wifi: Make more user-friendly

install_os.sh

@@ -115,6 +115,7 @@ echo "- Boot into the system"
 echo "- Transfer necessary private keys (or use ssh -A for testing)"
 echo "- Run git-sync"
 echo "- Run install-passwords"
+echo "- Run install-wifi"
 echo "- Run rb"
 echo "- Change root and user password"
 

os/default.nix

@@ -12,6 +12,6 @@
     ./geoffrey.nix
     ./printing
     ./style
-    ./wireless.nix
+    ./wireless
   ];
 }

os/wireless.nix

@@ -1,13 +0,0 @@
-{ pkgs, ... }:
-{
-  # wireless support via wpa_supplicant
-  networking.wireless = {
-    enable = true;
-    extraConfig = ''
-      country=NL
-    '';
-  };
-  networking.wireless.userControlled.enable = true; # Allow some control with wpa_cli
-  environment.systemPackages = with pkgs; [ wirelesstools ];
-  services.chrony.serverOption = "offline";
-}

os/wireless/default.nix

@@ -0,0 +1,54 @@
+{ pkgs, lib, config, ... }:
+{
+  environment.systemPackages = [
+    (pkgs.writeShellApplication {
+      name = "install-wifi";
+      text = ''
+        temp="$(mktemp --directory --suffix="-install-wifi")"
+        cd "$temp"
+        ${
+          pkgs.writers.writePython3 "install-wifi-import" {
+            libraries = [ pkgs.python3Packages.pyaml ];
+          } (builtins.readFile ./import.py)
+        }
+        sudo chown root:root wireless_networks.{env,json}
+        sudo chmod "u=r" wireless_networks.env
+        sudo chmod "u=r,g=r,o=r" wireless_networks.json
+        sudo mkdir -p /etc/keys
+        sudo mv -f wireless_networks.{env,json} /etc/keys
+        cd -
+        rmdir "$temp"
+        rb
+      '';
+      # This relies on multiple off-repo things:
+      # - pass password store with wifi/${name} entries, containing wpa_supplicant networks
+      #   loosely converted to YAML (see import.py script)
+      # - In a (private) flake:
+      #   inputs.wirelessNetworks.url = "path:/etc/keys/wireless_networks.json";
+      #   inputs.wirelessNetworks.flake = false;
+      # - In NixOS config (using flake inputs):
+      #   networking.wireless.environmentFile = "/etc/keys/wireless_networks.env";
+      #   networking.wireless.networks = builtins.fromJSON (builtins.readFile wirelessNetworks);
+    })
+  ];
+  # wireless support via wpa_supplicant
+  networking.wireless = {
+    enable = true;
+    extraConfig = ''
+      country=NL
+    '';
+    # Public wireless networks
+    networks = lib.genAttrs [
+      "EurostarTrainsWiFi"
+      "_SNCF gare-gratuit"
+      "_SNCF_WIFI_INOUI"
+      "Wifi in de trein"
+      "WiFi in de trein"
+      "_WIFI_LYRIA"
+      "WIFIonICE"
+    ]
+      (ssid: { });
+    userControlled.enable = true; # Allow some control with wpa_cli
+  };
+  services.chrony.serverOption = "offline";
+}

os/wireless/import.py

@@ -1,9 +1,6 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i python3
-#! nix-shell -p python3 python3Packages.pyaml
-
 """
-Exports Wi-Fi networks configuration stored in pass into a format readable by Nix.
+Exports Wi-Fi networks configuration stored in pass
+into a format readable by Nix.
 """
 
 # TODO EAP ca_cert=/etc/ssl/... probably won't work. Example fix:
@@ -11,7 +8,6 @@ Exports Wi-Fi networks configuration stored in pass into a format readable by Ni
 #     url = "https://letsencrypt.org/certs/isrgrootx1.pem";
 #     sha256 = "sha256:1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
 # }
-# TODO Very ugly, can probably do better
 
 import hashlib
 import json
@@ -22,10 +18,9 @@ import yaml
 
 # passpy doesn't handle encoding properly, so doing this with calls
 
-PASSWORD_STORE = os.path.expanduser("~/.local/share/pass")
+PASSWORD_STORE = os.environ["PASSWORD_STORE_DIR"]
 SUBFOLDER = "wifi"
-SEPARATE_PASSWORDS = False
-# TODO Find a way to make then env file available at whatever time it is needed
+SEPARATE_PASSWORDS = True
 
 
 class Password:
@@ -41,7 +36,7 @@ class Password:
         # return self.path.split("/")[-1].upper()
         m = hashlib.sha256()
         m.update(self.path.encode())
-        return m.hexdigest().upper()
+        return "p" + m.hexdigest().upper()
 
     def val(self) -> str:
         return self.content
@@ -148,7 +143,9 @@ for path in list_networks():
     if psk:
         network["psk"] = psk.key()
         if data:
-            raise NotImplementedError(f"{path}: Unhandled non-auth extra: {data}")
+            raise NotImplementedError(
+                f"{path}: Unhandled non-auth extra: {data}"
+            )
     else:
         if data:
             network["auth"] = format_wpa_supplicant_conf(data)
@@ -164,8 +161,4 @@ with open("wireless_networks.json", "w") as fd:
 with open("wireless_networks.env", "w") as fd:
     if SEPARATE_PASSWORDS:
         for k, v in Password.vars().items():
-            print(f"{k}={v}", file=fd)
-
-print("Now, execute:")
-print("sudo mv -f wireless_networks.* /etc/keys")
-print("rb")
+            print(f'{k}="{v}"', file=fd)