nixos/modules/tasks/network-interfaces-scripted.nix at 23.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / tasks / network-interfaces-scripted.nix
at 23.11-pre 28 kB view raw
  1{ config, lib, pkgs, utils, ... }:
  2
  3with utils;
  4with lib;
  5
  6let
  7
  8  cfg = config.networking;
  9  interfaces = attrValues cfg.interfaces;
 10
 11  slaves = concatMap (i: i.interfaces) (attrValues cfg.bonds)
 12    ++ concatMap (i: i.interfaces) (attrValues cfg.bridges)
 13    ++ concatMap (i: attrNames (filterAttrs (_: config: config.type != "internal") i.interfaces)) (attrValues cfg.vswitches)
 14    ++ concatMap (i: [i.interface]) (attrValues cfg.macvlans)
 15    ++ concatMap (i: [i.interface]) (attrValues cfg.vlans);
 16
 17  # We must escape interfaces due to the systemd interpretation
 18  subsystemDevice = interface:
 19    "sys-subsystem-net-devices-${escapeSystemdPath interface}.device";
 20
 21  interfaceIps = i:
 22    i.ipv4.addresses
 23    ++ optionals cfg.enableIPv6 i.ipv6.addresses;
 24
 25  destroyBond = i: ''
 26    while true; do
 27      UPDATED=1
 28      SLAVES=$(ip link | grep 'master ${i}' | awk -F: '{print $2}')
 29      for I in $SLAVES; do
 30        UPDATED=0
 31        ip link set "$I" nomaster
 32      done
 33      [ "$UPDATED" -eq "1" ] && break
 34    done
 35    ip link set "${i}" down 2>/dev/null || true
 36    ip link del "${i}" 2>/dev/null || true
 37  '';
 38
 39  # warn that these attributes are deprecated (2017-2-2)
 40  # Should be removed in the release after next
 41  bondDeprecation = rec {
 42    deprecated = [ "lacp_rate" "miimon" "mode" "xmit_hash_policy" ];
 43    filterDeprecated = bond: (filterAttrs (attrName: attr:
 44                         elem attrName deprecated && attr != null) bond);
 45  };
 46
 47  bondWarnings =
 48    let oneBondWarnings = bondName: bond:
 49          mapAttrsToList (bondText bondName) (bondDeprecation.filterDeprecated bond);
 50        bondText = bondName: optName: _:
 51          "${bondName}.${optName} is deprecated, use ${bondName}.driverOptions";
 52    in {
 53      warnings = flatten (mapAttrsToList oneBondWarnings cfg.bonds);
 54    };
 55
 56  normalConfig = {
 57    systemd.network.links = let
 58      createNetworkLink = i: nameValuePair "40-${i.name}" {
 59        matchConfig.OriginalName = i.name;
 60        linkConfig = optionalAttrs (i.macAddress != null) {
 61          MACAddress = i.macAddress;
 62        } // optionalAttrs (i.mtu != null) {
 63          MTUBytes = toString i.mtu;
 64        } // optionalAttrs (i.wakeOnLan.enable == true) {
 65          WakeOnLan = "magic";
 66        };
 67      };
 68    in listToAttrs (map createNetworkLink interfaces);
 69    systemd.services =
 70      let
 71
 72        deviceDependency = dev:
 73          # Use systemd service if we manage device creation, else
 74          # trust udev when not in a container
 75          if (hasAttr dev (filterAttrs (k: v: v.virtual) cfg.interfaces)) ||
 76             (hasAttr dev cfg.bridges) ||
 77             (hasAttr dev cfg.bonds) ||
 78             (hasAttr dev cfg.macvlans) ||
 79             (hasAttr dev cfg.sits) ||
 80             (hasAttr dev cfg.vlans) ||
 81             (hasAttr dev cfg.vswitches)
 82          then [ "${dev}-netdev.service" ]
 83          else optional (dev != null && dev != "lo" && !config.boot.isContainer) (subsystemDevice dev);
 84
 85        hasDefaultGatewaySet = (cfg.defaultGateway != null && cfg.defaultGateway.address != "")
 86                            || (cfg.enableIPv6 && cfg.defaultGateway6 != null && cfg.defaultGateway6.address != "");
 87
 88        needNetworkSetup = cfg.resolvconf.enable || cfg.defaultGateway != null || cfg.defaultGateway6 != null;
 89
 90        networkLocalCommands = lib.mkIf needNetworkSetup {
 91          after = [ "network-setup.service" ];
 92          bindsTo = [ "network-setup.service" ];
 93        };
 94
 95        networkSetup = lib.mkIf needNetworkSetup
 96          { description = "Networking Setup";
 97
 98            after = [ "network-pre.target" "systemd-udevd.service" "systemd-sysctl.service" ];
 99            before = [ "network.target" "shutdown.target" ];
