nixos/hostapd: rewrite to support multi-AP, password from file, and more
At this point this is basically a full rewrite of this module, which
is a breaking change and was necessary to properly expose the useful
parts of hostapd's config. The notable changes are:

- `hostapd` is now started with additional systemd sandbox/hardening options
- A single-daemon can now manage multiple distinct interfaces, which is
  why all configuration had to be moved into `hostapd.interfaces`
- By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are
  supported, too
- Added passwordFile-like options for wpa and sae
- Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration
- Removes `with lib;` and thus makes this module conformant with [RFC42](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md),
  so it can be marked as done in NixOS#144575.
- Related to NixOS#49171. Closes NixOS#24288.
oddlama committed Mar 22, 2023
1 parent 21580e1 commit 99e461b
Showing 2 changed files with 987 additions and 195 deletions.
7 changes: 7 additions & 0 deletions nixos/doc/manual/release-notes/rl-2305.section.md
Expand Up @@ -112,6 +112,13 @@ In addition to numerous new and upgraded packages, this release has the followin

- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package.

- The `services.hostapd` module was rewritten to support `passwordFile` style options, configuration of WPA3-SAE, and management of multiple interfaces.

- `hostapd` is now started with additional systemd sandbox/hardening options for better security.
- `services.hostapd.interface` was replaced with a per-interface configuration scheme using [services.hostapd.interfaces](#opt-services.hostapd.interfaces).
- `services.hostapd.wpa` has been replaced by [services.hostapd.interfaces.<name>.authentication.wpaPassword](#opt-services.hostapd.interfaces._name_.authentication.wpaPassword) and [services.hostapd.interfaces.<name>.authentication.saePasswords](#opt-services.hostapd.interfaces._name_.authentication.saePasswords) which configure passwords WPA2-PSK and WP3-SAE respectively.
- The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are stil availabe.

- `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/).

- The [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
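
Review bot: The last two added sub-bullets need a proofread before merge. In the `services.hostapd.wpa` bullet, "WP3-SAE" should read "WPA3-SAE" and "which configure passwords WPA2-PSK" is missing "for"; in the default-authentication bullet, "stil availabe" should be "still available". The commit message describes this as a breaking change and names WPA2 and WPA3-SAE-TRANSITION as the supported alternatives, so consider naming those modes in the default-authentication bullet instead of "other (legacy) schemes", so that operators upgrading an existing access point can see what to select if their clients cannot use WPA3-SAE.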