diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index d4581fe9441c..6f5a807f478a 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -935,8 +935,7 @@ In addition to numerous new and upgraded packages, this release has the followin using the `pomerium-cli` command, you should now install the `pomerium-cli` package. -- The option - [services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock) +- The option `services.networking.networkmanager.enableFccUnlock` was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer automatically performs the FCC unlock procedure by default. See [the docs](https://modemmanager.org/docs/modemmanager/fcc-unlock/) for more details. diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 1c7333e3e9cc..044d7686ae5c 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md 
@@ -187,6 +187,8 @@ - Emacs macport version 29 was introduced. +- The option `services.networking.networkmanager.enableFccUnlock` was removed in favor of `networking.networkmanager.fccUnlockScripts`, which allows specifying unlock scripts explicitly. The previous option simply did enable all unlock scripts bundled with ModemManager, which is risky, and didn't allow using vendor-provided unlock scripts at all. + - The `html-proofer` package has been updated from major version 3 to major version 5, which includes [breaking changes](https://github.com/gjtorikian/html-proofer/blob/v5.0.8/UPGRADING.md). - `kratos` has been updated from 0.10.1 to the first stable version 1.0.0, please read the [0.10.1 to 0.11.0](https://github.com/ory/kratos/releases/tag/v0.11.0), [0.11.0 to 0.11.1](https://github.com/ory/kratos/releases/tag/v0.11.1), [0.11.1 to 0.13.0](https://github.com/ory/kratos/releases/tag/v0.13.0) and [0.13.0 to 1.0.0](https://github.com/ory/kratos/releases/tag/v1.0.0) upgrade guides. The most notable breaking change is the introduction of one-time passwords (`code`) and update of the default recovery strategy from `link` to `code`. diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index e28f96f7a6d6..6bc46a9a90e4 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.networking.networkmanager; - delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != []; + delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [ ]; enableIwd = cfg.wifi.backend == "iwd"; @@ -40,7 +40,7 @@ let }) (mkSection "keyfile" { unmanaged-devices = - if cfg.unmanaged == [] then null + if cfg.unmanaged == [ ] then null else lib.concatStringsSep ";" cfg.unmanaged; }) (mkSection "logging" { 
@@ -103,7 +103,7 @@ let }; macAddressOpt = mkOption { - type = types.either types.str (types.enum ["permanent" "preserve" "random" "stable"]); + type = types.either types.str (types.enum [ "permanent" "preserve" "random" "stable" ]); default = "preserve"; example = "00:11:22:33:44:55"; description = lib.mdDoc '' @@ -126,7 +126,8 @@ let pkgs.wpa_supplicant ]; -in { +in +{ meta = { maintainers = teams.freedesktop.members; @@ -156,7 +157,7 @@ in { int str ])); - default = {}; + default = { }; description = lib.mdDoc '' Configuration for the [connection] section of NetworkManager.conf. Refer to @@ -186,7 +187,7 @@ in { unmanaged = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = lib.mdDoc '' List of interfaces that will not be managed by NetworkManager. Interface name can be specified here, but if you need more fidelity, @@ -251,7 +252,7 @@ in { appendNameservers = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = lib.mdDoc '' A list of name servers that should be appended to the ones configured in NetworkManager or received by DHCP. @@ -260,7 +261,7 @@ in { insertNameservers = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = lib.mdDoc '' A list of name servers that should be inserted before the ones configured in NetworkManager or received by DHCP. 
@@ -336,21 +337,21 @@ in { }; }; }); - default = []; + default = [ ]; example = literalExpression '' - [ { - source = pkgs.writeText "upHook" ''' + [ { + source = pkgs.writeText "upHook" ''' - if [ "$2" != "up" ]; then - logger "exit: event $2 != up" - exit - fi + if [ "$2" != "up" ]; then + logger "exit: event $2 != up" + exit + fi - # coreutils and iproute are in PATH too - logger "Device $DEVICE_IFACE coming up" - '''; - type = "basic"; - } ]''; + # coreutils and iproute are in PATH too + logger "Device $DEVICE_IFACE coming up" + '''; + type = "basic"; + } ]''; description = lib.mdDoc '' A list of scripts which will be executed in response to network events. ''; @@ -369,14 +370,24 @@ in { ''; }; - enableFccUnlock = mkOption { - type = types.bool; - default = false; + fccUnlockScripts = mkOption { + type = types.listOf (types.submodule { + options = { + id = mkOption { + type = types.str; + description = lib.mdDoc "vid:pid of either the PCI or USB vendor and product ID"; + }; + path = mkOption { + type = types.path; + description = lib.mdDoc "Path to the unlock script"; + }; + }; + }); + default = [ ]; + example = literalExpression ''[{ name = "03f0:4e1d"; script = "''${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/03f0:4e1d"; }]''; description = lib.mdDoc '' - Enable FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer - automatically performs the FCC unlock procedure by default. See - [the docs](https://modemmanager.org/docs/modemmanager/fcc-unlock/) - for more details. + List of FCC unlock scripts to enable on the system, behaving as described in + https://modemmanager.org/docs/modemmanager/fcc-unlock/#integration-with-third-party-fcc-unlock-tools. ''; }; }; 
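Review bot: In the `fccUnlockScripts` option (the @@ -369 hunk), the `example` uses attribute names `name` and `script`, but the submodule declares `id` and `path` with no defaults, so the example as written would be rejected by the module system if a user copied it; it should read `example = literalExpression ''[{ id = "03f0:4e1d"; path = "''${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/03f0:4e1d"; }]'';`. Separately, `id` is typed `types.str` but is interpolated into the `environment.etc` key `"ModemManager/fcc-unlock.d/${e.id}"` in the @@ -414 hunk, so a value containing `/` or `..` would place the entry outside `fcc-unlock.d`; since the intended values are `vid:pid` pairs, a tighter type such as `type = types.strMatching "[0-9a-fA-F]{4}:[0-9a-fA-F]{4}";` would reject that at evaluation time. The `id` description could also state the expected form explicitly, e.g. `"vid:pid (four hex digits each) of the PCI or USB vendor and product, used as the script's file name under ModemManager/fcc-unlock.d"`. The @@ -414 hunk sets no `mode` on the fcc-unlock entries, unlike the `0544` used for dispatcher scripts, so presumably the store file's own permissions apply — if the script must be executable, the `path` description should say so. The enclosing `options` attribute set continues outside this hunk.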
@@ -387,7 +398,14 @@ in { [ "networking" "networkmanager" "packages" ] [ "networking" "networkmanager" "plugins" ]) (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) - (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] '' + (mkRemovedOptionModule [ "networking" "networkmanager" "enableFccUnlock" ] '' + This option was removed, because using bundled FCC unlock scripts is risky, + might conflict with vendor-provided unlock scripts, and should + be a conscious decision on a per-device basis. + Instead it's recommended to use the + `networking.networkmanager.fccUnlockScripts` option. + '') + (mkRemovedOptionModule [ "networking" "networkmanager" "dynamicHosts" ] '' This option was removed because allowing (multiple) regular users to override host entries affecting the whole system opens up a huge attack vector. There seem to be very rare cases where this might be useful. @@ -403,7 +421,8 @@ in { config = mkIf cfg.enable { assertions = [ - { assertion = config.networking.wireless.enable == true -> cfg.unmanaged != []; + { + assertion = config.networking.wireless.enable == true -> cfg.unmanaged != [ ]; message = '' You can not use networking.networkmanager with networking.wireless. Except if you mark some interfaces as unmanaged by NetworkManager. 
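Review bot: The removed-option path registered here is `[ "networking" "networkmanager" "enableFccUnlock" ]`, whereas both release-note hunks earlier in this diff refer to it as `services.networking.networkmanager.enableFccUnlock`, a path that does not exist in this module; the release notes should be aligned with the path declared here. The removal message recommends `networking.networkmanager.fccUnlockScripts` but gives no hint of how to reproduce the previous behaviour, so a sentence such as `The scripts previously enabled wholesale are available under ''${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d and can be listed individually.` would ease migration. The `imports` list this entry belongs to starts before the hunk.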
@@ -414,25 +433,29 @@ in { hardware.wirelessRegulatoryDatabase = true; environment.etc = { - "NetworkManager/NetworkManager.conf".source = configFile; - } - // builtins.listToAttrs (map (pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" { + "NetworkManager/NetworkManager.conf".source = configFile; + } + // builtins.listToAttrs (map + (pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" { source = "${pkg}/lib/NetworkManager/${pkg.networkManagerPlugin}"; - }) cfg.plugins) - // optionalAttrs cfg.enableFccUnlock - { - "ModemManager/fcc-unlock.d".source = - "${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/*"; - } - // optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != []) - { - "NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript; - } - // listToAttrs (lib.imap1 (i: s: - { - name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; - value = { mode = "0544"; inherit (s) source; }; - }) cfg.dispatcherScripts); + }) + cfg.plugins) + // builtins.listToAttrs (map + (e: nameValuePair "ModemManager/fcc-unlock.d/${e.id}" { + source = e.path; + }) + cfg.fccUnlockScripts) + // optionalAttrs (cfg.appendNameservers != [ ] || cfg.insertNameservers != [ ]) + { + "NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript; + } + // listToAttrs (lib.imap1 + (i: s: + { + name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; + value = { mode = "0544"; inherit (s) source; }; + }) + cfg.dispatcherScripts); environment.systemPackages = packages;