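{ pkgs, lib, config, ... }:
# NixOS module: one oneshot systemd unit per entry of services.netns.namespaces.
# Each unit creates a named network namespace (`ip netns add`), optionally
# loads an nftables ruleset and applies sysctls inside it, and deletes the
# namespace again on stop.
with lib;
let
  cfg = config.services.netns;

  # Escape as required by: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
  # Every run of characters outside the set allowed in unit names is collapsed
  # into a single "-".  This is lossy ("a b" and "a-b" both become "a-b"), so
  # an assertion in `config` rejects namespace names whose escaped forms collide.
  escapeUnitName = name:
    lib.concatMapStrings (s: if lib.isList s then "-" else s)
      (builtins.split "[^a-zA-Z0-9_.\\-]+" name);

  # systemd unit name managing the namespace `name`.
  unitName = name: "netns-${escapeUnitName name}";

  # Render a sysctl value as `sysctl -w` expects it, with the same convention
  # as boot.kernel.sysctl: false -> "0", true -> "1", int/str via toString.
  sysctlValue = v: if v == false then "0" else toString v;
in
{
  options.services.netns = {
    namespaces = mkOption {
      description = "netns namespaces to create";
      type = types.attrsOf (types.submodule ({ name, ... }: {
        options = {
          # Loaded with `nft -f` inside the namespace after a `flush ruleset`,
          # but only when networking.nftables.enable is true (see `config`).
          nftables = mkOption {
            type = types.lines;
            default = "";
            description = ''
              Nftables ruleset.
            '';
          };
          # Applied with `sysctl -w` inside the namespace; null entries are skipped.
          sysctl = mkOption {
            type = with types; attrsOf (nullOr (oneOf [bool str int]));
            default = {};
            description = ''
              Kernel sysctl.
            '';
          };
          # Merged last into the generated unit, so it can extend every attribute
          # defined below (and, with lib.mkForce, override it).
          service = mkOption {
            type = types.attrs;
            default = {};
            description = ''
              Systemd configuration specific to this netns service.
            '';
          };
        };
      }));
      default = {};
    };
  };

  config = {
    # escapeUnitName is not injective; two namespaces mapping to the same unit
    # name would otherwise make mapAttrs' silently keep only one of them.
    assertions = [
      { assertion =
          let escaped = map escapeUnitName (attrNames cfg.namespaces);
          in length escaped == length (unique escaped);
        message = "services.netns.namespaces: several namespace names escape to the same systemd unit name";
      }
    ];

    systemd.services = mapAttrs' (name: c:
      let
        ip = "${pkgs.iproute}/bin/ip";
        # Run `cmd` inside the namespace; `name` is the raw (unescaped) netns name.
        inNetns = cmd: "${ip} netns exec ${escapeShellArg name} ${cmd}";
        nftRuleset = pkgs.writeScript "nftables-ruleset" ''
          #!${pkgs.nftables}/bin/nft -f
          flush ruleset
          ${c.nftables}
        '';
        sysctls = filterAttrs (_: v: v != null) c.sysctl;
        sysctlArgs = mapAttrsToList (k: v: escapeShellArg "${k}=${sysctlValue v}") sysctls;
      in
      nameValuePair (unitName name) (mkMerge [
        { description = "${name} network namespace";
          before = [ "network.target" ];
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            PrivateNetwork = true;
            ExecStart = "${ip} netns add ${escapeShellArg name}";
            # Post-start steps run inside the freshly created namespace.
            # The ruleset is only loaded when nftables is enabled system-wide;
            # sysctls are only applied when at least one non-null entry is set.
            ExecStartPost =
              optional config.networking.nftables.enable (inNetns "${nftRuleset}")
              ++ optional (sysctls != {})
                   (inNetns "${pkgs.procps}/bin/sysctl -w ${concatStringsSep " " sysctlArgs}");
            ExecStop = "${ip} netns del ${escapeShellArg name}";
          };
        }
        c.service
      ])) cfg.namespaces;
    meta.maintainers = with lib.maintainers; [ julm ];
  };
}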