diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix
index 5a353fc0942a..c541d4fa6041 100644
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@@ -6,6 +6,8 @@ let
 
   dhcpcd = if !config.boot.isContainer then pkgs.dhcpcd else pkgs.dhcpcd.override { udev = null; };
 
+  cfg = config.networking.dhcpcd;
+
   # Don't start dhcpcd on explicitly configured interfaces or on
   # interfaces that are part of a bridge.
   ignoredInterfaces =
@@ -37,7 +39,10 @@ let
       # (Xen) and virbr* and vnet* (libvirt).
       denyinterfaces ${toString ignoredInterfaces} lo peth* vif* tap* tun* virbr* vnet* vboxnet*
 
-      ${config.networking.dhcpcd.extraConfig}
+      # Use the list of allowed interfaces if specified
+      ${optionalString (cfg.allowInterfaces != [ ]) "allowinterfaces ${toString cfg.allowInterfaces}"}
+
+      ${cfg.extraConfig}
     '';
 
   # Hook for emitting ip-up/ip-down events.
@@ -80,6 +85,17 @@ in
       '';
     };
 
+    networking.dhcpcd.allowInterfaces = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = ''
+         Enable the DHCP client for any interface whose name matches
+         any of the shell glob patterns in this list. Any interface not
+         explicitly matched by this pattern will be denied. This pattern only
+         applies when the list is non-empty.
+      '';
+    };
+
     networking.dhcpcd.extraConfig = mkOption {
       type = types.lines;
       default = "";