authorGregor Kleen <gkleen@yggdrasil.li>2021-10-17 20:50:47 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2021-10-17 20:50:47 +0200
commit3a2161ef205c432db0053e9a82893069b54e55ed (patch)
tree4557c7c6c97fba7de6585729210a0ab8c1eec3cf /modules/networkd/default.nix
parent65d0b738ab8e25042f1568ed313b001101c3f628 (diff)
yggdrasil-wg: ...
Diffstat (limited to 'modules/networkd/default.nix')
-rw-r--r--modules/networkd/default.nix1686
1 files changed, 1686 insertions, 0 deletions
diff --git a/modules/networkd/default.nix b/modules/networkd/default.nix
new file mode 100644
index 00000000..007f14c6
--- /dev/null
+++ b/modules/networkd/default.nix
@@ -0,0 +1,1686 @@
1{ config, lib, pkgs, ... }:
2
3with lib;
4with import ./systemd-unit-options.nix { inherit config lib; };
5with import ./systemd-lib.nix { inherit config lib pkgs; };
6
7let
8
9 cfg = config.systemd.network;
10
11 check = {
12
13 link = {
14
15 sectionLink = checkUnitConfig "Link" [
16 (assertOnlyFields [
17 "Description"
18 "Alias"
19 "MACAddressPolicy"
20 "MACAddress"
21 "NamePolicy"
22 "Name"
23 "AlternativeNamesPolicy"
24 "AlternativeName"
25 "MTUBytes"
26 "BitsPerSecond"
27 "Duplex"
28 "AutoNegotiation"
29 "WakeOnLan"
30 "Port"
31 "Advertise"
32 "ReceiveChecksumOffload"
33 "TransmitChecksumOffload"
34 "TCPSegmentationOffload"
35 "TCP6SegmentationOffload"
36 "GenericSegmentationOffload"
37 "GenericReceiveOffload"
38 "LargeReceiveOffload"
39 "RxChannels"
40 "TxChannels"
41 "OtherChannels"
42 "CombinedChannels"
43 "RxBufferSize"
44 "TxBufferSize"
45 ])
46 (assertValueOneOf "MACAddressPolicy" ["persistent" "random" "none"])
47 (assertMacAddress "MACAddress")
48 (assertByteFormat "MTUBytes")
49 (assertByteFormat "BitsPerSecond")
50 (assertValueOneOf "Duplex" ["half" "full"])
51 (assertValueOneOf "AutoNegotiation" boolValues)
52 (assertValueOneOf "WakeOnLan" ["phy" "unicast" "multicast" "broadcast" "arp" "magic" "secureon" "off"])
53 (assertValueOneOf "Port" ["tp" "aui" "bnc" "mii" "fibre"])
54 (assertValueOneOf "ReceiveChecksumOffload" boolValues)
55 (assertValueOneOf "TransmitChecksumOffload" boolValues)
56 (assertValueOneOf "TCPSegmentationOffload" boolValues)
57 (assertValueOneOf "TCP6SegmentationOffload" boolValues)
58 (assertValueOneOf "GenericSegmentationOffload" boolValues)
59 (assertValueOneOf "GenericReceiveOffload" boolValues)
60 (assertValueOneOf "LargeReceiveOffload" boolValues)
61 (assertInt "RxChannels")
62 (assertRange "RxChannels" 1 4294967295)
63 (assertInt "TxChannels")
64 (assertRange "TxChannels" 1 4294967295)
65 (assertInt "OtherChannels")
66 (assertRange "OtherChannels" 1 4294967295)
67 (assertInt "CombinedChannels")
68 (assertRange "CombinedChannels" 1 4294967295)
69 (assertInt "RxBufferSize")
70 (assertInt "TxBufferSize")
71 ];
72 };
73
74 netdev = let
75
76 tunChecks = [
77 (assertOnlyFields [
78 "MultiQueue"
79 "PacketInfo"
80 "VNetHeader"
81 "User"
82 "Group"
83 ])
84 (assertValueOneOf "MultiQueue" boolValues)
85 (assertValueOneOf "PacketInfo" boolValues)
86 (assertValueOneOf "VNetHeader" boolValues)
87 ];
88 in {
89
90 sectionNetdev = checkUnitConfig "Netdev" [
91 (assertOnlyFields [
92 "Description"
93 "Name"
94 "Kind"
95 "MTUBytes"
96 "MACAddress"
97 ])
98 (assertHasField "Name")
99 (assertHasField "Kind")
100 (assertValueOneOf "Kind" [
101 "bond"
102 "bridge"
103 "dummy"
104 "gre"
105 "gretap"
106 "erspan"
107 "ip6gre"
108 "ip6tnl"
109 "ip6gretap"
110 "ipip"
111 "ipvlan"
112 "macvlan"
113 "macvtap"
114 "sit"
115 "tap"
116 "tun"
117 "veth"
118 "vlan"
119 "vti"
120 "vti6"
121 "vxlan"
122 "geneve"
123 "l2tp"
124 "macsec"
125 "vrf"
126 "vcan"
127 "vxcan"
128 "wireguard"
129 "netdevsim"
130 "nlmon"
131 "fou"
132 "xfrm"
133 "ifb"
134 "bareudp"
135 "batadv"
136 ])
137 (assertByteFormat "MTUBytes")
138 (assertMacAddress "MACAddress")
139 ];
140
141 sectionVLAN = checkUnitConfig "VLAN" [
142 (assertOnlyFields [
143 "Id"
144 "GVRP"
145 "MVRP"
146 "LooseBinding"
147 "ReorderHeader"
148 ])
149 (assertInt "Id")
150 (assertRange "Id" 0 4094)
151 (assertValueOneOf "GVRP" boolValues)
152 (assertValueOneOf "MVRP" boolValues)
153 (assertValueOneOf "LooseBinding" boolValues)
154 (assertValueOneOf "ReorderHeader" boolValues)
155 ];
156
157 sectionMACVLAN = checkUnitConfig "MACVLAN" [
158 (assertOnlyFields [
159 "Mode"
160 ])
161 (assertValueOneOf "Mode" ["private" "vepa" "bridge" "passthru"])
162 ];
163
164 sectionVXLAN = checkUnitConfig "VXLAN" [
165 (assertOnlyFields [
166 "VNI"
167 "Remote"
168 "Local"
169 "Group"
170 "TOS"
171 "TTL"
172 "MacLearning"
173 "FDBAgeingSec"
174 "MaximumFDBEntries"
175 "ReduceARPProxy"
176 "L2MissNotification"
177 "L3MissNotification"
178 "RouteShortCircuit"
179 "UDPChecksum"
180 "UDP6ZeroChecksumTx"
181 "UDP6ZeroChecksumRx"
182 "RemoteChecksumTx"
183 "RemoteChecksumRx"
184 "GroupPolicyExtension"
185 "GenericProtocolExtension"
186 "DestinationPort"
187 "PortRange"
188 "FlowLabel"
189 "IPDoNotFragment"
190 ])
191 (assertInt "VNI")
192 (assertRange "VNI" 1 16777215)
193 (assertValueOneOf "MacLearning" boolValues)
194 (assertInt "MaximumFDBEntries")
195 (assertValueOneOf "ReduceARPProxy" boolValues)
196 (assertValueOneOf "L2MissNotification" boolValues)
197 (assertValueOneOf "L3MissNotification" boolValues)
198 (assertValueOneOf "RouteShortCircuit" boolValues)
199 (assertValueOneOf "UDPChecksum" boolValues)
200 (assertValueOneOf "UDP6ZeroChecksumTx" boolValues)
201 (assertValueOneOf "UDP6ZeroChecksumRx" boolValues)
202 (assertValueOneOf "RemoteChecksumTx" boolValues)
203 (assertValueOneOf "RemoteChecksumRx" boolValues)
204 (assertValueOneOf "GroupPolicyExtension" boolValues)
205 (assertValueOneOf "GenericProtocolExtension" boolValues)
206 (assertInt "FlowLabel")
207 (assertRange "FlowLabel" 0 1048575)
208 (assertValueOneOf "IPDoNotFragment" (boolValues + ["inherit"]))
209 ];
210
211 sectionTunnel = checkUnitConfig "Tunnel" [
212 (assertOnlyFields [
213 "Local"
214 "Remote"
215 "TOS"
216 "TTL"
217 "DiscoverPathMTU"
218 "IPv6FlowLabel"
219 "CopyDSCP"
220 "EncapsulationLimit"
221 "Key"
222 "InputKey"
223 "OutputKey"
224 "Mode"
225 "Independent"
226 "AssignToLoopback"
227 "AllowLocalRemote"
228 "FooOverUDP"
229 "FOUDestinationPort"
230 "FOUSourcePort"
231 "Encapsulation"
232 "IPv6RapidDeploymentPrefix"
233 "ISATAP"
234 "SerializeTunneledPackets"
235 "ERSPANIndex"
236 ])
237 (assertInt "TTL")
238 (assertRange "TTL" 0 255)
239 (assertValueOneOf "DiscoverPathMTU" boolValues)
240 (assertValueOneOf "CopyDSCP" boolValues)
241 (assertValueOneOf "Mode" ["ip6ip6" "ipip6" "any"])
242 (assertValueOneOf "Independent" boolValues)
243 (assertValueOneOf "AssignToLoopback" boolValues)
244 (assertValueOneOf "AllowLocalRemote" boolValues)
245 (assertValueOneOf "FooOverUDP" boolValues)
246 (assertPort "FOUDestinationPort")
247 (assertPort "FOUSourcePort")
248 (assertValueOneOf "Encapsulation" ["FooOverUDP" "GenericUDPEncapsulation"])
249 (assertValueOneOf "ISATAP" boolValues)
250 (assertValueOneOf "SerializeTunneledPackets" boolValues)
251 (assertInt "ERSPANIndex")
252 (assertRange "ERSPANIndex" 1 1048575)
253 ];
254
255 sectionPeer = checkUnitConfig "Peer" [
256 (assertOnlyFields [
257 "Name"
258 "MACAddress"
259 ])
260 (assertMacAddress "MACAddress")
261 ];
262
263 sectionTun = checkUnitConfig "Tun" tunChecks;
264
265 sectionTap = checkUnitConfig "Tap" tunChecks;
266
267 # NOTE The PrivateKey directive is missing on purpose here, please
268 # do not add it to this list. The nix store is world-readable let's
269 # refrain ourselves from providing a footgun.
270 sectionWireGuard = checkUnitConfig "WireGuard" [
271 (assertOnlyFields [
272 "PrivateKeyFile"
273 "ListenPort"
274 "FirewallMark"
275 ])
276 (assertInt "FirewallMark")
277 (assertRange "FirewallMark" 1 4294967295)
278 ];
279
280 # NOTE The PresharedKey directive is missing on purpose here, please
281 # do not add it to this list. The nix store is world-readable,let's
282 # refrain ourselves from providing a footgun.
283 sectionWireGuardPeer = checkUnitConfig "WireGuardPeer" [
284 (assertOnlyFields [
285 "PublicKey"
286 "PresharedKeyFile"
287 "AllowedIPs"
288 "Endpoint"
289 "PersistentKeepalive"
290 ])
291 (assertInt "PersistentKeepalive")
292 (assertRange "PersistentKeepalive" 0 65535)
293 ];
294
295 sectionBond = checkUnitConfig "Bond" [
296 (assertOnlyFields [
297 "Mode"
298 "TransmitHashPolicy"
299 "LACPTransmitRate"
300 "MIIMonitorSec"
301 "UpDelaySec"
302 "DownDelaySec"
303 "LearnPacketIntervalSec"
304 "AdSelect"
305 "AdActorSystemPriority"
306 "AdUserPortKey"
307 "AdActorSystem"
308 "FailOverMACPolicy"
309 "ARPValidate"
310 "ARPIntervalSec"
311 "ARPIPTargets"
312 "ARPAllTargets"
313 "PrimaryReselectPolicy"
314 "ResendIGMP"
315 "PacketsPerSlave"
316 "GratuitousARP"
317 "AllSlavesActive"
318 "DynamicTransmitLoadBalancing"
319 "MinLinks"
320 ])
321 (assertValueOneOf "Mode" [
322 "balance-rr"
323 "active-backup"
324 "balance-xor"
325 "broadcast"
326 "802.3ad"
327 "balance-tlb"
328 "balance-alb"
329 ])
330 (assertValueOneOf "TransmitHashPolicy" [
331 "layer2"
332 "layer3+4"
333 "layer2+3"
334 "encap2+3"
335 "encap3+4"
336 ])
337 (assertValueOneOf "LACPTransmitRate" ["slow" "fast"])
338 (assertValueOneOf "AdSelect" ["stable" "bandwidth" "count"])
339 (assertInt "AdActorSystemPriority")
340 (assertRange "AdActorSystemPriority" 1 65535)
341 (assertInt "AdUserPortKey")
342 (assertRange "AdUserPortKey" 0 1023)
343 (assertValueOneOf "FailOverMACPolicy" ["none" "active" "follow"])
344 (assertValueOneOf "ARPValidate" ["none" "active" "backup" "all"])
345 (assertValueOneOf "ARPAllTargets" ["any" "all"])
346 (assertValueOneOf "PrimaryReselectPolicy" ["always" "better" "failure"])
347 (assertInt "ResendIGMP")
348 (assertRange "ResendIGMP" 0 255)
349 (assertInt "PacketsPerSlave")
350 (assertRange "PacketsPerSlave" 0 65535)
351 (assertInt "GratuitousARP")
352 (assertRange "GratuitousARP" 0 255)
353 (assertValueOneOf "AllSlavesActive" boolValues)
354 (assertValueOneOf "DynamicTransmitLoadBalancing" boolValues)
355 (assertInt "MinLinks")
356 (assertMinimum "MinLinks" 0)
357 ];
358
359 sectionXfrm = checkUnitConfig "Xfrm" [
360 (assertOnlyFields [
361 "InterfaceId"
362 "Independent"
363 ])
364 (assertInt "InterfaceId")
365 (assertRange "InterfaceId" 1 4294967295)
366 (assertValueOneOf "Independent" boolValues)
367 ];
368
369 sectionVRF = checkUnitConfig "VRF" [
370 (assertOnlyFields [
371 "Table"
372 ])
373 (assertInt "Table")
374 (assertMinimum "Table" 0)
375 ];
376 };
377
378 network = {
379
380 sectionLink = checkUnitConfig "Link" [
381 (assertOnlyFields [
382 "MACAddress"
383 "MTUBytes"
384 "ARP"
385 "Multicast"
386 "AllMulticast"
387 "Unmanaged"
388 "RequiredForOnline"
389 "ActivationPolicy"
390 ])
391 (assertMacAddress "MACAddress")
392 (assertByteFormat "MTUBytes")
393 (assertValueOneOf "ARP" boolValues)
394 (assertValueOneOf "Multicast" boolValues)
395 (assertValueOneOf "AllMulticast" boolValues)
396 (assertValueOneOf "Unmanaged" boolValues)
397 (assertValueOneOf "RequiredForOnline" (boolValues ++ [
398 "missing"
399 "off"
400 "no-carrier"
401 "dormant"
402 "degraded-carrier"
403 "carrier"
404 "degraded"
405 "enslaved"
406 "routable"
407 ]))
408 (assertValueOneOf "ActivationPolicy" ([
