IfState: Difference between revisions

(5 intermediate revisions by one other user not shown)

Line 4:

=== Examples ===

You can find several examples on the [https://ifstate.net/2.0/examples/ IfState website]. Some include NixOS configuration instructions, while the more complex examples are covered in detail here.

You can find several examples on the [https://ifstate.net/2.2/examples/ IfState website]. Some include NixOS configuration instructions, while the more complex examples are covered in detail here.

==== Network Namespaces (netns) ====

Line 15:

systemd.services."<name>".serviceConfig.NetworkNamespacePath = "/var/run/netns/<netnsName>";

}

</syntaxhighlight>When using [~~https://nixos.wiki/wiki/NixOS_Containers~~ nixos-containers], network namespaces allow you to configure the network outside the container. This separation simplifies management and ensures the container’s network setup is independent of its internal configuration.<syntaxhighlight lang="nixos">

</syntaxhighlight>When using [[NixOS Containers|nixos-containers]], network namespaces allow you to configure the network outside the container. This separation simplifies management and ensures the container’s network setup is independent of its internal configuration.<syntaxhighlight lang="nixos">

{

containers."<name>".networkNamespace = "/var/run/netns/<netnsName>";

Line 65:

To achieve this, you might want to isolate the provider network from your Global Routing Table (GRT) and bind the WireGuard endpoints. The <code>IfState</code> tool offers a link configuration option called <code>bind_netns</code>, which can be used with tunnel links (such as WireGuard, GRE, SIT, etc.) to implement this separation.

[[File:Ifstate-vpn-gw.png|~~thumb~~|~~345x345px~~]]

[[File:Ifstate-vpn-gw.png|center|frameless]]

'''Important Note:''' If <code>enp0s3</code> is your provider interface, this configuration will move it into an external network namespace that contains nothing except the bound WireGuard endpoint. As a result, you won’t be able to access systemd services like your SSH server without an active WireGuard connection. Plan accordingly to avoid losing access to critical services.<syntaxhighlight lang="nixos">

Line 170:

Line 164:

</syntaxhighlight>

==== DHCPv4 ====

{ lib, pkgs, ... }:

{

networking.ifstate = {

enable = true;

settings = {

parameters.hooks.dhcp.script = pkgs.writeScript "ifstate-udhcp-wrapper-script.sh" ''

${lib.getExe' pkgs.busybox "udhcpc"} --quit --now -i $IFS_IFNAME -b --script ${pkgs.busybox}/default.script

'';

interfaces.eth1 = {

addresses = [ ];

hooks = [

{ name = "dhcp"; }

];

link = {

state = "up";

kind = "physical";

};

}

</syntaxhighlight>

=== Known Issues ===

@@ Line 4: / Line 4: @@
 === Examples ===
-You can find several examples on the [https://ifstate.net/2.0/examples/ IfState website]. Some include NixOS configuration instructions, while the more complex examples are covered in detail here.
+You can find several examples on the [https://ifstate.net/2.2/examples/ IfState website]. Some include NixOS configuration instructions, while the more complex examples are covered in detail here.
 ==== Network Namespaces (netns) ====
@@ Line 15: / Line 15: @@
    systemd.services."<name>".serviceConfig.NetworkNamespacePath = "/var/run/netns/<netnsName>";
 }
-</syntaxhighlight>When using [https://nixos.wiki/wiki/NixOS_Containers nixos-containers], network namespaces allow you to configure the network outside the container. This separation simplifies management and ensures the container’s network setup is independent of its internal configuration.<syntaxhighlight lang="nixos">
+</syntaxhighlight>When using [[NixOS Containers|nixos-containers]], network namespaces allow you to configure the network outside the container. This separation simplifies management and ensures the container’s network setup is independent of its internal configuration.<syntaxhighlight lang="nixos">
 {
    containers."<name>".networkNamespace = "/var/run/netns/<netnsName>";
@@ Line 65: / Line 65: @@
 To achieve this, you might want to isolate the provider network from your Global Routing Table (GRT) and bind the WireGuard endpoints. The <code>IfState</code> tool offers a link configuration option called <code>bind_netns</code>, which can be used with tunnel links (such as WireGuard, GRE, SIT, etc.) to implement this separation.
-[[File:Ifstate-vpn-gw.png|thumb|345x345px]]
+[[File:Ifstate-vpn-gw.png|center|frameless]]
 '''Important Note:''' If <code>enp0s3</code> is your provider interface, this configuration will move it into an external network namespace that contains nothing except the bound WireGuard endpoint. As a result, you won’t be able to access systemd services like your SSH server without an active WireGuard connection. Plan accordingly to avoid losing access to critical services.<syntaxhighlight lang="nixos">
@@ Line 170: / Line 164: @@
 </syntaxhighlight>
+==== DHCPv4 ====
+<syntaxhighlight lang="nixos">
+{ lib, pkgs, ... }:
+{
+  networking.ifstate = {
+    enable = true;
+    settings = {
+      parameters.hooks.dhcp.script = pkgs.writeScript "ifstate-udhcp-wrapper-script.sh" ''
+        ${lib.getExe' pkgs.busybox "udhcpc"} --quit --now -i $IFS_IFNAME -b --script ${pkgs.busybox}/default.script
+      '';
+      interfaces.eth1 = {
+        addresses = [ ];
+        hooks = [
+          { name = "dhcp"; }
+        ];
+        link = {
+          state = "up";
+          kind = "physical";
+        };
+      };
+    };
+  };
+}
+</syntaxhighlight>
 === Known Issues ===