From 545234254b50cbb382196d9c66ea162761ab392b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= <leana.jiang+git@icloud.com>
Date: Wed, 10 Sep 2025 13:24:44 +0800
Subject: [PATCH] vanadium: refactor network configuration

This generates the "key" used in a external password configuration,
reducing the boilerplate.
---
 .../vanadium/nixos/connectivity.nix           |  77 ++++++++++--------
 nix/secrets/wpa_password.age                  | Bin 627 -> 740 bytes
 2 files changed, 43 insertions(+), 34 deletions(-)

diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix
index da0618bc..d9669938 100644
--- a/nix/configurations/vanadium/nixos/connectivity.nix
+++ b/nix/configurations/vanadium/nixos/connectivity.nix
@@ -32,41 +32,52 @@
       userControlled.enable = true;
       secretsFile = config.age.secrets.wpa_password.path;
       networks = let
-        orderedByGroups = networkGroups: let
-          groupsCount = builtins.length networkGroups;
-          withPriority =
-            lib.lists.imap0
-            (i: lib.mapAttrs (_: n: n // {priority = groupsCount - i;}))
-            networkGroups;
+        # The higher the more preferred
+        prio = i: lib.mapAttrs (_: conf: conf // {priority = i;});
+
+        privatePrio = prio 10;
+        limitedDataPrio = prio (-10);
+
+        openNetworks = lib.flip lib.genAttrs (_: {});
+        pskNetworks = let
+          # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
+          escapePwdKey = lib.replaceStrings ["="] ["_"];
         in
-          lib.mkMerge withPriority;
+          lib.flip lib.genAttrs (name: {pskRaw = "ext:${escapePwdKey name}";});
       in
-        orderedByGroups [
-          {
-            "HiddenParadize@Earth2077".pskRaw = "ext:HOME";
-            "Pei’s Wifi".pskRaw = "ext:PEI";
-            "girlypop-net".pskRaw = "ext:GIRLYPOP";
-            "annapurna".pskRaw = "ext:ANNAPURNA";
-
-            "5526-1" = {
-              pskRaw = "ext:5526-1";
-              extraConfig = ''
-                bgscan="simple:30:-70:3600"
-              '';
-            };
-          }
-          {
-            "A-WAY".pskRaw = "ext:A-WAY";
-            "CAT.jpgcafe".pskRaw = "ext:CAT.jpgcafe";
+        lib.mkMerge [
+          (privatePrio (pskNetworks [
+            "HiddenParadize@Earth2077"
+            "Pei’s Wifi"
+            "girlypop-net"
+            "annapurna"
+            "5526-1"
 
+            "A-WAY"
+            "CAT.jpgcafe"
             # TODO: Figure out how to configure networks of "same password, different ssid".
             #
             # In the following documentation, bssid can be used to match
             # Besides, is it possible to have duplicated SSID?
             # https://man.freebsd.org/cgi/man.cgi?wpa_supplicant.conf%285%29
-            "LOUISA".pskRaw = "ext:LOUISA"; # 區公所
-            "LouisaCoffee".pskRaw = "ext:LouisaCoffee"; # 七張
+            "LOUISA" # 區公所
+            "LouisaCoffee" # 七張
+          ]))
 
