nixos/modules/tasks/network-interfaces-scripted.nix at 24.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / tasks / network-interfaces-scripted.nix
at 24.11-pre 28 kB view raw
  1{ config, lib, pkgs, utils, ... }:
  2
  3with utils;
  4with lib;
  5
  6let
  7
  8  cfg = config.networking;
  9  interfaces = attrValues cfg.interfaces;
 10
 11  slaves = concatMap (i: i.interfaces) (attrValues cfg.bonds)
 12    ++ concatMap (i: i.interfaces) (attrValues cfg.bridges)
 13    ++ concatMap (i: attrNames (filterAttrs (_: config: config.type != "internal") i.interfaces)) (attrValues cfg.vswitches)
 14    ++ concatMap (i: [i.interface]) (attrValues cfg.macvlans)
 15    ++ concatMap (i: [i.interface]) (attrValues cfg.vlans);
 16
 17  # We must escape interfaces due to the systemd interpretation
 18  subsystemDevice = interface:
 19    "sys-subsystem-net-devices-${escapeSystemdPath interface}.device";
 20
 21  interfaceIps = i:
 22    i.ipv4.addresses
 23    ++ optionals cfg.enableIPv6 i.ipv6.addresses;
 24
 25  destroyBond = i: ''
 26    while true; do
 27      UPDATED=1
 28      SLAVES=$(ip link | grep 'master ${i}' | awk -F: '{print $2}')
 29      for I in $SLAVES; do
 30        UPDATED=0
 31        ip link set dev "$I" nomaster
 32      done
 33      [ "$UPDATED" -eq "1" ] && break
 34    done
 35    ip link set dev "${i}" down 2>/dev/null || true
 36    ip link del dev "${i}" 2>/dev/null || true
 37  '';
 38
 39  # warn that these attributes are deprecated (2017-2-2)
 40  # Should be removed in the release after next
 41  bondDeprecation = rec {
 42    deprecated = [ "lacp_rate" "miimon" "mode" "xmit_hash_policy" ];
 43    filterDeprecated = bond: (filterAttrs (attrName: attr:
 44                         elem attrName deprecated && attr != null) bond);
 45  };
 46
 47  bondWarnings =
 48    let oneBondWarnings = bondName: bond:
 49          mapAttrsToList (bondText bondName) (bondDeprecation.filterDeprecated bond);
 50        bondText = bondName: optName: _:
 51          "${bondName}.${optName} is deprecated, use ${bondName}.driverOptions";
 52    in {
 53      warnings = flatten (mapAttrsToList oneBondWarnings cfg.bonds);
 54    };
 55
 56  normalConfig = {
 57    systemd.network.links = let
 58      createNetworkLink = i: nameValuePair "40-${i.name}" {
 59        matchConfig.OriginalName = i.name;
 60        linkConfig = optionalAttrs (i.macAddress != null) {
 61          MACAddress = i.macAddress;
 62        } // optionalAttrs (i.mtu != null) {
 63          MTUBytes = toString i.mtu;
 64        };
 65      };
 66    in listToAttrs (map createNetworkLink interfaces);
 67    systemd.services =
 68      let
 69
 70        deviceDependency = dev:
 71          # Use systemd service if we manage device creation, else
 72          # trust udev when not in a container
 73          if (dev == null || dev == "lo") then []
 74          else if (hasAttr dev (filterAttrs (k: v: v.virtual) cfg.interfaces)) ||
 75             (hasAttr dev cfg.bridges) ||
 76             (hasAttr dev cfg.bonds) ||
 77             (hasAttr dev cfg.macvlans) ||
 78             (hasAttr dev cfg.sits) ||
 79             (hasAttr dev cfg.vlans) ||
 80             (hasAttr dev cfg.vswitches)
 81          then [ "${dev}-netdev.service" ]
 82          else optional (!config.boot.isContainer) (subsystemDevice dev);
 83
 84        hasDefaultGatewaySet = (cfg.defaultGateway != null && cfg.defaultGateway.address != "")
 85                            || (cfg.enableIPv6 && cfg.defaultGateway6 != null && cfg.defaultGateway6.address != "");
 86
 87        needNetworkSetup = cfg.resolvconf.enable || cfg.defaultGateway != null || cfg.defaultGateway6 != null;
 88
 89        networkLocalCommands = lib.mkIf needNetworkSetup {
 90          after = [ "network-setup.service" ];
 91          bindsTo = [ "network-setup.service" ];
 92        };
 93
 94        networkSetup = lib.mkIf needNetworkSetup
 95          { description = "Networking Setup";
 96
 97            after = [ "network-pre.target" "systemd-udevd.service" "systemd-sysctl.service" ];
 98            before = [ "network.target" "shutdown.target" ];
 99            wants = [ "network.target" ];
100            # exclude bridges from the partOf relationship to fix container networking bug #47210
101            partOf = map (i: "network-addresses-${i.name}.service") (filter (i: !(hasAttr i.name cfg.bridges)) interfaces);
102            conflicts = [ "shutdown.target" ];
103            wantedBy = [ "multi-user.target" ] ++ optional hasDefaultGatewaySet "network-online.target";
104
105            unitConfig.ConditionCapability = "CAP_NET_ADMIN";
106
107            path = [ pkgs.iproute2 ];
108
109            serviceConfig = {
110              Type = "oneshot";
111              RemainAfterExit = true;
112            };
113
114            unitConfig.DefaultDependencies = false;
115
116            script =
117              ''
118                ${optionalString config.networking.resolvconf.enable ''
119                  # Set the static DNS configuration, if given.
120                  ${pkgs.openresolv}/sbin/resolvconf -m 1 -a static <<EOF
121                  ${optionalString (cfg.nameservers != [] && cfg.domain != null) ''
122                    domain ${cfg.domain}
123                  ''}
124                  ${optionalString (cfg.search != []) ("search " + concatStringsSep " " cfg.search)}
125                  ${flip concatMapStrings cfg.nameservers (ns: ''
126                    nameserver ${ns}
127                  '')}
128                  EOF
129                ''}
130
131                # Set the default gateway.
132                ${optionalString (cfg.defaultGateway != null && cfg.defaultGateway.address != "") ''
133                  ${optionalString (cfg.defaultGateway.interface != null) ''
134                    ip route replace ${cfg.defaultGateway.address} dev ${cfg.defaultGateway.interface} ${optionalString (cfg.defaultGateway.metric != null)
135                      "metric ${toString cfg.defaultGateway.metric}"
136                    } proto static
137                  ''}
138                  ip route replace default ${optionalString (cfg.defaultGateway.metric != null)
139                      "metric ${toString cfg.defaultGateway.metric}"
140                    } via "${cfg.defaultGateway.address}" ${
141                    optionalString (cfg.defaultGatewayWindowSize != null)
142                      "window ${toString cfg.defaultGatewayWindowSize}"} ${
143                    optionalString (cfg.defaultGateway.interface != null)
144                      "dev ${cfg.defaultGateway.interface}"} proto static
145                ''}
146                ${optionalString (cfg.defaultGateway6 != null && cfg.defaultGateway6.address != "") ''
147                  ${optionalString (cfg.defaultGateway6.interface != null) ''
148                    ip -6 route replace ${cfg.defaultGateway6.address} dev ${cfg.defaultGateway6.interface} ${optionalString (cfg.defaultGateway6.metric != null)
149                      "metric ${toString cfg.defaultGateway6.metric}"
150                    } proto static
151                  ''}
152                  ip -6 route replace default ${optionalString (cfg.defaultGateway6.metric != null)
153                      "metric ${toString cfg.defaultGateway6.metric}"
154                    } via "${cfg.defaultGateway6.address}" ${
155                    optionalString (cfg.defaultGatewayWindowSize != null)
156                      "window ${toString cfg.defaultGatewayWindowSize}"} ${
157                    optionalString (cfg.defaultGateway6.interface != null)
158                      "dev ${cfg.defaultGateway6.interface}"} proto static
159                ''}
160              '';
161          };
162
163        # For each interface <foo>, create a job ‘network-addresses-<foo>.service"
164        # that performs static address configuration.  It has a "wants"
165        # dependency on ‘<foo>.service’, which is supposed to create
166        # the interface and need not exist (i.e. for hardware
167        # interfaces).  It has a binds-to dependency on the actual
168        # network device, so it only gets started after the interface
169        # has appeared, and it's stopped when the interface
170        # disappears.
171        configureAddrs = i:
172          let
173            ips = interfaceIps i;
174          in
175          nameValuePair "network-addresses-${i.name}"
176          { description = "Address configuration of ${i.name}";
177            wantedBy = [
178              "network-setup.service"
179              "network.target"
180            ];
181            # order before network-setup because the routes that are configured
182            # there may need ip addresses configured
183            before = [ "network-setup.service" ];
184            bindsTo = deviceDependency i.name;
185            after = [ "network-pre.target" ] ++ (deviceDependency i.name);
186            serviceConfig.Type = "oneshot";
187            serviceConfig.RemainAfterExit = true;
188            # Restart rather than stop+start this unit to prevent the
189            # network from dying during switch-to-configuration.
190            stopIfChanged = false;
191            path = [ pkgs.iproute2 ];
192            script =
193              ''
194                state="/run/nixos/network/addresses/${i.name}"
195                mkdir -p $(dirname "$state")
196
197                ip link set dev "${i.name}" up
198
199                ${flip concatMapStrings ips (ip:
200                  let
201                    cidr = "${ip.address}/${toString ip.prefixLength}";
202                  in
203                  ''
204                    echo "${cidr}" >> $state
205                    echo -n "adding address ${cidr}... "
206                    if out=$(ip addr add "${cidr}" dev "${i.name}" 2>&1); then
207                      echo "done"
208                    elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then
209                      echo "'ip addr add "${cidr}" dev "${i.name}"' failed: $out"
210                      exit 1
211                    fi
212                  ''
213                )}
214
215                state="/run/nixos/network/routes/${i.name}"
216                mkdir -p $(dirname "$state")
217
218                ${flip concatMapStrings (i.ipv4.routes ++ i.ipv6.routes) (route:
219                  let
220                    cidr = "${route.address}/${toString route.prefixLength}";
221                    via = optionalString (route.via != null) ''via "${route.via}"'';
222                    options = concatStrings (mapAttrsToList (name: val: "${name} ${val} ") route.options);
223                    type = toString route.type;
224                  in
225                  ''
226                     echo "${cidr}" >> $state
227                     echo -n "adding route ${cidr}... "
228                     if out=$(ip route add ${type} "${cidr}" ${options} ${via} dev "${i.name}" proto static 2>&1); then
229                       echo "done"
230                     elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then
231                       echo "'ip route add ${type} "${cidr}" ${options} ${via} dev "${i.name}"' failed: $out"
232                       exit 1
233                     fi
234                  ''
235                )}
236              '';
237            preStop = ''
238              state="/run/nixos/network/routes/${i.name}"
239              if [ -e "$state" ]; then
240                while read cidr; do
241                  echo -n "deleting route $cidr... "
242                  ip route del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed"
243                done < "$state"
244                rm -f "$state"
245              fi
246
247              state="/run/nixos/network/addresses/${i.name}"
248              if [ -e "$state" ]; then
249                while read cidr; do
250                  echo -n "deleting address $cidr... "
251                  ip addr del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed"
252                done < "$state"
253                rm -f "$state"
254              fi
255            '';
256          };
257
258        createTunDevice = i: nameValuePair "${i.name}-netdev"
259          { description = "Virtual Network Interface ${i.name}";
260            bindsTo = optional (!config.boot.isContainer) "dev-net-tun.device";
261            after = optional (!config.boot.isContainer) "dev-net-tun.device" ++ [ "network-pre.target" ];
262            wantedBy = [ "network-setup.service" (subsystemDevice i.name) ];
263            partOf = [ "network-setup.service" ];
264            before = [ "network-setup.service" ];
265            path = [ pkgs.iproute2 ];
266            serviceConfig = {
267              Type = "oneshot";
268              RemainAfterExit = true;
269            };
270            script = ''
271              ip tuntap add dev "${i.name}" mode "${i.virtualType}" user "${i.virtualOwner}"
272            '';
273            postStop = ''
274              ip link del dev ${i.name} || true
275            '';
276          };
277
278        createBridgeDevice = n: v: nameValuePair "${n}-netdev"
279          (let
280            deps = concatLists (map deviceDependency v.interfaces);
281          in
282          { description = "Bridge Interface ${n}";
283            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
284            bindsTo = deps ++ optional v.rstp "mstpd.service";
285            partOf = [ "network-setup.service" ] ++ optional v.rstp "mstpd.service";
286            after = [ "network-pre.target" ] ++ deps ++ optional v.rstp "mstpd.service"
287              ++ map (i: "network-addresses-${i}.service") v.interfaces;
288            before = [ "network-setup.service" ];
289            serviceConfig.Type = "oneshot";
290            serviceConfig.RemainAfterExit = true;
291            path = [ pkgs.iproute2 ];
292            script = ''
293              # Remove Dead Interfaces
294              echo "Removing old bridge ${n}..."
