networkmanager: drop hard dependency on openconnect and cleanup plugin handling (#421042)

nixos/doc/manual/release-notes/rl-2511.section.md

@@ -10,6 +10,8 @@
 
 - The default PostgreSQL version for new NixOS installations (i.e. with `system.stateVersion >= 25.11`) is v17.
 
+- The NetworkManager module does not ship with a default set of VPN plugins anymore. All required VPN plugins must now be explicitly configured in [`networking.networkmanager.plugins`](#opt-networking.networkmanager.plugins).
+
 ## New Modules {#sec-release-25.11-new-modules}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

nixos/modules/services/networking/networkmanager.nix

@@ -127,15 +127,20 @@ let
     '';
   };
 
+  concatPluginAttrs = attr: lib.concatMap (plugin: plugin.${attr} or [ ]) cfg.plugins;
+  pluginRuntimeDeps = concatPluginAttrs "networkManagerRuntimeDeps";
+  pluginDbusDeps = concatPluginAttrs "networkManagerDbusDeps";
+  pluginTmpfilesRules = concatPluginAttrs "networkManagerTmpfilesRules";
+
   packages =
     [
       cfg.package
     ]
     ++ cfg.plugins
+    ++ pluginRuntimeDeps
     ++ lib.optionals (!delegateWireless && !enableIwd) [
       pkgs.wpa_supplicant
     ];
-
 in
 {
 
@@ -220,30 +225,37 @@ in
         type =
           let
             networkManagerPluginPackage = types.package // {
-              description = "NetworkManager plug-in";
+              description = "NetworkManager plugin package";
               check =
                 p:
                 lib.assertMsg
                   (types.package.check p && p ? networkManagerPlugin && lib.isString p.networkManagerPlugin)
                   ''
-                    Package ‘${p.name}’, is not a NetworkManager plug-in.
+                    Package ‘${p.name}’, is not a NetworkManager plugin.
                     Those need to have a ‘networkManagerPlugin’ attribute.
                   '';
             };
           in
           types.listOf networkManagerPluginPackage;
         default = [ ];
-        description = ''
-          List of NetworkManager plug-ins to enable.
-          Some plug-ins are enabled by the NetworkManager module by default.
+        example = literalExpression ''
+          [
+            networkmanager-fortisslvpn
+            networkmanager-iodine
+            networkmanager-l2tp
+            networkmanager-openconnect
+            networkmanager-openvpn
+            networkmanager-sstp
+            networkmanager-strongswan
+            networkmanager-vpnc
+          ]
         '';
-      };
-
-      enableDefaultPlugins = mkOption {
-        type = types.bool;
-        default = true;
         description = ''
-          Enable a set of recommended plugins.
+          List of plugin packages to install.
+
+          See <https://search.nixos.org/packages?query=networkmanager-> for available plugin packages.
+          and <https://networkmanager.dev/docs/vpn/> for an overview over builtin and external plugins
+          and their support status.
         '';
       };
 
@@ -390,19 +402,6 @@ in
         '';
       };
 
-      enableStrongSwan = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Enable the StrongSwan plugin.
-
-          If you enable this option the
-          `networkmanager_strongswan` plugin will be added to
-          the {option}`networking.networkmanager.plugins` option
-          so you don't need to do that yourself.
-        '';
-      };
-
       ensureProfiles = {
         profiles =
           with lib.types;
@@ -523,6 +522,16 @@ in
       [ "networking" "networkmanager" "fccUnlockScripts" ]
       [ "networking" "modemmanager" "fccUnlockScripts" ]
     )
+    (mkRemovedOptionModule [
+      "networking"
+      "networkmanager"
+      "enableStrongSwan"
+    ] "Pass `pkgs.networkmanager-strongswan` into `networking.networkmanager.plugins` instead.")
+    (mkRemovedOptionModule [
+      "networking"
+      "networkmanager"
+      "enableDefaultPlugins"
+    ] "Configure the required plugins explicitly in `networking.networkmanager.plugins`.")
   ];
 
   ###### implementation
@@ -597,13 +606,10 @@ in
 
     systemd.tmpfiles.rules = [
       "d /etc/NetworkManager/system-connections 0700 root root -"
-      "d /etc/ipsec.d 0700 root root -"
-      "d /var/lib/NetworkManager-fortisslvpn 0700 root root -"
-
       "d /var/lib/misc 0755 root root -" # for dnsmasq.leases
       # ppp isn't able to mkdir that directory at runtime
       "d /run/pppd/lock 0700 root root -"
-    ];
+    ] ++ pluginTmpfilesRules;
 
     systemd.services.NetworkManager = {
       wantedBy = [ "multi-user.target" ];
@@ -642,6 +648,7 @@ in
       wantedBy = [ "multi-user.target" ];
       before = [ "network-online.target" ];
       after = [ "NetworkManager.service" ];
+      path = pluginRuntimeDeps;
       script =
         let
           path = id: "/run/NetworkManager/system-connections/${id}.nmconnection";
@@ -668,22 +675,6 @@ in
         useDHCP = false;
       })
 
-      (mkIf cfg.enableDefaultPlugins {
-        networkmanager.plugins = with pkgs; [
-          networkmanager-fortisslvpn
-          networkmanager-iodine
-          networkmanager-l2tp
-          networkmanager-openconnect
-          networkmanager-openvpn
-          networkmanager-vpnc
-          networkmanager-sstp
-        ];
-      })
-
-      (mkIf cfg.enableStrongSwan {
-        networkmanager.plugins = [ pkgs.networkmanager_strongswan ];
-      })
-
       (mkIf enableIwd {
         wireless.iwd.enable = true;
       })
@@ -710,11 +701,10 @@ in
     security.polkit.enable = true;
     security.polkit.extraConfig = polkitConf;
 
