Start declarative WiFi configuration

2025-07-21 16:34:24 +03:00 · 2025-07-21 16:34:24 +03:00 · 035a5b1b4a
commit 035a5b1b4a
parent ef702f721d
4 changed files with 114 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -71,3 +71,9 @@ creation_rules:
    - age:
      - *vili-bw
      - *wg-rpi
+  - path_regex: ^secrets/wireless.yaml$
+    key_groups:
+    - age:
+      - *vili-bw
+      - *helium
+      - *lithium
--- a/hosts/x86_64-linux/lithium.nix
+++ b/hosts/x86_64-linux/lithium.nix
@ -20,6 +20,7 @@
        enable = true;
        suffix = "8";
      };
+      wireless.enable = true;
    };
    hardware.intelLaptop.enable = true;
    services = {
--- a/modules/networking/wireless.nix
+++ b/modules/networking/wireless.nix
@ -0,0 +1,71 @@
+{ config, lib, ... }:
+let
+  cfg = config.custom.networking.wireless;
+in
+{
+  options.custom.networking.wireless.enable =
+    lib.mkEnableOption "wireless networking with preconfigured networks";
+
+  config = lib.mkIf cfg.enable {
+    sops = {
+      secrets = {
+        WRT_Personal_PSK.sopsFile = ../../secrets/wireless.yaml;
+        WLNPub_PSK.sopsFile = ../../secrets/wireless.yaml;
+        ViliMobile_PSK.sopsFile = ../../secrets/wireless.yaml;
+      };
+
+      templates."wpa_supplicant_secrets".content = ''
+        WRT_Personal_PSK=${config.sops.placeholder.WRT_Personal_PSK}
+        WLNPub_PSK=${config.sops.placeholder.WLNPub_PSK}
+        ViliMobile_PSK=${config.sops.placeholder.ViliMobile_PSK}
+      '';
+    };
+
+    networking.networkmanager.unmanaged = [ "except:type:wifi" ];
+
+    networking.wireless = {
+      fallbackToWPA2 = false;
+      enable = true;
+      userControlled.enable = true;
+      secretsFile = config.sops.templates."wpa_supplicant_secrets".path;
+      extraConfig = ''
+        mac_addr=1
+      '';
+      networks = {
+        WRT_Personal = {
+          authProtocols = [ "SAE" ];
+          pskRaw = "ext:WRT_Personal_PSK";
+          priority = 100;
+          extraConfig = ''
+            ieee80211w=2
+            pairwise=CCMP
+            group=CCMP
+            mac_addr=0
+          '';
+        };
+        WLNPub = {
+          # TODO Fix
+          pskRaw = "ext:WLNPub_PSK";
+          priority = 100;
+          extraConfig = ''
+            ieee80211w=2
+            pairwise=CCMP
+            group=CCMP
+            mac_addr=0
+          '';
+        };
+        ViliMobile = {
+          authProtocols = [ "SAE" ];
+          pskRaw = "ext:ViliMobile_PSK";
+          priority = 50;
+          extraConfig = ''
+            ieee80211w=2
+            pairwise=CCMP
+            group=CCMP
+            mac_addr=0
+          '';
+        };
+      };
+    };
+  };
+}
--- a/secrets/wireless.yaml
+++ b/secrets/wireless.yaml
@ -0,0 +1,36 @@
+WRT_Personal_PSK: ENC[AES256_GCM,data:14EgZsa+2+tJqBJBkF8tIhTbjdg=,iv:s7jRDOGwjEJKh+p2UJQ4lJkouM0NVkLsoz6kNQ8pmAU=,tag:cqZoXOHHskcSEnLOIFPEuw==,type:str]
+WLNPub_PSK: ENC[AES256_GCM,data:scmOwtACDv4cVjQVw7Rd,iv:wnQE1+fASxe6t88sP1k78Mkv6aPmdqMZ0pkvilYYInU=,tag:5FEFnWVm/8XG7TnrDoJueg==,type:str]
+ViliMobile_PSK: ENC[AES256_GCM,data:vqihGwqqzd/ZuZJ9TaDajA==,iv:7MXFeA4vZFVvUx8DbkdPoQek8jUTV6tNyhkBF59PjR8=,tag:pbCJbAdT2JPi9KcF4/5DJQ==,type:str]
+sops:
+    age:
+        - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbi9sU2NjYkl0R3hNOFEr
+            UEhvV2NxTE1QQUZOMXNjKzlGNlZQOXdybzFJCm9ZVkFXbGVuKzVVQ3NkODhhc1o0
+            OHVlcElYeEt5UzZFVE9pU2wzcEt4Y0UKLS0tIGRYVjhsYm9qS0J0Z0FlMGNVQmY4
+            c0d6bUFibDhCcWN3K3lDbzg3OCtnaTgKYPkeIn83IYP/PmcrMlDhYRTMuMmGGrFs
+            ZYe5bW7Mp9Mf04IFDzAtFI4sdcND7EiZcwX6LVLBU/qCBEp21OvWKA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdnJRUzRPeXNSYzZxbFl2
+            QjBZTkpUMVZDVk5va1VNazNuTHlubFZGb3lzCmppL2hYZTZsTFpIY3BZQmQrZTVI
+            d044ZXNka3hxOHcxVHpld1FJWDlWa3cKLS0tIEwwV3VXNnFxVnB3TWFhWFdORUdy
+            OTJNVXFXYkxDZVVxNHg0YnBzMUZsN1EKNftAqBZKlcnrEyCLemXGtc1DscRHsDBU
+            P8r0mHJpeJJ99/ADTtH9dVN7HtADP1ana9LdI8kqaiJ0goI7al+v6Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yrfr0q72nqa842t0mzckeemfww28qzcd3wqmrd8mvzwvgpzssvlq9ruzlk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaE5selZZUzl5NmFhNHhz
+            OGpFKzNhZW5vTVRWRmhzTm9ORGVZK1BoMnlVCkovYmlPK0lRUXRyMFo0Zm5JdUpC
+            STdOcjYvVzltc2lsZ0hleVI5TjRYeWsKLS0tIHB3cGJZUi9vTFpFcnZpU0p6U3lT
+            aGdnUXVCZlZDUmltdk5mMDc5Y2huLzgKjf6lENGwYqJ0tOkTDeNmIXTq8vqMUzz8
+            aNRUtHutwo4BcLPRpWpwdY13DNwQVulGm4Pca6UO12phy+OIFhE8ag==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-21T12:13:12Z"
+    mac: ENC[AES256_GCM,data:SdtWdtydEfqSoe2mMHfFpNkiHyHh/gbr40W8ke7oWeFSUiS32lz5Pmp/qrqxO2sWwjIpM4VMIBJmTgiqRLVaPVhthJqCEaR13ZUJjD/WAk6ApdAR0y46y6o+zw7FHii6dr9l9lgKwAuqYVMUuYAsdSPpD5fUVHoBLd/8Ogk8Vvo=,iv:wtBsAcu4FtqUSFgMsbFisobl0c/0p77f5HlIPy5EFJo=,tag:Vq+QsISQGq9ut9OHUNgkzw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2