diff --git a/hosts/common/programs/modemmanager.nix b/hosts/common/programs/modemmanager.nix
index aef9428e..297ee43b 100644
--- a/hosts/common/programs/modemmanager.nix
+++ b/hosts/common/programs/modemmanager.nix
@@ -50,32 +50,41 @@ in ]; }; + networking.modemmanager = { + enable = cfg.enabled; + package = cfg.package; + }; + systemd.services.ModemManager = lib.mkIf cfg.enabled { - aliases = [ "dbus-org.freedesktop.ModemManager1.service" ]; - after = [ "polkit.service" ]; - requires = [ "polkit.service" ]; - wantedBy = [ "network.target" ]; + # aliases = [ "dbus-org.freedesktop.ModemManager1.service" ]; + # after = [ "polkit.service" ]; + # requires = [ "polkit.service" ]; + # wantedBy = [ "network.target" ]; path = [ "/run/current-system/sw" ]; #< so it can find `sanebox` - serviceConfig.Type = "dbus"; - serviceConfig.BusName = "org.freedesktop.ModemManager1"; + # serviceConfig.Type = "dbus"; + # serviceConfig.BusName = "org.freedesktop.ModemManager1"; # only if started with `--debug` does mmcli let us issue AT commands like # `mmcli --modem any --command=` - serviceConfig.ExecStart = "${lib.getExe cfg.package} --debug"; + serviceConfig.ExecStart = [ + "" # first blank line is to clear the upstream `ExecStart` field. 
+ "${lib.getExe cfg.package} --debug" + ]; # --debug sets DEBUG level logging: so reset serviceConfig.ExecStartPost = "${lib.getExe config.sane.programs.mmcli.package} --set-logging=INFO"; - serviceConfig.Restart = "on-abort"; - serviceConfig.StandardError = "null"; - serviceConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_NET_ADMIN"; - serviceConfig.ProtectSystem = true; - serviceConfig.ProtectHome = true; - serviceConfig.PrivateTmp = true; - serviceConfig.RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR"; - serviceConfig.NoNewPrivileges = true; + # v this is what upstream ships + # serviceConfig.Restart = "on-abort"; + # serviceConfig.StandardError = "null"; + # serviceConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_NET_ADMIN"; + # serviceConfig.ProtectSystem = true; + # serviceConfig.ProtectHome = true; + # serviceConfig.PrivateTmp = true; + # serviceConfig.RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR"; + # serviceConfig.NoNewPrivileges = true; }; # so that ModemManager can discover when the modem appears - services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ]; + # services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ]; } diff --git a/hosts/common/programs/networkmanager.nix b/hosts/common/programs/networkmanager.nix index 4232ab84..beab97c8 100644 --- a/hosts/common/programs/networkmanager.nix +++ b/hosts/common/programs/networkmanager.nix 
@@ -78,14 +78,17 @@ in (lib.mkIf cfg.enabled { # add to systemd.packages so we get the service file it ships, then override what we need to customize (taken from nixpkgs) - systemd.packages = [ cfg.package ]; + # systemd.packages = [ cfg.package ]; + networking.networkmanager.enable = true; + networking.networkmanager.enableDefaultPlugins = false; + networking.networkmanager.package = cfg.package; systemd.services.NetworkManager = { - wantedBy = [ "network.target" ]; + # wantedBy = [ "network.target" ]; aliases = [ "dbus-org.freedesktop.NetworkManager.service" ]; path = [ "/run/current-system/sw" ]; #< so it can find `sanebox` serviceConfig.RuntimeDirectory = "NetworkManager"; #< tells systemd to create /run/NetworkManager - serviceConfig.StateDirectory = "NetworkManager"; #< tells systemd to create /var/lib/NetworkManager + # serviceConfig.StateDirectory = "NetworkManager"; #< tells systemd to create /var/lib/NetworkManager serviceConfig.User = "networkmanager"; serviceConfig.Group = "networkmanager"; serviceConfig.AmbientCapabilities = [ @@ -101,13 +104,13 @@ in systemd.services.NetworkManager-wait-online = { path = [ "/run/current-system/sw" ]; #< so `nm-online` can find `sanebox` - wantedBy = [ "network-online.target" ]; + # wantedBy = [ "network-online.target" ]; serviceConfig.User = "networkmanager"; serviceConfig.Group = "networkmanager"; }; systemd.services.NetworkManager-dispatcher = { - wantedBy = [ "NetworkManager.service" ]; + # wantedBy = [ "NetworkManager.service" ]; after = [ "trust-dns-localhost.service" ]; #< so that /var/lib/trust-dns will exist path = [ "/run/current-system/sw" ]; #< so it can find `sanebox` # to debug, add NM_DISPATCHER_DEBUG_LOG=1 
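Review bot: `serviceConfig.StateDirectory = "NetworkManager"` is commented out while `serviceConfig.User = "networkmanager"` and `serviceConfig.Group = "networkmanager"` are kept, so systemd no longer creates /var/lib/NetworkManager owned by that unprivileged user; whether the nixpkgs module now enabled via `networking.networkmanager.enable = true` provisions the directory with matching ownership is not visible in this hunk. The upstream unit presumably runs as root, so a module-created state directory may well be root-owned, and the retained `environment.etc."NetworkManager/system-connections".source` further down this file points into it — the failure mode would be NetworkManager silently unable to persist connection profiles and their secrets rather than a build-time error. I'd keep `serviceConfig.StateDirectory = "NetworkManager"; #< tells systemd to create /var/lib/NetworkManager` as an explicit override, or add a comment stating which component now owns that directory. The `systemd.services.NetworkManager` attrset continues past the end of this hunk; the same "comment out and rely on the module" pattern in the next hunk (`wantedBy` on `NetworkManager-wait-online` and `NetworkManager-dispatcher`) is fine if the module's units carry those targets, but deserves a one-line comment saying so.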
@@ -121,88 +124,106 @@ in serviceConfig.Group = "networkmanager"; }; - environment.etc = { - "NetworkManager/system-connections".source = "/var/lib/NetworkManager/system-connections"; - "NetworkManager/NetworkManager.conf".text = '' - [device] - # wifi.backend: wpa_supplicant or iwd - wifi.backend=wpa_supplicant - wifi.scan-rand-mac-address=true + networking.networkmanager.settings = { + # wifi.backend = "wpa_supplicant"; + # wifi.scan-rand-mac-address = true; - [logging] - audit=false - # level: TRACE, DEBUG, INFO, WARN, ERR, OFF - level=INFO - # domain=... + # logging.audit = false; + logging.level = "INFO"; - [main] - # dhcp: - # - `internal` (default) - # - `dhclient` (requires dhclient to be installed) - # - `dhcpcd` (requires dhcpcd to be installed) - dhcp=internal - # dns: - # - `default`: update /etc/resolv.conf with nameservers provided by the active connection - # - `none`: NM won't update /etc/resolv.conf - # - `systemd-resolved`: push DNS config to systemd-resolved - # - `dnsmasq`: run a local caching nameserver - dns=${if config.services.resolved.enable then - "systemd-resolved" - else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then - "none" - else - "internal" - } - plugins=keyfile - # rc-manager: how NM should write to /etc/resolv.conf - # - regardless of this setting, NM will write /var/lib/NetworkManager/resolv.conf - rc-manager=unmanaged - # systemd-resolved: send DNS config to systemd-resolved? - # this setting has no effect if dns="systemd-resolved"; it's supplementary, not absolute. - systemd-resolved=false - # debug=... 
(see also: NM_DEBUG env var) - ''; + # main.dhcp = "internal"; + main.dns = if config.services.resolved.enable then + "systemd-resolved" + else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then + "none" + else + "internal" + ; + main.systemd-resolved = false; }; - hardware.wirelessRegulatoryDatabase = true; - networking.useDHCP = false; - services.udev.packages = [ cfg.package ]; - security.polkit.enable = lib.mkDefault true; + environment.etc = { + "NetworkManager/system-connections".source = "/var/lib/NetworkManager/system-connections"; + # "NetworkManager/NetworkManager.conf".text = '' + # [device] + # # wifi.backend: wpa_supplicant or iwd + # wifi.backend=wpa_supplicant + # wifi.scan-rand-mac-address=true - security.polkit.extraConfig = lib.concatStringsSep "\n" [ - # allow networkmanager unbounded control over modemmanager. - # i believe this was sourced from the default nixpkgs config. - '' - polkit.addRule(function(action, subject) { - if (subject.isInGroup("networkmanager") - && ( - action.id.indexOf("org.freedesktop.NetworkManager.") == 0 - || action.id.indexOf("org.freedesktop.ModemManager") == 0 - ) - ) { - return polkit.Result.YES; - } - }); - '' - # allow networkmanager to control systemd-resolved, - # which it needs to do to apply new DNS settings when using systemd-resolved. - '' - polkit.addRule(function(action, subject) { - if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) { - return polkit.Result.YES; - } - }); - '' - ]; + # [logging] + # audit=false + # # level: TRACE, DEBUG, INFO, WARN, ERR, OFF + # level=INFO + # # domain=... 
- users.groups.networkmanager.gid = config.ids.gids.networkmanager; + # [main] + # # dhcp: + # # - `internal` (default) + # # - `dhclient` (requires dhclient to be installed) + # # - `dhcpcd` (requires dhcpcd to be installed) + # dhcp=internal + # # dns: + # # - `default`: update /etc/resolv.conf with nameservers provided by the active connection + # # - `none`: NM won't update /etc/resolv.conf + # # - `systemd-resolved`: push DNS config to systemd-resolved + # # - `dnsmasq`: run a local caching nameserver + # dns=${if config.services.resolved.enable then + # "systemd-resolved" + # else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then + # "none" + # else + # "internal" + # } + # plugins=keyfile + # # rc-manager: how NM should write to /etc/resolv.conf + # # - regardless of this setting, NM will write /var/lib/NetworkManager/resolv.conf + # rc-manager=unmanaged + # # systemd-resolved: send DNS config to systemd-resolved? + # # this setting has no effect if dns="systemd-resolved"; it's supplementary, not absolute. + # systemd-resolved=false + # # debug=... (see also: NM_DEBUG env var) + # ''; + }; + + # hardware.wirelessRegulatoryDatabase = true; + # networking.useDHCP = false; + # services.udev.packages = [ cfg.package ]; + # security.polkit.enable = lib.mkDefault true; + + # security.polkit.extraConfig = lib.concatStringsSep "\n" [ + # # allow networkmanager unbounded control over modemmanager. + # # i believe this was sourced from the default nixpkgs config. + # '' + # polkit.addRule(function(action, subject) { + # if (subject.isInGroup("networkmanager") + # && ( + # action.id.indexOf("org.freedesktop.NetworkManager.") == 0 + # || action.id.indexOf("org.freedesktop.ModemManager") == 0 + # ) + # ) { + # return polkit.Result.YES; + # } + # }); + # '' + + # allow networkmanager to control systemd-resolved, + # which it needs to do to apply new DNS settings when using systemd-resolved. 
+ security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) { + return polkit.Result.YES; + } + }); + ''; + + # users.groups.networkmanager.gid = config.ids.gids.networkmanager; users.users.networkmanager = { isSystemUser = true; group = "networkmanager"; extraGroups = [ "trust-dns" ]; }; - boot.kernelModules = [ "ctr" ]; #< TODO: needed (what even is this)? + # boot.kernelModules = [ "ctr" ]; #< TODO: needed (what even is this)? # TODO: NetworkManager-ensure-profiles? }) ]; diff --git a/hosts/common/programs/wpa_supplicant.nix b/hosts/common/programs/wpa_supplicant.nix index fc8bb9c1..535b9bd1 100644 --- a/hosts/common/programs/wpa_supplicant.nix +++ b/hosts/common/programs/wpa_supplicant.nix @@ -50,8 +50,11 @@ in }; } (lib.mkIf cfg.enabled { - services.udev.packages = [ cfg.package ]; - systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file + #v TODO: networkmanager module enforces that it install this for us... + # if i relly want to avoid that, maybe i implement some `apply` override for `environment.systemPackages`, & others + # or switch to the `iwd` backend, which is more patchable. + # services.udev.packages = [ cfg.package ]; + # systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file systemd.services.wpa_supplicant = { path = [ "/run/current-system/sw" ]; #< so it can find `sanebox` serviceConfig.User = "networkmanager"; diff --git a/nixpatches/list.nix b/nixpatches/list.nix index 089cdc9d..4942a1da 100644 --- a/nixpatches/list.nix +++ b/nixpatches/list.nix 
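Review bot: The polkit rule granting the `networkmanager` group `org.freedesktop.NetworkManager.*` and `org.freedesktop.ModemManager*` actions is commented out and only the `org.freedesktop.resolve1.` rule survives, while the service still runs as `User = "networkmanager"` rather than root; NetworkManager itself now depends on whatever grant the enabled nixpkgs module (and the ModemManager split-out patch added in nixpatches/list.nix) installs for that group, which this hunk cannot confirm. If that grant is narrower than before, modem management from an unprivileged NetworkManager fails closed, so I'd add a comment above the remaining rule recording where the other grant comes from, e.g. `# NM/MM grants for group networkmanager come from the nixpkgs networkmanager module; only resolve1 is added here`. Separately, `wifi.scan-rand-mac-address = true` is now a comment; NetworkManager defaults that setting to on, so behaviour is unchanged today, but since it is a privacy control (MAC randomisation while scanning) I'd keep it set explicitly so an upstream default change cannot quietly disable it. The new `networking.networkmanager.settings` block also drops `rc-manager=unmanaged` and `plugins=keyfile` from the old config without comment; if the module does not set them, NetworkManager may now write /etc/resolv.conf in the non-`none` branches of `main.dns`, which should be stated or pinned with `main.rc-manager = "unmanaged";`. The enclosing `lib.mkIf cfg.enabled { … }` attrset starts before this hunk.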
@@ -32,6 +32,14 @@ in [ # etc, where "date" is like "20240228181608" # and can be found with `nix-repl > :lf . > lastModifiedDate` + (fetchpatch' { + title = "nixos/networkmanager: split ModemManager bits into own module"; + saneCommit = "23bfba9b76757ffc00fc2be810009dcf92e2eaf2"; + hash = "sha256-cn6ihwO3MyzdpVoJoQNKAHyo8GuGvFP6vr//7r9pzjE="; + # saneCommit = "a0d8a55e9da56b56ab0a7d72d46cad5dd1667c95"; + # hash = "sha256-MGS1b1dC2n0FY3zizaO4lhUyuIXmVf9vBkexEo10Lr4="; + }) + (fetchpatch' { title = "trust-dns: rebrand as hickory-dns"; saneCommit = "a7613d50c58b5612a7b806ce1375d8bf0485ab55";