Unverified Commit d86e8d4d authored by Martin Weinelt's avatar Martin Weinelt

nixos/resolved: fix regressions after interface change

With the options being only set when `services.resolved.enable` was
enabled, they were only available if the host resolver was resolved. That
broke the resolved config used when initrd networking is enabled.

A good indicator that something is wrong is if the config section of
a module configures the options itself: that means non-introspectable
settings are being put in place.

Additionally DNS= and Domains= need to be space-separated lists. The
manpage does not indicate that they can be set multiple times.

I decided not to port the LLMNR enablement over, since it never gained
widespread traction and is generally being phased out in favor of mDNS.

Fixes: #480964
parent 66a780ae
+67 −22
@@ -10,11 +10,13 @@ let
  inherit (utils.systemdUtils.unitOptions) unitOption;

  inherit (lib)
    concatStringsSep
    elem
    isList
    literalExpression
    mkIf
    mkMerge
    mkOption
    mkOptionDefault
    mkOrder
    mkRenamedOptionModule
    mkRemovedOptionModule
@@ -26,7 +28,25 @@ let

  dnsmasqResolve = config.services.dnsmasq.enable && config.services.dnsmasq.resolveLocalQueries;

  resolvedConf = settingsToSections cfg.settings;
  transformSettings =
    settings:
    lib.mapAttrs (
      key: value:
      # concat lists for options that should result in space-separated values
      if
        elem key [
          "DNS"
          "Domains"
          "FallbackDNS"
        ]
        && isList value
      then
        concatStringsSep " " value
      else
        value
    ) settings;

  resolvedConf = settingsToSections (transformSettings cfg.settings);
in
{
  imports = [
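Review bot: `transformSettings` is applied to the whole `cfg.settings` attrset in the new binding `resolvedConf = settingsToSections (transformSettings cfg.settings);`, but `cfg.settings` is keyed by section — the only declared key is `Resolve` (`settings.Resolve = mkOption` in the next hunk) — so `key` is compared against `"DNS"`/`"Domains"`/`"FallbackDNS"` one level too high and the list-to-string join never fires. If that reading is right, list-valued DNS=/Domains= still reach `settingsToSections` as lists, which is the rendering the commit message sets out to fix. Applying the transform per section should do it: `resolvedConf = settingsToSections (lib.mapAttrs (_: transformSettings) cfg.settings);`. A one-line comment above `transformSettings` stating that it expects the contents of a single section, not the section map, would make that contract visible. The enclosing `let` starts before this hunk and its `in { … }` body continues after it.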
@@ -60,22 +80,56 @@ in
  options = {
    services.resolved = {
      enable = lib.mkEnableOption "the Systemd DNS resolver daemon (systemd-resolved)";

      settings.Resolve = mkOption {
        description = ''
          Settings option for systemd-resolved.
          See {manpage}`resolved.conf(5)` for all available options.
        '';
        # Remember to keep this in sync to the actual settings at the bottom of the page.
        defaultText = literalExpression ''
          {
            DNS = config.networking.nameservers;
            DNSOverTLS = false;
            DNSSEC = false;
            Domains = config.networking.search;
            LLMNR = true;
          }
        default = { };
        type = types.submodule {
          freeformType = types.attrsOf unitOption;
          options = {
            DNS = mkOption {
              type = unitOption;
              default = config.networking.nameservers;
              defaultText = literalExpression "config.networking.nameservers";
              description = ''
                List of IP addresses to query as recursive DNS resolvers.
              '';
            };

            DNSOverTLS = mkOption {
              type = unitOption;
              default = false;
              description = ''
                Whether to use TLS encryption for DNS queries. Requires
                nameservers that support DNS-over-TLS.
              '';
        type = types.attrsOf unitOption;
            };

            DNSSEC = mkOption {
              type = unitOption;
              default = false;
              description = ''
                Whether to validate DNSSEC for DNS lookups.
              '';
            };

            Domains = mkOption {
              type = unitOption;
              default = config.networking.search;
              defaultText = literalExpression "config.networking.search";
              example = [
                "scope.example.com"
                "example.com"
              ];
              description = ''
                List of search domains used to complete unqualified name lookups.
              '';
            };
          };
        };
      };

    };
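Review bot: The new `DNSOverTLS` and `DNSSEC` descriptions read as strictly boolean ("Whether to …"), while their type is `unitOption` (which, judging by the sibling defaults, admits booleans and lists, and in systemdUtils strings as well) and resolved.conf(5) also accepts the string modes `opportunistic` for DNSOverTLS= and `allow-downgrade` for DNSSEC=. With both defaults at `false` — plaintext transport and no validation — a reader of this option has no hint that an intermediate mode exists. Suggest extending the descriptions, e.g. for DNSOverTLS: `Whether to use TLS encryption for DNS queries (true, false or "opportunistic"; see resolved.conf(5)). Requires nameservers that support DNS-over-TLS.` and the analogous `"allow-downgrade"` wording for DNSSEC. The enclosing `options = {` attrset opens in this hunk but closes outside it.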
@@ -101,15 +155,6 @@ in
        }
      ];

      # If updating any of these attrs, also update the defaultText above.
      services.resolved.settings.Resolve = {
        DNS = config.networking.nameservers;
        DNSOverTLS = mkOptionDefault false;
        DNSSEC = mkOptionDefault false;
        Domains = mkOptionDefault config.networking.search;
        LLMNR = mkOptionDefault true;
      };

      users.users.systemd-resolve.group = "systemd-resolve";

      # add resolve to nss hosts database if enabled and nscd enabled