295              ip link show dev "${n}" >/dev/null 2>&1 && ip link del dev "${n}"
296
297              echo "Adding bridge ${n}..."
298              ip link add name "${n}" type bridge
299
300              # Enslave child interfaces
301              ${flip concatMapStrings v.interfaces (i: ''
302                ip link set dev "${i}" master "${n}"
303                ip link set dev "${i}" up
304              '')}
305              # Save list of enslaved interfaces
306              echo "${flip concatMapStrings v.interfaces (i: ''
307                ${i}
308              '')}" > /run/${n}.interfaces
309
310              ${optionalString config.virtualisation.libvirtd.enable ''
311                  # Enslave dynamically added interfaces which may be lost on nixos-rebuild
312                  #
313                  # if `libvirtd.service` is not running, do not use `virsh` which would try activate it via 'libvirtd.socket' and thus start it out-of-order.
314                  # `libvirtd.service` will set up bridge interfaces when it will start normally.
315                  #
316                  if /run/current-system/systemd/bin/systemctl --quiet is-active 'libvirtd.service'; then
317                    for uri in qemu:///system lxc:///; do
318                      for dom in $(${pkgs.libvirt}/bin/virsh -c $uri list --name); do
319                        ${pkgs.libvirt}/bin/virsh -c $uri dumpxml "$dom" | \
320                        ${pkgs.xmlstarlet}/bin/xmlstarlet sel -t -m "//domain/devices/interface[@type='bridge'][source/@bridge='${n}'][target/@dev]" -v "concat('ip link set dev ',target/@dev,' master ',source/@bridge,';')" | \
321                        ${pkgs.bash}/bin/bash
322                      done
323                    done
324                  fi
325                ''}
326
327              # Enable stp on the interface
328              ${optionalString v.rstp ''
329                echo 2 >/sys/class/net/${n}/bridge/stp_state
330              ''}
331
332              ip link set dev "${n}" up
333            '';
334            postStop = ''
335              ip link set dev "${n}" down || true
336              ip link del dev "${n}" || true
337              rm -f /run/${n}.interfaces
338            '';
339            reload = ''
340              # Un-enslave child interfaces (old list of interfaces)
341              for interface in `cat /run/${n}.interfaces`; do
342                ip link set dev "$interface" nomaster up
343              done
344
345              # Enslave child interfaces (new list of interfaces)
346              ${flip concatMapStrings v.interfaces (i: ''
347                ip link set dev "${i}" master "${n}"
348                ip link set dev "${i}" up
349              '')}
350              # Save list of enslaved interfaces
351              echo "${flip concatMapStrings v.interfaces (i: ''
352                ${i}
353              '')}" > /run/${n}.interfaces
354
355              # (Un-)set stp on the bridge
356              echo ${if v.rstp then "2" else "0"} > /sys/class/net/${n}/bridge/stp_state
357            '';
358            reloadIfChanged = true;
359          });
360
361        createVswitchDevice = n: v: nameValuePair "${n}-netdev"
362          (let
363            deps = concatLists (map deviceDependency (attrNames (filterAttrs (_: config: config.type != "internal") v.interfaces)));
364            internalConfigs = map (i: "network-addresses-${i}.service") (attrNames (filterAttrs (_: config: config.type == "internal") v.interfaces));
365            ofRules = pkgs.writeText "vswitch-${n}-openFlowRules" v.openFlowRules;
366          in
367          { description = "Open vSwitch Interface ${n}";
368            wantedBy = [ "network-setup.service" (subsystemDevice n) ] ++ internalConfigs;
369            # before = [ "network-setup.service" ];
370            # should work without internalConfigs dependencies because address/link configuration depends
371            # on the device, which is created by ovs-vswitchd with type=internal, but it does not...