+          (limitedDataPrio (pskNetworks [
+            "iPhone de Léana 江"
+          ]))
+
+          (openNetworks [
+            "_SNCF_WIFI_INOUI"
+            "_WIFI_LYRIA"
+            "EurostarTrainsWiFi"
+            "SBB-FREE"
+            "AOT Airport Free Wi-Fi by NT"
+          ])
+
+          # TODO: Delete this when my account is deactivated
+          {
             eduroam = {
               authProtocols = ["WPA-EAP"];
               auth = ''
@@ -82,15 +93,13 @@
               '';
             };
           }
+
+          # Other per-network configuration
+          # bgscan has performance penalty so we don't enable it globally
           {
-            "_SNCF_WIFI_INOUI" = {};
-            "_WIFI_LYRIA" = {};
-            "EurostarTrainsWiFi" = {};
-            "SBB-FREE" = {};
-            "AOT Airport Free Wi-Fi by NT" = {};
-          }
-          {
-            "iPhone de Léana 江".pskRaw = "ext:PHONE";
+            "5526-1".extraConfig = ''
+              bgscan="simple:30:-70:3600"
+            '';
           }
         ];
     };
diff --git a/nix/secrets/wpa_password.age b/nix/secrets/wpa_password.age
index 6f1e5510045cf95287bee4da5af71d24f22af918..3359e69ebff4a3de5d6b4d7b4c2821de8d995e34 100644
GIT binary patch
delta 708
zcmV;#0z3Wl1mp#fEPqT!YkD<BT1hxbSancDM|WsWF+)mrV`Xn~QD#d<VK;O^Qa5XC
zX;V>dRSIoWSvgr^Ok!wtQA$a8MRGSea7$W7QFCN*G);AQXK-UQb$Ux~N@00YO$seO
zAaiqQEoEdfH8n9gAbDpsHDW;^b73$rQ*KvjbXsb8G&OH=H-9)nS5QnuK|wNALw7}O
zS2jp5Hga=$RzgH;3U*_3NH$}3NHKM5aWpefdP6mJWK2XiWN>I=I7&%wI7)g~aaK24
zFGMyp3N1b$DN-~wc0?z9EoX9NVRL05H&1UbeO^F5AWC9HR4_&gN;P6^FG?_VVNW)3
zS}RRXbZ#|ua({SLO)EufWL8)?d1WtCNkLgFGh{Y#Gi@(uQ+8@pMN&#wS4KBfP;5p?
zP6|;rXE`rdFhX@OR%T08Zf6QDEiE85MN)A$FJWXtQ*us4X?9X8Q(-YTGcR^+M|Ep(
zXEiudVRcJLM_OZKML`ORBez|AvxNMGD7fKDdBQ$ugMXFC!7-OBg+@L}=V?0DxwQEC
zF6^>^&4zH#P3kF`%5Qr?J6N*%s0L*@;J7O!!ulT_n6MjP{TI=&2Rid)8k5=Bk2Et^
zcpEju<V3}|^4LN}ArB7C>71BCM_-mAhbEh*1z`ajN6gEE`1RINZAs(cdL{}0QFGf3
zL-dn9)_+(2>21OaXq)S1q-bagQ&u+E_ivP263UiEc3h-~3XF;N_C@+4uemz9Er=GQ
z{P8<K>#V{tfsxQNH{G$62Y%Jan>#Bh41vJU!HQX77E=@axm2(D$nO(+vZy<XVSiEQ
ze<yK!l2zDXf~rC~wQ?=pN!U0KJy@|w?*kA4O+BJgDGEyR|H{3F-wfmFCYgER#ARxb
q%}VSN4PQjpLV=fnw|Hbctp@(81O~Kegt{?Af*l~3W<t$WA5wmti5n0A

delta 594
zcmV-Y0<Hbz1@i=uEPr84M^;2fcvDDCHB?i2LvUeFPI^%}dPZnXOKUPWct$dED@rsr
zRakXZSqg7!WJGv2Y-cfQVpv2gZ)-AoPeD{tO=&l6L~S#5b!kXcIZ$dxO)+n0K?*HC
zAaiqQEoEdfH8n9gAbDpsHDW;^F*QO$R&i8JZe&MfPHROmbbmNTOK(I~GB<NEcSLC`
zHd<*nOjmDXZB9c;3TtXiLQZCCMr&s=cy~)SWNL6}WNK_RcSA#HI8<wDH)2#}Q%gi*
zLu@c-3N1b$BT6nzO?^`&EoX9NVRK~)W;AwrY+-IpGh}Q_azR)@ZAwT*R7P`mR#tO2
zSafSfV{c~)Eq^U7AW?TYMQkf`WO;2!O*UybZAdn3OH538XG?EaY(jNqP(f8pXl!t1
zSb0J?3RPjGeSs+knlKIdaMiyFwn@B4za|`fkXccC<sA_7bdBHJJp-}}bt~cfoZ0Zw
zsxY?;p&LJbstFh8=w=@kaEth(t^fuhfx61sh<g!J|9?4h9Dmh#A=1o+a`|As{m`2l
zTezB~r(S{8w&@<^8=DyeE~sDSBl`u`r<Zc1n`o^ty`9K0)kJdGPSCw{r`=R~aA_`R
z!wEF@ym@W!pgS#t>TvvNJEv_cK*z(u%3f0eY6sJz(G@{Zu}C+Zm<|)Z{=)Y6gSIGh
z!MB|Zwo5d~Oz2UQHprD-BaqHofF#{dyr(i&WWVPWYsb0%x1FL0lTw!RpKIKKcz*^H
g!2yw{Zb*oHXpwh$jZ`{ruIhoK?{CapB(0&Hd4sI<Gynhq