| author | 2026-05-29 11:18:12 +0100 | |
|---|---|---|
| committer | 2026-05-29 11:18:12 +0100 | |
| commit | 0ccd0743ef845084a1b410fa1f0a36946dbb9e8d (patch) | |
| tree | c1bcae3984f763b6bf5d1dfee8cc810cb987650d /etc | |
| parent | cdf6350a7ad530feee509c63675ff6cc74cb7ced (diff) | |
feat(iwd): per-SSID MAC randomisation

AddressRandomization=network: iwd generates a deterministic per-SSID
random MAC. Hardware MAC is never exposed on Wi-Fi; reconnects to the
same network reuse the same MAC, so DHCP leases, WPA-EAP creds and
captive portals stay stable.

EnableNetworkConfiguration=false keeps systemd-networkd authoritative
for IP — the existing 30-wifi-bond0.network setup is unaffected and
the wlan interface still gets enslaved into bond0.

Diffstat (limited to 'etc')
| -rw-r--r-- | etc/iwd/main.conf | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/etc/iwd/main.conf b/etc/iwd/main.conf new file mode 100644 index 0000000..cfeed7e --- /dev/null +++ b/etc/iwd/main.conf @@ -0,0 +1,23 @@ +# iwd is started as the Wi-Fi backend; systemd-networkd remains the +# authoritative IP-layer manager (see etc/systemd/network/30-wifi-bond0.network +# which enslaves the wlan interface into bond0). +# +# AddressRandomization=network — iwd picks a deterministic random MAC +# per SSID. Same network always reconnects with the same MAC (so DHCP +# leases, WPA-EAP creds, and captive-portal sessions stay stable across +# reconnects), but a hostile AP on a different SSID never sees the +# hardware MAC. Better than per-association random which trips captive +# portals on every reconnect. + +[General] +EnableNetworkConfiguration=false +UseDefaultInterface=false +AddressRandomization=network + +[Network] +EnableIPv6=true +NameResolvingService=systemd +RoutePriorityOffset=200 + +[Scan] +DisablePeriodicScan=false |
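Review bot: The [Network] section (EnableIPv6=true, NameResolvingService=systemd, RoutePriorityOffset=200) sits in the same file as EnableNetworkConfiguration=false, and the header comment says systemd-networkd remains the authoritative IP-layer manager, so these three keys describe IP handling that this file hands to networkd. Either drop the section or add a comment saying why it is kept, so a reader does not assume IPv6, DNS and route priority are controlled from here rather than from 30-wifi-bond0.network. UseDefaultInterface=false and DisablePeriodicScan=false are also not covered by the header comment; a one-line reason for each would help. The comment on AddressRandomization=network could also state the trade-off it implies: because the same SSID always gets the same MAC, the device stays linkable across visits to that SSID, which is the price of the stable DHCP lease and captive-portal session.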