409 "up"
410 "always-up"
411 "manual"
412 "always-down"
413 "down"
414 "bound"
415 ]))
416 ];
417
418 sectionNetwork = checkUnitConfig "Network" [
419 (assertOnlyFields [
420 "Description"
421 "DHCP"
422 "DHCPServer"
423 "LinkLocalAddressing"
424 "IPv4LLRoute"
425 "DefaultRouteOnDevice"
426 "IPv6Token"
427 "LLMNR"
428 "MulticastDNS"
429 "DNSOverTLS"
430 "DNSSEC"
431 "DNSSECNegativeTrustAnchors"
432 "LLDP"
433 "EmitLLDP"
434 "BindCarrier"
435 "Address"
436 "Gateway"
437 "DNS"
438 "Domains"
439 "DNSDefaultRoute"
440 "NTP"
441 "IPForward"
442 "IPMasquerade"
443 "IPv6PrivacyExtensions"
444 "IPv6AcceptRA"
445 "IPv6DuplicateAddressDetection"
446 "IPv6HopLimit"
447 "IPv4ProxyARP"
448 "IPv6ProxyNDP"
449 "IPv6ProxyNDPAddress"
450 "IPv6SendRA"
451 "DHCPv6PrefixDelegation"
452 "IPv6MTUBytes"
453 "BatmanAdvanced"
454 "Bridge"
455 "Bond"
456 "VRF"
457 "VLAN"
458 "IPVLAN"
459 "MACVLAN"
460 "VXLAN"
461 "Tunnel"
462 "MACsec"
463 "ActiveSlave"
464 "PrimarySlave"
465 "ConfigureWithoutCarrier"
466 "IgnoreCarrierLoss"
467 "Xfrm"
468 "KeepConfiguration"
469 ])
470 # Note: For DHCP the values both, none, v4, v6 are deprecated
471 (assertValueOneOf "DHCP" ["yes" "no" "ipv4" "ipv6"])
472 (assertValueOneOf "DHCPServer" boolValues)
473 (assertValueOneOf "LinkLocalAddressing" ["yes" "no" "ipv4" "ipv6" "fallback" "ipv4-fallback"])
474 (assertValueOneOf "IPv4LLRoute" boolValues)
475 (assertValueOneOf "DefaultRouteOnDevice" boolValues)
476 (assertValueOneOf "LLMNR" (boolValues ++ ["resolve"]))
477 (assertValueOneOf "MulticastDNS" (boolValues ++ ["resolve"]))
478 (assertValueOneOf "DNSOverTLS" (boolValues ++ ["opportunistic"]))
479 (assertValueOneOf "DNSSEC" (boolValues ++ ["allow-downgrade"]))
480 (assertValueOneOf "LLDP" (boolValues ++ ["routers-only"]))
481 (assertValueOneOf "EmitLLDP" (boolValues ++ ["nearest-bridge" "non-tpmr-bridge" "customer-bridge"]))
482 (assertValueOneOf "DNSDefaultRoute" boolValues)
483 (assertValueOneOf "IPForward" (boolValues ++ ["ipv4" "ipv6"]))
484 (assertValueOneOf "IPMasquerade" boolValues)
485 (assertValueOneOf "IPv6PrivacyExtensions" (boolValues ++ ["prefer-public" "kernel"]))
486 (assertValueOneOf "IPv6AcceptRA" boolValues)
487 (assertInt "IPv6DuplicateAddressDetection")
488 (assertMinimum "IPv6DuplicateAddressDetection" 0)
489 (assertInt "IPv6HopLimit")
490 (assertMinimum "IPv6HopLimit" 0)
491 (assertValueOneOf "IPv4ProxyARP" boolValues)
492 (assertValueOneOf "IPv6ProxyNDP" boolValues)
493 (assertValueOneOf "IPv6SendRA" boolValues)
494 (assertValueOneOf "DHCPv6PrefixDelegation" boolValues)
495 (assertByteFormat "IPv6MTUBytes")
496 (assertValueOneOf "ActiveSlave" boolValues)
497 (assertValueOneOf "PrimarySlave" boolValues)
498 (assertValueOneOf "ConfigureWithoutCarrier" boolValues)
499 (assertValueOneOf "IgnoreCarrierLoss" boolValues)
500 (assertValueOneOf "KeepConfiguration" (boolValues ++ ["static" "dhcp-on-stop" "dhcp"]))
501 ];
502
503 sectionAddress = checkUnitConfig "Address" [
504 (assertOnlyFields [
505 "Address"
506 "Peer"
507 "Broadcast"
508 "Label"
509 "PreferredLifetime"
510 "Scope"
511 "HomeAddress"
512 "DuplicateAddressDetection"
513 "ManageTemporaryAddress"
514 "AddPrefixRoute"
515 "AutoJoin"
516 ])
517 (assertHasField "Address")
518 (assertValueOneOf "PreferredLifetime" ["forever" "infinity" "0" 0])
519 (assertValueOneOf "HomeAddress" boolValues)
520 (assertValueOneOf "DuplicateAddressDetection" ["ipv4" "ipv6" "both" "none"])
521 (assertValueOneOf "ManageTemporaryAddress" boolValues)
522 (assertValueOneOf "AddPrefixRoute" boolValues)
523 (assertValueOneOf "AutoJoin" boolValues)
524 ];
525
526 sectionRoutingPolicyRule = checkUnitConfig "RoutingPolicyRule" [
527 (assertOnlyFields [
528 "TypeOfService"
529 "From"
530 "To"
531 "FirewallMark"
532 "Table"
533 "Priority"
534 "IncomingInterface"
535 "OutgoingInterface"
536 "SourcePort"
537 "DestinationPort"
538 "IPProtocol"
539 "InvertRule"
540 "Family"
541 "User"
542 "SuppressPrefixLength"
543 ])
544 (assertInt "TypeOfService")
545 (assertRange "TypeOfService" 0 255)
546 (assertInt "FirewallMark")
547 (assertRange "FirewallMark" 1 4294967295)
548 (assertInt "Priority")
549 (assertPort "SourcePort")
550 (assertPort "DestinationPort")
551 (assertValueOneOf "InvertRule" boolValues)
552 (assertValueOneOf "Family" ["ipv4" "ipv6" "both"])
553 (assertInt "SuppressPrefixLength")
554 (assertRange "SuppressPrefixLength" 0 128)
555 ];
556
557 sectionRoute = checkUnitConfig "Route" [
558 (assertOnlyFields [
559 "Gateway"
560 "GatewayOnLink"
561 "Destination"
562 "Source"
563 "Metric"
564 "IPv6Preference"
565 "Scope"
566 "PreferredSource"
567 "Table"
568 "Protocol"
569 "Type"
570 "InitialCongestionWindow"
571 "InitialAdvertisedReceiveWindow"
572 "QuickAck"
573 "FastOpenNoCookie"
574 "TTLPropagate"
575 "MTUBytes"
576 "IPServiceType"
577 "MultiPathRoute"
578 ])
579 (assertValueOneOf "GatewayOnLink" boolValues)
580 (assertInt "Metric")
581 (assertValueOneOf "IPv6Preference" ["low" "medium" "high"])
582 (assertValueOneOf "Scope" ["global" "site" "link" "host" "nowhere"])
583 (assertValueOneOf "Type" [
584 "unicast"
585 "local"
586 "broadcast"
587 "anycast"
588 "multicast"
589 "blackhole"
590 "unreachable"
591 "prohibit"
592 "throw"
593 "nat"
594 "xresolve"
595 ])
596 (assertValueOneOf "QuickAck" boolValues)
597 (assertValueOneOf "FastOpenNoCookie" boolValues)
598 (assertValueOneOf "TTLPropagate" boolValues)
599 (assertByteFormat "MTUBytes")
600 (assertValueOneOf "IPServiceType" ["CS6" "CS4"])
601 ];
602
603 sectionDHCPv4 = checkUnitConfig "DHCPv4" [
604 (assertOnlyFields [
