diff --git a/hosts/common/programs/networkmanager.nix b/hosts/common/programs/networkmanager.nix
index 982c9d7f..a7d74a4e 100644
--- a/hosts/common/programs/networkmanager.nix
+++ b/hosts/common/programs/networkmanager.nix
@@ -148,20 +148,32 @@ in
 networking.useDHCP = false;
 services.udev.packages = [ cfg.package ];
 security.polkit.enable = lib.mkDefault true;
- # allow networkmanager unbounded control over modemmanager.
- # i believe this was sourced from the default nixpkgs config.
- security.polkit.extraConfig = ''
- polkit.addRule(function(action, subject) {
- if (subject.isInGroup("networkmanager")
- && (
- action.id.indexOf("org.freedesktop.NetworkManager.") == 0
- || action.id.indexOf("org.freedesktop.ModemManager") == 0
- )
- ) {
+
+ security.polkit.extraConfig = lib.concatStringsSep "\n" [
+ # allow networkmanager unbounded control over modemmanager.
+ # i believe this was sourced from the default nixpkgs config.
+ ''
+ polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("networkmanager")
+ && (
+ action.id.indexOf("org.freedesktop.NetworkManager.") == 0
+ || action.id.indexOf("org.freedesktop.ModemManager") == 0
+ )
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ ''
+ # allow networkmanager to control systemd-resolved,
+ # which it needs to do to apply new DNS settings when using systemd-resolved.
+ ''
+ polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) {
 return polkit.Result.YES;
- }
- });
- '';
+ }
+ });
+ ''
+ ];
 users.groups.networkmanager.gid = config.ids.gids.networkmanager;
 users.users.networkmanager = {
diff --git a/hosts/common/programs/wpa_supplicant.nix b/hosts/common/programs/wpa_supplicant.nix
index b395c195..c448405d 100644
--- a/hosts/common/programs/wpa_supplicant.nix
+++ b/hosts/common/programs/wpa_supplicant.nix
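Review bot: The new systemd-resolved rule grants `polkit.Result.YES` for every action under the `org.freedesktop.resolve1.` prefix, which is wider than the "apply new DNS settings" the comment describes — as far as I recall that prefix also covers actions such as `org.freedesktop.resolve1.set-dnssec` and `org.freedesktop.resolve1.set-dnsovertls`, so a subject matching the rule can also weaken per-link DNS security settings, not just set servers and search domains. Because the match is on `subject.isInGroup("networkmanager")`, the grant applies to any process of any user in that group, not only the daemon the file configures. Consider replacing the prefix test with an explicit allow-list of the actions NetworkManager actually invokes, e.g. `&& ["org.freedesktop.resolve1.set-dns-servers", "org.freedesktop.resolve1.set-domains", /* …remaining actions NM calls, confirm against its resolved plugin… */].indexOf(action.id) >= 0`, and extend the comment to say which actions are deliberately included. Whatever scope is chosen, a one-line comment stating that the rule is intentionally group-wide rather than daemon-only would help the next reader.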
@@ -23,7 +23,6 @@ in
 rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
 '';
 });
- # sandbox.enable = false; #< TODO: re-enable
 sandbox.method = "landlock"; #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace
 sandbox.capabilities = [
 # see also: