From 0e9cb9fcfda189bde0cd6bbd47773b5e7b041e3d Mon Sep 17 00:00:00 2001 From: Izorkin Date: Wed, 4 Jan 2023 18:05:13 +0300 Subject: nixos/dhcpcd: don't solicit or accept ipv6 router advertisements if use static addresses --- nixos/doc/manual/from_md/release-notes/rl-2305.section.xml | 7 +++++++ nixos/doc/manual/release-notes/rl-2305.section.md | 2 ++ nixos/modules/services/networking/dhcpcd.nix | 9 +++++++++ 3 files changed, 18 insertions(+) (limited to 'nixos') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml index 518a89688b95b..6db398db4c809 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml @@ -377,6 +377,13 @@ security. + + + services.dhcpcd service now don’t solicit + or accept IPv6 Router Advertisements on interfaces that use + static IPv6 addresses. + + The module services.headscale was diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 312ff3463039a..d6a2c7b67e83f 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -104,6 +104,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `services.chronyd` is now started with additional systemd sandbox/hardening options for better security. +- `services.dhcpcd` service now don't solicit or accept IPv6 Router Advertisements on interfaces that use static IPv6 addresses. + - The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed: - Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that 
diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix index ac5d45a65e3b8..9a0b29fbe5a7f 100644 --- a/nixos/modules/services/networking/dhcpcd.nix +++ b/nixos/modules/services/networking/dhcpcd.nix @@ -33,6 +33,13 @@ let (if !config.networking.useDHCP && enableDHCP then map (i: i.name) (filter (i: i.useDHCP == true) interfaces) else null); + staticIPv6Addresses = map (i: i.name) (filter (i: i.ipv6.addresses != [ ]) interfaces); + + noIPv6rs = concatStringsSep "\n" (map (name: '' + interface ${name} + noipv6rs + '') staticIPv6Addresses); + # Config file adapted from the one that ships with dhcpcd. dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' @@ -75,6 +82,8 @@ let ''} ${cfg.extraConfig} + + ${optionalString config.networking.enableIPv6 noIPv6rs} ''; exitHook = pkgs.writeText "dhcpcd.exit-hook" -- cgit 1.4.1
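Review bot: `staticIPv6Addresses` holds interface names (`map (i: i.name) …`), not addresses, and neither new binding says why it exists. A name such as `staticIPv6Interfaces` plus a short comment would make the intent clear, for example `# Interfaces with static IPv6 addresses; dhcpcd is told not to solicit or accept Router Advertisements on them.` The filter keys only on `i.ipv6.addresses != [ ]`, so an interface that has a static address but still relies on RAs for its default route gets `noipv6rs` as well; if that is intended, the comment should say so. The enclosing `let` block starts and ends outside the hunk.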
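Review bot: The position of `${optionalString config.networking.enableIPv6 noIPv6rs}` at the very end of the generated file matters and deserves a comment. In dhcpcd.conf an `interface` line scopes the options that follow it, so these blocks have to stay after `${cfg.extraConfig}`; something like `# Must stay last: each "interface" line scopes the options after it.` would record that. A side effect is that a per-interface setting in `extraConfig` presumably cannot re-enable router solicitation, because the generated block comes later. This also changes only dhcpcd's behaviour: whether the kernel itself still processes RAs on these interfaces depends on its `accept_ra` setting, which the visible lines do not touch, so confirm that before the release note describes the interface as not accepting RAs. The `dhcpcdConf` string begins before this hunk.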