Hello, I’m new to NixOS but the premise really excites me.
Unfortunately I’ve fallen at the first hurdle and I’ve spent the last few hours trying to get wpa_supplicant working with secrets so I can push my nix configuration to public git repos.
I found networking.wireless.secretsFile but I cannot get it working.
I have been successful with hard coding my SSID with:
ext:<name>, is a wpa-supplicant thing for PSKs, so you won’t be able to use it for network ssids in nixos. Not wanting to share your SSID is valid, considering a unique ssid could be mapped to your home address…
Edit: don’t do the below suggestion, I intended it as a hacky suggestion to just get it working but on review, tlater’s right that it is too hacky.
The simplest answer for a nix newbie is to use copy the wpa_supplicant.conf entry for your network, put it in a file outside your git repo, and use builtins.readFile in extraConfig to pass it back in. It’ll still be globally readable in your store, but it will be outside your git repo.
Avoid doing that, please, not only is getting into the habit of reading secrets with builtins.readFile a bad idea, this will also confuse the hell out of you when you try to do pure evaluation since you won’t be able to depend on files outside the project directory at eval time.
I’d really suggest NetworkManager, it’s much more suited for desktop use cases anyway.
It’s certainly not a good idea long term, networkmanager is definitely preferable. I probably should have made clear that it would be tempory solution at best until OP learned ecosystem better.
When just getting started with nix; flakes, git crypt, agenix, sops, etc, can all be a bit overwhelming. I know my nix configs have had plenty ill advised bodges which later got cleaned up simply because I lacked the knowledge to learn all the proper ways of doing things at once. In the meantime, you want a working system.
I’ve had a look at sops and it doesn’t let you reference the secrets at build time - wpa_supplicant would have to pull them in as a file.
I’ve also been told it’s unwise to gitignore a wifi.nix as that’ll cause me issues when I get to flakes.
The only option I see is from @nicolas-goudry but I don’t really want to depend on an old version.
So I don’t have a solution and unfortunately this is a sticking point as this laptop will need to be able to connect to different wifi networks with ease.
Has anyone else got suggestions? I can’t believe it’s this hard to setup wifi in a Linux distribution.
Ultimately, the issue is not with NixOS, it’s with wpa_supplicant… The current NixOS implementation is just following upstream way of doing things. It would be the same with any other Linux distribution.
Again, just use networkmanager if wpa_supplicant is too cumbersome or doesn’t match your use case. wpa_supplicant is just the backend for proper network management services, it’s barely intended to be usable directly.
The equivalent of your configuration for networkmanager is:
networking.networkmanager = {
enable = true;
ensureProfiles = {
environmentFiles = "/home/joe/.wifi";
# Note the network will be called `REDACTED` in your UIs, but that
# does not have to be the same as the SSID
profiles."REDACTED" = {
connection = {
id = "REDACTED";
type = "wifi";
autoconnect = true;
};
wifi = {
mode = "infrastructure";
ssid = "$REDACTED_SSID";
};
wifi-security = {
key-mgmt = "sae"; # For WPA3
# key-mgmt = "wpa-psk"; For WPA2
psk = "$REDACTED_PSK";
};
};
}:
}
It will autoconnect, but you can see connected networks with nmcli. networkmanagerapplet can also be used as a GUI to control your connections. Creating imperative profiles works fine too, for if you want to temporarily connect to a cafe network or something without rebuilding your system.
Just overall much more polished for desktop use than wpa_supplicant, even with those half-functional patches to allow imperative configuration.
I mean, you can also just not use the NixOS module and write /etc/wpa_supplicant.conf by hand. Or use wpa_supplicant_gui. Or use networking.networkmanger.enable and the GUI/nmtui/nmcli.
All of these options are imperative and not the “nix way”, but they’re exactly the same as on other distros. There is no declarative option on other distros, but on NixOS you can do either - you’re just choosing to do it the declarative way.
You’re also just used to the imperative ways, so those seem easier to you. Which is fair! Nobody is forcing you to do things the hard way, feel free to just use any of the imperative options I listed.
I’ve had a go at using NetworkManager’s wifi but after an hour of it failing to connect to my WiFi I’m going to go back to wpa_supplicant and use extraConfig for the time being.
You can try using sudo nmtui to connect and then copy stuff from the profile it generates for you.
Chances are you’re setting the wrong key-mgmt - if you share the output of the journalctl command it tells you to run, we can also help tell you what you’ve set wrong.
In my opinion the SSID or the WPA passphrase are not secrets in a sense that after obtaining them a local user could do something nefarious: they’re already connected to the network. So, using agenix or such mechanism is overkill.
If you want to hide the networks to protect your privacy just don’t share them: put the wireless networks options in an external file and import it, or put the file in the repository but encrypt it using git-crypt.