RFC: hostapd: extend module to allow multiple APs. #49171
Conversation
|
[Mentioning @wkennington and @Phreedom, as folks in the maintainers list for hostapd.] |
|
A thought: given that we are faced with a breaking change anyway, would it be worthwhile to add a |
|
Well, I went for it. This actually lets me simplify the dependency list now that the bridge dependency is explicit. I rebooted my machine a bunch of times an observed stable bring-up of everything. Since it's a separate commit, it will be easy to back out if there are issues. |
|
@qolii Thanks for the PR! Sorry this went unnoticed for so long. I gave this a try together with @NinjaTrappeur. We rebased your commits on the latest master, a more recent version of the branch can be found at https://github.com/flokli/nixpkgs/commits/hostapd-multiple-ifs. I incorporated the systemd interface escaping that was done in master since your PR. I do have more comments about it. Do you still want to merge this in? If yes, could you reset your PR to that version, so I can comment in here? |
|
@flokli, thanks for getting back to me! This sounds great. Please give me another day or two, I'm a bit swamped at the moment. |
|
sure :-) |
|
Hi @flokli, so, what I did was remake the branch on my fork by cherry-picking the two commits from the branch on your fork. So I think those are now what you see here. Is this what you had in mind? If so, comment away! What are you thinking? |
|
(And just fixed merge conflicts) |
…systemd service file (and one instance of hostapd) for each AP.
|
(and just reinstated the |
|
@flokli / @NinjaTrappeur, any thoughts? |
|
@qolii this doesn't look too bad to me, but for the next two weeks, I won't have access to the hardware available to test it. I remember @NinjaTrappeur mentioning a lot of hostapd options were still missing. Instead of adding all these, do you think it might make sense to refactor this to something like https://github.com/Infinisil/rfcs/blob/config-option/rfcs/0042-config-option.md describes? |
|
@floli, I like the idea of doing a refactor. However, would you be amenable to merging this first (as I think this provides genuinely useful functionality), and doing that in a separate PR? I'm happy to give the refactor a shot myself. |
| @@ -3,6 +3,7 @@ | |||
| # TODO: | |||
| # | |||
| # asserts | |||
| # ensure interface name is set | |||
There was a problem hiding this comment.
It's probably not too complicated to add code for this inside this PR.
| @@ -3,6 +3,7 @@ | |||
| # TODO: | |||
| # | |||
| # asserts | |||
| # ensure interface name is set | |||
| # ensure that the nl80211 module is loaded/compiled in the kernel | |||
There was a problem hiding this comment.
This could be moved into the generic services.hostapd description.
| @@ -3,6 +3,7 @@ | |||
| # TODO: | |||
| # | |||
| # asserts | |||
| # ensure interface name is set | |||
| # ensure that the nl80211 module is loaded/compiled in the kernel | |||
| # wpa_supplicant and hostapd on the same wireless interface doesn't make any sense | |||
There was a problem hiding this comment.
probably the same applies for this one as well - In networking.supplicant.<name>, <name> can be separated by spaces, so matching automatically would be a bit more complicated.
| default = ""; | ||
| example = "wlp2s0"; | ||
| description = '' | ||
| The interfaces <command>hostapd</command> will use. |
| interface = mkOption { | ||
| default = ""; | ||
| example = "wlp2s0"; | ||
| APs = mkOption { |
There was a problem hiding this comment.
I'm not sure if I'm so happy with the APs = [] part - it's quite unintuitive compared to how the rest of the module system looks like, and hostapd too only knows about bssids and interfaces, not APs.
Can we make this similar to networking.supplicant? Having the description in services.hostapd, and a services.hostapd.<(interface_)name>.*, like networking.supplicant.<name>.*?
From my understanding, there can only be one hostapd process per physical interface, and configuring multiple bssids would be part of the per-interface config file, which would need to duplicated for dual/multi-band setups.
|
For the author, reviewers, and committers: this PR was scanned and appears to add a use of the deprecated
|
|
Thank you for your contributions.
|
stale
bot
added
the
2.status: stale
|
Still important to me! I'll try to rework this based on the comments so far. I know has changed in Nix-land since I first proposed this anyway. |
stale
bot
removed
the
2.status: stale
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
|
Can I help you to get this PR merged? |
stale
bot
removed
the
2.status: stale
|
Last activity from @qolii is from 2020: Closing as dead. |
…ore: At this point this is basically a full rewrite of this module, which is a breaking change and was necessary to properly expose the useful parts of hostapd's config. The notable changes are: - `hostapd` is now started with additional systemd sandbox/hardening options - A single-daemon can now manage multiple distinct interfaces, which is why all configuration had to be moved into `hostapd.interfaces` - By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are supported, too - Added passwordFile-like options for wpa and sae - Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration - Removes `with lib;` and thus makes this module conformant with [RFC42](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md), so it can be marked as done in NixOS#144575. - Related to NixOS#49171. Closes NixOS#24288.
