nixos/dhcpcd: don't solicit or accept ipv6 router advertisements if use static addresses

nixos/doc/manual/from_md/release-notes/rl-2305.section.xml

@@ -377,6 +377,13 @@
           security.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <literal>services.dhcpcd</literal> service now don’t solicit
+          or accept IPv6 Router Advertisements on interfaces that use
+          static IPv6 addresses.
+        </para>
+      </listitem>
       <listitem>
         <para>
           The module <literal>services.headscale</literal> was

nixos/doc/manual/release-notes/rl-2305.section.md

@@ -104,6 +104,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `services.chronyd` is now started with additional systemd sandbox/hardening options for better security.
 
+- `services.dhcpcd` service now don't solicit or accept IPv6 Router Advertisements on interfaces that use static IPv6 addresses.
+
 - The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed:
 
   - Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that

nixos/modules/services/networking/dhcpcd.nix

@@ -33,6 +33,13 @@ let
     (if !config.networking.useDHCP && enableDHCP then
       map (i: i.name) (filter (i: i.useDHCP == true) interfaces) else null);
 
+  staticIPv6Addresses = map (i: i.name) (filter (i: i.ipv6.addresses != [ ]) interfaces);
+
+  noIPv6rs = concatStringsSep "\n" (map (name: ''
+    interface ${name}
+    noipv6rs
+  '') staticIPv6Addresses);
+
   # Config file adapted from the one that ships with dhcpcd.
   dhcpcdConf = pkgs.writeText "dhcpcd.conf"
     ''
@@ -75,6 +82,8 @@ let
       ''}
 
       ${cfg.extraConfig}
+
+      ${optionalString config.networking.enableIPv6 noIPv6rs}
     '';
 
   exitHook = pkgs.writeText "dhcpcd.exit-hook"