Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/networkmanager.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/networking/networkmanager.nix | 109 |
1 files changed, 24 insertions, 85 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
index 05a78d1c448..90d1032c41b 100644
--- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix
+++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
@@ -17,9 +17,6 @@ let
 networkmanager-vpnc
 ] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant;
- dynamicHostsEnabled =
- cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {};
-
 delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [];
 enableIwd = cfg.wifi.backend == "iwd";
@@ -335,55 +332,20 @@ in {
 so you don't need to to that yourself.
 '';
 };
-
- dynamicHosts = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Enabling this option requires the
- <option>networking.networkmanager.dns</option> option to be
- set to <literal>dnsmasq</literal>. If enabled, the directories
- defined by the
- <option>networking.networkmanager.dynamicHosts.hostsDirs</option>
- option will be set up when the service starts. The dnsmasq instance
- managed by NetworkManager will then watch those directories for
- hosts files (see the <literal>--hostsdir</literal> option of
- dnsmasq). This way a non-privileged user can add or override DNS
- entries on the local system (depending on what hosts directories
- that are configured)..
- '';
- };
- hostsDirs = mkOption {
- type = with types; attrsOf (submodule {
- options = {
- user = mkOption {
- type = types.str;
- default = "root";
- description = ''
- The user that will own the hosts directory.
- '';
- };
- group = mkOption {
- type = types.str;
- default = "root";
- description = ''
- The group that will own the hosts directory.
- '';
- };
- };
- });
- default = {};
- description = ''
- Defines a set of directories (relative to
- <literal>/run/NetworkManager/hostdirs</literal>) that dnsmasq will
- watch for hosts files.
- '';
- };
- };
 };
 };
+ imports = [
+ (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] ''
+ This option was removed because allowing (multiple) regular users to
+ override host entries affecting the whole system opens up a huge attack
+ vector. There seem to be very rare cases where this might be useful.
+ Consider setting system-wide host entries using networking.hosts, provide
+ them via the DNS server in your network, or use environment.etc
+ to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.
+ '')
+ ];
+
 ###### implementation
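Review bot: The replacement advice in the new mkRemovedOptionModule message — use environment.etc to drop a file into /etc/NetworkManager/dnsmasq.d that reconfigures hostsdir — re-creates the exact hazard the option is being removed for whenever the directory named in that hostsdir line is writable by unprivileged users. This message is the only guidance a user will see on upgrade, so the caveat belongs in it; consider appending after the last sentence: `Any hostsdir you configure this way must be writable only by root, otherwise the same DNS-override attack vector is reintroduced.` It may also be worth stating that this workaround, like the removed option, only has an effect when networking.networkmanager.dns is set to "dnsmasq", since that assertion is being deleted elsewhere in this commit.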
@@ -396,12 +358,6 @@ in {
 Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager.
 '';
 }
- { assertion = !dynamicHostsEnabled || (dynamicHostsEnabled && cfg.dns == "dnsmasq");
- message = ''
- To use networking.networkmanager.dynamicHosts you also need to set
- `networking.networkmanager.dns = "dnsmasq"`
- '';
- }
 ];
 environment.etc = with pkgs; [
@@ -435,12 +391,6 @@ in {
 target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}";
 mode = "0544";
 }) cfg.dispatcherScripts
- ++ optional dynamicHostsEnabled
- { target = "NetworkManager/dnsmasq.d/dyndns.conf";
- text = concatMapStrings (n: ''
- hostsdir=/run/NetworkManager/hostsdirs/${n}
- '') (attrNames cfg.dynamicHosts.hostsDirs);
- }
 ++ optional cfg.enableStrongSwan
 { source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name";
 target = "NetworkManager/VPN/nm-strongswan-service.name";
@@ -496,21 +446,6 @@ in {
 systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
- systemd.services.nm-setup-hostsdirs = mkIf dynamicHostsEnabled {
- wantedBy = [ "NetworkManager.service" ];
- before = [ "NetworkManager.service" ];
- partOf = [ "NetworkManager.service" ];
- script = concatStrings (mapAttrsToList (n: d: ''
- mkdir -p "/run/NetworkManager/hostsdirs/${n}"
- chown "${d.user}:${d.group}" "/run/NetworkManager/hostsdirs/${n}"
- chmod 0775 "/run/NetworkManager/hostsdirs/${n}"
- '') cfg.dynamicHosts.hostsDirs);
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- };
-
 systemd.services.NetworkManager-dispatcher = {
 wantedBy = [ "network.target" ];
 restartTriggers = [ configFile ];
@@ -521,15 +456,19 @@ in {
 };
 # Turn off NixOS' network management when networking is managed entirely by NetworkManager
- networking = (mkIf (!delegateWireless) {
- useDHCP = false;
- # Use mkDefault to trigger the assertion about the conflict above
- wireless.enable = mkDefault false;
- }) // (mkIf cfg.enableStrongSwan {
- networkmanager.packages = [ pkgs.networkmanager_strongswan ];
- }) // (mkIf enableIwd {
- wireless.iwd.enable = true;
- });
+ networking = mkMerge [
+ (mkIf (!delegateWireless) {
+ useDHCP = false;
+ })
+
+ (mkIf cfg.enableStrongSwan {
+ networkmanager.packages = [ pkgs.networkmanager_strongswan ];
+ })
+
+ (mkIf enableIwd {
+ wireless.iwd.enable = true;
+ })
+ ];
 security.polkit.extraConfig = polkitConf; |
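Review bot: The switch from `//` to `mkMerge` in the networking block is an effective-configuration change that neither a comment nor the commit text explains: mkIf returns a plain attrset, so the old `//` chain presumably collapsed to its last branch and `useDHCP = false` was never actually applied, whereas after this hunk it is, and the `wireless.enable = mkDefault false` line together with its comment about the conflict assertion is dropped with no replacement. Systems that relied on the global DHCP client running alongside NetworkManager may behave differently after this, which deserves a note. Suggested comment above the new block: `# mkMerge, not //: mkIf yields an attrset, so // would keep only the last branch`. The enclosing config attrset starts and ends outside the hunk.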