100            wants = [ "network.target" ];
101            # exclude bridges from the partOf relationship to fix container networking bug #47210
102            partOf = map (i: "network-addresses-${i.name}.service") (filter (i: !(hasAttr i.name cfg.bridges)) interfaces);
103            conflicts = [ "shutdown.target" ];
104            wantedBy = [ "multi-user.target" ] ++ optional hasDefaultGatewaySet "network-online.target";
105
106            unitConfig.ConditionCapability = "CAP_NET_ADMIN";
107
108            path = [ pkgs.iproute2 ];
109
110            serviceConfig = {
111              Type = "oneshot";
112              RemainAfterExit = true;
113            };
114
115            unitConfig.DefaultDependencies = false;
116
117            script =
118              ''
119                ${optionalString config.networking.resolvconf.enable ''
120                  # Set the static DNS configuration, if given.
121                  ${pkgs.openresolv}/sbin/resolvconf -m 1 -a static <<EOF
122                  ${optionalString (cfg.nameservers != [] && cfg.domain != null) ''
123                    domain ${cfg.domain}
124                  ''}
125                  ${optionalString (cfg.search != []) ("search " + concatStringsSep " " cfg.search)}
126                  ${flip concatMapStrings cfg.nameservers (ns: ''
127                    nameserver ${ns}
128                  '')}
129                  EOF
130                ''}
131
132                # Set the default gateway.
133                ${optionalString (cfg.defaultGateway != null && cfg.defaultGateway.address != "") ''
134                  ${optionalString (cfg.defaultGateway.interface != null) ''
135                    ip route replace ${cfg.defaultGateway.address} dev ${cfg.defaultGateway.interface} ${optionalString (cfg.defaultGateway.metric != null)
136                      "metric ${toString cfg.defaultGateway.metric}"
137                    } proto static
138                  ''}
139                  ip route replace default ${optionalString (cfg.defaultGateway.metric != null)
140                      "metric ${toString cfg.defaultGateway.metric}"
141                    } via "${cfg.defaultGateway.address}" ${
142                    optionalString (cfg.defaultGatewayWindowSize != null)
143                      "window ${toString cfg.defaultGatewayWindowSize}"} ${
144                    optionalString (cfg.defaultGateway.interface != null)
145                      "dev ${cfg.defaultGateway.interface}"} proto static
146                ''}
147                ${optionalString (cfg.defaultGateway6 != null && cfg.defaultGateway6.address != "") ''
148                  ${optionalString (cfg.defaultGateway6.interface != null) ''
149                    ip -6 route replace ${cfg.defaultGateway6.address} dev ${cfg.defaultGateway6.interface} ${optionalString (cfg.defaultGateway6.metric != null)
150                      "metric ${toString cfg.defaultGateway6.metric}"
151                    } proto static
152                  ''}
153                  ip -6 route replace default ${optionalString (cfg.defaultGateway6.metric != null)
154                      "metric ${toString cfg.defaultGateway6.metric}"
155                    } via "${cfg.defaultGateway6.address}" ${
156                    optionalString (cfg.defaultGatewayWindowSize != null)
157                      "window ${toString cfg.defaultGatewayWindowSize}"} ${
158                    optionalString (cfg.defaultGateway6.interface != null)
159                      "dev ${cfg.defaultGateway6.interface}"} proto static
160                ''}
161              '';
162          };
163
164        # For each interface <foo>, create a job ‘network-addresses-<foo>.service"
165        # that performs static address configuration.  It has a "wants"
166        # dependency on ‘<foo>.service’, which is supposed to create
167        # the interface and need not exist (i.e. for hardware
168        # interfaces).  It has a binds-to dependency on the actual
169        # network device, so it only gets started after the interface
170        # has appeared, and it's stopped when the interface
171        # disappears.