-    services.dbus.packages =
-      packages
-      ++ optional cfg.enableStrongSwan pkgs.strongswanNM
-      ++ optional (cfg.dns == "dnsmasq") pkgs.dnsmasq;
+    services.dbus.packages = packages ++ pluginDbusDeps ++ optional (cfg.dns == "dnsmasq") pkgs.dnsmasq;
 
     services.udev.packages = packages;
+
+    systemd.services.NetworkManager.path = pluginRuntimeDeps;
   };
 }

pkgs/by-name/ne/networkmanager-fortisslvpn/package.nix

@@ -82,6 +82,9 @@ stdenv.mkDerivation rec {
       versionPolicy = "odd-unstable";
     };
     networkManagerPlugin = "VPN/nm-fortisslvpn-service.name";
+    networkManagerTmpfilesRules = [
+      "d /var/lib/NetworkManager-fortisslvpn 0700 root root -"
+    ];
   };
 
   meta = with lib; {

pkgs/by-name/ne/networkmanager-openconnect/package.nix

@@ -73,6 +73,7 @@ stdenv.mkDerivation rec {
       versionPolicy = "odd-unstable";
     };
     networkManagerPlugin = "VPN/nm-openconnect-service.name";
+    networkManagerRuntimeDeps = [ openconnect ];
   };
 
   meta = with lib; {

pkgs/by-name/ne/networkmanager-strongswan/package.nix

@@ -49,6 +49,10 @@ stdenv.mkDerivation rec {
 
   passthru = {
     networkManagerPlugin = "VPN/nm-strongswan-service.name";
+    networkManagerDbusDeps = [ strongswanNM ];
+    networkManagerTmpfilesRules = [
+      "d /etc/ipsec.d 0700 root root -"
+    ];
   };
 
   meta = with lib; {

pkgs/tools/networking/networkmanager/default.nix

@@ -40,7 +40,6 @@
   docbook_xml_dtd_412,
   docbook_xml_dtd_42,
   docbook_xml_dtd_43,
-  openconnect,
   curl,
   meson,
   mesonEmulatorHook,
@@ -130,7 +129,6 @@ stdenv.mkDerivation (finalAttrs: {
     (replaceVars ./fix-paths.patch {
       inherit
         iputils
-        openconnect
         ethtool
         gnused
         ;

pkgs/tools/networking/networkmanager/fix-paths.patch

@@ -11,10 +11,10 @@ index 148acade5c..6395fbfbe5 100644
  
  LABEL="nm_drivers_end"
 diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
-index f3441508ab..7cde8d7d39 100644
+index e310a9c680..ed8d838e43 100644
 --- a/src/core/devices/nm-device.c
 +++ b/src/core/devices/nm-device.c
-@@ -14839,14 +14839,14 @@ nm_device_start_ip_check(NMDevice *self)
+@@ -15239,14 +15239,14 @@ nm_device_start_ip_check(NMDevice *self)
              gw = nm_l3_config_data_get_best_default_route(l3cd, AF_INET);
              if (gw) {
                  nm_inet4_ntop(NMP_OBJECT_CAST_IP4_ROUTE(gw)->gateway, buf);
@@ -32,7 +32,7 @@ index f3441508ab..7cde8d7d39 100644
              }
          }
 diff --git a/src/libnmc-base/nm-vpn-helpers.c b/src/libnmc-base/nm-vpn-helpers.c
-index cbe76f5f1c..8515f94994 100644
+index cbe76f5f1c..6ec684f9fe 100644
 --- a/src/libnmc-base/nm-vpn-helpers.c
 +++ b/src/libnmc-base/nm-vpn-helpers.c
 @@ -284,15 +284,6 @@ nm_vpn_openconnect_authenticate_helper(NMSettingVpn *s_vpn, GPtrArray *secrets,
@@ -51,7 +51,7 @@ index cbe76f5f1c..8515f94994 100644
      const char *oc_argv[(12 + 2 * G_N_ELEMENTS(oc_property_args))];
      const char *gw;
      int         port;
-@@ -311,15 +302,7 @@ nm_vpn_openconnect_authenticate_helper(NMSettingVpn *s_vpn, GPtrArray *secrets,
+@@ -311,13 +302,8 @@ nm_vpn_openconnect_authenticate_helper(NMSettingVpn *s_vpn, GPtrArray *secrets,
  
      port = extract_url_port(gw);
  
@@ -62,9 +62,8 @@ index cbe76f5f1c..8515f94994 100644
 -                                         NULL,
 -                                         NULL,
 -                                         error);
--    if (!path)
--        return FALSE;
-+    path = "@openconnect@/bin/openconnect";
++    path = g_find_program_in_path("openconnect");
++
+     if (!path)
+         return FALSE;
  
-     oc_argv[oc_argc++] = path;
-     oc_argv[oc_argc++] = "--authenticate";

pkgs/top-level/aliases.nix

@@ -1381,6 +1381,7 @@ mapAliases {
     or for all fonts
       fonts.packages = [ ... ] ++ builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts)
   ''; # Added 2024-11-09
+  networkmanager_strongswan = networkmanager-strongswan; # added 2025-06-29
   newlibCross = newlib; # Added 2024-09-06
   newlib-nanoCross = newlib-nano; # Added 2024-09-06
   nix-direnv-flakes = nix-direnv;