nixos/modules/services/networking/netns.nix

   1 { pkgs, lib, config, ... }:
   2 with lib;
   3 let
   4   cfg = config.services.netns;
   5   # Escape as required by: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
   6   escapeUnitName = name:
   7     lib.concatMapStrings (s: if lib.isList s then "-" else s)
   8     (builtins.split "[^a-zA-Z0-9_.\\-]+" name);
   9 in
  10 {
  11 options.services.netns = {
  12   namespaces = mkOption {
  13     description = "netns namespaces to create";
  14     type = types.attrsOf (types.submodule ({ name, ... }: {
  15       options = {
  16         nftables = mkOption {
  17           type = types.lines;
  18           default = "";
  19           description = ''
  20             Nftables ruleset.
  21           '';
  22         };
  23         sysctl = mkOption {
  24           type = with types; attrsOf (nullOr (oneOf [bool str int]));
  25           default = {};
  26           description = ''
  27             Kernel sysctl.
  28           '';
  29         };
  30         service = mkOption {
  31           type = types.attrs;
  32           default = {};
  33           description = ''
  34             Systemd configuration specific to this netns service.
  35           '';
  36         };
  37       };
  38     }));
  39     default = {};
  40   };
  41 };
  42 config = {
  43   systemd.services = mapAttrs' (name: c:
  44     nameValuePair "netns-${escapeUnitName name}" (mkMerge [
  45       { description = "${name} network namespace";
  46         before = [ "network.target" ];
  47         serviceConfig = {
  48           Type = "oneshot";
  49           RemainAfterExit = true;
  50           PrivateNetwork = true;
  51           ExecStart = "${pkgs.iproute}/bin/ip netns add ${escapeShellArg name}";
  52           ExecStartPost = optional config.networking.nftables.enable
  53             "${pkgs.iproute}/bin/ip netns exec ${escapeShellArg name} ${pkgs.writeScript "nftables-ruleset" ''
  54               #!${pkgs.nftables}/bin/nft -f
  55               flush ruleset
  56               ${c.nftables}
  57             ''}";
  58           ExecStop = "${pkgs.iproute}/bin/ip netns del ${escapeShellArg name}";
  59         };
  60       }
  61       #cfg.service
  62       c.service
  63     ])) cfg.namespaces;
  64   meta.maintainers = with lib.maintainers; [ julm ];
  65 };
  66 }