172        configureAddrs = i:
173          let
174            ips = interfaceIps i;
175          in
176          nameValuePair "network-addresses-${i.name}"
177          { description = "Address configuration of ${i.name}";
178            wantedBy = [
179              "network-setup.service"
180              "network.target"
181            ];
182            # order before network-setup because the routes that are configured
183            # there may need ip addresses configured
184            before = [ "network-setup.service" ];
185            bindsTo = deviceDependency i.name;
186            after = [ "network-pre.target" ] ++ (deviceDependency i.name);
187            serviceConfig.Type = "oneshot";
188            serviceConfig.RemainAfterExit = true;
189            # Restart rather than stop+start this unit to prevent the
190            # network from dying during switch-to-configuration.
191            stopIfChanged = false;
192            path = [ pkgs.iproute2 ];
193            script =
194              ''
195                state="/run/nixos/network/addresses/${i.name}"
196                mkdir -p $(dirname "$state")
197
198                ip link set "${i.name}" up
199
200                ${flip concatMapStrings ips (ip:
201                  let
202                    cidr = "${ip.address}/${toString ip.prefixLength}";
203                  in
204                  ''
205                    echo "${cidr}" >> $state
206                    echo -n "adding address ${cidr}... "
207                    if out=$(ip addr add "${cidr}" dev "${i.name}" 2>&1); then
208                      echo "done"
209                    elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then
210                      echo "'ip addr add "${cidr}" dev "${i.name}"' failed: $out"
211                      exit 1
212                    fi
213                  ''
214                )}
215
216                state="/run/nixos/network/routes/${i.name}"
217                mkdir -p $(dirname "$state")
218
219                ${flip concatMapStrings (i.ipv4.routes ++ i.ipv6.routes) (route:
220                  let
221                    cidr = "${route.address}/${toString route.prefixLength}";
222                    via = optionalString (route.via != null) ''via "${route.via}"'';
223                    options = concatStrings (mapAttrsToList (name: val: "${name} ${val} ") route.options);
224                    type = toString route.type;
225                  in
226                  ''
227                     echo "${cidr}" >> $state
228                     echo -n "adding route ${cidr}... "
229                     if out=$(ip route add ${type} "${cidr}" ${options} ${via} dev "${i.name}" proto static 2>&1); then
230                       echo "done"
231                     elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then
232                       echo "'ip route add ${type} "${cidr}" ${options} ${via} dev "${i.name}"' failed: $out"
233                       exit 1
234                     fi
235                  ''
236                )}
237              '';
238            preStop = ''
239              state="/run/nixos/network/routes/${i.name}"
240              if [ -e "$state" ]; then
241                while read cidr; do
242                  echo -n "deleting route $cidr... "
243                  ip route del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed"
244                done < "$state"
245                rm -f "$state"
246              fi
247
248              state="/run/nixos/network/addresses/${i.name}"
249              if [ -e "$state" ]; then
250                while read cidr; do
251                  echo -n "deleting address $cidr... "
252                  ip addr del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed"
253                done < "$state"
254                rm -f "$state"
255              fi
256            '';
257          };
258
259        createTunDevice = i: nameValuePair "${i.name}-netdev"
260          { description = "Virtual Network Interface ${i.name}";
261            bindsTo = optional (!config.boot.isContainer) "dev-net-tun.device";
262            after = optional (!config.boot.isContainer) "dev-net-tun.device" ++ [ "network-pre.target" ];
263            wantedBy = [ "network-setup.service" (subsystemDevice i.name) ];
264            partOf = [ "network-setup.service" ];
265            before = [ "network-setup.service" ];
266            path = [ pkgs.iproute2 ];
267            serviceConfig = {
268              Type = "oneshot";
269              RemainAfterExit = true;
270            };
271            script = ''
272              ip tuntap add dev "${i.name}" mode "${i.virtualType}" user "${i.virtualOwner}"
273            '';
274            postStop = ''
275              ip link del ${i.name} || true
276            '';
277          };
278
279        createBridgeDevice = n: v: nameValuePair "${n}-netdev"