372            before = [ "network-setup.service" ] ++ internalConfigs;
373            partOf = [ "network-setup.service" ]; # shutdown the bridge when network is shutdown
374            bindsTo = [ "ovs-vswitchd.service" ]; # requires ovs-vswitchd to be alive at all times
375            after = [ "network-pre.target" "ovs-vswitchd.service" ] ++ deps; # start switch after physical interfaces and vswitch daemon
376            wants = deps; # if one or more interface fails, the switch should continue to run
377            serviceConfig.Type = "oneshot";
378            serviceConfig.RemainAfterExit = true;
379            path = [ pkgs.iproute2 config.virtualisation.vswitch.package ];
380            preStart = ''
381              echo "Resetting Open vSwitch ${n}..."
382              ovs-vsctl --if-exists del-br ${n} -- add-br ${n} \
383                        -- set bridge ${n} protocols=${concatStringsSep "," v.supportedOpenFlowVersions}
384            '';
385            script = ''
386              echo "Configuring Open vSwitch ${n}..."
387              ovs-vsctl ${concatStrings (mapAttrsToList (name: config: " -- add-port ${n} ${name}" + optionalString (config.vlan != null) " tag=${toString config.vlan}") v.interfaces)} \
388                ${concatStrings (mapAttrsToList (name: config: optionalString (config.type != null) " -- set interface ${name} type=${config.type}") v.interfaces)} \
389                ${concatMapStrings (x: " -- set-controller ${n} " + x)  v.controllers} \
390                ${concatMapStrings (x: " -- " + x) (splitString "\n" v.extraOvsctlCmds)}
391
392
393              echo "Adding OpenFlow rules for Open vSwitch ${n}..."
394              ovs-ofctl --protocols=${v.openFlowVersion} add-flows ${n} ${ofRules}
395            '';
396            postStop = ''
397              echo "Cleaning Open vSwitch ${n}"
398              echo "Shutting down internal ${n} interface"
399              ip link set dev ${n} down || true
400              echo "Deleting flows for ${n}"
401              ovs-ofctl --protocols=${v.openFlowVersion} del-flows ${n} || true
402              echo "Deleting Open vSwitch ${n}"
403              ovs-vsctl --if-exists del-br ${n} || true
404            '';
405          });
406
407        createBondDevice = n: v: nameValuePair "${n}-netdev"
408          (let
409            deps = concatLists (map deviceDependency v.interfaces);
410          in
411          { description = "Bond Interface ${n}";
412            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
413            bindsTo = deps;
414            partOf = [ "network-setup.service" ];
415            after = [ "network-pre.target" ] ++ deps
416              ++ map (i: "network-addresses-${i}.service") v.interfaces;
417            before = [ "network-setup.service" ];
418            serviceConfig.Type = "oneshot";
419            serviceConfig.RemainAfterExit = true;
420            path = [ pkgs.iproute2 pkgs.gawk ];
421            script = ''
422              echo "Destroying old bond ${n}..."
423              ${destroyBond n}
424
425              echo "Creating new bond ${n}..."
