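# Network Manager:
# i manage this myself because the nixos service is not flexible enough.
# - it unconditionally puts modemmanager onto the system path, preventing me from patching modemmanager's service file (without an overlay).
#
# XXX: it's normal to see error messages on an ethernet-only host, even when using nixos' official networkmanager service:
# - `Couldn't initialize supplicant interface: Failed to D-Bus activate wpa_supplicant service`
#
# everything below except `sane.programs.networkmanager` and `boot.kernelModules` is gated on `cfg.enabled`.
{ config, lib, pkgs, ... }:
let
  cfg = config.sane.programs.networkmanager;
in
{
  sane.programs.networkmanager = {
    suggestedPrograms = [ "wpa_supplicant" ];
    # the daemon is system-wide: enable it for the system as soon as any user enables it.
    enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
  };

  # hand-written counterpart of the upstream NetworkManager.service unit.
  systemd.services.NetworkManager = lib.mkIf cfg.enabled {
    after = [ "network-pre.target" "dbus.service" ];
    before = [ "network.target" ];
    bindsTo = [ "dbus.service" ];
    wants = [ "network.target" ];
    wantedBy = [ "multi-user.target" "network.target" ];
    description = "Network Manager";
    documentation = [ "man:NetworkManager(8)" ];
    serviceConfig = {
      # systemd considers the service started once `BusName` appears on the system bus.
      Type = "dbus";
      BusName = "org.freedesktop.NetworkManager";
      ExecReload = "${pkgs.systemd}/bin/busctl call org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager Reload u 0";
      ExecStart = "${cfg.package}/sbin/NetworkManager --no-daemon";
      Restart = "on-failure";
      # NM doesn't want systemd to kill its children for it
      KillMode = "process";
      # TODO: decrease this capability set
      # CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket.
      # this is the bounding set for the daemon and every helper it spawns (no `User=`, so it runs as root);
      # CAP_SYS_MODULE, CAP_SETUID/CAP_SETGID and CAP_SYS_CHROOT are the broad ones to justify or drop when
      # the TODO above is picked up.
      CapabilityBoundingSet = "CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT";
      # ProtectSystem=true: /usr and /boot read-only; /etc stays writable (NM keeps its profiles under StateDirectory, see `[keyfile] path` below).
      ProtectSystem = true;
      # home directories visible but read-only.
      ProtectHome = "read-only";
      # /var/lib/NetworkManager is created and owned by systemd for the lifetime of the unit.
      StateDirectory = "NetworkManager";
      StateDirectoryMode = 755;  # TODO: might not be needed
    };
  };

  # the whole etc entry is gated, not just `.text`: `.text = lib.mkIf false ...` would leave the entry
  # declared with `text = null`, and the etc module then has no `source` to install for it.
  environment.etc."NetworkManager/NetworkManager.conf" = lib.mkIf cfg.enabled {
    text = ''
      # TODO: much of this is likely not needed.
      [connection]
      # preserve: keep whatever MAC the device already has (no per-connection MAC randomization).
      ethernet.cloned-mac-address=preserve
      wifi.cloned-mac-address=preserve
      wifi.powersave=null

      [device]
      wifi.backend=wpa_supplicant
      # use a random MAC while scanning, so idle scans don't broadcast the hardware address.
      wifi.scan-rand-mac-address=true

      [keyfile]
      # keyfile.path: where to check for connection credentials
      path=/var/lib/NetworkManager/system-connections
      unmanaged-devices=null

      [logging]
      # audit=false: NM's audit records are not handed to auditd.
      audit=false
      level=WARN

      [main]
      dhcp=internal
      # DNS goes to systemd-resolved; rc-manager=unmanaged keeps NM's hands off /etc/resolv.conf.
      dns=systemd-resolved
      plugins=keyfile
      rc-manager=unmanaged
    '';
  };

  hardware.wirelessRegulatoryDatabase = lib.mkIf cfg.enabled true;

  # group that the usual NM polkit rules key on; see the polkit TODO below.
  users.groups = lib.mkIf cfg.enabled {
    networkmanager.gid = config.ids.gids.networkmanager;
  };

  services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];

  # NM does its own DHCP (`dhcp=internal`), so nixos' dhcpcd stays off.
  networking.useDHCP = lib.mkIf cfg.enabled false;

  # `ctr` is the kernel's counter-mode block-cipher template (crypto/ctr); presumably wanted for wifi
  # crypto, but that is unverified -- hence the TODO.
  boot.kernelModules = [ "ctr" ];  #< TODO: needed (what even is this)?

  # TODO: polkit?
  # TODO: NetworkManager-ensure-profiles?
}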