280          (let
281            deps = concatLists (map deviceDependency v.interfaces);
282          in
283          { description = "Bridge Interface ${n}";
284            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
285            bindsTo = deps ++ optional v.rstp "mstpd.service";
286            partOf = [ "network-setup.service" ] ++ optional v.rstp "mstpd.service";
287            after = [ "network-pre.target" ] ++ deps ++ optional v.rstp "mstpd.service"
288              ++ map (i: "network-addresses-${i}.service") v.interfaces;
289            before = [ "network-setup.service" ];
290            serviceConfig.Type = "oneshot";
291            serviceConfig.RemainAfterExit = true;
292            path = [ pkgs.iproute2 ];
293            script = ''
294              # Remove Dead Interfaces
295              echo "Removing old bridge ${n}..."
296              ip link show "${n}" >/dev/null 2>&1 && ip link del "${n}"
297
298              echo "Adding bridge ${n}..."
299              ip link add name "${n}" type bridge
300
301              # Enslave child interfaces
302              ${flip concatMapStrings v.interfaces (i: ''
303                ip link set "${i}" master "${n}"
304                ip link set "${i}" up
305              '')}
306              # Save list of enslaved interfaces
307              echo "${flip concatMapStrings v.interfaces (i: ''
308                ${i}
309              '')}" > /run/${n}.interfaces
310
311              ${optionalString config.virtualisation.libvirtd.enable ''
312                  # Enslave dynamically added interfaces which may be lost on nixos-rebuild
313                  #
314                  # if `libvirtd.service` is not running, do not use `virsh` which would try activate it via 'libvirtd.socket' and thus start it out-of-order.
315                  # `libvirtd.service` will set up bridge interfaces when it will start normally.
316                  #
317                  if /run/current-system/systemd/bin/systemctl --quiet is-active 'libvirtd.service'; then
318                    for uri in qemu:///system lxc:///; do
319                      for dom in $(${pkgs.libvirt}/bin/virsh -c $uri list --name); do
320                        ${pkgs.libvirt}/bin/virsh -c $uri dumpxml "$dom" | \
321                        ${pkgs.xmlstarlet}/bin/xmlstarlet sel -t -m "//domain/devices/interface[@type='bridge'][source/@bridge='${n}'][target/@dev]" -v "concat('ip link set ',target/@dev,' master ',source/@bridge,';')" | \
322                        ${pkgs.bash}/bin/bash
323                      done
324                    done
325                  fi
326                ''}
327
328              # Enable stp on the interface
329              ${optionalString v.rstp ''
330                echo 2 >/sys/class/net/${n}/bridge/stp_state
331              ''}
332
333              ip link set "${n}" up
334            '';
335            postStop = ''
336              ip link set "${n}" down || true
337              ip link del "${n}" || true
338              rm -f /run/${n}.interfaces
339            '';
340            reload = ''
341              # Un-enslave child interfaces (old list of interfaces)
342              for interface in `cat /run/${n}.interfaces`; do
343                ip link set "$interface" nomaster up
344              done
345
346              # Enslave child interfaces (new list of interfaces)
347              ${flip concatMapStrings v.interfaces (i: ''
348                ip link set "${i}" master "${n}"
349                ip link set "${i}" up
350              '')}
351              # Save list of enslaved interfaces
352              echo "${flip concatMapStrings v.interfaces (i: ''
353                ${i}
354              '')}" > /run/${n}.interfaces
355
356              # (Un-)set stp on the bridge
357              echo ${if v.rstp then "2" else "0"} > /sys/class/net/${n}/bridge/stp_state
358            '';
359            reloadIfChanged = true;
360          });
361
362        createVswitchDevice = n: v: nameValuePair "${n}-netdev"
363          (let
364            deps = concatLists (map deviceDependency (attrNames (filterAttrs (_: config: config.type != "internal") v.interfaces)));
365            internalConfigs = map (i: "network-addresses-${i}.service") (attrNames (filterAttrs (_: config: config.type == "internal") v.interfaces));
366            ofRules = pkgs.writeText "vswitch-${n}-openFlowRules" v.openFlowRules;
367          in
368          { description = "Open vSwitch Interface ${n}";
369            wantedBy = [ "network-setup.service" (subsystemDevice n) ] ++ internalConfigs;
370            # before = [ "network-setup.service" ];
371            # should work without internalConfigs dependencies because address/link configuration depends
372            # on the device, which is created by ovs-vswitchd with type=internal, but it does not...