At this point this is basically a full rewrite of this module, which is a breaking change and was necessary to properly expose the useful parts of hostapd's config. The notable changes are: - `hostapd` is now started with additional systemd sandbox/hardening options - A single-daemon can now manage multiple distinct interfaces, which is why all configuration had to be moved into `hostapd.interfaces` - By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are supported, too - Added passwordFile-like options for wpa and sae - Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration - Removes `with lib;` and thus makes this module conformant with [RFC42](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md), so it can be marked as done in NixOS#144575. - Related to NixOS#49171. Closes NixOS#24288.
At this point this is basically a full rewrite of this module, which is a breaking change and was necessary to properly expose the useful parts of hostapd's config. The notable changes are: - `hostapd` is now started with additional systemd sandbox/hardening options - A single-daemon can now manage multiple distinct interfaces, which is why all configuration had to be moved into `hostapd.interfaces` - By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are supported, too - Added passwordFile-like options for wpa and sae - Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration - Removes `with lib;` and thus makes this module conformant with [RFC42](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md), so it can be marked as done in NixOS#144575. - Related to NixOS#49171. Closes NixOS#24288.
At this point this is basically a full rewrite of this module, which is a breaking change and was necessary to properly expose the useful parts of hostapd's config. The notable changes are: - `hostapd` is now started with additional systemd sandbox/hardening options - A single-daemon can now manage multiple distinct interfaces, which is why all configuration had to be moved into `hostapd.interfaces` - By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are supported, too - Added passwordFile-like options for wpa and sae - Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration - Removes `with lib;` and thus makes this module conformant with [RFC42](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md), so it can be marked as done in NixOS#144575. - Related to NixOS#49171. Closes NixOS#24288.
At this point this is basically a full rewrite of this module, which is a breaking change and was necessary to properly expose the useful parts of hostapd's config. The notable changes are: - `hostapd` is now started with additional systemd sandbox/hardening options - A single-daemon can now manage multiple distinct interfaces, which is why all configuration had to be moved into `hostapd.interfaces` - By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are supported, too - Added passwordFile-like options for wpa and sae - Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration - Removes `with lib;` and thus makes this module conformant with [RFC42](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md), so it can be marked as done in NixOS#144575. - Related to NixOS#49171. Closes NixOS#24288.
At this point this is basically a full rewrite of this module, which is a breaking change and was necessary to properly expose the useful parts of hostapd's config. The notable changes are: - `hostapd` is now started with additional systemd sandbox/hardening options - A single-daemon can now manage multiple distinct interfaces, which is why all configuration had to be moved into `hostapd.interfaces` - By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are supported, too - Added passwordFile-like options for wpa and sae - Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration - Removes `with lib;` and thus makes this module conformant with [RFC42](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md), so it can be marked as done in NixOS#144575. - Related to NixOS#49171. Closes NixOS#24288.
At this point this is basically a full rewrite of this module, which is a breaking change and was necessary to properly expose the useful parts of hostapd's config. The notable changes are: - `hostapd` is now started with additional systemd sandbox/hardening options - A single-daemon can now manage multiple distinct interfaces, which is why all configuration had to be moved into `hostapd.interfaces` - By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are supported, too - Added passwordFile-like options for wpa and sae - Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration - Removes `with lib;` and thus makes this module conformant with [RFC42](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md), so it can be marked as done in NixOS#144575. - Related to NixOS#49171. Closes NixOS#24288.
At this point this is basically a full rewrite of this module, which is a breaking change and was necessary to properly expose the useful parts of hostapd's config. The notable changes are: - `hostapd` is now started with additional systemd sandbox/hardening options - A single-daemon can now manage multiple distinct interfaces, which is why all configuration had to be moved into `hostapd.interfaces` - By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are supported, too - Added passwordFile-like options for wpa and sae - Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration - Removes `with lib;` and thus makes this module conformant with [RFC42](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md), so it can be marked as done in NixOS#144575. - Related to NixOS#49171. Closes NixOS#24288.
Motivation for this change
It is useful to be able to run multiple APs on a hostapd machine. The traditional ways to do this appear to be:
This change implements (1). I prefer this a bit over (2), because it gives each AP its own separate log in journald, and also means you can change configuration and restart just one AP at a time. I have found this to be more flexible in use.
I also have a version of this change implementing (2), if people feel strongly about that.
NOTE: This is a breaking change to the configuration format. My approach has been to take the existing single-AP configuration style, define a submodule around it, and modify the nixos module to take a list of this submodule called
APs, as follows:This will result in two systemd service files, namely,
hostapd-wlp7s0.serviceandhostapd-wlp5s0.service.This works well, but will not accept any working existing configurations. I also could not figure out how to extend the hostapd entry in
rename.nix. I expect these things are a big problem for the acceptance of this change, so if anyone has advice on how to achieve this more gently, please let me know.systemd ordering
Upon making this change, I noticed failures at startup due to systemd ordering, because hostapd would try to start too early. I have thus reworked the ordering a little bit, and observe a completely reliable service on my machine. However, I am not an expert in all the different types of ways to do this, so any advice on this front is also very welcome.
In summary, this change has been very functional for me in testing.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)