From 0ccd0743ef845084a1b410fa1f0a36946dbb9e8d Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Fri, 29 May 2026 11:18:12 +0100
Subject: feat(iwd): per-SSID MAC randomisation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

AddressRandomization=network: iwd generates a deterministic per-SSID random MAC. Hardware MAC is never exposed on Wi-Fi; reconnects to the same network reuse the same MAC, so DHCP leases, WPA-EAP creds and captive portals stay stable. EnableNetworkConfiguration=false keeps systemd-networkd authoritative for IP — the existing 30-wifi-bond0.network setup is unaffected and the wlan interface still gets enslaved into bond0.
---
etc/iwd/main.conf | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 etc/iwd/main.conf

diff --git a/etc/iwd/main.conf b/etc/iwd/main.conf
new file mode 100644
index 0000000..cfeed7e
--- /dev/null
+++ b/etc/iwd/main.conf
@@ -0,0 +1,23 @@
+# iwd is started as the Wi-Fi backend; systemd-networkd remains the
+# authoritative IP-layer manager (see etc/systemd/network/30-wifi-bond0.network
+# which enslaves the wlan interface into bond0).
+#
+# AddressRandomization=network — iwd picks a deterministic random MAC
+# per SSID. Same network always reconnects with the same MAC (so DHCP
+# leases, WPA-EAP creds, and captive-portal sessions stay stable across
+# reconnects), but a hostile AP on a different SSID never sees the
+# hardware MAC. Better than per-association random which trips captive
+# portals on every reconnect.
+
+[General]
+EnableNetworkConfiguration=false
+UseDefaultInterface=false
+AddressRandomization=network
+
+[Network]
+EnableIPv6=true
+NameResolvingService=systemd
+RoutePriorityOffset=200
+
+[Scan]
+DisablePeriodicScan=false
--
cgit v1.3.1
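Review bot: The header comment's claim that a hostile AP on another SSID "never sees the hardware MAC" overstates what `AddressRandomization=network` gives you: per iwd's documentation the per-SSID address is derived from the SSID and the adapter's permanent address and is reused on every access point advertising that SSID, so a widely deployed SSID name still lets its operators correlate this device across sites, and whether pre-association frames (scans) use a random address depends on driver support rather than on this key — worth confirming for the adapter in use. Suggest tightening the comment to state the actual guarantee, e.g. `# Per-SSID address is stable for that SSID everywhere (tracking within one` / `# SSID remains possible); scan-time randomisation is driver-dependent.` Separately, the `[Network]` keys (`EnableIPv6`, `NameResolvingService`, `RoutePriorityOffset`) appear to govern iwd's own IP configuration, which `EnableNetworkConfiguration=false` turns off, so they are presumably inert here; either drop them or add a one-line comment that networkd, not iwd, owns addressing so nobody expects `RoutePriorityOffset=200` to affect bond0 routes. If a portal fingerprints the vendor prefix, `AddressRandomizationRange=nic` keeps the OUI and randomises only the device-specific octets, whereas the default randomises the whole address.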