From aab293ac1949c19e5210c5ca02b99f68330004c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Sch=C3=A4r?=
Date: Mon, 13 May 2024 22:59:31 +0200
Subject: [PATCH] Add contest WiFi connection
---
 contestops/configure-machines.sh | 2 +-
 os/build.py | 3 +++
 os/config-example/config.toml | 3 +++
 .../hooks/live/2010-contestant.hook.chroot | 3 +++
 .../system-connections/contest.nmconnection | 20 +++++++++++++++++++
 .../etc/polkit-1/rules.d/50-lockdown.rules | 3 ++-
 os/readme.md | 1 +
 7 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 os/layers/contestant/includes.chroot/etc/NetworkManager/system-connections/contest.nmconnection
diff --git a/contestops/configure-machines.sh b/contestops/configure-machines.sh
index 470ec37..c3d8fd6 100755
--- a/contestops/configure-machines.sh
+++ b/contestops/configure-machines.sh
@@ -3,7 +3,7 @@ set -ex
 # Disable WiFi.
-parallel-ssh -x "-F local.ssh_config" -h hostlist nmcli radio wifi off
+# parallel-ssh -x "-F local.ssh_config" -h hostlist nmcli radio wifi off
 # Create hosts file so we don't need DNS.
 parallel-scp -x "-F local.ssh_config" -h hostlist ./config-hosts /etc/hosts
diff --git a/os/build.py b/os/build.py
index 2c1c65a..8bae320 100755
--- a/os/build.py
+++ b/os/build.py
@@ -174,6 +174,9 @@ def main():
 mkdir("config/includes.chroot/root/.ssh")
 run(["cp", f"{script_dir}/config/contestant_authorized_keys", "config/includes.chroot/root/.ssh/authorized_keys"])
+ edit_file("config/includes.chroot/etc/NetworkManager/system-connections/contest.nmconnection",
+ lambda s: s.replace("@wifi_password@", config["contestant_wifi_password"]))
+
 # Configure boot options.
 grub_boot_options = '\n'.join(
 f'menuentry "{option["label"]}" {{\n'
diff --git a/os/config-example/config.toml b/os/config-example/config.toml
index ce0ff38..13dc93b 100644
--- a/os/config-example/config.toml
+++ b/os/config-example/config.toml
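Review bot: In contestops/configure-machines.sh the `# Disable WiFi.` heading now sits above a commented-out command, so the script still reads as if the radio were switched off on every host. Delete the dead line and replace the heading with the reason, for example `# WiFi stays enabled: contestant machines join the "contest" NetworkManager profile.` As far as this patch shows, leaving the radio on means the polkit rules in 50-lockdown.rules are what keeps contestants from changing networks, and that dependency is worth stating at this spot.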
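Review bot: In os/build.py the value of `config["contestant_wifi_password"]` is substituted into the keyfile unchecked. A config.toml written before this commit fails with a bare KeyError, a passphrase outside the 8-63 character WPA range yields an image that only fails to associate at contest time, and a value containing a newline would add extra lines to contest.nmconnection. Validate the value before the `edit_file` call and stop the build with a clear message; the comment added in os/config-example/config.toml should state the upper bound too. The check below assumes `config` is a plain dict and that a passphrase rather than a 64-digit hex key is intended; main() starts and continues outside the hunk.

```python
    # … unchanged: authorized_keys copy …

    wifi_password = config.get("contestant_wifi_password", "")
    # WPA-PSK passphrases are 8-63 printable ASCII characters. Rejecting anything
    # else also keeps newlines out of the keyfile the value is substituted into.
    if (not isinstance(wifi_password, str)
            or not 8 <= len(wifi_password) <= 63
            or not all(" " <= ch <= "~" for ch in wifi_password)):
        raise SystemExit("config.toml: contestant_wifi_password must be 8-63 printable ASCII characters")
    edit_file("config/includes.chroot/etc/NetworkManager/system-connections/contest.nmconnection",
        lambda s: s.replace("@wifi_password@", wifi_password))
```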
@@ -4,3 +4,6 @@ install_admin_password = "$y$j9T$h5VhMd4KkdmbxdZD1gO0N/$1hvwZgO8pQw13Xd6jaNXbtkb
 # Example password: soi
 contestant_root_password = "$y$j9T$h5VhMd4KkdmbxdZD1gO0N/$1hvwZgO8pQw13Xd6jaNXbtkbqVOC4W/ia/KXOcCGYvB"
+
+# WiFi passwords must be at least 8 characters
+contestant_wifi_password = "12345678"
diff --git a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
index 8a688a3..e65b6fd 100755
--- a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
+++ b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
@@ -25,3 +25,6 @@ $DISABLE_DESKTOP /usr/share/applications/gnome-sharing-panel.desktop
 # We want to load kexec manually, and execution of kexec is already done by systemd.
 systemctl disable kexec-load.service
 systemctl disable kexec.service
+
+# Restrict access to the config which contains the WiFi password.
+chmod og= /etc/NetworkManager/system-connections/contest.nmconnection
diff --git a/os/layers/contestant/includes.chroot/etc/NetworkManager/system-connections/contest.nmconnection b/os/layers/contestant/includes.chroot/etc/NetworkManager/system-connections/contest.nmconnection
new file mode 100644
index 0000000..eb3fe88
--- /dev/null
+++ b/os/layers/contestant/includes.chroot/etc/NetworkManager/system-connections/contest.nmconnection
@@ -0,0 +1,20 @@
+[connection]
+id=contest
+uuid=b4b09615-f7b9-4777-baa0-7812d58a01dd
+type=wifi
+
+[wifi]
+mode=infrastructure
+ssid=contest
+
+[wifi-security]
+auth-alg=open
+key-mgmt=wpa-psk
+psk=@wifi_password@
+
+[ipv4]
+method=auto
+
+[ipv6]
+addr-gen-mode=default
+method=auto
diff --git a/os/layers/contestant/includes.chroot/etc/polkit-1/rules.d/50-lockdown.rules b/os/layers/contestant/includes.chroot/etc/polkit-1/rules.d/50-lockdown.rules
index 16b8d86..d349da9 100644
--- a/os/layers/contestant/includes.chroot/etc/polkit-1/rules.d/50-lockdown.rules
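Review bot: In 2010-contestant.hook.chroot, `chmod og=` only clears the group and other bits; the owner and the owner's mode bits stay as whatever the includes copy produced. NetworkManager loads a keyfile from system-connections only when it is owned by root and not accessible to other users, so state the end state explicitly: `chown root:root /etc/NetworkManager/system-connections/contest.nmconnection` followed by `chmod 600` on the same path. This protects the passphrase on the running system only; it stays readable to anyone who can read the image or the installed disk offline, which the comment above the command could say.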
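Review bot: contest.nmconnection has no comment telling a maintainer that `psk=@wifi_password@` is a build-time placeholder, so a copy of this file installed without going through os/build.py would try to join with the literal string. Add a header line such as `# psk is filled in by os/build.py from contestant_wifi_password in config.toml; keep this file root-owned, mode 600.` Because the same passphrase ends up in every image built from one config, it may also be worth noting that it should be changed per event; that part is a suggestion, since the patch does not show how images are distributed.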
+++ b/os/layers/contestant/includes.chroot/etc/polkit-1/rules.d/50-lockdown.rules
@@ -7,7 +7,8 @@ polkit.addRule(function (action, subject) {
 if (
 action.id.indexOf("org.freedesktop.ModemManager1.") === 0 ||
- action.id.indexOf("org.freedesktop.NetworkManager.") === 0 ||
+ (action.id.indexOf("org.freedesktop.NetworkManager.") === 0 &&
+ action.id !== "org.freedesktop.NetworkManager.wifi.scan") ||
 action.id === "org.freedesktop.login1.hibernate" ||
 action.id === "org.freedesktop.packagekit.system-network-proxy-configure" ||
 action.id.indexOf("org.freedesktop.udisks2.") === 0
diff --git a/os/readme.md b/os/readme.md
index 9070a90..9fc0411 100644
--- a/os/readme.md
+++ b/os/readme.md
@@ -119,6 +119,7 @@ Here is a list of features.
 - install and configure ssh server
 - set root password
 - set `authorized_keys` for root
+ - contest WiFi connection
 - automatic login
 - set browser homepage and bookmarks to https://contest.soi.ch
 - Gnome Shell extension which displays the user name in the top bar
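Review bot: The new exception for `org.freedesktop.NetworkManager.wifi.scan` in 50-lockdown.rules carries no comment saying why contestants need it, and an unexplained hole in a lockdown rule is the first thing a later reader will question. Put the reason on the line above it, for example `// Scan requests are allowed so the contest network can be found; every other NetworkManager action stays denied.`, adjusted to the real reason, which the patch does not state. The exact-match comparison keeps the exemption to a single action id. What the rule returns for matched actions, and which default then applies to the exempted one, lies outside the hunk and should be checked against the intended behaviour.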