diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/networkmanager.nix')
| -rw-r--r-- | nixpkgs/nixos/modules/services/networking/networkmanager.nix | 272 |
1 files changed, 117 insertions, 155 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix index 887c89ddf3ab..e817f295a445 100644 --- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix +++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix @@ -5,13 +5,21 @@ with lib; let cfg = config.networking.networkmanager; - dynamicHostsEnabled = - cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {}; + basePackages = with pkgs; [ + crda + modemmanager + networkmanager + networkmanager-fortisslvpn + networkmanager-iodine + networkmanager-l2tp + networkmanager-openconnect + networkmanager-openvpn + networkmanager-vpnc + ] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant; delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != []; - # /var/lib/misc is for dnsmasq.leases. - stateDirs = "/var/lib/NetworkManager /var/lib/dhclient /var/lib/misc"; + enableIwd = cfg.wifi.backend == "iwd"; configFile = pkgs.writeText "NetworkManager.conf" '' [main] @@ -38,6 +46,7 @@ let [device] wifi.scan-rand-mac-address=${if cfg.wifi.scanRandMacAddress then "yes" else "no"} + wifi.backend=${cfg.wifi.backend} ${cfg.extraConfig} ''; @@ -176,30 +185,18 @@ in { ''; }; - # Ugly hack for using the correct gnome3 packageSet - basePackages = mkOption { - type = types.attrsOf types.package; - default = { inherit (pkgs) - networkmanager modemmanager crda - networkmanager-openvpn networkmanager-vpnc - networkmanager-openconnect networkmanager-fortisslvpn - networkmanager-l2tp networkmanager-iodine; } - // optionalAttrs (!delegateWireless) { inherit (pkgs) wpa_supplicant; }; - internal = true; - }; - packages = mkOption { - type = types.listOf types.path; + type = types.listOf types.package; default = [ ]; description = '' Extra packages that provide NetworkManager plugins. ''; - apply = list: (attrValues cfg.basePackages) ++ list; + apply = list: basePackages ++ list; }; dhcp = mkOption { type = types.enum [ "dhclient" "dhcpcd" "internal" ]; - default = "dhclient"; + default = "internal"; description = '' Which program (or internal library) should be used for DHCP. ''; @@ -236,6 +233,15 @@ in { wifi = { macAddress = macAddressOpt; + backend = mkOption { + type = types.enum [ "wpa_supplicant" "iwd" ]; + default = "wpa_supplicant"; + description = '' + Specify the Wi-Fi backend used for the device. + Currently supported are <option>wpa_supplicant</option> or <option>iwd</option> (experimental). + ''; + }; + powersave = mkOption { type = types.nullOr types.bool; default = null; @@ -302,6 +308,7 @@ in { if [ "$2" != "up" ]; then logger "exit: event $2 != up" + exit fi # coreutils and iproute are in PATH too @@ -326,55 +333,21 @@ in { so you don't need to to that yourself. ''; }; - - dynamicHosts = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enabling this option requires the - <option>networking.networkmanager.dns</option> option to be - set to <literal>dnsmasq</literal>. If enabled, the directories - defined by the - <option>networking.networkmanager.dynamicHosts.hostsDirs</option> - option will be set up when the service starts. The dnsmasq instance - managed by NetworkManager will then watch those directories for - hosts files (see the <literal>--hostsdir</literal> option of - dnsmasq). This way a non-privileged user can add or override DNS - entries on the local system (depending on what hosts directories - that are configured).. - ''; - }; - hostsDirs = mkOption { - type = with types; attrsOf (submodule { - options = { - user = mkOption { - type = types.str; - default = "root"; - description = '' - The user that will