426              ip link add name "${n}" type bond \
427              ${let opts = (mapAttrs (const toString)
428                             (bondDeprecation.filterDeprecated v))
429                           // v.driverOptions;
430                 in concatStringsSep "\n"
431                      (mapAttrsToList (set: val: "  ${set} ${val} \\") opts)}
432
433              # !!! There must be a better way to wait for the interface
434              while [ ! -d "/sys/class/net/${n}" ]; do sleep 0.1; done;
435
436              # Bring up the bond and enslave the specified interfaces
437              ip link set dev "${n}" up
438              ${flip concatMapStrings v.interfaces (i: ''
439                ip link set dev "${i}" down
440                ip link set dev "${i}" master "${n}"
441              '')}
442            '';
443            postStop = destroyBond n;
444          });
445
446        createMacvlanDevice = n: v: nameValuePair "${n}-netdev"
447          (let
448            deps = deviceDependency v.interface;
449          in
450          { description = "Vlan Interface ${n}";
451            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
452            bindsTo = deps;
453            partOf = [ "network-setup.service" ];
454            after = [ "network-pre.target" ] ++ deps;
455            before = [ "network-setup.service" ];
456            serviceConfig.Type = "oneshot";
457            serviceConfig.RemainAfterExit = true;
458            path = [ pkgs.iproute2 ];
459            script = ''
460              # Remove Dead Interfaces
461              ip link show dev "${n}" >/dev/null 2>&1 && ip link delete dev "${n}"
462              ip link add link "${v.interface}" name "${n}" type macvlan \
463                ${optionalString (v.mode != null) "mode ${v.mode}"}
464              ip link set dev "${n}" up
465            '';
466            postStop = ''
467              ip link delete dev "${n}" || true
468            '';
469          });
470
471        createFouEncapsulation = n: v: nameValuePair "${n}-fou-encap"
472          (let
473            # if we have a device to bind to we can wait for its addresses to be
474            # configured, otherwise external sequencing is required.
475            deps = optionals (v.local != null && v.local.dev != null)
476              (deviceDependency v.local.dev ++ [ "network-addresses-${v.local.dev}.service" ]);
477            fouSpec = "port ${toString v.port} ${
478              if v.protocol != null then "ipproto ${toString v.protocol}" else "gue"
479            } ${
480              optionalString (v.local != null) "local ${escapeShellArg v.local.address} ${
481                optionalString (v.local.dev != null) "dev ${escapeShellArg v.local.dev}"
482              }"
483            }";
484          in
485          { description = "FOU endpoint ${n}";
486            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
487            bindsTo = deps;
488            partOf = [ "network-setup.service" ];
489            after = [ "network-pre.target" ] ++ deps;
490            before = [ "network-setup.service" ];
491            serviceConfig.Type = "oneshot";
492            serviceConfig.RemainAfterExit = true;
493            path = [ pkgs.iproute2 ];
494            script = ''
495              # always remove previous incarnation since show can't filter
496              ip fou del ${fouSpec} >/dev/null 2>&1 || true
497              ip fou add ${fouSpec}
498            '';
499            postStop = ''
500              ip fou del ${fouSpec} || true
501            '';
502          });
503
504        createSitDevice = n: v: nameValuePair "${n}-netdev"
505          (let
506            deps = deviceDependency v.dev;
507          in
508          { description = "6-to-4 Tunnel Interface ${n}";
509            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
510            bindsTo = deps;
511            partOf = [ "network-setup.service" ];
512            after = [ "network-pre.target" ] ++ deps;
513            before = [ "network-setup.service" ];
514            serviceConfig.Type = "oneshot";
515            serviceConfig.RemainAfterExit = true;
516            path = [ pkgs.iproute2 ];
517            script = ''
518              # Remove Dead Interfaces
519              ip link show dev "${n}" >/dev/null 2>&1 && ip link delete dev "${n}"
520              ip link add name "${n}" type sit \
521                ${optionalString (v.remote != null) "remote \"${v.remote}\""} \
522                ${optionalString (v.local != null) "local \"${v.local}\""} \