373            before = [ "network-setup.service" ] ++ internalConfigs;
374            partOf = [ "network-setup.service" ]; # shutdown the bridge when network is shutdown
375            bindsTo = [ "ovs-vswitchd.service" ]; # requires ovs-vswitchd to be alive at all times
376            after = [ "network-pre.target" "ovs-vswitchd.service" ] ++ deps; # start switch after physical interfaces and vswitch daemon
377            wants = deps; # if one or more interface fails, the switch should continue to run
378            serviceConfig.Type = "oneshot";
379            serviceConfig.RemainAfterExit = true;
380            path = [ pkgs.iproute2 config.virtualisation.vswitch.package ];
381            preStart = ''
382              echo "Resetting Open vSwitch ${n}..."
383              ovs-vsctl --if-exists del-br ${n} -- add-br ${n} \
384                        -- set bridge ${n} protocols=${concatStringsSep "," v.supportedOpenFlowVersions}
385            '';
386            script = ''
387              echo "Configuring Open vSwitch ${n}..."
388              ovs-vsctl ${concatStrings (mapAttrsToList (name: config: " -- add-port ${n} ${name}" + optionalString (config.vlan != null) " tag=${toString config.vlan}") v.interfaces)} \
389                ${concatStrings (mapAttrsToList (name: config: optionalString (config.type != null) " -- set interface ${name} type=${config.type}") v.interfaces)} \
390                ${concatMapStrings (x: " -- set-controller ${n} " + x)  v.controllers} \
391                ${concatMapStrings (x: " -- " + x) (splitString "\n" v.extraOvsctlCmds)}
392
393
394              echo "Adding OpenFlow rules for Open vSwitch ${n}..."
395              ovs-ofctl --protocols=${v.openFlowVersion} add-flows ${n} ${ofRules}
396            '';
397            postStop = ''
398              echo "Cleaning Open vSwitch ${n}"
399              echo "Shutting down internal ${n} interface"
400              ip link set ${n} down || true
401              echo "Deleting flows for ${n}"
402              ovs-ofctl --protocols=${v.openFlowVersion} del-flows ${n} || true
403              echo "Deleting Open vSwitch ${n}"
404              ovs-vsctl --if-exists del-br ${n} || true
405            '';
406          });
407
408        createBondDevice = n: v: nameValuePair "${n}-netdev"
409          (let
410            deps = concatLists (map deviceDependency v.interfaces);
411          in
412          { description = "Bond Interface ${n}";
413            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
414            bindsTo = deps;
415            partOf = [ "network-setup.service" ];
416            after = [ "network-pre.target" ] ++ deps
417              ++ map (i: "network-addresses-${i}.service") v.interfaces;
418            before = [ "network-setup.service" ];
419            serviceConfig.Type = "oneshot";
420            serviceConfig.RemainAfterExit = true;
421            path = [ pkgs.iproute2 pkgs.gawk ];
422            script = ''
423              echo "Destroying old bond ${n}..."
424              ${destroyBond n}
425
426              echo "Creating new bond ${n}..."
