Merge pull request #252283 from flokli/fcc-unlock-extra

authored by

Ryan Lahfa and committed by
GitHub
eb23738e 37123711

+73 -49
+1 -2
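--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -935,8 +935,7 @@
 using the `pomerium-cli` command, you should now install the `pomerium-cli`
 package.
 
-- The option
-[services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
+- The option `services.networking.networkmanager.enableFccUnlock`
 was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager
 daemon no longer automatically performs the FCC unlock procedure by default. See
 [the docs](https://modemmanager.org/docs/modemmanager/fcc-unlock/) for more details.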
+2
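--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -187,6 +187,8 @@
 
 - Emacs macport version 29 was introduced.
 
+- The option `services.networking.networkmanager.enableFccUnlock` was removed in favor of `networking.networkmanager.fccUnlockScripts`, which allows specifying unlock scripts explicitly. The previous option simply did enable all unlock scripts bundled with ModemManager, which is risky, and didn't allow using vendor-provided unlock scripts at all.
+
 - The `html-proofer` package has been updated from major version 3 to major version 5, which includes [breaking changes](https://github.com/gjtorikian/html-proofer/blob/v5.0.8/UPGRADING.md).
 
 - `kratos` has been updated from 0.10.1 to the first stable version 1.0.0, please read the [0.10.1 to 0.11.0](https://github.com/ory/kratos/releases/tag/v0.11.0), [0.11.0 to 0.11.1](https://github.com/ory/kratos/releases/tag/v0.11.1), [0.11.1 to 0.13.0](https://github.com/ory/kratos/releases/tag/v0.13.0) and [0.13.0 to 1.0.0](https://github.com/ory/kratos/releases/tag/v1.0.0) upgrade guides. The most notable breaking change is the introduction of one-time passwords (`code`) and update of the default recovery strategy from `link` to `code`.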
+70 -47
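--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -5,7 +5,7 @@
 let
 cfg = config.networking.networkmanager;
 
-delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [];
+delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [ ];
 
 enableIwd = cfg.wifi.backend == "iwd";
 
@@ -40,7 +40,7 @@
 })
 (mkSection "keyfile" {
 unmanaged-devices =
-if cfg.unmanaged == [] then null
+if cfg.unmanaged == [ ] then null
 else lib.concatStringsSep ";" cfg.unmanaged;
 })
 (mkSection "logging" {
@@ -103,7 +103,7 @@
 };
 
 macAddressOpt = mkOption {
-type = types.either types.str (types.enum ["permanent" "preserve" "random" "stable"]);
+type = types.either types.str (types.enum [ "permanent" "preserve" "random" "stable" ]);
 default = "preserve";
 example = "00:11:22:33:44:55";
 description = lib.mdDoc ''
@@ -126,7 +126,8 @@
 pkgs.wpa_supplicant
 ];
 
-in {
+in
+{
 
 meta = {
 maintainers = teams.freedesktop.members;
@@ -156,7 +157,7 @@
 int
 str
 ]));
-default = {};
+default = { };
 description = lib.mdDoc ''
 Configuration for the [connection] section of NetworkManager.conf.
 Refer to
@@ -186,7 +187,7 @@
 
 unmanaged = mkOption {
 type = types.listOf types.str;
-default = [];
+default = [ ];
 description = lib.mdDoc ''
 List of interfaces that will not be managed by NetworkManager.
 Interface name can be specified here, but if you need more fidelity,
@@ -251,7 +252,7 @@
 
 appendNameservers = mkOption {
 type = types.listOf types.str;
-default = [];
+default = [ ];
 description = lib.mdDoc ''
 A list of name servers that should be appended
 to the ones configured in NetworkManager or received by DHCP.
@@ -260,7 +261,7 @@
 
 insertNameservers = mkOption {
 type = types.listOf types.str;
-default = [];
+default = [ ];
 description = lib.mdDoc ''
 A list of name servers that should be inserted before
 the ones configured in NetworkManager or received by DHCP.
@@ -336,21 +337,21 @@
 };
 };
 });
-default = [];
+default = [ ];
 example = literalExpression ''
-[ {
-source = pkgs.writeText "upHook" '''
+[ {
+source = pkgs.writeText "upHook" '''
 
-if [ "$2" != "up" ]; then
-logger "exit: event $2 != up"
-exit
-fi
+if [ "$2" != "up" ]; then
+logger "exit: event $2 != up"
+exit
+fi
 
-# coreutils and iproute are in PATH too
-logger "Device $DEVICE_IFACE coming up"
-''';
-type = "basic";
-} ]'';
+# coreutils and iproute are in PATH too
+logger "Device $DEVICE_IFACE coming up"
+''';
+type = "basic";
+} ]'';
 description = lib.mdDoc ''
 A list of scripts which will be executed in response to network events.
 '';
@@ -369,14 +370,24 @@
 '';
 };
 
-enableFccUnlock = mkOption {
-type = types.bool;
-default = false;
+fccUnlockScripts = mkOption {
+type = types.listOf (types.submodule {
+options = {
+id = mkOption {
+type = types.str;
+description = lib.mdDoc "vid:pid of either the PCI or USB vendor and product ID";
+};
+path = mkOption {
+type = types.path;
+description = lib.mdDoc "Path to the unlock script";
+};
+};
+});
+default = [ ];
+example = literalExpression ''[{ name = "03f0:4e1d"; script = "''${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/03f0:4e1d"; }]'';
 description = lib.mdDoc ''
-Enable FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer
-automatically performs the FCC unlock procedure by default. See
-[the docs](https://modemmanager.org/docs/modemmanager/fcc-unlock/)
-for more details.
+List of FCC unlock scripts to enable on the system, behaving as described in
+https://modemmanager.org/docs/modemmanager/fcc-unlock/#integration-with-third-party-fcc-unlock-tools.
 '';
 };
 };
@@ -387,7 +398,14 @@
 [ "networking" "networkmanager" "packages" ]
 [ "networking" "networkmanager" "plugins" ])
 (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ])
-(mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] ''
+(mkRemovedOptionModule [ "networking" "networkmanager" "enableFccUnlock" ] ''
+This option was removed, because using bundled FCC unlock scripts is risky,
+might conflict with vendor-provided unlock scripts, and should
+be a conscious decision on a per-device basis.
+Instead it's recommended to use the
+`networking.networkmanager.fccUnlockScripts` option.
+'')
+(mkRemovedOptionModule [ "networking" "networkmanager" "dynamicHosts" ] ''
 This option was removed because allowing (multiple) regular users to
 override host entries affecting the whole system opens up a huge attack
 vector. There seem to be very rare cases where this might be useful.
@@ -403,7 +421,8 @@
 config = mkIf cfg.enable {
 
 assertions = [
-{ assertion = config.networking.wireless.enable == true -> cfg.unmanaged != [];
+{
+assertion = config.networking.wireless.enable == true -> cfg.unmanaged != [ ];
 message = ''
 You can not use networking.networkmanager with networking.wireless.
 Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager.
@@ -414,25 +433,29 @@
 hardware.wirelessRegulatoryDatabase = true;
 
 environment.etc = {
-"NetworkManager/NetworkManager.conf".source = configFile;
-}
-// builtins.listToAttrs (map (pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" {
+"NetworkManager/NetworkManager.conf".source = configFile;
+}
+// builtins.listToAttrs (map
+(pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" {
 source = "${pkg}/lib/NetworkManager/${pkg.networkManagerPlugin}";
-}) cfg.plugins)
-// optionalAttrs cfg.enableFccUnlock
-{
-"ModemManager/fcc-unlock.d".source =
-"${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/*";
-}
-// optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != [])
-{
-"NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript;
-}
-// listToAttrs (lib.imap1 (i: s:
-{
-name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}";
-value = { mode = "0544"; inherit (s) source; };
-}) cfg.dispatcherScripts);
+})
+cfg.plugins)
+// builtins.listToAttrs (map
+(e: nameValuePair "ModemManager/fcc-unlock.d/${e.id}" {
+source = e.path;
+})
+cfg.fccUnlockScripts)
+// optionalAttrs (cfg.appendNameservers != [ ] || cfg.insertNameservers != [ ])
+{
+"NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript;
+}
+// listToAttrs (lib.imap1
+(i: s:
+{
+name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}";
+value = { mode = "0544"; inherit (s) source; };
+})
+cfg.dispatcherScripts);
 
 environment.systemPackages = packages;
 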
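Review bot: The `example` for `fccUnlockScripts` uses the attribute names `name` and `script`, but the submodule declared just above it only defines `id` and `path`, so a configuration copied from the example would not evaluate; it should read `example = literalExpression ''[{ id = "03f0:4e1d"; path = "''${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/03f0:4e1d"; }]'';`. Separately, `id` is an unconstrained `types.str` that is interpolated into the `/etc` entry name `"ModemManager/fcc-unlock.d/${e.id}"`, so a typo yields a script that never matches the device and a value containing `/` could place the entry somewhere other than that directory. A pattern type such as `types.strMatching "[0-9a-f]{4}:[0-9a-f]{4}"` would reject both at evaluation time (loosen the pattern if other naming forms are meant to be supported). Since these scripts are run by ModemManager, presumably with the daemon's privileges, the `path` description could also state that the file should be a reviewed store path or a vendor-provided script.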