One more thing to consider: the script is able to run and control multiple instances of itself in parallel (i.e. via --list-running / --stop).

But when started as a service in its current implementation, only one instance is possible.

Maybe it is a good idea to replace the single instance configuration with a list of them. Then it will be possible to define multiple configs and thus create multiple access points:

  services.create_ap = [
  { enable = true;  ... }
  { enable = true;  ... }
  { enable = true;  ... }
  ];

Or maybe it is even better to handle two cases: when config.services.create_ap is a list and when it is an attribute set.

I have tested the following:

• AP creation
  • without passphrase
  • with passphrase
  • SHARE_METHOD
    • nat
    • bridge
    • none
  • ISOLATE_CLIENTS
  • HIDDEN
• dnsmasq-related
  • ETC_HOSTS
  • additional hosts (-e flag)
  • MAC_FILTER / MAC_FILTER_ACCEPT
• usage without network manager
  • AP creation (no need to retest all the options above, because nmcli is used only to set/unset the unmanaged status)
• other
  • [x] --list-running / --list-clients / --stop (does not work anymore)

Now I need some time to check all possible usage scenarios with DynamicUser again.

Without CAP_DAC_OVERRIDE it can't set unmanaged status to devices owned by NetworkManager, because of read-only file system.

If the device is already unmanaged, then everything's OK - that's why I caught this problem that late.

Strangely enough, ReadWritePaths = "-/etc/NetworkManager/" line that was added earlier didn't help (I was thinking that it did).

Try to do an strace of the process to see which path it tries to write to.

sed -i tries to create a temporary file.

It can be observed even from status output:

Jan 28 23:18:29 nixos create_ap[16451]: Network Manager found, set wlp2s0f0 as unmanaged device... sed: couldn't open temporary file /etc/NetworkManager/sedW6bpNK: Permission denied

# strace -f -o /tmp/strace.log -s 2048 -p 1 & systemctl start create_ap

21764 openat(AT_FDCWD, "/etc/NetworkManager/sedd6IF0R", O_RDWR|O_CREAT|O_EXCL, 0600) = -1 EROFS (Read-only file system)

/etc/NetworkManager/ is in ReadWritePaths at the moment.

Well, everything works as it should:

Paths listed in ReadWritePaths= are accessible from within the namespace with the same access modes as from outside of it.

It is impossible to modify files in /etc/ while under DynamicUser without CAP_DAC_OVERRIDE.

@8084 Can you please change the commit message to match https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md "init" and "create_ap" are flipped

@ryantm OK, I'll --squash and force-push the commit with correct message after I'm done.

bump? I'm interested in this.

@klntsky Would you mind if I pushed a commit to this PR to make it use the approach in NixOS/rfcs#42?

@infinisil I definitely do not mind, thank you.

I don't have enough time myself to work on this PR, sadly.

Cool, did that, somebody should test this again before merging though, I could try with my own laptop later perhaps, not sure if it can do it though

@klntsky Can you test the latest version?

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
2. Ask on the NixOS Discourse.
3. Ask on the #nixos channel on irc.freenode.net.

As for now, I believe it's best to drop the service entirely and provide the binary only, due to lack of human powers to wrap it properly.