networkmanager/modemmanager: get closer to nixpkgs upstream

i've seen enough, that there's a path toward getting nixos proper to sandbox this in a way i'm happy with -- in time

hosts/common/programs/modemmanager.nix

@@ -50,8 +50,13 @@ in
     ];
   };
 
+  networking.modemmanager = lib.mkIf cfg.enabled {
+    enable = true;
+    package = cfg.package;
+  };
+
   systemd.services.ModemManager = lib.mkIf cfg.enabled {
-    aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
+    # aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
     after = [ "polkit.service" ];
     requires = [ "polkit.service" ];
     wantedBy = [ "network.target" ];
@@ -77,5 +82,5 @@ in
   };
 
   # so that ModemManager can discover when the modem appears
-  services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
+  # services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
 }

hosts/common/programs/networkmanager.nix

@@ -78,14 +78,17 @@ in
 
     (lib.mkIf cfg.enabled {
       # add to systemd.packages so we get the service file it ships, then override what we need to customize (taken from nixpkgs)
-      systemd.packages = [ cfg.package ];
+      # systemd.packages = [ cfg.package ];
+      networking.networkmanager.enable = true;
+      networking.networkmanager.enableDefaultPlugins = false;
+      networking.networkmanager.package = cfg.package;
       systemd.services.NetworkManager = {
-        wantedBy = [ "network.target" ];
+        # wantedBy = [ "network.target" ];
         aliases = [ "dbus-org.freedesktop.NetworkManager.service" ];
 
         path = [ "/run/current-system/sw" ];  #< so it can find `sanebox`
         serviceConfig.RuntimeDirectory = "NetworkManager";  #< tells systemd to create /run/NetworkManager
-        serviceConfig.StateDirectory = "NetworkManager";  #< tells systemd to create /var/lib/NetworkManager
+        # serviceConfig.StateDirectory = "NetworkManager";  #< tells systemd to create /var/lib/NetworkManager
         serviceConfig.User = "networkmanager";
         serviceConfig.Group = "networkmanager";
         serviceConfig.AmbientCapabilities = [
@@ -101,13 +104,13 @@ in
 
       systemd.services.NetworkManager-wait-online = {
         path = [ "/run/current-system/sw" ];  #< so `nm-online` can find `sanebox`
-        wantedBy = [ "network-online.target" ];
+        # wantedBy = [ "network-online.target" ];
         serviceConfig.User = "networkmanager";
         serviceConfig.Group = "networkmanager";
       };
 
       systemd.services.NetworkManager-dispatcher = {
-        wantedBy = [ "NetworkManager.service" ];
+        # wantedBy = [ "NetworkManager.service" ];
         after = [ "trust-dns-localhost.service" ];  #< so that /var/lib/trust-dns will exist
         path = [ "/run/current-system/sw" ];  #< so it can find `sanebox`
         # to debug, add NM_DISPATCHER_DEBUG_LOG=1
@@ -121,88 +124,106 @@ in
         serviceConfig.Group = "networkmanager";
       };
 
-      environment.etc = {
+      networking.networkmanager.settings = {
-        "NetworkManager/system-connections".source = "/var/lib/NetworkManager/system-connections";
+        # wifi.backend = "wpa_supplicant";
-        "NetworkManager/NetworkManager.conf".text = ''
+        # wifi.scan-rand-mac-address = true;
-          [device]
-          # wifi.backend: wpa_supplicant or iwd
-          wifi.backend=wpa_supplicant
-          wifi.scan-rand-mac-address=true
 
-          [logging]
+        # logging.audit = false;
-          audit=false
+        logging.level = "INFO";
-          # level: TRACE, DEBUG, INFO, WARN, ERR, OFF
-          level=INFO
-          # domain=...
 
-          [main]
+        # main.dhcp = "internal";
-          # dhcp:
+        main.dns = if config.services.resolved.enable then
-          # - `internal` (default)
+          "systemd-resolved"
-          # - `dhclient` (requires dhclient to be installed)
+        else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then
-          # - `dhcpcd`   (requires dhcpcd to be installed)
+          "none"
-          dhcp=internal
+        else
-          # dns:
+          "internal"
-          # - `default`: update /etc/resolv.conf with nameservers provided by the active connection
+        ;
-          # - `none`: NM won't update /etc/resolv.conf
+        main.systemd-resolved = false;
-          # - `systemd-resolved`: push DNS config to systemd-resolved
-          # - `dnsmasq`: run a local caching nameserver
-          dns=${if config.services.resolved.enable then
-            "systemd-resolved"
-          else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then
-            "none"
-          else
-            "internal"
-          }
-          plugins=keyfile
-          # rc-manager: how NM should write to /etc/resolv.conf
-          # - regardless of this setting, NM will write /var/lib/NetworkManager/resolv.conf
-          rc-manager=unmanaged
-          # systemd-resolved: send DNS config to systemd-resolved?
-          # this setting has no effect if dns="systemd-resolved"; it's supplementary, not absolute.
-          systemd-resolved=false
-          # debug=...  (see also: NM_DEBUG env var)
-        '';
       };
 
