diff --git a/flake.lock b/flake.lock
index 90f1724..cdaa2d8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -669,11 +669,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1685043448,
- "narHash": "sha256-U3BwyDc2OzBcZ8tD09qXibyivgOtOQFTFCVgFyJ+6MM=",
+ "lastModified": 1685215858,
+ "narHash": "sha256-IRMFoDXA6cYx3ifVw3B2JcC4JrjT5v7tRAx2vro2Ffs=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "9886352ec9ab3945896ee8a4185e961fe29df209",
+ "rev": "ba6e4ddeb3e8ad3f3e3bec63dafbc9fe558729bb",
 "type": "github"
 },
 "original": {
@@ -954,11 +954,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1683831888,
- "narHash": "sha256-VsUdQXrxMmYGtqOrsk7CbQUM9RJ/DcF+/UqSXAVHwqU=",
+ "lastModified": 1685300533,
+ "narHash": "sha256-4c8uc5a1K8YcgOD/URVKomTHbVmwLVGKyDiTM1vCVAc=",
 "ref": "main",
- "rev": "e389aecbbef02cb9f0ae448a635dbb25607abc37",
- "revCount": 51,
+ "rev": "6b2dce79889e21dd469de56e8c1cb8ffdb45cf4e",
+ "revCount": 52,
 "type": "git",
 "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
 },
diff --git a/nixos/machines/chungus/configuration.nix b/nixos/machines/chungus/configuration.nix
index ae3865c..4919db7 100644
--- a/nixos/machines/chungus/configuration.nix
+++ b/nixos/machines/chungus/configuration.nix
@@ -13,7 +13,7 @@
 ./hass.nix
 ./hass-zigbee2mqtt.nix
 ./hass-mqtt.nix
- #./hass-wifi.nix
+ ./hass-wifi.nix
 #./mail-fetcher.nix
diff --git a/nixos/machines/chungus/hass-wifi.nix b/nixos/machines/chungus/hass-wifi.nix
new file mode 100644
index 0000000..dc7f601
--- /dev/null
+++ b/nixos/machines/chungus/hass-wifi.nix
@@ -0,0 +1,78 @@
+{ lib, pkgs, config, ... }:
+
+let
+ # you find this device using `ifconfig -a` or `ip link`
+ wifi = "wlp3s0";
+ ipAddress = "10.23.45.1";
+ prefixLength = 24;
+ servedAddressRange = "10.23.45.2,10.23.45.150,12h";
+ ssid = "home/wifi";
+in
+{
+
+ # todo only open needed ports
+ networking.firewall.trustedInterfaces = [ wifi ];
+
+ networking.networkmanager.unmanaged = [ wifi ];
+ networking.dhcpcd.denyInterfaces = [ wifi ];
+
+ networking.interfaces."${wifi}".ipv4.addresses = [{
+ address = ipAddress;
+ prefixLength = prefixLength;
+ }];
+
+ systemd.services.hostapd = {
+ description = "hostapd wireless AP";
+ path = [ pkgs.hostapd ];
+ wantedBy = [ "network.target" ];
+
+ after = [
+ "${wifi}-cfg.service"
+ "nat.service"
+ "bind.service"
+ "dhcpd.service"
+ "sys-subsystem-net-devices-${wifi}.device"
+ ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.hostapd}/bin/hostapd ${
+ pkgs.writeText "hostapd.conf" ''
+ interface=${wifi}
+ hw_mode=g
+ channel=10
+ ieee80211d=1
+ country_code=DE
+ ieee80211n=1
+ wmm_enabled=1
+
+ ssid=${ssid}
+ auth_algs=1
+ wpa=2
+ wpa_key_mgmt=WPA-PSK
+ rsn_pairwise=CCMP
+ wpa_psk_file=${config.sops.secrets.hostapd_wpa_psk.path}
+ ''
+ }";
+ Restart = "always";
+ };
+ };
+
+ sops.secrets.hostapd_wpa_psk = { };
+
+ services.dnsmasq = {
+ enable = true;
+ extraConfig = ''
+ # Only listen to routers' LAN NIC. Doing so opens up tcp/udp port 53 to
+ # localhost and udp port 67 to world:
+ interface=${wifi}
+
+ # Explicitly specify the address to listen on
+ listen-address=${ipAddress}
+
+ # Dynamic range of IPs to make available to LAN PC and the lease time.
+ # Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records.
+ dhcp-range=${servedAddressRange}
+ '';
+ };
+
+}
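Review bot: `networking.firewall.trustedInterfaces = [ wifi ];` disables the firewall for everything that associates to this AP, so any wifi client can reach every listening service on the host, not just the DNS and DHCP that this file serves; the `# todo only open needed ports` line acknowledges it, but the hunk ships it as-is. The narrow form is `networking.firewall.interfaces."${wifi}".allowedTCPPorts = [ 53 ];` and `networking.firewall.interfaces."${wifi}".allowedUDPPorts = [ 53 67 ];`, with `trustedInterfaces` dropped. In the dnsmasq block, `interface=` plus `listen-address=` still lets dnsmasq bind the wildcard address and filter afterwards by default, so add `bind-interfaces` under `interface=${wifi}` to keep the socket on the AP address only. The hostapd config sets no `ieee80211w`, so management-frame protection is off; `ieee80211w=1` (optional PMF) is a low-risk addition if the clients support it. The `after` list names `nat.service`, `bind.service` and `dhcpd.service`, none of which this file configures, while the dnsmasq unit it does depend on is absent, which presumably is a leftover from an earlier setup worth tidying.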