Merge pull request #252283 from flokli/fcc-unlock-extra

  using the `pomerium-cli` command, you should now install the `pomerium-cli`

  package.

- The option

  [services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)

- The option `services.networking.networkmanager.enableFccUnlock`

  was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager

  daemon no longer automatically performs the FCC unlock procedure by default. See

  [the docs](https://modemmanager.org/docs/modemmanager/fcc-unlock/) for more details.

- Emacs macport version 29 was introduced.

- The option `services.networking.networkmanager.enableFccUnlock` was removed in favor of `networking.networkmanager.fccUnlockScripts`, which allows specifying unlock scripts explicitly. The previous option simply did enable all unlock scripts bundled with ModemManager, which is risky, and didn't allow using vendor-provided unlock scripts at all.

- The `html-proofer` package has been updated from major version 3 to major version 5, which includes [breaking changes](https://github.com/gjtorikian/html-proofer/blob/v5.0.8/UPGRADING.md).

- `kratos` has been updated from 0.10.1 to the first stable version 1.0.0, please read the [0.10.1 to 0.11.0](https://github.com/ory/kratos/releases/tag/v0.11.0), [0.11.0 to 0.11.1](https://github.com/ory/kratos/releases/tag/v0.11.1), [0.11.1 to 0.13.0](https://github.com/ory/kratos/releases/tag/v0.13.0) and [0.13.0 to 1.0.0](https://github.com/ory/kratos/releases/tag/v1.0.0) upgrade guides. The most notable breaking change is the introduction of one-time passwords (`code`) and update of the default recovery strategy from `link` to `code`.

    pkgs.wpa_supplicant

  ];

in {

in

{

  meta = {

    maintainers = teams.freedesktop.members;

        '';

      };

      enableFccUnlock = mkOption {

        type = types.bool;

        default = false;

      fccUnlockScripts = mkOption {

        type = types.listOf (types.submodule {

          options = {

            id = mkOption {

              type = types.str;

              description = lib.mdDoc "vid:pid of either the PCI or USB vendor and product ID";

            };

            path = mkOption {

              type = types.path;

              description = lib.mdDoc "Path to the unlock script";

            };

          };

        });

        default = [ ];

        example = literalExpression ''[{ name = "03f0:4e1d"; script = "''${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/03f0:4e1d"; }]'';

        description = lib.mdDoc ''

          Enable FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer

          automatically performs the FCC unlock procedure by default. See

          [the docs](https://modemmanager.org/docs/modemmanager/fcc-unlock/)

          for more details.

          List of FCC unlock scripts to enable on the system, behaving as described in

          https://modemmanager.org/docs/modemmanager/fcc-unlock/#integration-with-third-party-fcc-unlock-tools.

        '';

      };

    };

      [ "networking" "networkmanager" "packages" ]

      [ "networking" "networkmanager" "plugins" ])

    (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ])

    (mkRemovedOptionModule [ "networking" "networkmanager" "enableFccUnlock" ] ''

      This option was removed, because using bundled FCC unlock scripts is risky,

      might conflict with vendor-provided unlock scripts, and should

      be a conscious decision on a per-device basis.

      Instead it's recommended to use the

      `networking.networkmanager.fccUnlockScripts` option.

    '')

    (mkRemovedOptionModule [ "networking" "networkmanager" "dynamicHosts" ] ''

      This option was removed because allowing (multiple) regular users to

      override host entries affecting the whole system opens up a huge attack

  config = mkIf cfg.enable {

    assertions = [

      { assertion = config.networking.wireless.enable == true -> cfg.unmanaged != [];

      {

        assertion = config.networking.wireless.enable == true -> cfg.unmanaged != [ ];

        message = ''

          You can not use networking.networkmanager with networking.wireless.

          Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager.

    environment.etc = {

      "NetworkManager/NetworkManager.conf".source = configFile;

    }

      // builtins.listToAttrs (map (pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" {

    // builtins.listToAttrs (map

      (pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" {

        source = "${pkg}/lib/NetworkManager/${pkg.networkManagerPlugin}";

      }) cfg.plugins)

      // optionalAttrs cfg.enableFccUnlock

         {

           "ModemManager/fcc-unlock.d".source =

             "${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/*";

         }

      })

      cfg.plugins)

    // builtins.listToAttrs (map

      (e: nameValuePair "ModemManager/fcc-unlock.d/${e.id}" {

        source = e.path;

      })

      cfg.fccUnlockScripts)

    // optionalAttrs (cfg.appendNameservers != [ ] || cfg.insertNameservers != [ ])

      {

        "NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript;

      }

      // listToAttrs (lib.imap1 (i: s:

    // listToAttrs (lib.imap1

      (i: s:

        {

          name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}";

          value = { mode = "0544"; inherit (s) source; };

         }) cfg.dispatcherScripts);

        })

      cfg.dispatcherScripts);

    environment.systemPackages = packages;