!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking

894 Members
Declaratively manage your switching, routing, wireless, tunneling and more.
261 Servers



Sender Message Time
9 Jul 2025
@zhaofeng:zhaofeng.li Zhaofeng Li: do we need to disable the start limit as well? 01:15:32
@zhaofeng:zhaofeng.li Zhaofeng Li: * do we need to disable the restart limit as well? 01:16:32
@hexa:lossy.network hexa: both services only failed once, so I don't think we do 😄 01:16:43
@zhaofeng:zhaofeng.li Zhaofeng Li: * do we need to disable the restart limit as well? also Restart = "on-failure" should be the default? 01:16:48
@hexa:lossy.network hexa: yeah, they fail just the first time round 01:17:28
* @hexa:lossy.network hexa screams 01:17:32
@zhaofeng:zhaofeng.li Zhaofeng Li: * do we need to disable the restart limit as well? also Restart = "on-failure" should be the default? no, it isn't aaaa 01:18:27
@zhaofeng:zhaofeng.li Zhaofeng Li: theoretically there is still a chance that systemd will keep fighting against itself forever 🤓 01:19:59
10 Jul 2025
@maciel310:matrix.org maciel310 joined the room. 02:58:34
@maciel310:matrix.org maciel310:

Hey all, hoping someone might be able to help with an issue I'm hitting configuring VLANs. Use case is pretty simple, the only connection should be over the vlan, no untagged traffic or IP assigned. Following the docs (https://nixos.wiki/wiki/Systemd-networkd#VLAN) I came up with this systemd-networkd config, but pinging even local addresses returns unreachable. Any thoughts, or ideas on how to debug?

systemd.network = {
    enable = true;

    netdevs = {
      "20-vlan30" = {
        netdevConfig = {
          Kind = "vlan";
          Name = "vlan30";
        };
        vlanConfig.Id = 30;
      };
    };

    networks = {
      "30-enp0s20f0u1u2" = {
        matchConfig.Name = "enp0s20f0u1u2";
        vlan = [ "vlan30" ];
        networkConfig.LinkLocalAddressing = "no";
        linkConfig.RequiredForOnline = "carrier";
      };
      "40-vlan30" = {
        matchConfig.Name = "vlan30";
        address = [ "192.168.30.7/24" ];
        routes = [
          { Gateway = "192.168.30.1"; }
        ];
        linkConfig.RequiredForOnline = "routable";
      };
    };
  };
04:43:33
@maciel310:matrix.org maciel310:

And here's the output of a couple commands to show the state, LMK if there are any other commands that would be helpful

$ networkctl
IDX LINK          TYPE     OPERATIONAL SETUP
  1 lo            loopback carrier     unmanaged
  2 enp0s20f0u1u2 ether    carrier     configured
  3 vlan30        vlan     routable    configured

3 links listed.

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp0s20f0u1u2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 1c:bf:ce:a7:84:b8 brd ff:ff:ff:ff:ff:ff
    altname enx1cbfcea784b8
3: vlan30@enp0s20f0u1u2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1c:bf:ce:a7:84:b8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.30.7/24 brd 192.168.30.255 scope global vlan30
       valid_lft forever preferred_lft forever
    inet6 fe80::1ebf:ceff:fea7:84b8/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
05:42:58
@hexa:lossy.network hexa: looks good from here 12:10:14
@hexa:lossy.network hexa: I'd expect the issue will be on the switchport or the other endpoint 12:10:36
@hexa:lossy.network hexa: different question … what is the least awful way to make sure a consumer of a module I'm providing uses a DNSSEC validating resolver? 14:21:04
@hexa:lossy.network hexa: given that the resolver can be on the local machine (preferable) or not this seems a bit difficult to assert on 🤪 14:22:50
@emilazy:matrix.org emily: seems like not really something you can detect before runtime 14:23:05
@sandro:supersandro.de Sandro 🐧: within reason probably not at all 14:23:10
@hexa:lossy.network hexa: so I'm wondering what the right approximation would be 14:23:11
@sandro:supersandro.de Sandro 🐧: You could check if kresd is used with dnssec checks on 14:23:24
@emilazy:matrix.org emily: I would just do nothing or have services.X.yesIPromiseImUsingDNSSec 14:23:25
@emilazy:matrix.org emily: especially for remote it's hopeless, but even locally there can be all kinds of layers between an enabled service and what actually ends up being used for DNS resolution 14:23:49
@hexa:lossy.network hexa: so one thing I could do is check for networking.resolvconf.useLocalResolver 14:24:14
@hexa:lossy.network hexa:

the other thing, that I found super awful was

         lib.any (with config; [
          services.bind.enable
          services.dnsmasq.enable
          services.kresd.enable
          services.unbound.enable
          services.pdns-recursor.enable
        ]);
14:25:03
@emilazy:matrix.org emily: that would (sorry) break resolved with DNSSEC 14:25:24
@hexa:lossy.network hexa: but then I found people used dnscrypt2-proxy and other weird stuff 14:25:28
@emilazy:matrix.org emily: dnscrypt-proxy2 doesn't do DNSSEC validation 14:25:42
@hexa:lossy.network hexa: resolved is fucked for this use case, I don't care 🙂 14:25:47

Room Version: 6