Unverified Commit 7be83143 authored by Ryan Lahfa's avatar Ryan Lahfa Committed by GitHub

Merge pull request #222536 from oddlama/master

parents 89d68ceb 1fa9f03e
+8 −0
@@ -4,6 +4,8 @@

- FoundationDB now defaults to major version 7.

- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package, along with a significant rework of the hostapd module.

## New Services {#sec-release-23.11-new-services}

- [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable).
@@ -32,6 +34,12 @@

- The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`.

- The `services.hostapd` module was rewritten to support `passwordFile` like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.
  - `hostapd` is now started with additional systemd sandbox/hardening options for better security.
  - `services.hostapd.interface` was replaced with a per-radio and per-bss configuration scheme using [services.hostapd.radios](#opt-services.hostapd.radios).
  - `services.hostapd.wpa` has been replaced by [services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword](#opt-services.hostapd.radios._name_.networks._name_.authentication.wpaPassword) and [services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords](#opt-services.hostapd.radios._name_.networks._name_.authentication.saePasswords) which configure WPA2-PSK and WP3-SAE respectively.
  - The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.

- `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`.

- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.
+1239 −176


+170 −57
@@ -2,11 +2,15 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
{
  name = "wpa_supplicant";
  meta = with lib.maintainers; {
    maintainers = [ rnhmjoj ];
    maintainers = [ oddlama rnhmjoj ];
  };

  nodes.machine = { ... }: {
    imports = [ ../modules/profiles/minimal.nix ];
  nodes = let
    machineWithHostapd = extraConfigModule: { ... }: {
      imports = [
        ../modules/profiles/minimal.nix
        extraConfigModule
      ];

      # add a virtual wlan interface
      boot.kernelModules = [ "mac80211_hwsim" ];
@@ -14,12 +18,64 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
      # wireless access point
      services.hostapd = {
        enable = true;
      wpa = true;
      interface = "wlan0";
      ssid = "nixos-test";
      wpaPassphrase = "reproducibility";
        radios.wlan0 = {
          band = "2g";
          countryCode = "US";
          networks = {
            wlan0 = {
              ssid = "nixos-test-sae";
              authentication = {
                mode = "wpa3-sae";
                saePasswords = [ { password = "reproducibility"; } ];
              };
              bssid = "02:00:00:00:00:00";
            };
            wlan0-1 = {
              ssid = "nixos-test-mixed";
              authentication = {
                mode = "wpa3-sae-transition";
                saePasswordsFile = pkgs.writeText "password" "reproducibility";
                wpaPasswordFile = pkgs.writeText "password" "reproducibility";
              };
              bssid = "02:00:00:00:00:01";
            };
            wlan0-2 = {
              ssid = "nixos-test-wpa2";
              authentication = {
                mode = "wpa2-sha256";
                wpaPassword = "reproducibility";
              };
              bssid = "02:00:00:00:00:02";
            };
          };
        };
      };

      # wireless client
      networking.wireless = {
        # the override is needed because the wifi is
        # disabled with mkVMOverride in qemu-vm.nix.
        enable = lib.mkOverride 0 true;
        userControlled.enable = true;
        interfaces = [ "wlan1" ];
        fallbackToWPA2 = lib.mkDefault true;

        # networks will be added on-demand below for the specific
        # network that should be tested

        # secrets
        environmentFile = pkgs.writeText "wpa-secrets" ''
          PSK_NIXOS_TEST="reproducibility"
        '';
      };
    };
  in {
    basic = { ... }: {
      imports = [ ../modules/profiles/minimal.nix ];

      # add a virtual wlan interface
      boot.kernelModules = [ "mac80211_hwsim" ];

      # wireless client
      networking.wireless = {
        # the override is needed because the wifi is
@@ -40,9 +96,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
            authProtocols = [ "SAE" ];
          };

        # test network
        nixos-test.psk = "@PSK_NIXOS_TEST@";

          # secrets substitution test cases
          test1.psk = "@PSK_VALID@";              # should be replaced
          test2.psk = "@PSK_SPECIAL@";            # should be replaced
@@ -52,13 +105,56 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:

        # secrets
        environmentFile = pkgs.writeText "wpa-secrets" ''
        PSK_NIXOS_TEST="reproducibility"
          PSK_VALID="S0m3BadP4ssw0rd";
          # taken from https://github.com/minimaxir/big-list-of-naughty-strings
          PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
        '';
      };
    };

    # Test connecting to the SAE-only hotspot using SAE
    machineSae = machineWithHostapd {
      networking.wireless = {
        fallbackToWPA2 = false;
        networks.nixos-test-sae = {
          psk = "@PSK_NIXOS_TEST@";
          authProtocols = [ "SAE" ];
        };
      };
    };

    # Test connecting to the SAE and WPA2 mixed hotspot using SAE
    machineMixedUsingSae = machineWithHostapd {
      networking.wireless = {
        fallbackToWPA2 = false;
        networks.nixos-test-mixed = {
          psk = "@PSK_NIXOS_TEST@";
          authProtocols = [ "SAE" ];
        };
      };
    };

    # Test connecting to the SAE and WPA2 mixed hotspot using WPA2
    machineMixedUsingWpa2 = machineWithHostapd {
      networking.wireless = {
        fallbackToWPA2 = true;
        networks.nixos-test-mixed = {
          psk = "@PSK_NIXOS_TEST@";
          authProtocols = [ "WPA-PSK-SHA256" ];
        };
      };
    };

    # Test connecting to the WPA2 legacy hotspot using WPA2
    machineWpa2 = machineWithHostapd {
      networking.wireless = {
        fallbackToWPA2 = true;
        networks.nixos-test-wpa2 = {
          psk = "@PSK_NIXOS_TEST@";
          authProtocols = [ "WPA-PSK-SHA256" ];
        };
      };
    };
  };

  testScript =
@@ -66,30 +162,47 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
      config_file = "/run/wpa_supplicant/wpa_supplicant.conf"

      with subtest("Configuration file is inaccessible to other users"):
          machine.wait_for_file(config_file)
          machine.fail(f"sudo -u nobody ls {config_file}")
          basic.wait_for_file(config_file)
          basic.fail(f"sudo -u nobody ls {config_file}")

      with subtest("Secrets variables have been substituted"):
          machine.fail(f"grep -q @PSK_VALID@ {config_file}")
          machine.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
          machine.succeed(f"grep -q @PSK_MISSING@ {config_file}")
          machine.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
          basic.fail(f"grep -q @PSK_VALID@ {config_file}")
          basic.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
          basic.succeed(f"grep -q @PSK_MISSING@ {config_file}")
          basic.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")

      with subtest("WPA2 fallbacks have been generated"):
          assert int(machine.succeed(f"grep -c sae-only {config_file}")) == 1
          assert int(machine.succeed(f"grep -c mixed-wpa {config_file}")) == 2
          assert int(basic.succeed(f"grep -c sae-only {config_file}")) == 1
          assert int(basic.succeed(f"grep -c mixed-wpa {config_file}")) == 2

      # save file for manual inspection
      machine.copy_from_vm(config_file)
      basic.copy_from_vm(config_file)

      with subtest("Daemon is running and accepting connections"):
          machine.wait_for_unit("wpa_supplicant-wlan1.service")
          status = machine.succeed("wpa_cli -i wlan1 status")
          basic.wait_for_unit("wpa_supplicant-wlan1.service")
          status = basic.succeed("wpa_cli -i wlan1 status")
          assert "Failed to connect" not in status, \
                 "Failed to connect to the daemon"

      with subtest("Daemon can connect to the access point"):
          machine.wait_until_succeeds(
      machineSae.wait_for_unit("hostapd.service")
      machineSae.copy_from_vm("/run/hostapd/wlan0.hostapd.conf")
      with subtest("Daemon can connect to the SAE access point using SAE"):
          machineSae.wait_until_succeeds(
            "wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
          )

      with subtest("Daemon can connect to the SAE and WPA2 mixed access point using SAE"):
          machineMixedUsingSae.wait_until_succeeds(
            "wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
          )

      with subtest("Daemon can connect to the SAE and WPA2 mixed access point using WPA2"):
          machineMixedUsingWpa2.wait_until_succeeds(
            "wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
          )

      with subtest("Daemon can connect to the WPA2 access point using WPA2"):
          machineWpa2.wait_until_succeeds(
            "wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
          )
    '';
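Review bot: The new `machineSae.copy_from_vm("/run/hostapd/wlan0.hostapd.conf")` pulls hostapd's rendered runtime config out for inspection, but unlike the wpa_supplicant side (`basic.fail(f"sudo -u nobody ls {config_file}")`) nothing asserts that this file is unreadable to other users. Since the mixed network feeds its secrets through `saePasswordsFile`/`wpaPasswordFile`, the rendered file presumably carries those passwords in clear, so an over-permissive file would pass the test unnoticed. Consider a subtest before the connect checks that mirrors the existing one: `machineSae.wait_for_file("/run/hostapd/wlan0.hostapd.conf")` followed by `machineSae.fail("sudo -u nobody ls /run/hostapd/wlan0.hostapd.conf")`. The `testScript` string starts before this hunk, so the `basic` and `machineSae` handles it uses are bound outside the visible lines.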
+39 −12
@@ -23,13 +23,21 @@ stdenv.mkDerivation rec {

  outputs = [ "out" "man" ];

  # Based on hostapd's defconfig. Only differences are tracked.
  extraConfig = ''
    # Use epoll(7) instead of select(2) on linux
    CONFIG_ELOOP_EPOLL=y

    # Drivers
    CONFIG_DRIVER_WIRED=y
    CONFIG_LIBNL32=y
    CONFIG_DRIVER_NONE=y

    # Integrated EAP server
    CONFIG_EAP_SIM=y
    CONFIG_EAP_AKA=y
    CONFIG_EAP_AKA_PRIME=y
    CONFIG_EAP_PAX=y
    CONFIG_EAP_PSK=y
    CONFIG_EAP_PWD=y
    CONFIG_EAP_SAKE=y
    CONFIG_EAP_GPSK=y
@@ -38,29 +46,48 @@ stdenv.mkDerivation rec {
    CONFIG_EAP_IKEV2=y
    CONFIG_EAP_TNC=y
    CONFIG_EAP_EKE=y
    CONFIG_RADIUS_SERVER=y
    CONFIG_IEEE80211R=y
    CONFIG_IEEE80211N=y
    CONFIG_IEEE80211AC=y
    CONFIG_IEEE80211AX=y
    CONFIG_FULL_DYNAMIC_VLAN=y
    CONFIG_VLAN_NETLINK=y

    CONFIG_TLS=openssl
    CONFIG_TLSV11=y
    CONFIG_TLSV12=y
    CONFIG_INTERNETWORKING=y

    CONFIG_SAE=y
    CONFIG_SAE_PK=y

    CONFIG_OWE=y
    CONFIG_OCV=y

    # TKIP is considered insecure and upstream support will be removed in the future
    CONFIG_NO_TKIP=y

    # Misc
    CONFIG_RADIUS_SERVER=y
    CONFIG_FULL_DYNAMIC_VLAN=y
    CONFIG_VLAN_NETLINK=y
    CONFIG_GETRANDOM=y
    CONFIG_INTERWORKING=y
    CONFIG_HS20=y
    CONFIG_FST=y
    CONFIG_FST_TEST=y
    CONFIG_ACS=y
    CONFIG_GETRANDOM=y
    CONFIG_SAE=y
    CONFIG_WNM=y
    CONFIG_MBO=y

    CONFIG_IEEE80211R=y
    CONFIG_IEEE80211W=y
    CONFIG_IEEE80211N=y
    CONFIG_IEEE80211AC=y
    CONFIG_IEEE80211AX=y
  '' + lib.optionalString (sqlite != null) ''
    CONFIG_SQLITE=y
  '';

  passAsFile = [ "extraConfig" ];

  configurePhase = ''
    cd hostapd
    cp -v defconfig .config
    echo "$extraConfig" >> .config
    cat $extraConfigPath >> .config
    cat -n .config
    substituteInPlace Makefile --replace /usr/local $out
    export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE $(pkg-config --cflags libnl-3.0)"
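Review bot: The rewritten TLS section keeps `CONFIG_TLSV11=y` alongside the new `CONFIG_SAE_PK`, `CONFIG_OWE` and `CONFIG_NO_TKIP` hardening, so the integrated EAP server still negotiates TLS 1.1, which RFC 8996 deprecates; unless a known legacy EAP client still depends on it, drop that line or leave a comment naming the reason it stays, in the same spirit as the `CONFIG_NO_TKIP` comment. Separately, the new `cat $extraConfigPath >> .config` in configurePhase should quote the variable, `cat "$extraConfigPath" >> .config`, to follow shell conventions even though store paths contain no whitespace. The `extraConfig` string starts in the previous hunk.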
+1 −0
@@ -57,6 +57,7 @@ stdenv.mkDerivation rec {
    CONFIG_LIBNL32=y
    CONFIG_OWE=y
    CONFIG_P2P=y
    CONFIG_SAE_PK=y
    CONFIG_TDLS=y
    CONFIG_TLS=openssl
    CONFIG_TLSV11=y