Merge pull request #154130 from rnhmjoj/fix-wpa

nixos/wireless: enable PMF by default

authored by Michele Guerini Rocco and committed by GitHub 5af7724c 37246842

+42 -3
+42 -3
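--- a/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixos/modules/services/networking/wpa_supplicant.nix
@@ -10,14 +10,41 @@
   cfg = config.networking.wireless;
   opt = options.networking.wireless;
 
+  wpa3Protocols = [ "SAE" "FT-SAE" ];
+  hasWPA3 = opts: !mutuallyExclusive opts.authProtocols wpa3Protocols;
+
+  # Gives a WPA3 network higher priority
+  increaseWPA3Priority = opts:
+    opts // optionalAttrs (hasWPA3 opts)
+      { priority = if opts.priority == null
+                     then 1
+                     else opts.priority + 1;
+      };
+
+  # Creates a WPA2 fallback network
+  mkWPA2Fallback = opts:
+    opts // { authProtocols = subtractLists wpa3Protocols opts.authProtocols; };
+
+  # Networks attrset as a list
+  networkList = mapAttrsToList (ssid: opts: opts // { inherit ssid; })
+    cfg.networks;
+
+  # List of all networks (normal + generated fallbacks)
+  allNetworks =
+    if cfg.fallbackToWPA2
+    then map increaseWPA3Priority networkList
+      ++ map mkWPA2Fallback (filter hasWPA3 networkList)
+    else networkList;
+
   # Content of wpa_supplicant.conf
   generatedConfig = concatStringsSep "\n" (
-    (mapAttrsToList mkNetwork cfg.networks)
+    (map mkNetwork allNetworks)
     ++ optional cfg.userControlled.enable (concatStringsSep "\n"
       [ "ctrl_interface=/run/wpa_supplicant"
         "ctrl_interface_group=${cfg.userControlled.group}"
         "update_config=1"
       ])
+    ++ [ "pmf=1" ]
     ++ optional cfg.scanOnLowSignal ''bgscan="simple:30:-70:3600"''
     ++ optional (cfg.extraConfig != "") cfg.extraConfig);
 
@@ -33,7 +60,7 @@
   finalConfig = ''"$RUNTIME_DIRECTORY"/wpa_supplicant.conf'';
 
   # Creates a network block for wpa_supplicant.conf
-  mkNetwork = ssid: opts:
+  mkNetwork = opts:
     let
       quote = x: ''"${x}"'';
       indent = x: " " + x;
@@ -43,7 +70,7 @@
         else opts.pskRaw;
 
       options = [
-        "ssid=${quote ssid}"
+        "ssid=${quote opts.ssid}"
         (if pskString != null || opts.auth != null
           then "key_mgmt=${concatStringsSep " " opts.authProtocols}"
           else "key_mgmt=NONE")
@@ -172,6 +199,18 @@
           Whether to periodically scan for (better) networks when the signal of
           the current one is low. This will make roaming between access points
           faster, but will consume more power.
+        '';
+      };
+
+      fallbackToWPA2 = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to fall back to WPA2 authentication protocols if WPA3 failed.
+          This allows old wireless cards (that lack recent features required by
+          WPA3) to connect to mixed WPA2/WPA3 access points.
+
+          To avoid possible downgrade attacks, disable this options.
         '';
       };
 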
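Review bot: A network whose authProtocols contains only WPA3 protocols (e.g. `[ "SAE" ]`) passes hasWPA3, so mkWPA2Fallback produces a copy with an empty authProtocols, and mkNetwork then emits a bare `key_mgmt=` line for it, which wpa_supplicant presumably refuses as having no key_mgmt values; such fallbacks should be dropped in allNetworks, e.g. `++ filter (n: n.authProtocols != []) (map mkWPA2Fallback (filter hasWPA3 networkList))`. Since the generated fallback keeps the same ssid at a lower priority, the fallbackToWPA2 description (default true) should say explicitly that a mixed WPA2/WPA3 access point may still be joined over WPA2 without any error, so that users who set authProtocols to SAE only for security know to turn the option off. The global `pmf=1` only advertises 802.11w capability rather than requiring it; a one-line comment above it such as `# pmf=1 advertises PMF support; it does not require it for a network` would keep the "enable PMF" intent from being over-read. The new description also has a typo: `disable this options` should read `disable this option`.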