NetworkManager: split specific config options out of my main net/default.nix file

hosts/common/net/default.nix

@@ -26,42 +26,4 @@
   # this is required separately by servo and by any `sane-vpn` users,
   # however Nix requires this be set centrally, in only one location (i.e. here)
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
-  # the default backend is "wpa_supplicant".
-  # wpa_supplicant reliably picks weak APs to connect to.
-  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
-  # iwd is an alternative that shouldn't have this problem
-  # docs:
-  # - <https://nixos.wiki/wiki/Iwd>
-  # - <https://iwd.wiki.kernel.org/networkmanager>
-  # - `man iwd.config`  for global config
-  # - `man iwd.network` for per-SSID config
-  # use `iwctl` to control
-  # networking.networkmanager.wifi.backend = "iwd";
-  # networking.wireless.iwd.enable = true;
-  # networking.wireless.iwd.settings = {
-  #   # auto-connect to a stronger network if signal drops below this value
-  #   # bedroom -> bedroom connection is -35 to -40 dBm
-  #   # bedroom -> living room connection is -60 dBm
-  #   General.RoamThreshold = "-52";  # default -70
-  #   General.RoamThreshold5G = "-52";  # default -76
-  # };
-
-  # plugins mostly add support for establishing different VPN connections.
-  # the default plugin set includes mostly proprietary VPNs:
-  # - fortisslvpn (Fortinet)
-  # - iodine (DNS tunnels)
-  # - l2tp
-  # - openconnect (Cisco Anyconnect / Juniper / ocserv)
-  # - openvpn
-  # - vpnc (Cisco VPN)
-  # - sstp
-  #
-  # i don't use these, and notably they drag in huge dependency sets and don't cross compile well.
-  # e.g. openconnect drags in webkitgtk (for SSO)!
-  # networking.networkmanager.plugins = lib.mkForce [];
-  networking.networkmanager.enableDefaultPlugins = false;
-
-  # keyfile.path = where networkmanager should look for connection credentials
-  networking.networkmanager.settings.keyfile.path = "/var/lib/NetworkManager/system-connections";
 }

hosts/common/net/networkmanager.nix

@@ -17,7 +17,21 @@ let
   networkmanager-split = pkgs.networkmanager-split.override { inherit networkmanager; };
 in {
   networking.networkmanager.enable = true;
+  # plugins mostly add support for establishing different VPN connections.
+  # the default plugin set includes mostly proprietary VPNs:
+  # - fortisslvpn (Fortinet)
+  # - iodine (DNS tunnels)
+  # - l2tp
+  # - openconnect (Cisco Anyconnect / Juniper / ocserv)
+  # - openvpn
+  # - vpnc (Cisco VPN)
+  # - sstp
+  #
+  # i don't use these, and notably they drag in huge dependency sets and don't cross compile well.
+  # e.g. openconnect drags in webkitgtk (for SSO)!
+  # networking.networkmanager.plugins = lib.mkForce [];
   networking.networkmanager.enableDefaultPlugins = false;
+
   networking.networkmanager.package = networkmanager-split.daemon.overrideAttrs (upstream: {
     # postPatch = (upstream.postPatch or "") + ''
     #   substituteInPlace src/{core/org.freedesktop.NetworkManager,nm-dispatcher/nm-dispatcher}.conf --replace-fail \
@@ -105,13 +119,16 @@ in {
   };
 
   networking.networkmanager.settings = {
-    # wifi.backend = "wpa_supplicant";
+    # keyfile.path = where networkmanager should look for connection credentials
-    # wifi.scan-rand-mac-address = true;
+    keyfile.path = "/var/lib/NetworkManager/system-connections";
 
-    # logging.audit = false;
+    # wifi.backend = "wpa_supplicant";  #< default
+    # wifi.scan-rand-mac-address = true;  #< default
+
+    # logging.audit = false;  #< default
     logging.level = "INFO";
 
-    # main.dhcp = "internal";
+    # main.dhcp = "internal";  #< default
     main.dns = if config.services.resolved.enable then
       "systemd-resolved"
     else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then
@@ -123,6 +140,26 @@ in {
   };
   environment.etc."NetworkManager/system-connections".source = "/var/lib/NetworkManager/system-connections";
 
+  # the default backend is "wpa_supplicant".
+  # wpa_supplicant reliably picks weak APs to connect to.
+  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
+  # iwd is an alternative that shouldn't have this problem
+  # docs:
+  # - <https://nixos.wiki/wiki/Iwd>
+  # - <https://iwd.wiki.kernel.org/networkmanager>
+  # - `man iwd.config`  for global config
+  # - `man iwd.network` for per-SSID config
+  # use `iwctl` to control
+  # networking.networkmanager.wifi.backend = "iwd";
+  # networking.wireless.iwd.enable = true;
+  # networking.wireless.iwd.settings = {
+  #   # auto-connect to a stronger network if signal drops below this value
+  #   # bedroom -> bedroom connection is -35 to -40 dBm
+  #   # bedroom -> living room connection is -60 dBm
+  #   General.RoamThreshold = "-52";  # default -70
+  #   General.RoamThreshold5G = "-52";  # default -76
+  # };
+
   # allow networkmanager to control systemd-resolved,
   # which it needs to do to apply new DNS settings when using systemd-resolved.
   security.polkit.extraConfig = ''