From d52d621efbe337b74b9fd83140a20db4723cf87c Mon Sep 17 00:00:00 2001
From: Nico Felbinger
Date: Tue, 26 Nov 2024 18:41:42 +0100
Subject: [PATCH] nixos-containers: add networkNamespace option
---
 .../virtualisation/nixos-containers.nix | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix
index cd9f4b3a5d26a5..73cff2f267a354 100644
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -134,6 +134,10 @@ let
 extraFlags+=("--network-bridge=$HOST_BRIDGE")
 fi
+ if [ -n "$NETWORK_NAMESPACE_PATH" ]; then
+ extraFlags+=("--network-namespace-path=$NETWORK_NAMESPACE_PATH")
+ fi
+
 extraFlags+=(${lib.escapeShellArgs (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)})
 for iface in $INTERFACES; do
@@ -632,6 +636,20 @@ in
 '';
 };
+ networkNamespace = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ Takes the path to a file representing a kernel network namespace that the container
+ shall run in. The specified path should refer to a (possibly bind-mounted) network
+ namespace file, as exposed by the kernel below /proc//ns/net. This makes the
+ container enter the given network namespace. One of the typical use cases is to give
+ a network namespace under /run/netns created by ip-netns(8).
+ Note that this option cannot be used together with other network-related options,
+ such as --private-network or --network-interface=.
+ '';
+ };
+
 interfaces = mkOption {
 type = types.listOf types.str;
 default = [];
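Review bot: The description of the new `networkNamespace` option names nspawn flags (`--private-network`, `--network-interface=`) instead of the NixOS options that actually conflict with it, so a reader of the module documentation cannot tell which settings to avoid; the closing sentence should read along the lines of `This option cannot be combined with privateNetwork, interfaces, macvlans or extraVeths, which each pass their own network flags to systemd-nspawn.` The text also shows `/proc//ns/net`, which lacks the PID segment; if that is not a rendering artifact of this page it should be `/proc/<PID>/ns/net`. The trailing `--network-interface=.` reads as an unfinished example for the same reason and is best replaced by the option names above.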
@@ -793,6 +811,11 @@ in
 {
 warnings = optional (!config.boot.enableContainers && config.containers != {})
 "containers. is used, but boot.enableContainers is false. To use containers., set boot.enableContainers to true.";
+
+ assertions = let
+ mapper = name: cfg: optional (cfg.networkNamespace != null && (cfg.privateNetwork || cfg.interfaces != []))
+ "containers.${name}.networkNamespace is mutally exclusive to containers.${name}.privateNetwork and containers.${name}.interfaces.";
+ in mkMerge (mapAttrsToList mapper config.containers);
 }
 (mkIf (config.boot.enableContainers) (let
@@ -896,6 +919,9 @@ in
 ${optionalString (cfg.localAddress6 != null) ''
 LOCAL_ADDRESS6=${cfg.localAddress6}
 ''}
+ ${optionalString (cfg.networkNamespace != null) ''
+ NETWORK_NAMESPACE_PATH=${cfg.networkNamespace}
+ ''}
 ''}
 INTERFACES="${toString cfg.interfaces}"
 MACVLANS="${toString cfg.macvlans}"
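Review bot: The new assertion in `mapper` only rejects `privateNetwork` and `interfaces`, yet the start script in the first hunk also appends network flags derived from `extraVeths` (the `extraFlags+=(${lib.escapeShellArgs (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)})` line) and, judging by the `MACVLANS=` variable written in the last hunk, presumably from `macvlans` too, so those combinations pass evaluation and only fail later when nspawn refuses the flag mix at container start. The condition should be widened to `optional (cfg.networkNamespace != null && (cfg.privateNetwork || cfg.interfaces != [] || cfg.macvlans != [] || cfg.extraVeths != {}))` and the message should list the same options. The message string also misspells `mutally`; `mutually exclusive with` reads correctly.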
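Review bot: The three added `${optionalString (cfg.networkNamespace != null) '' … ''}` lines sit inside an enclosing `${optionalString … ''` block whose condition is outside the hunk — the context line `''}` right after them closes it. If that is the `cfg.privateNetwork` block the neighbouring `LOCAL_ADDRESS6` line belongs to, `NETWORK_NAMESPACE_PATH` is only written when privateNetwork is set, which the new assertion forbids, so the flag added in the first hunk would never reach nspawn; moving the added lines after that closing `''}`, next to `INTERFACES=`, removes the dependency. The value is also interpolated unquoted into a file that, going by the `[ -n "$NETWORK_NAMESPACE_PATH" ]` test in the first hunk, the start script appears to source, so a path containing whitespace or shell metacharacters would break the script; `NETWORK_NAMESPACE_PATH=${lib.escapeShellArg (toString cfg.networkNamespace)}` would be safer, though the existing neighbours follow the same unquoted pattern.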