IfState: Difference between revisions

(5 intermediate revisions by the same user not shown)

Line 65:

To achieve this, you might want to isolate the provider network from your Global Routing Table (GRT) and bind the WireGuard endpoints. The <code>IfState</code> tool offers a link configuration option called <code>bind_netns</code>, which can be used with tunnel links (such as WireGuard, GRE, SIT, etc.) to implement this separation.

[[File:Ifstate-vpn-gw.png|center|frameless]]

'''Important Note:''' If <code>enp0s3</code> is your provider interface, this configuration will move it into an external network namespace that contains nothing except the bound WireGuard endpoint. As a result, you won’t be able to access systemd services like your SSH server without an active WireGuard connection. Plan accordingly to avoid losing access to critical services.<syntaxhighlight lang="nixos">

Line 161:

Line 162:

}

</syntaxhighlight>

==== DHCPv4 ====

{ lib, pkgs, ... }:

{

networking.ifstate = {

enable = true;

settings = {

parameters.hooks.dhcp.script = pkgs.writeScript "ifstate-udhcp-wrapper-script.sh" ''

${lib.getExe' pkgs.busybox "udhcpc"} --quit --now -i $IFS_IFNAME -b --script ${pkgs.busybox}/default.script

'';

interfaces.eth1 = {

addresses = [ ];

hooks = [

{ name = "dhcp"; }

];

link = {

state = "up";

kind = "physical";

};

}

</syntaxhighlight>

@@ Line 65: / Line 65: @@
 To achieve this, you might want to isolate the provider network from your Global Routing Table (GRT) and bind the WireGuard endpoints. The <code>IfState</code> tool offers a link configuration option called <code>bind_netns</code>, which can be used with tunnel links (such as WireGuard, GRE, SIT, etc.) to implement this separation.
+[[File:Ifstate-vpn-gw.png|center|frameless]]
 '''Important Note:''' If <code>enp0s3</code> is your provider interface, this configuration will move it into an external network namespace that contains nothing except the bound WireGuard endpoint. As a result, you won’t be able to access systemd services like your SSH server without an active WireGuard connection. Plan accordingly to avoid losing access to critical services.<syntaxhighlight lang="nixos">
@@ Line 161: / Line 162: @@
 }
+</syntaxhighlight>
+==== DHCPv4 ====
+<syntaxhighlight lang="nixos">
+{ lib, pkgs, ... }:
+{
+  networking.ifstate = {
+    enable = true;
+    settings = {
+      parameters.hooks.dhcp.script = pkgs.writeScript "ifstate-udhcp-wrapper-script.sh" ''
+        ${lib.getExe' pkgs.busybox "udhcpc"} --quit --now -i $IFS_IFNAME -b --script ${pkgs.busybox}/default.script
+      '';
+      interfaces.eth1 = {
+        addresses = [ ];
+        hooks = [
+          { name = "dhcp"; }
+        ];
+        link = {
+          state = "up";
+          kind = "physical";
+        };
+      };
+    };
+  };
+}
 </syntaxhighlight>