NixOS Networking (!tCyGickeVqkHsYjWnh:nixos.org)

Declaratively manage your switching, routing, wireless, tunneling and more.
915 Members, 273 Servers

16 Apr 2026
[18:58:21] antifuchs: so, hm, I have not rebooted this host in a while (47 days since last boot on nixos-unstable, using systemd.networkd.enable=true) but now that I have rebooted it, it is refusing to set up its hostbr0 bridge. networkctl reports that hostbr0 is in "no-carrier configuring" state, ip -br l shows that interface as DOWN in NO-CARRIER state; it's backed by an Ethernet device that also shows no carrier (but ... has a lit link LED)? I'm really at a loss how to debug this, all signs say this should work but it doesn't come up.
[18:59:20] antifuchs: (deleting the bridge and setting the Ethernet interface up shows traffic if I tcpdump it, I should add)
[19:06:55] antifuchs: oh, that's right, there should be VLAN netdevs that aren't created
[19:09:41] antifuchs: yeuuuup, looks like [Match] block semantics changed: previously in a .network file I had to match the "old" name (enp*), when now I have to match the renamed name that a preceding .link file effects
[20:28:33] magic_rb: How wonderful
[20:44:22] oddlama (in reply to antifuchs: "yeuuuup, looks like [Match] block semantics changed: previously in a .network file I had to match the "old" name (enp*) when now I have to match the renamed name that a preceding .link file effects"):
I always had the least amount of pain when I matched hardware interfaces by MACAddress
17 Apr 2026
[02:59:52] antifuchs (in reply to oddlama: "I always had the least amount of pain when I matched hardware interfaces by MACAddress"):
Well, I did that in addition, but since there are bridges with inherited MACs in the mix, the config also has to match on device names
[03:00:11] antifuchs: It's supremely annoying and makes me want to redo the whole thing, but also ... not
[03:06:55] hexa: that breaks with vlans though
[17:47:45] antifuchs: Kind= might be a bit less painful tbh, but ughhh, testing this means a reboot each time
[18:08:16] hexa: you can check networkctl for the correct kind
25 Apr 2026
[00:11:34] Luke: I just tried to swap a wireguard client from wg-quick to systemd.network, and did not have a good time
[00:12:28] hexa: how so
[04:54:13] Luke:

Well, I made an attempt to go from this:

  networking.wg-quick.interfaces = {
    wg0 = {
      address = [
        "10.0.0.2/24"
        "fdc9:281f:04d7:9ee9::2/64"
      ];
      dns = [
        "10.0.0.1"
        "fdc9:281f:04d7:9ee9::1"
      ];
      privateKeyFile = "/root/wireguard-keys/privatekey";

      peers = [
        {
          publicKey = "key1";
          presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
          allowedIPs = [
            # only route vpn related services
            #"10.0.0.0/24"
            #"fdc9:281f:04d7:9ee9::/64"
            # send everything and do NAT
            "0.0.0.0/0"
            "::/0"
          ];
          # placeholder host:port, as in the systemd.network version below
          endpoint = "ip1:port1";
          persistentKeepalive = 25;
        }
      ];
    };
    wg1 = {
      address = [
        "10.0.1.2/24"
        "fdc9:281f:04d7:9eea::2/64"
      ];
      dns = [
        "10.0.1.1"
        "fdc9:281f:04d7:9eea::1"
      ];
      privateKeyFile = "/root/wireguard-keys/privatekey_wg1";

      peers = [
        {
          publicKey = "key2";
          allowedIPs = [
            "10.0.1.0/24"
            "fdc9:281f:04d7:9eea::/64"
          ];
          endpoint = "ip2:port2";
          persistentKeepalive = 25;
        }
      ];
    };
  };

to this:

  networking.useNetworkd = true;
  systemd.network = {
    networks."10-enp5s0" = {
      matchConfig.Name = "enp5s0";
      networkConfig.DHCP = "yes";
    };
    networks."50-wg0" = {
      matchConfig.Name = "wg0";
      address = [
        "fdc9:281f:04d7:9ee9::2/64"
        "10.0.0.2/24"
      ];
      domains = [ "~." ];
      dns = [
        "10.0.0.1"
        "fdc9:281f:04d7:9ee9::1"
      ];
      #networkConfig = {
      #  DNSDefaultRoute = true;
      #};
      routingPolicyRules = [
        {
          # everything not marked by the wireguard socket itself
          # is looked up in table 1337 (the tunnel's routes)
          Family = "both";
          InvertRule = true;
          FirewallMark = 94;
          Table = 1337;
          Priority = 10;
        }
        {
          # the peer endpoint itself keeps using the main table
          To = "ip1/32"; # use /32 for IPv4
          Priority = 5;
        }
      ];
    };
    netdevs."50-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };
      wireguardConfig = {
        PrivateKeyFile = "/var/lib/wireguard-keys/privatekey";
        #RouteTable = "main";
        FirewallMark = 94;
      };
      wireguardPeers = [
        {
          PublicKey = "key1";
          PresharedKeyFile = "/var/lib/wireguard-keys/preshared_from_peer0_key";
          AllowedIPs = [
            #"10.0.0.0/24"
            #"fdc9:281f:04d7:9ee9::/64"
            # send everything and do NAT
            "0.0.0.0/0"
            "::/0"
          ];
          RouteTable = 1337;
          Endpoint = "ip1:port1";
          PersistentKeepalive = 25;
        }
      ];
    };
    networks."50-wg1" = {
      matchConfig.Name = "wg1";
      address = [
        "fdc9:281f:04d7:9eea::2/64"
        "10.0.1.2/24"
      ];
      domains = [ "~." ];
      dns = [
        "10.0.1.1"
        "fdc9:281f:04d7:9eea::1"
      ];
    };
    netdevs."50-wg1" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg1";
      };
      wireguardConfig = {
        PrivateKeyFile = "/var/lib/wireguard-keys/privatekey_wg1";
        RouteTable = "main";
      };
      wireguardPeers = [
        {
          PublicKey = "key2";
          AllowedIPs = [
            "10.0.1.0/24"
            "fdc9:281f:04d7:9eea::/64"
          ];
          Endpoint = "ip2:port2";
          PersistentKeepalive = 25;
        }
      ];
    };
  };

and it kinda worked.
[04:54:57] Luke: But I have major gripes
[04:55:50] Luke: First, systemd.network does not behave like you expect from a deterministic sense - I had to manually tear down wg interfaces multiple times because I screwed something up.
[04:56:45] Luke: Second, for some reason this broke Docker container-to-container networking when using the host network, and I have no idea why, other than that there must be something I have massively misconfigured
[04:57:23] Luke: I ended up swapping back to wg-quick for now since it's been such a pain
[04:59:28] Luke: I guess my routing table there was sending Docker's traffic to the remote as well? I don't know, it's just a frustrating swap to try to make