Unverified Commit 3de9963a authored by Martin Weinelt's avatar Martin Weinelt Committed by GitHub

Merge staging-nixos into master (#509394)

parents de76b58f 0a686310
+5 −15
# Ad-Hoc Configuration {#ad-hoc-network-config}

You can use [](#opt-networking.localCommands) to specify shell commands to be
run after the network interfaces have been created, but not necessarily fully
configured.
This is useful for doing network configuration not covered by the existing
NixOS modules. For example, you can create a network namespace and a pair
of virtual ethernet devices like this:
You can use [](#opt-networking.localCommands) to
specify shell commands to be run at the end of `network-setup.service`. This
is useful for doing network configuration not covered by the existing NixOS
modules. For instance, to statically configure an IPv6 address:

```nix
{
  networking.localCommands = ''
    ip netns add mynet
    ip link add name veth-in type veth peer name veth-out
    ip link set dev veth-out netns mynet
    ip -6 addr add 2001:610:685:1::1/64 dev eth0
  '';
}
```

::: {.note}
The commands should ideally be idempotent, so it's recommended to perform
cleanups of the state you create (e.g. virtual interfaces), or at least make
sure possible failures are handled.
:::
+3 −10
@@ -26,16 +26,9 @@ servers:
```

::: {.note}
Addresses and routes for statically configured interfaces and the default
gateway are set up by systemd services named
`network-addresses-<interface>.service`. The name servers configuration,
instead, is performed by `network-local-commands.service` using resolvconf.
:::

::: {.note}
If needed, for example if addresses/routes were added/removed,
you can reset the network configuration by running
`systemctl restart networking-scripted.target`
Statically configured interfaces are set up by the systemd service
`interface-name-cfg.service`. The default gateway and name server
configuration is performed by `network-setup.service`.
:::

The host name is set using [](#opt-networking.hostName):
+0 −7
@@ -261,13 +261,6 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.

  Note for NetworkManager users: before these changes NetworkManager used to spawn its own wpa_supplicant daemon, but now it relies on `networking.wireless`. So, if you had `networking.wireless.enable = false` in your configuration, you should remove that line.

- Some implementation details of the NixOS network-interfaces module have been changed:

  - In the "scripted" backend, `network-setup.service` has been removed and the network configuration services are now part of `network.target`, which is now directly pulled into `multi-user.target`.
  - Interface addresses, routes and default gateways are now configured asynchronously as soon as the underlying network devices become available (fixes issue [#154737](https://github.com/NixOS/nixpkgs/issues/154737)).
  - In both "networkd" and "scripted" backends, the configuration of name servers is now part of `network-local-commands.service` (fixes issue [#445496](https://github.com/NixOS/nixpkgs/issues/445496)).
  - The issue that resulted in a completely unconfigured network if both `resolvconf` was disabled and no default gateway configured, has also been fixed.

- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:

  - The `migrate sql` CLI command is now `migrate sql up`
+2 −2
@@ -32,7 +32,7 @@ in
        description = ''
          Whether to enable U2F support in the i3lock program.
          U2F enables authentication using a hardware device, such as a security key.
          When U2F support is enabled, the i3lock program will set the setuid bit on the i3lock binary and enable the pam u2fAuth service,
          When U2F support is enabled, the i3lock program will set the setuid bit on the i3lock binary and enable the pam u2f service,
        '';
      };
    };
@@ -51,7 +51,7 @@ in
      source = "${cfg.package.out}/bin/i3lock";
    };

    security.pam.services.i3lock.u2fAuth = cfg.u2fSupport;
    security.pam.services.i3lock.u2f.enable = cfg.u2fSupport;

  };

+36 −13
@@ -135,6 +135,7 @@ let

      imports = [
        (lib.mkRenamedOptionModule [ "enableKwallet" ] [ "kwallet" "enable" ])
        (lib.mkRenamedOptionModule [ "u2fAuth" ] [ "u2f" "enable" ])
      ];

      options = {
@@ -202,7 +203,8 @@ let
          '';
        };

        u2fAuth = lib.mkOption {
        u2f = {
          enable = lib.mkOption {
            default = config.security.pam.u2f.enable;
            defaultText = lib.literalExpression "config.security.pam.u2f.enable";
            type = lib.types.bool;
@@ -215,6 +217,27 @@ let
            '';
          };

          control = lib.mkOption {
            default = config.security.pam.u2f.control;
            defaultText = lib.literalExpression "config.security.pam.u2f.control";
            type = lib.types.enum [
              "required"
              "requisite"
              "sufficient"
              "optional"
            ];
            description = ''
              This option sets pam "control".
              If you want to have multi factor authentication, use "required".
              If you want to use U2F device instead of regular password, use "sufficient".

              Read
              {manpage}`pam.conf(5)`
              for better understanding of this option.
            '';
          };
        };

        usshAuth = lib.mkOption {
          default = false;
          type = lib.types.bool;
@@ -1045,8 +1068,8 @@ let
                  in
                  {
                    name = "u2f";
                    enable = cfg.u2fAuth;
                    control = u2f.control;
                    enable = cfg.u2f.enable;
                    control = cfg.u2f.control;
                    modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
                    inherit (u2f) settings;
                  }
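Review bot: The description of the new per-service `control` option (the `lib.mkOption` block added after the `enable` option) is copied from the global `security.pam.u2f.control` option and never says that it applies to this one PAM service, even though its default is taken from the global value. Because "sufficient" lets a U2F touch satisfy authentication on its own, a reader should be told that this knob overrides the global choice per service; I would open the description with `Overrides the global \`security.pam.u2f.control\` value for this PAM service only.`. The last hunk reads `control = cfg.u2f.control;` directly beside `enable = cfg.u2f.enable;`, so the value presumably only matters when `u2f.enable` is true for the service — worth stating in the description too if that holds, but confirm against how the rule is emitted. The enclosing `options` attribute set starts and ends outside the hunk.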