-      hardware.wirelessRegulatoryDatabase = true;
+      environment.etc = {
-      networking.useDHCP = false;
+        "NetworkManager/system-connections".source = "/var/lib/NetworkManager/system-connections";
-      services.udev.packages = [ cfg.package ];
+        # "NetworkManager/NetworkManager.conf".text = ''
-      security.polkit.enable = lib.mkDefault true;
+        #   [device]
+        #   # wifi.backend: wpa_supplicant or iwd
+        #   wifi.backend=wpa_supplicant
+        #   wifi.scan-rand-mac-address=true
 
-      security.polkit.extraConfig = lib.concatStringsSep "\n" [
+        #   [logging]
-        # allow networkmanager unbounded control over modemmanager.
+        #   audit=false
-        # i believe this was sourced from the default nixpkgs config.
+        #   # level: TRACE, DEBUG, INFO, WARN, ERR, OFF
-        ''
+        #   level=INFO
-          polkit.addRule(function(action, subject) {
+        #   # domain=...
-            if (subject.isInGroup("networkmanager")
-              && (
-                action.id.indexOf("org.freedesktop.NetworkManager.") == 0
-                || action.id.indexOf("org.freedesktop.ModemManager")  == 0
-              )
-            ) {
-                return polkit.Result.YES;
-            }
-          });
-        ''
-        # allow networkmanager to control systemd-resolved,
-        # which it needs to do to apply new DNS settings when using systemd-resolved.
-        ''
-          polkit.addRule(function(action, subject) {
-            if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) {
-              return polkit.Result.YES;
-            }
-          });
-        ''
-      ];
 
-      users.groups.networkmanager.gid = config.ids.gids.networkmanager;
+        #   [main]
+        #   # dhcp:
+        #   # - `internal` (default)
+        #   # - `dhclient` (requires dhclient to be installed)
+        #   # - `dhcpcd`   (requires dhcpcd to be installed)
+        #   dhcp=internal
+        #   # dns:
+        #   # - `default`: update /etc/resolv.conf with nameservers provided by the active connection
+        #   # - `none`: NM won't update /etc/resolv.conf
+        #   # - `systemd-resolved`: push DNS config to systemd-resolved
+        #   # - `dnsmasq`: run a local caching nameserver
+        #   dns=${if config.services.resolved.enable then
+        #     "systemd-resolved"
+        #   else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then
+        #     "none"
+        #   else
+        #     "internal"
+        #   }
+        #   plugins=keyfile
+        #   # rc-manager: how NM should write to /etc/resolv.conf
+        #   # - regardless of this setting, NM will write /var/lib/NetworkManager/resolv.conf
+        #   rc-manager=unmanaged
+        #   # systemd-resolved: send DNS config to systemd-resolved?
+        #   # this setting has no effect if dns="systemd-resolved"; it's supplementary, not absolute.
+        #   systemd-resolved=false
+        #   # debug=...  (see also: NM_DEBUG env var)
+        # '';
+      };
+
+      # hardware.wirelessRegulatoryDatabase = true;
+      # networking.useDHCP = false;
+      # services.udev.packages = [ cfg.package ];
+      # security.polkit.enable = lib.mkDefault true;
+
+      # security.polkit.extraConfig = lib.concatStringsSep "\n" [
+      #   # allow networkmanager unbounded control over modemmanager.
+      #   # i believe this was sourced from the default nixpkgs config.
+      #   ''
+      #     polkit.addRule(function(action, subject) {
+      #       if (subject.isInGroup("networkmanager")
+      #         && (
+      #           action.id.indexOf("org.freedesktop.NetworkManager.") == 0
+      #           || action.id.indexOf("org.freedesktop.ModemManager")  == 0
+      #         )
+      #       ) {
+      #           return polkit.Result.YES;
+      #       }
+      #     });
+      #   ''
+
+      # allow networkmanager to control systemd-resolved,
+      # which it needs to do to apply new DNS settings when using systemd-resolved.
+      security.polkit.extraConfig = ''
+        polkit.addRule(function(action, subject) {
+          if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) {
+            return polkit.Result.YES;
+          }
+        });
+      '';
+
+      # users.groups.networkmanager.gid = config.ids.gids.networkmanager;
       users.users.networkmanager = {
         isSystemUser = true;
         group = "networkmanager";
         extraGroups = [ "trust-dns" ];
       };
 
-      boot.kernelModules = [ "ctr" ];  #< TODO: needed (what even is this)?
+      # boot.kernelModules = [ "ctr" ];  #< TODO: needed (what even is this)?
       # TODO: NetworkManager-ensure-profiles?
     })
   ];

nixpatches/list.nix

@@ -32,6 +32,12 @@ in [
   # etc, where "date" is like "20240228181608"
   # and can be found with `nix-repl  > :lf .  > lastModifiedDate`
 
+  (fetchpatch' {
+    title = "nixos/networkmanager: split ModemManager bits into own module";
+    saneCommit = "a0d8a55e9da56b56ab0a7d72d46cad5dd1667c95";
+    hash = "sha256-MGS1b1dC2n0FY3zizaO4lhUyuIXmVf9vBkexEo10Lr4=";
+  })
+
   (fetchpatch' {
     title = "trust-dns: rebrand as hickory-dns";
     saneCommit = "a7613d50c58b5612a7b806ce1375d8bf0485ab55";