605 "UseDNS"
606 "RoutesToDNS"
607 "UseNTP"
608 "UseSIP"
609 "UseMTU"
610 "Anonymize"
611 "SendHostname"
612 "UseHostname"
613 "Hostname"
614 "UseDomains"
615 "UseRoutes"
616 "UseTimezone"
617 "ClientIdentifier"
618 "VendorClassIdentifier"
619 "UserClass"
620 "MaxAttempts"
621 "DUIDType"
622 "DUIDRawData"
623 "IAID"
624 "RequestBroadcast"
625 "RouteMetric"
626 "RouteTable"
627 "RouteMTUBytes"
628 "ListenPort"
629 "SendRelease"
630 "SendDecline"
631 "BlackList"
632 "RequestOptions"
633 "SendOption"
634 ])
635 (assertValueOneOf "UseDNS" boolValues)
636 (assertValueOneOf "RoutesToDNS" boolValues)
637 (assertValueOneOf "UseNTP" boolValues)
638 (assertValueOneOf "UseSIP" boolValues)
639 (assertValueOneOf "UseMTU" boolValues)
640 (assertValueOneOf "Anonymize" boolValues)
641 (assertValueOneOf "SendHostname" boolValues)
642 (assertValueOneOf "UseHostname" boolValues)
643 (assertValueOneOf "UseDomains" (boolValues ++ ["route"]))
644 (assertValueOneOf "UseRoutes" boolValues)
645 (assertValueOneOf "UseTimezone" boolValues)
646 (assertValueOneOf "ClientIdentifier" ["mac" "duid" "duid-only"])
647 (assertInt "IAID")
648 (assertValueOneOf "RequestBroadcast" boolValues)
649 (assertInt "RouteMetric")
650 (assertInt "RouteTable")
651 (assertRange "RouteTable" 0 4294967295)
652 (assertByteFormat "RouteMTUBytes")
653 (assertPort "ListenPort")
654 (assertValueOneOf "SendRelease" boolValues)
655 (assertValueOneOf "SendDecline" boolValues)
656 ];
657
658 sectionDHCPv6 = checkUnitConfig "DHCPv6" [
659 (assertOnlyFields [
660 "UseAddress"
661 "UseDNS"
662 "UseNTP"
663 "RouteMetric"
664 "RapidCommit"
665 "MUDURL"
666 "RequestOptions"
667 "SendVendorOption"
668 "ForceDHCPv6PDOtherInformation"
669 "PrefixDelegationHint"
670 "WithoutRA"
671 "SendOption"
672 "UserClass"
673 "VendorClass"
674 ])
675 (assertValueOneOf "UseAddress" boolValues)
676 (assertValueOneOf "UseDNS" boolValues)
677 (assertValueOneOf "UseNTP" boolValues)
678 (assertInt "RouteMetric")
679 (assertValueOneOf "RapidCommit" boolValues)
680 (assertValueOneOf "ForceDHCPv6PDOtherInformation" boolValues)
681 (assertValueOneOf "WithoutRA" ["solicit" "information-request"])
682 (assertRange "SendOption" 1 65536)
683 ];
684
685 sectionDHCPv6PrefixDelegation = checkUnitConfig "DHCPv6PrefixDelegation" [
686 (assertOnlyFields [
687 "SubnetId"
688 "Announce"
689 "Assign"
690 "Token"
691 ])
692 (assertValueOneOf "Announce" boolValues)
693 (assertValueOneOf "Assign" boolValues)
694 ];
695
696 sectionIPv6AcceptRA = checkUnitConfig "IPv6AcceptRA" [
697 (assertOnlyFields [
698 "UseDNS"
699 "UseDomains"
700 "RouteTable"
701 "UseAutonomousPrefix"
702 "UseOnLinkPrefix"
703 "RouterDenyList"
704 "RouterAllowList"
705 "PrefixDenyList"
706 "PrefixAllowList"
707 "RouteDenyList"
708 "RouteAllowList"
709 "DHCPv6Client"
710 ])
711 (assertValueOneOf "UseDNS" boolValues)
712 (assertValueOneOf "UseDomains" (boolValues ++ ["route"]))
713 (assertRange "RouteTable" 0 4294967295)
714 (assertValueOneOf "UseAutonomousPrefix" boolValues)
715 (assertValueOneOf "UseOnLinkPrefix" boolValues)
716 (assertValueOneOf "DHCPv6Client" (boolValues ++ ["always"]))
717 ];
718
719 sectionDHCPServer = checkUnitConfig "DHCPServer" [
720 (assertOnlyFields [
721 "PoolOffset"
722 "PoolSize"
723 "DefaultLeaseTimeSec"
724 "MaxLeaseTimeSec"
725 "EmitDNS"
726 "DNS"
727 "EmitNTP"
728 "NTP"
729 "EmitSIP"
730 "SIP"
731 "EmitPOP3"
732 "POP3"
733 "EmitSMTP"
734 "SMTP"
735 "EmitLPR"
736 "LPR"
737 "EmitRouter"
738 "EmitTimezone"
739 "Timezone"
740 "SendOption"
741 "SendVendorOption"
742 ])
743 (assertInt "PoolOffset")
744 (assertMinimum "PoolOffset" 0)
745 (assertInt "PoolSize")
746 (assertMinimum "PoolSize" 0)
747 (assertValueOneOf "EmitDNS" boolValues)
748 (assertValueOneOf "EmitNTP" boolValues)
749 (assertValueOneOf "EmitSIP" boolValues)
750 (assertValueOneOf "EmitPOP3" boolValues)
751 (assertValueOneOf "EmitSMTP" boolValues)
752 (assertValueOneOf "EmitLPR" boolValues)
753 (assertValueOneOf "EmitRouter" boolValues)
754 (assertValueOneOf "EmitTimezone" boolValues)
755 ];
756
757 sectionIPv6SendRA = checkUnitConfig "IPv6SendRA" [
758 (assertOnlyFields [
759 "Managed"
760 "OtherInformation"
761 "RouterLifetimeSec"
762 "RouterPreference"
763 "EmitDNS"
764 "DNS"
765 "EmitDomains"
766 "Domains"
767 "DNSLifetimeSec"
768 ])
769 (assertValueOneOf "Managed" boolValues)
770 (assertValueOneOf "OtherInformation" boolValues)
771 (assertValueOneOf "RouterPreference" ["high" "medium" "low" "normal" "default"])
772 (assertValueOneOf "EmitDNS" boolValues)
773 (assertValueOneOf "EmitDomains" boolValues)
774 ];
775
776 sectionIPv6Prefix = checkUnitConfig "IPv6Prefix" [
777 (assertOnlyFields [
778 "AddressAutoconfiguration"
779 "OnLink"
780 "Prefix"
781 "PreferredLifetimeSec"
782 "ValidLifetimeSec"
783 ])
784 (assertValueOneOf "AddressAutoconfiguration" boolValues)
785 (assertValueOneOf "OnLink" boolValues)
786 ];
787
788 };
789 };
790
791 commonNetworkOptions = {
792
793 enable = mkOption {
794 default = true;
795 type = types.bool;
796 description = ''
797 Whether to manage network configuration using <command>systemd-network</command>.
798 '';
799 };
800
801 matchConfig = mkOption {
802 default = {};
803 example = { Name = "eth0"; };
804 type = types.attrsOf unitOption;
805 description = ''
806 Each attribute in this set specifies an option in the
807 <literal>[Match]</literal> section of the unit. See
808 <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>
809 <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>
810 <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
811 for details.