427              ip link add name "${n}" type bond \
428              ${let opts = (mapAttrs (const toString)
429                             (bondDeprecation.filterDeprecated v))
430                           // v.driverOptions;
431                 in concatStringsSep "\n"
432                      (mapAttrsToList (set: val: "  ${set} ${val} \\") opts)}
433
434              # !!! There must be a better way to wait for the interface
435              while [ ! -d "/sys/class/net/${n}" ]; do sleep 0.1; done;
436
437              # Bring up the bond and enslave the specified interfaces
438              ip link set "${n}" up
439              ${flip concatMapStrings v.interfaces (i: ''
440                ip link set "${i}" down
441                ip link set "${i}" master "${n}"
442              '')}
443            '';
444            postStop = destroyBond n;
445          });
446
447        createMacvlanDevice = n: v: nameValuePair "${n}-netdev"
448          (let
449            deps = deviceDependency v.interface;
450          in
451          { description = "Vlan Interface ${n}";
452            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
453            bindsTo = deps;
454            partOf = [ "network-setup.service" ];
455            after = [ "network-pre.target" ] ++ deps;
456            before = [ "network-setup.service" ];
457            serviceConfig.Type = "oneshot";
458            serviceConfig.RemainAfterExit = true;
459            path = [ pkgs.iproute2 ];
460            script = ''
461              # Remove Dead Interfaces
462              ip link show "${n}" >/dev/null 2>&1 && ip link delete "${n}"
463              ip link add link "${v.interface}" name "${n}" type macvlan \
464                ${optionalString (v.mode != null) "mode ${v.mode}"}
465              ip link set "${n}" up
466            '';
467            postStop = ''
468              ip link delete "${n}" || true
469            '';
470          });
471
472        createFouEncapsulation = n: v: nameValuePair "${n}-fou-encap"
473          (let
474            # if we have a device to bind to we can wait for its addresses to be
475            # configured, otherwise external sequencing is required.
476            deps = optionals (v.local != null && v.local.dev != null)
477              (deviceDependency v.local.dev ++ [ "network-addresses-${v.local.dev}.service" ]);
478            fouSpec = "port ${toString v.port} ${
479              if v.protocol != null then "ipproto ${toString v.protocol}" else "gue"
480            } ${
481              optionalString (v.local != null) "local ${escapeShellArg v.local.address} ${
482                optionalString (v.local.dev != null) "dev ${escapeShellArg v.local.dev}"
483              }"
484            }";
485          in
486          { description = "FOU endpoint ${n}";
487            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
488            bindsTo = deps;
489            partOf = [ "network-setup.service" ];
490            after = [ "network-pre.target" ] ++ deps;
491            before = [ "network-setup.service" ];
492            serviceConfig.Type = "oneshot";
493            serviceConfig.RemainAfterExit = true;
494            path = [ pkgs.iproute2 ];
495            script = ''
496              # always remove previous incarnation since show can't filter
497              ip fou del ${fouSpec} >/dev/null 2>&1 || true
498              ip fou add ${fouSpec}
499            '';
500            postStop = ''
501              ip fou del ${fouSpec} || true
502            '';
503          });
504
505        createSitDevice = n: v: nameValuePair "${n}-netdev"
506          (let
507            deps = deviceDependency v.dev;
508          in
509          { description = "6-to-4 Tunnel Interface ${n}";
510            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
511            bindsTo = deps;
512            partOf = [ "network-setup.service" ];
513            after = [ "network-pre.target" ] ++ deps;
514            before = [ "network-setup.service" ];
515            serviceConfig.Type = "oneshot";
516            serviceConfig.RemainAfterExit = true;
517            path = [ pkgs.iproute2 ];
518            script = ''
519              # Remove Dead Interfaces
520              ip link show "${n}" >/dev/null 2>&1 && ip link delete "${n}"
521              ip link add name "${n}" type sit \
522                ${optionalString (v.remote != null) "remote \"${v.remote}\""} \
523                ${optionalString (v.local != null) "local \"${v.local}\""} \
