Commit 32da89a1 authored by Weijia Wang's avatar Weijia Wang

Merge branch 'master' into staging-next

parents 2ee2d62d 250c07f9
+1 −0
@@ -48,6 +48,7 @@ lua-resty-jwt,,,,,,
lua-resty-openidc,,,,,,
lua-resty-openssl,,,,,,
lua-resty-session,,,,,,
lua-rtoml,https://github.com/lblasc/lua-rtoml,,,,,lblasc
lua-subprocess,https://github.com/0x0ade/lua-subprocess,,,,5.1,scoder12
lua-term,,,,,,
lua-toml,,,,,,
+1 −1
@@ -369,7 +369,7 @@ in
              PrivateDevices = true;
              PrivateMounts = true;
              PrivateNetwork = mkDefault false;
              PrivateUsers = true;
              PrivateUsers = false; # Enabling this breaks on zfs-2.2.0
              ProtectClock = true;
              ProtectControlGroups = true;
              ProtectHome = true;
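Review bot: `PrivateUsers = false;` drops the per-unit user namespace from this service's sandbox, and the comment next to it records only the trigger ("breaks on zfs-2.2.0"), not a tracking reference or a condition under which the hardening should come back, so the relaxation is likely to outlive the breakage it works around. Consider making the value conditional on the zfs version in use rather than unconditionally false, so the sandbox is only relaxed where it actually fails; whether this unit depends on zfs, and which attribute exposes that version, is not visible in the hunk. At minimum the comment should say what to watch for, e.g. `PrivateUsers = false; # breaks on zfs-2.2.0; re-enable once fixed upstream (track: <issue>)`. The enclosing serviceConfig attribute set starts before line 24 and continues past the hunk.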
+2 −28
@@ -899,25 +899,6 @@ in {
                      '';
                    };
                  };

                  managementFrameProtection = mkOption {
                    default = "required";
                    type = types.enum ["disabled" "optional" "required"];
                    apply = x:
                      getAttr x {
                        "disabled" = 0;
                        "optional" = 1;
                        "required" = 2;
                      };
                    description = mdDoc ''
                      Management frame protection (MFP) authenticates management frames
                      to prevent deauthentication (or related) attacks.

                      - {var}`"disabled"`: No management frame protection
                      - {var}`"optional"`: Use MFP if a connection allows it
                      - {var}`"required"`: Force MFP for all clients
                    '';
                  };
                };

                config = let
@@ -943,7 +924,8 @@ in {

                    # IEEE 802.11i (authentication) related configuration
                    # Encrypt management frames to protect against deauthentication and similar attacks
                    ieee80211w = bssCfg.managementFrameProtection;
                    ieee80211w = mkDefault 1;
                    sae_require_mfp = mkDefault 1;

                    # Only allow WPA by default and disable insecure WEP
                    auth_algs = mkDefault 1;
@@ -1184,14 +1166,6 @@ in {
                  assertion = (length (attrNames radioCfg.networks) > 1) -> (bssCfg.bssid != null);
                  message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.'';
                }
                {
                  assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2;
                  message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"'';
                }
                {
                  assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0;
                  message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"'';
                }
                {
                  assertion = countWpaPasswordDefinitions <= 1;
                  message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)'';
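Review bot: The comment above `ieee80211w = mkDefault 1` still says "Encrypt management frames to protect against deauthentication and similar attacks", but value 1 makes MFP only optional, so a client that does not negotiate it can still be deauthenticated; the removed option defaulted to "required" (2), and the assertion in the third hunk that forced `ieee80211w == 2` for `wpa3-sae` goes away with it. `sae_require_mfp = mkDefault 1` covers SAE associations, but WPA2-PSK clients on a transition or WPA2-only BSS are not covered, and nothing in the hunk shows pure WPA3-SAE BSSes being raised to 2 (that may happen elsewhere in the module). I would make the comment state the actual default and how to tighten it, e.g. `# MFP is advertised but optional by default (ieee80211w = 1) so pre-MFP clients can still join; override ieee80211w to 2 to require it for every client`. The enclosing `config = let` attribute set starts before this hunk and continues after it.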
+1 −1
@@ -997,7 +997,7 @@ in
              virtualisation.memorySize is above 2047, but qemu is only able to allocate 2047MB RAM on 32bit max.
            '';
          }
          { assertion = cfg.directBoot.initrd != options.virtualisation.directBoot.initrd.default -> cfg.directBoot.enable;
          { assertion = cfg.directBoot.enable || cfg.directBoot.initrd == options.virtualisation.directBoot.initrd.default;
            message =
              ''
                You changed the default of `virtualisation.directBoot.initrd` but you are not
+1 −0
@@ -55,4 +55,5 @@ in
  };

  security.sudo.wheelNeedsPassword = false;
  security.sudo-rs.wheelNeedsPassword = false;
}
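Review bot: `security.sudo-rs.wheelNeedsPassword = false;` grants the wheel group passwordless root under sudo-rs exactly as the line above does for sudo, and neither line carries a comment on why that is acceptable in this module; which profile this is cannot be seen from the hunk. If this is an installer or test profile, a one-line rationale would discourage the pair being copied into unsuitable configurations, e.g. `# wheel gets passwordless sudo/sudo-rs: this profile targets trusted, single-user environments only`. Whether sudo-rs is enabled here is also not visible; if it is not, the new line is presumably inert but harmless.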