{ config, lib, pkgs, ... }:

# wpa_supplicant, run as the unprivileged `networkmanager` user inside a
# landlock sandbox with only CAP_NET_ADMIN/CAP_NET_RAW, instead of as root.
# Two pieces have to agree for that to work:
#   1. the package's D-Bus policy must let the `networkmanager` group use the
#      `fi.w1.wpa_supplicant1` bus name (patched in `postInstall` below);
#   2. the systemd unit must drop to that user/group and hand the process the
#      two capabilities it keeps (the `lib.mkIf cfg.enabled` block below).
let
  cfg = config.sane.programs.wpa_supplicant;
in
{
  config = lib.mkMerge [
    {
      sane.programs.wpa_supplicant = {
        packageUnwrapped = pkgs.wpa_supplicant.overrideAttrs (upstream: {
          # Earlier approach, kept for reference: rewrite the shipped D-Bus
          # policy in place so the root `<policy>` became a `networkmanager`
          # *user* policy. Superseded by the additive `postInstall` below.
          # postPatch = (upstream.postPatch or "") + ''
          #   substituteInPlace wpa_supplicant/dbus/dbus-wpa_supplicant.conf --replace-fail \
          #     'user="root"' 'user="networkmanager"'
          # '';

          # `substitute IN OUT` writes a *second* policy file rather than editing
          # the shipped one, so the original `user="root"` policy stays intact and
          # this only adds the same grants for the `networkmanager` *group*.
          # Security note: whatever the upstream root policy permits (presumably
          # `allow own` / `send_destination` on fi.w1.wpa_supplicant1 -- verify
          # against the shipped dbus-wpa_supplicant.conf) is thereby granted to
          # every process whose gid is `networkmanager`, not only the supplicant;
          # any such process could claim the bus name. Keep that group small.
          postInstall = (upstream.postInstall or "") + ''
            substitute $out/share/dbus-1/system.d/dbus-wpa_supplicant.conf \
              $out/share/dbus-1/system.d/networkmanager-wpa_supplicant.conf \
              --replace-fail 'user="root"' 'group="networkmanager"'
          '';

          # Post-fixup clean-ups on the installed tree:
          #  - repair the doubled store path in the D-Bus activation file
          #    (the `--replace-fail` makes the build fail loudly if upstream
          #    fixes this and the pattern disappears);
          #  - delete the template units we never use, so nothing else on the
          #    system can accidentally start a second, root-privileged supplicant.
          postFixup = (upstream.postFixup or "") + ''
            # nixpkgs wpa_supplicant generates a dbus file which has a path like
            # /nix/store/abc-wpa_supplicant/nix/store/abc-wpa_supplicant/sbin/...
            # upstreaming status: <https://github.com/NixOS/nixpkgs/pull/315346>
            substituteInPlace $out/share/dbus-1/system-services/* --replace-fail \
              "$out$out" "$out"

            # remove unused services to avoid unexpected interactions
            rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
          '';
        });

        # bwrap sandboxing works, but requires the real user to be root.
        # landlock sandboxing works, and allows the real user to be someone else (like `networkmanager`).
        # non-root is very important, because of how many things in e.g. /dev are r/w based on uid=0.
        # sandbox.method = "bwrap";
        sandbox.method = "landlock";
        # Capabilities the sandbox lets the process keep. Must agree with the
        # `AmbientCapabilities` granted by the systemd unit further down.
        sandbox.capabilities = [
          # see also: <https://github.com/NixOS/nixpkgs/pull/305722>
          "net_admin" "net_raw"
        ];
        # sandbox.extraConfig = [ "--sanebox-keep-namespace" "all" ];
        sandbox.net = "all";
        # Filesystem paths exposed through the sandbox beyond its defaults.
        # NOTE(review): `/sys/devices` is the whole device tree, not just the
        # wireless NICs -- presumably needed for sysfs lookups of a netdev's
        # parent device; narrow it if the sandbox tooling allows. Whether these
        # are read-only or read-write is decided by `sanebox`, not visible here.
        sandbox.extraPaths = [
          "/dev/net"
          "/dev/rfkill"
          "/proc/sys/net"
          "/sys/class/net"
          "/sys/devices"
        ];
        # Let the system bus socket through: wpa_supplicant is a system D-Bus
        # service (fi.w1.wpa_supplicant1), which is how NetworkManager is
        # expected to drive it.
        sandbox.whitelistDbus = [ "system" ];
      };
    }
    (lib.mkIf cfg.enabled {
      # Pull in the package's own udev rules and systemd unit; we reuse
      # upstream's unit and only override its identity/capability settings.
      services.udev.packages = [ cfg.package ];
      systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file
      systemd.services.wpa_supplicant = {
        # The wrapped binary execs through `sanebox`, which lives in the system
        # profile rather than in this package's closure.
        path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
        # Drop root. The group must match the one granted in the D-Bus policy
        # added in `postInstall`, or the supplicant cannot own its bus name.
        serviceConfig.User = "networkmanager";
        serviceConfig.Group = "networkmanager";
        # Ambient capabilities are the mechanism for handing a non-root process
        # capabilities it could not otherwise acquire. These two are presumably
        # the minimum for nl80211 control and raw sockets (see the nixpkgs PR
        # referenced in `sandbox.capabilities`); everything else root implicitly
        # had is gone, which is the point of this module.
        # NOTE(review): no CapabilityBoundingSet=/NoNewPrivileges= is set here;
        # confirm whether `sanebox` enforces that, or add it.
        serviceConfig.AmbientCapabilities = [
          "CAP_NET_ADMIN"
          "CAP_NET_RAW"
        ];
      };
      # Hand-written unit kept for reference only; the unit shipped via
      # `systemd.packages` above is what actually runs.
      # systemd.services.wpa_supplicant = {
      #   aliases = [ "dbus-fi.w1.wpa_supplicant1.service" ];
      #   before = [ "network.target" ];
      #   wantedBy = [ "network.target" ];
      #   serviceConfig = {
      #     Type = "dbus";
      #     BusName = "fi.w1.wpa_supplicant1";
      #     ExecStart = "${cfg.package}/bin/wpa_supplicant -u";
      #     Restart = "always";
      #   };
      # };
    })
  ];
}