
Network & Connectivity

The meetingscribe repository manages network connectivity through a centralized state machine in src/meeting_scribe/wifi.py, which acts as the single owner of all WiFi AP lifecycle operations including bring-up, teardown, mode switching, captive portal management, and firewall configuration [1]. This module orchestrates boot-time network state and firewall rules via the reconcile_network_state function, which is triggered by CLI/REST transitions and periodic self-healing to ensure idempotent firewall application based on current interface presence [2]. The architecture relies on nmcli for AP management, iptables/ipset for firewall gating, and a derived state file to maintain consistency between the radio’s actual broadcast state and the system’s view [1].

The WiFi Access Point (AP) lifecycle is managed by the wifi_up, wifi_down, and wifi_switch public entry points, which are protected by an asyncio.Lock (_wifi_lock) to prevent concurrent modifications. Internal helpers like _bring_up_ap and _teardown_ap do not acquire the lock themselves, allowing them to be composed safely without deadlock risk. The AP configuration is defined by the WifiConfig dataclass, which supports modes such as “admin” (using OWE encryption) and “off” [3].

The system maintains a derived cache of the AP’s actual broadcasting state in a JSON file located at HOTSPOT_STATE_FILE (defaulting to /tmp/meeting-hotspot.json) [1]. This file is always written by reading back from nmcli --show-secrets, ensuring that the displayed QR code and system state never diverge from the radio’s actual SSID and PSK. The AP connection name is fixed as DellDemo-AP, and the AP IP is 10.42.0.1.


The captive portal and firewall rules are managed through a reconciliation process that ensures the correct posture for the current interface state [2]. The reconcile_network_state function is the single authoritative trigger for re-applying firewall and sysctl rules. It first ensures that the required ipset sets (ms-allowed-admins and ms-allowed-guests) exist; if they do not, it aborts to prevent installing silently failing rules.

The firewall rules are tagged with ms-fw and are removed before re-application to prevent rule drift. The system identifies WAN interfaces by checking for the presence of the wired interface enP7s7, the STA interface wlan_sta, and the Cloudflare WARP interface wgcf-profile. The wired interface is always treated as admin-allowed, while the STA interface is explicitly denied input access. The WARP interface is included as a WAN egress to allow MASQUERADE and FORWARD ACCEPT rules when WARP is active.
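The reconciliation order described above, as an added Python example that is not the project's own code: it derives the teardown commands from an `iptables -S` listing (only rules carrying the ms-fw tag are deleted) and then plans the rules for whichever interfaces are present, aborting first if either ipset set is missing. The ipset names, interface names, the ms-fw tag and the AP address come from the page; the rule shapes, the 10.42.0.0/24 subnet, the ipset-gated INPUT rule and the function names are assumptions.

```python
import shlex

# Page names: ipset sets, interfaces, tag, AP address; rule shapes and subnet are assumed.
ADMIN_SET, GUEST_SET = "ms-allowed-admins", "ms-allowed-guests"
WIRED_IF, STA_IF, WARP_IF = "enP7s7", "wlan_sta", "wgcf-profile"
TAG = ["-m", "comment", "--comment", "ms-fw"]
AP_NET = "10.42.0.0/24"  # assumed /24 around the AP address 10.42.0.1

class MissingIpsetError(RuntimeError):
    """Abort before installing rules that reference an absent set."""

def teardown_commands(listing: str, table: str = "filter") -> list[list[str]]:
    """Map each ms-fw tagged '-A' line of `iptables -t <table> -S` to its
    '-D' twin, so only rules this module owns are removed."""
    out = []
    for line in listing.splitlines():
        argv = shlex.split(line)
        if argv[:1] == ["-A"] and "ms-fw" in argv:
            out.append(["iptables", "-t", table, "-D", *argv[1:]])
    return out

def plan_rules(present: set[str], existing_sets: set[str]) -> list[list[str]]:
    """Rules for the interfaces present right now; existing_sets is the
    caller's parsed `ipset list -n`."""
    missing = sorted({ADMIN_SET, GUEST_SET} - existing_sets)
    if missing:
        raise MissingIpsetError(f"ipset sets missing: {missing}")
    rules = []
    if WIRED_IF in present:  # wired side is always admin-allowed
        rules.append(["-A", "INPUT", "-i", WIRED_IF, *TAG, "-j", "ACCEPT"])
    if STA_IF in present:  # the STA uplink may never reach the host itself
        rules.append(["-A", "INPUT", "-i", STA_IF, *TAG, "-j", "DROP"])
    # Assumed: AP-side hosts reach the admin panel only via the admin set.
    rules.append(["-A", "INPUT", "-s", AP_NET, "-m", "set", "--match-set",
                  ADMIN_SET, "src", *TAG, "-j", "ACCEPT"])
    # Present WAN candidates get NAT egress for the AP side; WARP is one of them.
    for wan in (WIRED_IF, STA_IF, WARP_IF):
        if wan in present:
            rules.append(["-t", "nat", "-A", "POSTROUTING", "-s", AP_NET,
                          "-o", wan, *TAG, "-j", "MASQUERADE"])
            rules.append(["-A", "FORWARD", "-s", AP_NET, "-o", wan, *TAG,
                          "-j", "ACCEPT"])
    return [["iptables", *r] for r in rules]

# Constructed `iptables -S` output; a real run would read the live listing.
SAMPLE_LISTING = """-P INPUT ACCEPT
-A INPUT -i enP7s7 -m comment --comment ms-fw -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan_sta -m comment --comment ms-fw -j DROP"""
```

Running teardown_commands(SAMPLE_LISTING) yields delete commands for the two tagged rules only, leaving the untagged loopback rule alone; the nat table needs a second pass with table="nat".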


The network daemon orchestrates boot-time network state by calling reconcile_network_state during the boot lifespan and periodic self-healing cycles. This ensures that firewall rules and sysctl settings are consistent with the current interface state regardless of how the system was brought up. The wifi_status function provides a view of the live WiFi state by querying nmcli and wpa_supplicant rather than relying solely on the state file, ensuring that the admin panel reflects the actual radio state [4].

The system also handles DFS (Dynamic Frequency Selection) channels by adjusting activation timeouts based on the channel type [3]. Regular DFS channels have a 120-second timeout, while weather-radar DFS channels have a 660-second timeout to accommodate longer Channel Availability Checks (CAC). This ensures that the AP does not fail fast on channels that require extended silent listening for radar pulses.