812 '';
813 };
814
815 extraConfig = mkOption {
816 default = "";
817 type = types.lines;
818 description = "Extra configuration append to unit";
819 };
820 };
821
822 linkOptions = commonNetworkOptions // {
823 # overwrite enable option from above
824 enable = mkOption {
825 default = true;
826 type = types.bool;
827 description = ''
828 Whether to enable this .link unit. It's handled by udev no matter if <command>systemd-networkd</command> is enabled or not
829 '';
830 };
831
832 linkConfig = mkOption {
833 default = {};
834 example = { MACAddress = "00:ff:ee:aa:cc:dd"; };
835 type = types.addCheck (types.attrsOf unitOption) check.link.sectionLink;
836 description = ''
837 Each attribute in this set specifies an option in the
838 <literal>[Link]</literal> section of the unit. See
839 <citerefentry><refentrytitle>systemd.link</refentrytitle>
840 <manvolnum>5</manvolnum></citerefentry> for details.
841 '';
842 };
843
844 };
845
846 wireguardPeerOptions = {
847 options = {
848 wireguardPeerConfig = mkOption {
849 default = {};
850 example = { };
851 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionWireGuardPeer;
852 description = ''
853 Each attribute in this set specifies an option in the
854 <literal>[WireGuardPeer]</literal> section of the unit. See
855 <citerefentry><refentrytitle>systemd.network</refentrytitle>
856 <manvolnum>5</manvolnum></citerefentry> for details.
857 '';
858 };
859 };
860 };
861
862 netdevOptions = commonNetworkOptions // {
863
864 netdevConfig = mkOption {
865 default = {};
866 example = { Name = "mybridge"; Kind = "bridge"; };
867 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionNetdev;
868 description = ''
869 Each attribute in this set specifies an option in the
870 <literal>[Netdev]</literal> section of the unit. See
871 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
872 <manvolnum>5</manvolnum></citerefentry> for details.
873 '';
874 };
875
876 vlanConfig = mkOption {
877 default = {};
878 example = { Id = 4; };
879 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionVLAN;
880 description = ''
881 Each attribute in this set specifies an option in the
882 <literal>[VLAN]</literal> section of the unit. See
883 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
884 <manvolnum>5</manvolnum></citerefentry> for details.
885 '';
886 };
887
888 macvlanConfig = mkOption {
889 default = {};
890 example = { Mode = "private"; };
891 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionMACVLAN;
892 description = ''
893 Each attribute in this set specifies an option in the
894 <literal>[MACVLAN]</literal> section of the unit. See
895 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
896 <manvolnum>5</manvolnum></citerefentry> for details.
897 '';
898 };
899
900 vxlanConfig = mkOption {
901 default = {};
902 example = { Id = "4"; };
903 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionVXLAN;
904 description = ''
905 Each attribute in this set specifies an option in the
906 <literal>[VXLAN]</literal> section of the unit. See
907 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
908 <manvolnum>5</manvolnum></citerefentry> for details.
909 '';
910 };
911
912 tunnelConfig = mkOption {
913 default = {};
914 example = { Remote = "192.168.1.1"; };
915 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionTunnel;
916 description = ''
917 Each attribute in this set specifies an option in the
918 <literal>[Tunnel]</literal> section of the unit. See
919 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
920 <manvolnum>5</manvolnum></citerefentry> for details.
921 '';
922 };
923
924 peerConfig = mkOption {
925 default = {};
926 example = { Name = "veth2"; };
927 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionPeer;
928 description = ''
929 Each attribute in this set specifies an option in the
930 <literal>[Peer]</literal> section of the unit. See
931 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
932 <manvolnum>5</manvolnum></citerefentry> for details.
933 '';
934 };
935
936 tunConfig = mkOption {
937 default = {};
938 example = { User = "openvpn"; };
939 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionTun;
940 description = ''
941 Each attribute in this set specifies an option in the
942 <literal>[Tun]</literal> section of the unit. See
943 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
944 <manvolnum>5</manvolnum></citerefentry> for details.
945 '';
946 };
947
948 tapConfig = mkOption {
949 default = {};
950 example = { User = "openvpn"; };
951 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionTap;
952 description = ''
953 Each attribute in this set specifies an option in the
954 <literal>[Tap]</literal> section of the unit. See
955 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
956 <manvolnum>5</manvolnum></citerefentry> for details.
957 '';
958 };
959
960 wireguardConfig = mkOption {
961 default = {};
962 example = {
963 PrivateKeyFile = "/etc/wireguard/secret.key";
964 ListenPort = 51820;
965 FwMark = 42;
966 };
967 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionWireGuard;
968 description = ''
969 Each attribute in this set specifies an option in the
970 <literal>[WireGuard]</literal> section of the unit. See
971 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
972 <manvolnum>5</manvolnum></citerefentry> for details.
973 Use <literal>PrivateKeyFile</literal> instead of
974 <literal>PrivateKey</literal>: the nix store is
975 world-readable.
976 '';
977 };
978
979 wireguardPeers = mkOption {
980 default = [];
981 example = [ { wireguardPeerConfig={
982 Endpoint = "192.168.1.1:51820";
983 PublicKey = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
984 PresharedKeyFile = "/etc/wireguard/psk.key";
985 AllowedIPs = [ "10.0.0.1/32" ];
986 PersistentKeepalive = 15;
987 };}];
988 type = with types; listOf (submodule wireguardPeerOptions);
989 description = ''
990 Each item in this array specifies an option in the
991 <literal>[WireGuardPeer]</literal> section of the unit. See
992 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
993 <manvolnum>5</manvolnum></citerefentry> for details.
994 Use <literal>PresharedKeyFile</literal> instead of
995 <literal>PresharedKey</literal>: the nix store is
996 world-readable.
997 '';
998 };
999
1000 bondConfig = mkOption {
1001 default = {};
1002 example = { Mode = "802.3ad"; };
1003 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionBond;
1004 description = ''
1005 Each attribute in this set specifies an option in the
1006 <literal>[Bond]</literal> section of the unit. See
1007 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
1008 <manvolnum>5</manvolnum></citerefentry> for details.
1009 '';
1010 };
1011
1012 xfrmConfig = mkOption {
1013 default = {};
1014 example = { InterfaceId = 1; };
1015 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionXfrm;
1016 description = ''
1017 Each attribute in this set specifies an option in the
1018 <literal>[Xfrm]</literal> section of the unit. See
1019 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
1020 <manvolnum>5</manvolnum></citerefentry> for details.
1021 '';
1022 };
1023
1024 vrfConfig = mkOption {
1025 default = {};
1026 example = { Table = 2342; };
1027 type = types.addCheck (types.attrsOf unitOption) check.netdev.sectionVRF;
1028 description = ''
1029 Each attribute in this set specifies an option in the
1030 <literal>[VRF]</literal> section of the unit. See
1031 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
1032 <manvolnum>5</manvolnum></citerefentry> for details.
1033 A detailed explanation about how VRFs work can be found in the
1034 <link xlink:href="https://www.kernel.org/doc/Documentation/networking/vrf.txt">kernel
1035 docs</link>.
1036 '';
1037 };
1038
1039 };
1040
1041 addressOptions = {
1042 options = {
1043 addressConfig = mkOption {
1044 default = {};
1045 example = { Address = "192.168.0.100/24"; };
1046 type = types.addCheck (types.attrsOf unitOption) check.network.sectionAddress;
1047 description = ''
1048 Each attribute in this set specifies an option in the
1049 <literal>[Address]</literal> section of the unit. See
1050 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1051 <manvolnum>5</manvolnum></citerefentry> for details.
