networkmanager: migrate from nixpkgs service to my own

hosts/common/programs/default.nix

@@ -80,6 +80,7 @@
     ./msmtp.nix
     ./nautilus.nix
     ./neovim.nix
+    ./networkmanager.nix
     ./newsflash.nix
     ./nheko.nix
     ./nicotine-plus.nix

hosts/common/programs/networkmanager.nix

@@ -0,0 +1,81 @@
+# Network Manager:
+# i manage this myself because the nixos service is not flexible enough.
+# - it unconditionally puts modemmanager onto the system path, preventing me from patching modemmanager's service file (without an overlay).
+#
+# XXX: it's normal to see error messages on an ethernet-only host, even when using nixos' official networkmanager service:
+# - `Couldn't initialize supplicant interface: Failed to D-Bus activate wpa_supplicant service`
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.networkmanager;
+in
+{
+  sane.programs.networkmanager = {
+    enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
+  };
+
+  systemd.services.NetworkManager = lib.mkIf cfg.enabled {
+    after = [
+      "network-pre.target"
+      "dbus.service"
+    ];
+    before = [ "network.target" ];
+    bindsTo = [ "dbus.service" ];
+    wants = [ "network.target" ];
+    wantedBy = [ "multi-user.target" "network.target" ];
+    description = "Network Manager";
+    documentation = [ "man:NetworkManager(8)" ];
+    serviceConfig = {
+      Type = "dbus";
+      BusName = "org.freedesktop.NetworkManager";
+      ExecReload = "${pkgs.systemd}/bin/busctl call org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager Reload u 0";
+      ExecStart = "${cfg.package}/sbin/NetworkManager --no-daemon";
+      Restart = "on-failure";
+      # NM doesn't want systemd to kill its children for it
+      KillMode = "process";
+      # TODO: decrease this capability set
+      # CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket.
+      CapabilityBoundingSet = "CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT";
+      ProtectSystem = true;
+      ProtectHome = "read-only";
+      StateDirectory = "NetworkManager";
+      StateDirectoryMode = 755;  # TODO: might not be needed
+    };
+  };
+
+  environment.etc."NetworkManager/NetworkManager.conf".text = lib.mkIf cfg.enabled ''
+    # TODO: much of this is likely not needed.
+    [connection]
+    ethernet.cloned-mac-address=preserve
+    wifi.cloned-mac-address=preserve
+    wifi.powersave=null
+
+    [device]
+    wifi.backend=wpa_supplicant
+    wifi.scan-rand-mac-address=true
+
+    [keyfile]
+    # keyfile.path: where to check for connection credentials
+    path=/var/lib/NetworkManager/system-connections
+    unmanaged-devices=null
+
+    [logging]
+    audit=false
+    level=WARN
+
+    [main]
+    dhcp=internal
+    dns=systemd-resolved
+    plugins=keyfile
+    rc-manager=unmanaged
+  '';
+  hardware.wirelessRegulatoryDatabase = lib.mkIf cfg.enabled true;
+  users.groups = lib.mkIf cfg.enabled {
+    networkmanager.gid = config.ids.gids.networkmanager;
+  };
+  services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
+  networking.useDHCP = lib.mkIf cfg.enabled false;
+
+  boot.kernelModules = [ "ctr" ];  #< TODO: needed (what even is this)?
+  # TODO: polkit?
+  # TODO: NetworkManager-ensure-profiles?
+}

hosts/common/programs/sway/default.nix

@@ -130,6 +130,7 @@ in
       "fontconfig"
       # "gnome.gnome-bluetooth"  # XXX(2023/05/14): broken
       # "gnome.gnome-control-center"  # XXX(2023/06/28): depends on webkitgtk4_1
+      "networkmanager"
       "pipewire"
       "playerctl"  # for waybar & particularly to have playerctld running
       "rofi"  # menu/launcher
@@ -258,7 +259,6 @@ in
 
 
   # TODO: this can go elsewhere
-  networking.networkmanager.enable = lib.mkIf cfg.enabled true;
   hardware.bluetooth.enable = lib.mkIf cfg.enabled true;
   services.blueman.enable = lib.mkIf cfg.enabled true;