nixos/wireguard-networkd: disable by default

Enabling networking.wireguard.useNetworkd currently requires users to
modify the permissions of their private key files. Since that is a bad
upgrade experience, the module should be disabled by default for now.
Once systemd credential support is added to the module, it should be
safe to once again enable it by default for networkd users.

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -121,7 +121,7 @@
 
 - Cinnamon has been updated to 6.4.
 
-- `networking.wireguard` now has an optional networkd backend. It is enabled by default when `networking.useNetworkd` is enabled, and it can be enabled alongside scripted networking with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option. Before upgrading, make sure the `privateKeyFile` and `presharedKeyFile` paths are readable by the `systemd-network` user if using the networkd backend.
+- `networking.wireguard` now has an optional networkd backend, enabled with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option. Before upgrading, make sure the `privateKeyFile` and `presharedKeyFile` paths are readable by the `systemd-network` user if using the networkd backend.
 
 - `services.avahi.ipv6` now defaults to true.
 

nixos/modules/services/networking/wireguard-networkd.nix

@@ -96,8 +96,7 @@ in
 
   options.networking.wireguard = {
     useNetworkd = mkOption {
-      default = config.networking.useNetworkd;
-      defaultText = literalExpression "config.networking.useNetworkd";
+      default = false;
       type = types.bool;
       description = ''
         Whether to use networkd as the network configuration backend for