524                ${optionalString (v.ttl != null) "ttl ${toString v.ttl}"} \
525                ${optionalString (v.dev != null) "dev \"${v.dev}\""} \
526                ${optionalString (v.encapsulation != null)
527                  "encap ${v.encapsulation.type} encap-dport ${toString v.encapsulation.port} ${
528                    optionalString (v.encapsulation.sourcePort != null)
529                      "encap-sport ${toString v.encapsulation.sourcePort}"
530                  }"}
531              ip link set "${n}" up
532            '';
533            postStop = ''
534              ip link delete "${n}" || true
535            '';
536          });
537
538        createGreDevice = n: v: nameValuePair "${n}-netdev"
539          (let
540            deps = deviceDependency v.dev;
541            ttlarg = if lib.hasPrefix "ip6" v.type then "hoplimit" else "ttl";
542          in
543          { description = "GRE Tunnel Interface ${n}";
544            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
545            bindsTo = deps;
546            partOf = [ "network-setup.service" ];
547            after = [ "network-pre.target" ] ++ deps;
548            before = [ "network-setup.service" ];
549            serviceConfig.Type = "oneshot";
550            serviceConfig.RemainAfterExit = true;
551            path = [ pkgs.iproute2 ];
552            script = ''
553              # Remove Dead Interfaces
554              ip link show "${n}" >/dev/null 2>&1 && ip link delete "${n}"
555              ip link add name "${n}" type ${v.type} \
556                ${optionalString (v.remote != null) "remote \"${v.remote}\""} \
557                ${optionalString (v.local != null) "local \"${v.local}\""} \
558                ${optionalString (v.ttl != null) "${ttlarg} ${toString v.ttl}"} \
559                ${optionalString (v.dev != null) "dev \"${v.dev}\""}
560              ip link set "${n}" up
561            '';
562            postStop = ''
563              ip link delete "${n}" || true
564            '';
565          });
566
567        createVlanDevice = n: v: nameValuePair "${n}-netdev"
568          (let
569            deps = deviceDependency v.interface;
570          in
571          { description = "Vlan Interface ${n}";
572            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
573            bindsTo = deps;
574            partOf = [ "network-setup.service" ];
575            after = [ "network-pre.target" ] ++ deps;
576            before = [ "network-setup.service" ];
577            serviceConfig.Type = "oneshot";
578            serviceConfig.RemainAfterExit = true;
579            path = [ pkgs.iproute2 ];
580            script = ''
581              # Remove Dead Interfaces
582              ip link show "${n}" >/dev/null 2>&1 && ip link delete "${n}"
583              ip link add link "${v.interface}" name "${n}" type vlan id "${toString v.id}"
584
585              # We try to bring up the logical VLAN interface. If the master
586              # interface the logical interface is dependent upon is not up yet we will
587              # fail to immediately bring up the logical interface. The resulting logical
588              # interface will brought up later when the master interface is up.
589              ip link set "${n}" up || true
590            '';
591            postStop = ''
592              ip link delete "${n}" || true
593            '';
594          });
595
596      in listToAttrs (
597           map configureAddrs interfaces ++
598           map createTunDevice (filter (i: i.virtual) interfaces))
599         // mapAttrs' createBridgeDevice cfg.bridges
600         // mapAttrs' createVswitchDevice cfg.vswitches
601         // mapAttrs' createBondDevice cfg.bonds
602         // mapAttrs' createMacvlanDevice cfg.macvlans
603         // mapAttrs' createFouEncapsulation cfg.fooOverUDP
604         // mapAttrs' createSitDevice cfg.sits
605         // mapAttrs' createGreDevice cfg.greTunnels
606         // mapAttrs' createVlanDevice cfg.vlans
607         // {
608           network-setup = networkSetup;
609           network-local-commands = networkLocalCommands;
610         };
611
612    services.udev.extraRules =
613      ''
614        KERNEL=="tun", TAG+="systemd"
615      '';
616
617
618  };
619
620in
621
622{
623  config = mkMerge [
624    bondWarnings
625    (mkIf (!cfg.useNetworkd) normalConfig)
626    { # Ensure slave interfaces are brought up
627      networking.interfaces = genAttrs slaves (i: {});
628    }
629  ];
630}