nix-files/hosts/common/programs/wpa_supplicant.nix


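{ config, lib, pkgs, ... }:
# Sandboxed, non-root wpa_supplicant: the daemon runs as the `networkmanager`
# user with only CAP_NET_ADMIN / CAP_NET_RAW, under a landlock sandbox, and
# talks to the system D-Bus.
let
  cfg = config.sane.programs.wpa_supplicant;
in
{
  config = lib.mkMerge [
    {
      sane.programs.wpa_supplicant = {
        packageUnwrapped = pkgs.wpa_supplicant.overrideAttrs (upstream: {
          # The shipped D-Bus config names the user that may own the daemon's
          # bus name (appears to be the system-bus policy file). The service
          # below runs as `networkmanager` rather than root, so the policy has
          # to name that user or the daemon cannot claim its name.
          postPatch = (upstream.postPatch or "") + ''
            substituteInPlace wpa_supplicant/dbus/dbus-wpa_supplicant.conf --replace-fail \
              'user="root"' 'user="networkmanager"'
          '';
          # nixpkgs wpa_supplicant generates a dbus file which has a path like
          # /nix/store/abc-wpa_supplicant/nix/store/abc-wpa_supplicant/sbin/...
          # upstreaming status: <https://github.com/NixOS/nixpkgs/pull/315346>
          # `or ""` mirrors postPatch above so the override keeps evaluating
          # if upstream ever drops its postInstall phase.
          postInstall = (upstream.postInstall or "") + ''
            substituteInPlace $out/share/dbus-1/system-services/* --replace-fail \
              "$out$out" "$out"
          ''
          # remove unused services to avoid unexpected interactions
          + ''
            rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
          '';
        });
        sandbox.method = "landlock"; #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace
        sandbox.capabilities = [
          # see also: <https://github.com/NixOS/nixpkgs/pull/305722>
          "net_admin" "net_raw"
        ];
        # Paths the daemon needs beyond the sandbox default; kept to the
        # network-related device/proc/sys nodes only.
        sandbox.extraPaths = [
          "/dev/net"
          "/dev/rfkill"
          "/proc/sys/net"
          "/sys/class/net"
          "/sys/devices"
        ];
        sandbox.whitelistDbus = [ "system" ];
      };
    }
    (lib.mkIf cfg.enabled {
      services.udev.packages = [ cfg.package ];
      systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file
      systemd.services.wpa_supplicant = {
        path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
        # Drop root: the D-Bus policy patched in above must agree with this user.
        serviceConfig.User = "networkmanager";
        serviceConfig.Group = "networkmanager";
        # Only the two capabilities the sandbox grants; these are what a
        # non-root process needs to configure interfaces and send raw frames.
        # NOTE(review): consider also setting CapabilityBoundingSet to the same
        # two values so nothing in the unit can regain others — confirm the
        # sanebox wrapper does not need more.
        serviceConfig.AmbientCapabilities = [
          "CAP_NET_ADMIN"
          "CAP_NET_RAW"
        ];
      };
      # Hand-written alternative to the packaged unit, kept for reference
      # (unused; the unit from `systemd.packages` is what runs).
      # systemd.services.wpa_supplicant = {
      #   aliases = [ "dbus-fi.w1.wpa_supplicant1.service" ];
      #   before = [ "network.target" ];
      #   wantedBy = [ "network.target" ];
      #   serviceConfig = {
      #     Type = "dbus";
      #     BusName = "fi.w1.wpa_supplicant1";
      #     ExecStart = "${cfg.package}/bin/wpa_supplicant -u";
      #     Restart = "always";
      #   };
      # };
    })
  ];
}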