1052 '';
1053 };
1054 };
1055 };
1056
1057 routingPolicyRulesOptions = {
1058 options = {
1059 routingPolicyRuleConfig = mkOption {
1060 default = { };
1061 example = { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; Family = "both"; } ;};
1062 type = types.addCheck (types.attrsOf unitOption) check.network.sectionRoutingPolicyRule;
1063 description = ''
1064 Each attribute in this set specifies an option in the
1065 <literal>[RoutingPolicyRule]</literal> section of the unit. See
1066 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1067 <manvolnum>5</manvolnum></citerefentry> for details.
1068 '';
1069 };
1070 };
1071 };
1072
1073 routeOptions = {
1074 options = {
1075 routeConfig = mkOption {
1076 default = {};
1077 example = { Gateway = "192.168.0.1"; };
1078 type = types.addCheck (types.attrsOf unitOption) check.network.sectionRoute;
1079 description = ''
1080 Each attribute in this set specifies an option in the
1081 <literal>[Route]</literal> section of the unit. See
1082 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1083 <manvolnum>5</manvolnum></citerefentry> for details.
1084 '';
1085 };
1086 };
1087 };
1088
1089 ipv6PrefixOptions = {
1090 options = {
1091 ipv6PrefixConfig = mkOption {
1092 default = {};
1093 example = { Prefix = "fd00::/64"; };
1094 type = types.addCheck (types.attrsOf unitOption) check.network.sectionIPv6Prefix;
1095 description = ''
1096 Each attribute in this set specifies an option in the
1097 <literal>[IPv6Prefix]</literal> section of the unit. See
1098 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1099 <manvolnum>5</manvolnum></citerefentry> for details.
1100 '';
1101 };
1102 };
1103 };
1104
1105 networkOptions = commonNetworkOptions // {
1106
1107 linkConfig = mkOption {
1108 default = {};
1109 example = { Unmanaged = true; };
1110 type = types.addCheck (types.attrsOf unitOption) check.network.sectionLink;
1111 description = ''
1112 Each attribute in this set specifies an option in the
1113 <literal>[Link]</literal> section of the unit. See
1114 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1115 <manvolnum>5</manvolnum></citerefentry> for details.
1116 '';
1117 };
1118
1119 networkConfig = mkOption {
1120 default = {};
1121 example = { Description = "My Network"; };
1122 type = types.addCheck (types.attrsOf unitOption) check.network.sectionNetwork;
1123 description = ''
1124 Each attribute in this set specifies an option in the
1125 <literal>[Network]</literal> section of the unit. See
1126 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1127 <manvolnum>5</manvolnum></citerefentry> for details.
1128 '';
1129 };
1130
1131 # systemd.network.networks.*.dhcpConfig has been deprecated in favor of ….dhcpV4Config
1132 # Produce a nice warning message so users know it is gone.
1133 dhcpConfig = mkOption {
1134 visible = false;
1135 apply = _: throw "The option `systemd.network.networks.*.dhcpConfig` can no longer be used since it's been removed. Please use `systemd.network.networks.*.dhcpV4Config` instead.";
1136 };
1137
1138 dhcpV4Config = mkOption {
1139 default = {};
1140 example = { UseDNS = true; UseRoutes = true; };
1141 type = types.addCheck (types.attrsOf unitOption) check.network.sectionDHCPv4;
1142 description = ''
1143 Each attribute in this set specifies an option in the
1144 <literal>[DHCPv4]</literal> section of the unit. See
1145 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1146 <manvolnum>5</manvolnum></citerefentry> for details.
1147 '';
1148 };
1149
1150 dhcpV6Config = mkOption {
1151 default = {};
1152 example = { UseDNS = true; UseRoutes = true; };
1153 type = types.addCheck (types.attrsOf unitOption) check.network.sectionDHCPv6;
1154 description = ''
1155 Each attribute in this set specifies an option in the
1156 <literal>[DHCPv6]</literal> section of the unit. See
1157 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1158 <manvolnum>5</manvolnum></citerefentry> for details.
1159 '';
1160 };
1161
1162 dhcpV6PrefixDelegationConfig = mkOption {
1163 default = {};
1164 example = { SubnetId = "auto"; Announce = true; };
1165 type = types.addCheck (types.attrsOf unitOption) check.network.sectionDHCPv6PrefixDelegation;
1166 description = ''
1167 Each attribute in this set specifies an option in the
1168 <literal>[DHCPv6PrefixDelegation]</literal> section of the unit. See
1169 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1170 <manvolnum>5</manvolnum></citerefentry> for details.
1171 '';
1172 };
1173
1174 ipv6AcceptRAConfig = mkOption {
1175 default = {};
1176 example = { UseDNS = true; DHCPv6Client = "always"; };
1177 type = types.addCheck (types.attrsOf unitOption) check.network.sectionIPv6AcceptRA;
1178 description = ''
1179 Each attribute in this set specifies an option in the
1180 <literal>[IPv6AcceptRA]</literal> section of the unit. See
1181 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1182 <manvolnum>5</manvolnum></citerefentry> for details.
1183 '';
1184 };
1185
1186 dhcpServerConfig = mkOption {
1187 default = {};
1188 example = { PoolOffset = 50; EmitDNS = false; };
1189 type = types.addCheck (types.attrsOf unitOption) check.network.sectionDHCPServer;
1190 description = ''
1191 Each attribute in this set specifies an option in the
1192 <literal>[DHCPServer]</literal> section of the unit. See
1193 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1194 <manvolnum>5</manvolnum></citerefentry> for details.
1195 '';
1196 };
1197
1198 # systemd.network.networks.*.ipv6PrefixDelegationConfig has been deprecated
1199 # in 247 in favor of systemd.network.networks.*.ipv6SendRAConfig.
1200 ipv6PrefixDelegationConfig = mkOption {
1201 visible = false;
1202 apply = _: throw "The option `systemd.network.networks.*.ipv6PrefixDelegationConfig` has been replaced by `systemd.network.networks.*.ipv6SendRAConfig`.";
1203 };
1204
1205 ipv6SendRAConfig = mkOption {
1206 default = {};
1207 example = { EmitDNS = true; Managed = true; OtherInformation = true; };
1208 type = types.addCheck (types.attrsOf unitOption) check.network.sectionIPv6SendRA;
1209 description = ''
1210 Each attribute in this set specifies an option in the
1211 <literal>[IPv6SendRA]</literal> section of the unit. See
1212 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1213 <manvolnum>5</manvolnum></citerefentry> for details.
1214 '';
1215 };
1216
1217 ipv6Prefixes = mkOption {
1218 default = [];
1219 example = { AddressAutoconfiguration = true; OnLink = true; };
1220 type = with types; listOf (submodule ipv6PrefixOptions);
1221 description = ''
1222 A list of ipv6Prefix sections to be added to the unit. See
1223 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1224 <manvolnum>5</manvolnum></citerefentry> for details.
1225 '';
1226 };
1227
1228 name = mkOption {
1229 type = types.nullOr types.str;
1230 default = null;
1231 description = ''
1232 The name of the network interface to match against.
1233 '';
1234 };
1235
1236 DHCP = mkOption {
1237 type = types.nullOr types.str;
1238 default = null;
1239 description = ''
1240 Whether to enable DHCP on the interfaces matched.
1241 '';
1242 };
1243
1244 domains = mkOption {
1245 type = types.nullOr (types.listOf types.str);
1246 default = null;
1247 description = ''
1248 A list of domains to pass to the network config.
1249 '';
1250 };
1251
1252 address = mkOption {
1253 default = [ ];
1254 type = types.listOf types.str;
1255 description = ''
1256 A list of addresses to be added to the network section of the
1257 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1258 <manvolnum>5</manvolnum></citerefentry> for details.
