjyuUU=";
}} src/ap/ubus.c
cp ${pkgs.fetchurl {
url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/src/src/utils/build_features.h";
sha256 = "sha256-KW8RKVQAWr91ach/F1k9XQH2rQCiQNfcNiDqUbNVrkc=";
}} src/utils/build_features.h
'';
patches = (map pkgs.fetchurl [
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/001-wolfssl-init-RNG-with-ECC-key.patch"; sha256 = "1h4wqn6dpc5vw19428v6s49i3xsdqc1ikwv6gvdhs2ly98cxwb91"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch"; sha256 = "06limshm4zprqd2cnjf2911k8dg2rc5wvdkqcdlxw49r5ihb4wmh"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/011-mesh-use-deterministic-channel-on-channel-switch.patch"; sha256 = "1nkp8kmq1dxhrf19cz346jyaxh888vgvl9hnlsdqak5cb5g0k0a6"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/021-fix-sta-add-after-previous-connection.patch"; sha256 = "1nj4h8z8kz335cwz6qq1qd0k0h5c47nhqvpb6n4k0mabw3q19rd5"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/022-hostapd-fix-use-of-uninitialized-stack-variables.patch"; sha256 = "1sfy9j86550g90gw5w80773dgf6i1w22sidichxjqgkhdm507kz7"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/023-ndisc_snoop-call-dl_list_del-before-freeing-ipv6-add.patch"; sha256 = "03pq0h5lmlgn05dkd5vf0v3abaa30vza962vbp9kc66jbga38113"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch"; sha256 = "0vl3v7b2p17maxnz02jiy89rz6jbmj54sqxkw14j1s6mxji0x510"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/040-mesh-allow-processing-authentication-frames-in-block.patch"; sha256 = "0w56gr3lp6h2y88vc1g6ddjvrymrg9sv65bhq46dcjjc6i6fgq96"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/050-build_fix.patch"; sha256 = "19km2glb39nqd3a25dsh2mnv57yj8mywi0kln86rizncyv0wbp5f"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/100-daemonize_fix.patch"; sha256 = "1wsxnanirdjf75zqdp6ff5yny8vaxnlb9ss2b3zwwca9ixl41fr1"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/200-multicall.patch"; sha256 = "0y305476mq8zp83hy45spsb16aw8a7720s3cnmc1msj1wx0axvl2"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/300-noscan.patch"; sha256 = "0qfn9in5ly7yk8y4psvbhn3sh667b6v0yjnimga20gclabfylpyb"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/301-mesh-noscan.patch"; sha256 = "1awln2b489j3nam8b81kjjvi91xwm46f5pcjag3smks8ra0v1zw7"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/310-rescan_immediately.patch"; sha256 = "0hvmwkkd2vfhz8yf1rbz11s3x7ll21f12r6kz9pl9mcn80dljicd"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/320-optional_rfkill.patch"; sha256 = "1i243v8sjcxb3bhwy2vmgkrmy622a2v484g8b10y7pr4qzn9z2zg"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/330-nl80211_fix_set_freq.patch"; sha256 = "0zspfajraipx0p50nlj0ym69hx47g4z1hk6f7dpra3ds61l7m7fq"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/340-reload_freq_change.patch"; sha256 = "0cj4almw5aaj908jyy4h3a2klwyyvqhgy76lxml3czfcavylrf47"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/341-mesh-ctrl-iface-channel-switch.patch"; sha256 = "1avv33hghsc23hjxizkh5ppxs1jk0gskkhfy1yj8r73iabgs5m6s"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/350-nl80211_del_beacon_bss.patch"; sha256 = "1701bqy3glm26zy3c2mn3hxyj357xhjfl44c4rcnd8059bspcnxy"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/360-ctrl_iface_reload.patch"; sha256 = "07cialpbc6dl5rmijb7knaq4pgf1vnizq5m9g3caw8czczal9d46"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/370-ap_sta_support.patch"; sha256 = "0a636ihrxqq09vivvcmm6a1x7vxpprhba5izin0f5y7b2vqk4cl6"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/380-disable_ctrl_iface_mib.patch"; sha256 = "1gkf43gbpcqk1h0kjlbx1d3llzx4m23rpw9hc9ijs35zs159yfs1"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/381-hostapd_cli_UNKNOWN-COMMAND.patch"; sha256 = "1l3vdp6z0chcri32prx15mky9dk1wsdzlc6cxwhbpn1yil05yfq3"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/390-wpa_ie_cap_workaround.patch"; sha256 = "107nyd34x9kl3spcfnzwpc8jva36f72jmzdkrjapkjks685vl6sc"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/400-wps_single_auth_enc_type.patch"; sha256 = "0nzfj2fjl9pic4siadahx8wm4vy7v9immvc224k22hbmffaqz98v"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/410-limit_debug_messages.patch"; sha256 = "1nmq4gb3ff9zsrfxiqpfrnv8j9w79m77ahjw6mx53dyxwp0zmy0f"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/420-indicate-features.patch"; sha256 = "16zb20kyfhxqnh03i0nwcy4ky08x27ickh8c0im5cgw6fmggi9sh"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/430-hostapd_cli_ifdef.patch"; sha256 = "10jf1pl8jpl0yp09f6al42j63j82r869lhfpan4iprh8hvnb77mj"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/431-wpa_cli_ifdef.patch"; sha256 = "0zy5548v4d20l6m10pa4ggdcfm0nxpihj17h82kva0aqd2n53nfr"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/432-missing-typedef.patch"; sha256 = "0qw7nxriv6dmpxzgbpbl33spgllxph9qyjnsbqhqq67spii1j6cf"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/450-scan_wait.patch"; sha256 = "1jp9ffbsb537k95w3dllzivarv913i6n3znlfim5qp416yjx75yr"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/460-wpa_supplicant-add-new-config-params-to-be-used-with.patch"; sha256 = "1cpj1fh9r2g8vmhm6nhl0p8mg0sdqvsacqxda03mmpb0i8phznmh"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/461-driver_nl80211-use-new-parameters-during-ibss-join.patch"; sha256 = "0dcq4ik7bjwfpmazq0bb4p3j58inyjlnf3c8m01fkmh8ax422rl8"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/463-add-mcast_rate-to-11s.patch"; sha256 = "0sg64azsgr8d4z8my81y862r2cjxa6x06v3sjbmllz5i0a7sxgz9"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/464-fix-mesh-obss-check.patch"; sha256 = "08chf9rwwzj2aa33qmcgx2dabrmvph6gyd512nms31dvk55l8sxc"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/470-survey_data_fallback.patch"; sha256 = "195y6k22nq5y5vm1xddxrqgx7n0np5bq66xmib0b6xarnmks1m4h"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/500-lto-jobserver-support.patch"; sha256 = "0k13fgidgylv9w9ghdzrip20rxz9y9phibafcilc945rixjvr49p"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/590-rrm-wnm-statistics.patch"; sha256 = "0gmvf6f8v39z1i5ya3rsw8dxbzkblsmizdizvbi93zasbf1lslm2"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/599-wpa_supplicant-fix-warnings.patch"; sha256 = "0hssi2j0cinp028fkcvc1q9ns7q37gvs0rhbw348h61bsm1ddgij"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/600-ubus_support.patch"; sha256 = "1rd3dnjhk0lrhi8ci40zzlp5bijyyjj8gvg9pgf7d1ws36n6pvvz"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch"; sha256 = "06vpg82lmnq6jkj2qx1z3dvvj6f487rpz1gkfzq61l6xh4amdaq8"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/700-wifi-reload.patch"; sha256 = "14g0nyx4gs8kfqn7vmgglysk7k9dv8ppi2vm6dsy608g8qrlr5vq"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"; sha256 = "05fxjsdnzajwq8kb9znp48lhg7x3kic2l1y4z6sn2j0i1n0yqlz3"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/711-wds_bridge_force.patch"; sha256 = "1xwkpg79178qafb2qlb26blk7m58zadzwlwrgjnxylrbmh6lv79s"; }{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/720-iface_max_num_sta.patch"; sha256 = "1iy09zp1xr8mya3kzv7pv60k0h830mnxxxhs1rlgg98fd7p8i0ld"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/730-ft_iface.patch"; sha256 = "03qrd5q825a60nrh0kndgmycyzbpziqf6bz65avllcy2pm6b27ff"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/740-snoop_iface.patch"; sha256 = "07q23gixnyvz20ih87z25rcim7388jx7c63djgprp7pl4hrbnsgk"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/750-qos_map_set_without_interworking.patch"; sha256 = "1ak72l0n7s1j87671w85nyz590m0js4sm08zg5npj4ykdi8b0iz6"; }
{ url = "https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/751-qos_map_ignore_when_unsupported.patch"; sha256 = "0zp7y7zac0hf9w7bm2lzqz4mkziiq10bn077vhvxaqmyli0hq2gg"; }
]) ++ [
./999-hostapd-2.10-lar.patch
];
});
}
);
}

14
terraform/blowhole.tf
View file

@ -35,6 +35,17 @@ module "blowhole-nomad-server" {
consul_token_path = local.blowhole.nomad.consul_token_path
}
resource "vault_policy" "hostapd_wpa_psk" {
name = "blowhole-hostapd_wpa_psk"
policy = <<EOF
path "${vault_mount.kv.path}/data/homelab-1/blowhole/hostapd/wpa_psk" {
capabilities = ["read"]
}
EOF
}
module "blowhole-upload-approles" {
source = "./upload-approles"
@ -45,7 +56,8 @@ module "blowhole-upload-approles" {
policies = [
module.blowhole-consul-agent.vault_policy.name,
module.blowhole-nomad-server.vault_policy.name,
vault_policy.pki-inra-update.name
vault_policy.pki-inra-update.name,
vault_policy.hostapd_wpa_psk.name
]
metadata = {