own the hosts directory. - ''; - }; - group = mkOption { - type = types.str; - default = "root"; - description = '' - The group that will own the hosts directory. - ''; - }; - }; - }); - default = {}; - description = '' - Defines a set of directories (relative to - <literal>/run/NetworkManager/hostdirs</literal>) that dnsmasq will - watch for hosts files. - ''; - }; - }; }; }; + imports = [ + (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) + (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] '' + This option was removed because allowing (multiple) regular users to + override host entries affecting the whole system opens up a huge attack + vector. There seem to be very rare cases where this might be useful. + Consider setting system-wide host entries using networking.hosts, provide + them via the DNS server in your network, or use environment.etc + to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir. + '') + ]; + ###### implementation @@ -387,108 +360,90 @@ in { Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager. ''; } - { assertion = !dynamicHostsEnabled || (dynamicHostsEnabled && cfg.dns == "dnsmasq"); - message = '' - To use networking.networkmanager.dynamicHosts you also need to set - networking.networkmanager.dns = "dnsmasq" - ''; - } ]; - environment.etc = with cfg.basePackages; [ - { source = configFile; - target = "NetworkManager/NetworkManager.conf"; - } - { source = "${networkmanager-openvpn}/lib/NetworkManager/VPN/nm-openvpn-service.name"; - target = "NetworkManager/VPN/nm-openvpn-service.name"; - } - { source = "${networkmanager-vpnc}/lib/NetworkManager/VPN/nm-vpnc-service.name"; - target = "NetworkManager/VPN/nm-vpnc-service.name"; - } - { source = "${networkmanager-openconnect}/lib/NetworkManager/VPN/nm-openconnect-service.name"; - target = "NetworkManager/VPN/nm-openconnect-service.name"; - } - { source = "${networkmanager-fortisslvpn}/lib/NetworkManager/VPN/nm-fortisslvpn-service.name"; - target = "NetworkManager/VPN/nm-fortisslvpn-service.name"; - } - { source = "${networkmanager-l2tp}/lib/NetworkManager/VPN/nm-l2tp-service.name"; - target = "NetworkManager/VPN/nm-l2tp-service.name"; - } - { source = "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name"; - target = "NetworkManager/VPN/nm-iodine-service.name"; + environment.etc = with pkgs; { + "NetworkManager/NetworkManager.conf".source = configFile; + + "NetworkManager/VPN/nm-openvpn-service.name".source = + "${networkmanager-openvpn}/lib/NetworkManager/VPN/nm-openvpn-service.name"; + + "NetworkManager/VPN/nm-vpnc-service.name".source = + "${networkmanager-vpnc}/lib/NetworkManager/VPN/nm-vpnc-service.name"; + + "NetworkManager/VPN/nm-openconnect-service.name".source = + "${networkmanager-openconnect}/lib/NetworkManager/VPN/nm-openconnect-service.name"; + + "NetworkManager/VPN/nm-fortisslvpn-service.name".source = + "${networkmanager-fortisslvpn}/lib/NetworkManager/VPN/nm-fortisslvpn-service.name"; + + "NetworkManager/VPN/nm-l2tp-service.name".source = + "${networkmanager-l2tp}/lib/NetworkManager/VPN/nm-l2tp-service.name"; + + "NetworkManager/VPN/nm-iodine-service.name".source = + "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name"; } - ] ++ optional (cfg.appendNameservers != [] || cfg.insertNameservers != []) - { source = overrideNameserversScript; - target = "NetworkManager/dispatcher.d/02overridedns"; - } - ++ lib.imap1 (i: s: { - inherit (s) source; - target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; - mode = "0544"; - }) cfg.dispatcherScripts - ++ optional dynamicHostsEnabled - { target = "NetworkManager/dnsmasq.d/dyndns.conf"; - text = concatMapStrings (n: '' - hostsdir=/run/NetworkManager/hostsdirs/${n} - '') (attrNames cfg.dynamicHosts.hostsDirs); - } - ++ optional cfg.enableStrongSwan - { source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; - target = "NetworkManager/VPN/nm-strongswan-service.name"; - }; + // optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != []) + { + "NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript; + } + // optionalAttrs cfg.enableStrongSwan + { + "NetworkManager/VPN/nm-strongswan-service.name".source = + "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; + } + // listToAttrs (lib.imap1 (i: s: + { + name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; + value = { mode = "0544"; inherit (s) source; }; + }) cfg.dispatcherScripts); environment.systemPackages = cfg.packages; - users.groups = [{ - name = "networkmanager"; - gid = config.ids.gids.networkmanager; - } - { - name = "nm-openvpn"; - gid = config.ids.gids.nm-openvpn; - }]; - users.users = [{ - name = "nm-openvpn"; - uid = config.ids.uids.nm-openvpn; - extraGroups = [ "networkmanager" ]; - } - { - name = "nm-iodine"; - isSystemUser = true; - group = "networkmanager"; - }]; + users.groups = { + networkmanager.gid = config.ids.gids.networkmanager; + nm-openvpn.gid = config.ids.gids.nm-openvpn; + }; + + users.users = { + nm-openvpn = { + uid = config.ids.uids.nm-openvpn; + extraGroups = [ "networkmanager" ]; + }; + nm-iodine = { + isSystemUser = true; + group = "networkmanager"; + }; + }; systemd.packages = cfg.packages; + systemd.tmpfiles.rules = [ + "d /etc/NetworkManager/system-connections 0700 root root -" + "d /etc/ipsec.d 0700 root root -" + "d /var/lib/NetworkManager-fortisslvpn 0700 root root -" + + "d /var/lib/dhclient 0755 root root -" + "d /var/lib/misc 0755 root root -" # for dnsmasq.leases + ]; + systemd.services.NetworkManager = { wantedBy = [ "network.target" ]; restartTriggers = [ configFile ]; - preStart = '' - mkdir -m 700 -p /etc/NetworkManager/system-connections - mkdir -m 700 -p /etc/ipsec.d - mkdir -m 755 -p ${stateDirs} - ''; + aliases = [ "dbus-org.freedesktop.NetworkManager.service" ]; + + serviceConfig = { + StateDirectory = "NetworkManager"; + StateDirectoryMode = 755; # not sure if this really needs to be 755 + }; }; systemd.services.NetworkManager-wait-online = { wantedBy = [ "network-online.target" ]; }; - systemd.services.nm-setup-hostsdirs = mkIf dynamicHostsEnabled { - wantedBy = [ "NetworkManager.service" ]; - before = [ "NetworkManager.service" ]; - partOf = [ "NetworkManager.service" ]; - script = concatStrings (mapAttrsToList (n: d: '' - mkdir -p "/run/NetworkManager/hostsdirs/${n}" - chown "${d.user}:${d.group}" "/run/NetworkManager/hostsdirs/${n}" - chmod 0775 "/run/NetworkManager/hostsdirs/${n}" - '') cfg.dynamicHosts.hostsDirs); - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - }; + systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ]; systemd.services.NetworkManager-dispatcher = { wantedBy = [ "network.target" ]; @@ -496,16 +451,23 @@ in { # useful binaries for user-specified hooks path = [ pkgs.iproute pkgs.utillinux pkgs.coreutils ]; + aliases = [ "dbus-org.freedesktop.nm-dispatcher.service" ]; }; # Turn off NixOS' network management when networking is managed entirely by NetworkManager - networking = (mkIf (!delegateWireless) { - useDHCP = false; - # Use mkDefault to trigger the assertion about the conflict above - wireless.enable = mkDefault false; - }) // (mkIf cfg.enableStrongSwan { - networkmanager.packages = [ pkgs.networkmanager_strongswan ]; - }); + networking = mkMerge [ + (mkIf (!delegateWireless) { + useDHCP = false; + }) + + (mkIf cfg.enableStrongSwan { + networkmanager.packages = [ pkgs.networkmanager_strongswan ]; + }) + + (mkIf enableIwd { + wireless.iwd.enable = true; + }) + ]; security.polkit.extraConfig = polkitConf; |