1259 '';
1260 };
1261
1262 gateway = mkOption {
1263 default = [ ];
1264 type = types.listOf types.str;
1265 description = ''
1266 A list of gateways to be added to the network section of the
1267 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1268 <manvolnum>5</manvolnum></citerefentry> for details.
1269 '';
1270 };
1271
1272 dns = mkOption {
1273 default = [ ];
1274 type = types.listOf types.str;
1275 description = ''
1276 A list of dns servers to be added to the network section of the
1277 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1278 <manvolnum>5</manvolnum></citerefentry> for details.
1279 '';
1280 };
1281
1282 ntp = mkOption {
1283 default = [ ];
1284 type = types.listOf types.str;
1285 description = ''
1286 A list of ntp servers to be added to the network section of the
1287 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1288 <manvolnum>5</manvolnum></citerefentry> for details.
1289 '';
1290 };
1291
1292 bridge = mkOption {
1293 default = [ ];
1294 type = types.listOf types.str;
1295 description = ''
1296 A list of bridge interfaces to be added to the network section of the
1297 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1298 <manvolnum>5</manvolnum></citerefentry> for details.
1299 '';
1300 };
1301
1302 bond = mkOption {
1303 default = [ ];
1304 type = types.listOf types.str;
1305 description = ''
1306 A list of bond interfaces to be added to the network section of the
1307 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1308 <manvolnum>5</manvolnum></citerefentry> for details.
1309 '';
1310 };
1311
1312 vrf = mkOption {
1313 default = [ ];
1314 type = types.listOf types.str;
1315 description = ''
1316 A list of vrf interfaces to be added to the network section of the
1317 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1318 <manvolnum>5</manvolnum></citerefentry> for details.
1319 '';
1320 };
1321
1322 vlan = mkOption {
1323 default = [ ];
1324 type = types.listOf types.str;
1325 description = ''
1326 A list of vlan interfaces to be added to the network section of the
1327 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1328 <manvolnum>5</manvolnum></citerefentry> for details.
1329 '';
1330 };
1331
1332 macvlan = mkOption {
1333 default = [ ];
1334 type = types.listOf types.str;
1335 description = ''
1336 A list of macvlan interfaces to be added to the network section of the
1337 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1338 <manvolnum>5</manvolnum></citerefentry> for details.
1339 '';
1340 };
1341
1342 vxlan = mkOption {
1343 default = [ ];
1344 type = types.listOf types.str;
1345 description = ''
1346 A list of vxlan interfaces to be added to the network section of the
1347 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1348 <manvolnum>5</manvolnum></citerefentry> for details.
1349 '';
1350 };
1351
1352 tunnel = mkOption {
1353 default = [ ];
1354 type = types.listOf types.str;
1355 description = ''
1356 A list of tunnel interfaces to be added to the network section of the
1357 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1358 <manvolnum>5</manvolnum></citerefentry> for details.
1359 '';
1360 };
1361
1362 xfrm = mkOption {
1363 default = [ ];
1364 type = types.listOf types.str;
1365 description = ''
1366 A list of xfrm interfaces to be added to the network section of the
1367 unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
1368 <manvolnum>5</manvolnum></citerefentry> for details.
1369 '';
1370 };
1371
1372 addresses = mkOption {
1373 default = [ ];
1374 type = with types; listOf (submodule addressOptions);
1375 description = ''
1376 A list of address sections to be added to the unit. See
1377 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1378 <manvolnum>5</manvolnum></citerefentry> for details.
1379 '';
1380 };
1381
1382 routingPolicyRules = mkOption {
1383 default = [ ];
1384 type = with types; listOf (submodule routingPolicyRulesOptions);
1385 description = ''
1386 A list of routing policy rules sections to be added to the unit. See
1387 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1388 <manvolnum>5</manvolnum></citerefentry> for details.
1389 '';
1390 };
1391
1392 routes = mkOption {
1393 default = [ ];
1394 type = with types; listOf (submodule routeOptions);
1395 description = ''
1396 A list of route sections to be added to the unit. See
1397 <citerefentry><refentrytitle>systemd.network</refentrytitle>
1398 <manvolnum>5</manvolnum></citerefentry> for details.
1399 '';
1400 };
1401
1402 };
1403
1404 networkConfig = { config, ... }: {
1405 config = {
1406 matchConfig = optionalAttrs (config.name != null) {
1407 Name = config.name;
1408 };
1409 networkConfig = optionalAttrs (config.DHCP != null) {
1410 DHCP = config.DHCP;
1411 } // optionalAttrs (config.domains != null) {
1412 Domains = concatStringsSep " " config.domains;
1413 };
1414 };
1415 };
1416
1417 commonMatchText = def: optionalString (def.matchConfig != { }) ''
1418 [Match]
1419 ${attrsToSection def.matchConfig}
1420 '';
1421
1422 linkToUnit = name: def:
1423 { inherit (def) enable;
1424 text = commonMatchText def
1425 + ''
1426 [Link]
1427 ${attrsToSection def.linkConfig}
1428 ''
1429 + def.extraConfig;
1430 };
1431
1432 netdevToUnit = name: def:
1433 { inherit (def) enable;
1434 text = commonMatchText def
1435 + ''
1436 [NetDev]
1437 ${attrsToSection def.netdevConfig}
1438 ''
1439 + optionalString (def.vlanConfig != { }) ''
1440 [VLAN]
1441 ${attrsToSection def.vlanConfig}
1442 ''
1443 + optionalString (def.macvlanConfig != { }) ''
1444 [MACVLAN]
1445 ${attrsToSection def.macvlanConfig}
1446 ''
1447 + optionalString (def.vxlanConfig != { }) ''
1448 [VXLAN]
1449 ${attrsToSection def.vxlanConfig}
1450 ''
1451 + optionalString (def.tunnelConfig != { }) ''
1452 [Tunnel]
1453 ${attrsToSection def.tunnelConfig}
1454 ''
1455 + optionalString (def.peerConfig != { }) ''
1456 [Peer]
1457 ${attrsToSection def.peerConfig}
1458 ''
1459 + optionalString (def.tunConfig != { }) ''
1460 [Tun]
1461 ${attrsToSection def.tunConfig}
1462 ''
1463 + optionalString (def.tapConfig != { }) ''
1464 [Tap]
1465 ${attrsToSection def.tapConfig}
1466 ''
1467 + optionalString (def.wireguardConfig != { }) ''
1468 [WireGuard]
1469 ${attrsToSection def.wireguardConfig}
1470 ''
1471 + flip concatMapStrings def.wireguardPeers (x: ''
1472 [WireGuardPeer]
1473 ${attrsToSection x.wireguardPeerConfig}
1474 '')
1475 + optionalString (def.bondConfig != { }) ''
1476 [Bond]
1477 ${attrsToSection def.bondConfig}
1478 ''
1479 + optionalString (def.xfrmConfig != { }) ''