523                ${optionalString (v.ttl != null) "ttl ${toString v.ttl}"} \
524                ${optionalString (v.dev != null) "dev \"${v.dev}\""} \
525                ${optionalString (v.encapsulation != null)
526                  "encap ${v.encapsulation.type} encap-dport ${toString v.encapsulation.port} ${
527                    optionalString (v.encapsulation.sourcePort != null)
528                      "encap-sport ${toString v.encapsulation.sourcePort}"
529                  }"}
530              ip link set dev "${n}" up
531            '';
532            postStop = ''
533              ip link delete dev "${n}" || true
534            '';
535          });
536
537        createGreDevice = n: v: nameValuePair "${n}-netdev"
538          (let
539            deps = deviceDependency v.dev;
540            ttlarg = if lib.hasPrefix "ip6" v.type then "hoplimit" else "ttl";
541          in
542          { description = "GRE Tunnel Interface ${n}";
543            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
544            bindsTo = deps;
545            partOf = [ "network-setup.service" ];
546            after = [ "network-pre.target" ] ++ deps;
547            before = [ "network-setup.service" ];
548            serviceConfig.Type = "oneshot";
549            serviceConfig.RemainAfterExit = true;
550            path = [ pkgs.iproute2 ];
551            script = ''
552              # Remove Dead Interfaces
553              ip link show dev "${n}" >/dev/null 2>&1 && ip link delete dev "${n}"
554              ip link add name "${n}" type ${v.type} \
555                ${optionalString (v.remote != null) "remote \"${v.remote}\""} \
556                ${optionalString (v.local != null) "local \"${v.local}\""} \
557                ${optionalString (v.ttl != null) "${ttlarg} ${toString v.ttl}"} \
558                ${optionalString (v.dev != null) "dev \"${v.dev}\""}
559              ip link set dev "${n}" up
560            '';
561            postStop = ''
562              ip link delete dev "${n}" || true
563            '';
564          });
565
566        createVlanDevice = n: v: nameValuePair "${n}-netdev"
567          (let
568            deps = deviceDependency v.interface;
569          in
570          { description = "Vlan Interface ${n}";
571            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
572            bindsTo = deps;
573            partOf = [ "network-setup.service" ];
574            after = [ "network-pre.target" ] ++ deps;
575            before = [ "network-setup.service" ];
576            serviceConfig.Type = "oneshot";
577            serviceConfig.RemainAfterExit = true;
578            path = [ pkgs.iproute2 ];
579            script = ''
580              # Remove Dead Interfaces
581              ip link show dev "${n}" >/dev/null 2>&1 && ip link delete dev "${n}"
582              ip link add link "${v.interface}" name "${n}" type vlan id "${toString v.id}"
583
584              # We try to bring up the logical VLAN interface. If the master
585              # interface the logical interface is dependent upon is not up yet we will
586              # fail to immediately bring up the logical interface. The resulting logical
587              # interface will brought up later when the master interface is up.
588              ip link set dev "${n}" up || true
589            '';
590            postStop = ''
591              ip link delete dev "${n}" || true
592            '';
593          });
594
595      in listToAttrs (
596           map configureAddrs interfaces ++
597           map createTunDevice (filter (i: i.virtual) interfaces))
598         // mapAttrs' createBridgeDevice cfg.bridges
599         // mapAttrs' createVswitchDevice cfg.vswitches
600         // mapAttrs' createBondDevice cfg.bonds
601         // mapAttrs' createMacvlanDevice cfg.macvlans
602         // mapAttrs' createFouEncapsulation cfg.fooOverUDP
603         // mapAttrs' createSitDevice cfg.sits
604         // mapAttrs' createGreDevice cfg.greTunnels
605         // mapAttrs' createVlanDevice cfg.vlans
606         // {
607           network-setup = networkSetup;
608           network-local-commands = networkLocalCommands;
609         };
610
611    services.udev.extraRules =
612      ''
613        KERNEL=="tun", TAG+="systemd"
614      '';
615
616
617  };
618
619in
620
621{
622  config = mkMerge [
623    bondWarnings
624    (mkIf (!cfg.useNetworkd) normalConfig)
625    { # Ensure slave interfaces are brought up
626      networking.interfaces = genAttrs slaves (i: {});
627    }
628  ];
629}