NixOS access point via hostapd


I would like to make available an access point from my NixOS laptop:

services.hostapd.enable = true;
services.hostapd.interface = “wlp4s0”;
services.hostapd.ssid = “myname”;
services.hostapd.wpaPassphrase = “mysecret”;

However, when another laptop tries to connect to it, it’s immediately disconnected and tries to connect again in an infinite loop.

I think we should have a module where you only need to put in the password and an ssid name and then it should work. hostapd should only be an implementation detail.

An interface like services.wifi_hotspot = {wpaPassPhrase = “mysecret”; ssid = “myname”};

Any other configuration options are just line noise as far as I am concerned.


This doesn’t solve your problem declaratively, but I think the easiest option currently available is creating a “shared connection” using network-manager.

Since networking has an overhaul on its way with systemd-networkd anyway, I imagine this might also bring in an easier way to set up a wireless network declaratively.

That aside, I agree it would be nice to have this work simply.


@lheckemann do you know if the overhaul will touch how the firewall works? I have a few grievances how forwarding (isn’t) handled and might put a bit of time in improving it otherwise. is there a discussion somewhere what will be done?


I am using the code below
It allows to configure “shared connection” declaratively, and disallow network-manager to use the virtual interface used by hostapd

# "wlp3s0" is the hardware device, "wlan-station0" is for wifi-client managed by network manager, "wlan-ap0" is for hostap
networking.wlanInterfaces = {
  "wlan-station0" = { device = "wlp3s0";                            };
  "wlan-ap0"      = { device = "wlp3s0"; mac = "08:11:96:0e:08:0a"; };

networking.networkmanager.unmanaged = [ "interface-name:wlp*" ]
    ++ lib.optional "interface-name:${}";

services.hostapd = {
  enable        = true;
  interface     = "wlan-ap0";
  hwMode        = "g";
  ssid          = "nix";
  wpaPassphrase = "mysekret";

networking.interfaces."wlan-ap0".ipv4.addresses =
  lib.optionals [{ address = ""; prefixLength = 24; }];

services.dnsmasq = lib.optionalAttrs {
  enable = true;
  extraConfig = ''
networking.firewall.allowedUDPPorts = lib.optionals [53 67]; # DNS & DHCP
services.haveged.enable =;

And there is also NAT settings