1480 [Xfrm]
1481 ${attrsToSection def.xfrmConfig}
1482 ''
1483 + optionalString (def.vrfConfig != { }) ''
1484 [VRF]
1485 ${attrsToSection def.vrfConfig}
1486 ''
1487 + def.extraConfig;
1488 };
1489
1490 networkToUnit = name: def:
1491 { inherit (def) enable;
1492 text = commonMatchText def
1493 + optionalString (def.linkConfig != { }) ''
1494 [Link]
1495 ${attrsToSection def.linkConfig}
1496 ''
1497 + ''
1498 [Network]
1499 ''
1500 + attrsToSection def.networkConfig
1501 + optionalString (def.address != [ ]) ''
1502 ${concatStringsSep "\n" (map (s: "Address=${s}") def.address)}
1503 ''
1504 + optionalString (def.gateway != [ ]) ''
1505 ${concatStringsSep "\n" (map (s: "Gateway=${s}") def.gateway)}
1506 ''
1507 + optionalString (def.dns != [ ]) ''
1508 ${concatStringsSep "\n" (map (s: "DNS=${s}") def.dns)}
1509 ''
1510 + optionalString (def.ntp != [ ]) ''
1511 ${concatStringsSep "\n" (map (s: "NTP=${s}") def.ntp)}
1512 ''
1513 + optionalString (def.bridge != [ ]) ''
1514 ${concatStringsSep "\n" (map (s: "Bridge=${s}") def.bridge)}
1515 ''
1516 + optionalString (def.bond != [ ]) ''
1517 ${concatStringsSep "\n" (map (s: "Bond=${s}") def.bond)}
1518 ''
1519 + optionalString (def.vrf != [ ]) ''
1520 ${concatStringsSep "\n" (map (s: "VRF=${s}") def.vrf)}
1521 ''
1522 + optionalString (def.vlan != [ ]) ''
1523 ${concatStringsSep "\n" (map (s: "VLAN=${s}") def.vlan)}
1524 ''
1525 + optionalString (def.macvlan != [ ]) ''
1526 ${concatStringsSep "\n" (map (s: "MACVLAN=${s}") def.macvlan)}
1527 ''
1528 + optionalString (def.vxlan != [ ]) ''
1529 ${concatStringsSep "\n" (map (s: "VXLAN=${s}") def.vxlan)}
1530 ''
1531 + optionalString (def.tunnel != [ ]) ''
1532 ${concatStringsSep "\n" (map (s: "Tunnel=${s}") def.tunnel)}
1533 ''
1534 + optionalString (def.xfrm != [ ]) ''
1535 ${concatStringsSep "\n" (map (s: "Xfrm=${s}") def.xfrm)}
1536 ''
1537 + ''
1538
1539 ''
1540 + flip concatMapStrings def.addresses (x: ''
1541 [Address]
1542 ${attrsToSection x.addressConfig}
1543 '')
1544 + flip concatMapStrings def.routingPolicyRules (x: ''
1545 [RoutingPolicyRule]
1546 ${attrsToSection x.routingPolicyRuleConfig}
1547 '')
1548 + flip concatMapStrings def.routes (x: ''
1549 [Route]
1550 ${attrsToSection x.routeConfig}
1551 '')
1552 + optionalString (def.dhcpV4Config != { }) ''
1553 [DHCPv4]
1554 ${attrsToSection def.dhcpV4Config}
1555 ''
1556 + optionalString (def.dhcpV6Config != { }) ''
1557 [DHCPv6]
1558 ${attrsToSection def.dhcpV6Config}
1559 ''
1560 + optionalString (def.dhcpV6PrefixDelegationConfig != { }) ''
1561 [DHCPv6PrefixDelegation]
1562 ${attrsToSection def.dhcpV6PrefixDelegationConfig}
1563 ''
1564 + optionalString (def.ipv6AcceptRAConfig != { }) ''
1565 [IPv6AcceptRA]
1566 ${attrsToSection def.ipv6AcceptRAConfig}
1567 ''
1568 + optionalString (def.dhcpServerConfig != { }) ''
1569 [DHCPServer]
1570 ${attrsToSection def.dhcpServerConfig}
1571 ''
1572 + optionalString (def.ipv6SendRAConfig != { }) ''
1573 [IPv6SendRA]
1574 ${attrsToSection def.ipv6SendRAConfig}
1575 ''
1576 + flip concatMapStrings def.ipv6Prefixes (x: ''
1577 [IPv6Prefix]
1578 ${attrsToSection x.ipv6PrefixConfig}
1579 '')
1580 + def.extraConfig;
1581 };
1582
1583 unitFiles = listToAttrs (map (name: {
1584 name = "systemd/network/${name}";
1585 value.source = "${cfg.units.${name}.unit}/${name}";
1586 }) (attrNames cfg.units));
1587in
1588
1589{
1590 disabledModules = [ "system/boot/networkd.nix" ];
1591
1592 options = {
1593
1594 systemd.network.enable = mkOption {
1595 default = false;
1596 type = types.bool;
1597 description = ''
1598 Whether to enable networkd or not.
1599 '';
1600 };
1601
1602 systemd.network.links = mkOption {
1603 default = {};
1604 type = with types; attrsOf (submodule [ { options = linkOptions; } ]);
1605 description = "Definition of systemd network links.";
1606 };
1607
1608 systemd.network.netdevs = mkOption {
1609 default = {};
1610 type = with types; attrsOf (submodule [ { options = netdevOptions; } ]);
1611 description = "Definition of systemd network devices.";
1612 };
1613
1614 systemd.network.networks = mkOption {
1615 default = {};
1616 type = with types; attrsOf (submodule [ { options = networkOptions; } networkConfig ]);
1617 description = "Definition of systemd networks.";
1618 };
1619
1620 systemd.network.units = mkOption {
1621 description = "Definition of networkd units.";
1622 default = {};
1623 internal = true;
1624 type = with types; attrsOf (submodule (
1625 { name, config, ... }:
1626 { options = mapAttrs (_: x: x // { internal = true; }) concreteUnitOptions;
1627 config = {
1628 unit = mkDefault (makeUnit name config);
1629 };
1630 }));
1631 };
1632
1633 };
1634
1635 config = mkMerge [
1636
1637 # .link units are honored by udev, no matter if systemd-networkd is enabled or not.
1638 {
1639 systemd.network.units = mapAttrs' (n: v: nameValuePair "${n}.link" (linkToUnit n v)) cfg.links;
1640 environment.etc = unitFiles;
1641 }
1642
1643 (mkIf config.systemd.network.enable {
1644
1645 users.users.systemd-network.group = "systemd-network";
1646
1647 systemd.additionalUpstreamSystemUnits = [
1648 "systemd-networkd-wait-online.service"
1649 "systemd-networkd.service"
1650 "systemd-networkd.socket"
1651 ];
1652
1653 systemd.network.units = mapAttrs' (n: v: nameValuePair "${n}.netdev" (netdevToUnit n v)) cfg.netdevs
1654 // mapAttrs' (n: v: nameValuePair "${n}.network" (networkToUnit n v)) cfg.networks;
1655
1656 # systemd-networkd is socket-activated by kernel netlink route change
1657 # messages. It is important to have systemd buffer those on behalf of
1658 # networkd.
1659 systemd.sockets.systemd-networkd.wantedBy = [ "sockets.target" ];
1660
1661 systemd.services.systemd-networkd = {
1662 wantedBy = [ "multi-user.target" ];
1663 aliases = [ "dbus-org.freedesktop.network1.service" ];
1664 restartTriggers = map (x: x.source) (attrValues unitFiles);
1665 };
1666
1667 systemd.services.systemd-networkd-wait-online = {
1668 wantedBy = [ "network-online.target" ];
1669 };
1670
1671 systemd.services."systemd-network-wait-online@" = {
1672 description = "Wait for Network Interface %I to be Configured";
1673 conflicts = [ "shutdown.target" ];
1674 requisite = [ "systemd-networkd.service" ];
1675 after = [ "systemd-networkd.service" ];
1676 serviceConfig = {
1677 Type = "oneshot";
1678 RemainAfterExit = true;
1679 ExecStart = "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online -i %I";
1680 };
1681 };
1682
1683 services.resolved.enable = mkDefault true;
1684 })
1685 ];
1686}