nixos/modules/system/boot/resolved.nix at 23.05-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / system / boot / resolved.nix
at 23.05-pre 5.3 kB view raw
  1{ config, lib, pkgs, ... }:
  2
  3with lib;
  4let
  5  cfg = config.services.resolved;
  6
  7  dnsmasqResolve = config.services.dnsmasq.enable &&
  8                   config.services.dnsmasq.resolveLocalQueries;
  9
 10in
 11{
 12
 13  options = {
 14
 15    services.resolved.enable = mkOption {
 16      default = false;
 17      type = types.bool;
 18      description = lib.mdDoc ''
 19        Whether to enable the systemd DNS resolver daemon.
 20      '';
 21    };
 22
 23    services.resolved.fallbackDns = mkOption {
 24      default = [ ];
 25      example = [ "8.8.8.8" "2001:4860:4860::8844" ];
 26      type = types.listOf types.str;
 27      description = lib.mdDoc ''
 28        A list of IPv4 and IPv6 addresses to use as the fallback DNS servers.
 29        If this option is empty, a compiled-in list of DNS servers is used instead.
 30      '';
 31    };
 32
 33    services.resolved.domains = mkOption {
 34      default = config.networking.search;
 35      defaultText = literalExpression "config.networking.search";
 36      example = [ "example.com" ];
 37      type = types.listOf types.str;
 38      description = lib.mdDoc ''
 39        A list of domains. These domains are used as search suffixes
 40        when resolving single-label host names (domain names which
 41        contain no dot), in order to qualify them into fully-qualified
 42        domain names (FQDNs).
 43
 44        For compatibility reasons, if this setting is not specified,
 45        the search domains listed in
 46        {file}`/etc/resolv.conf` are used instead, if
 47        that file exists and any domains are configured in it.
 48      '';
 49    };
 50
 51    services.resolved.llmnr = mkOption {
 52      default = "true";
 53      example = "false";
 54      type = types.enum [ "true" "resolve" "false" ];
 55      description = lib.mdDoc ''
 56        Controls Link-Local Multicast Name Resolution support
 57        (RFC 4795) on the local host.
 58
 59        If set to
 60        - `"true"`: Enables full LLMNR responder and resolver support.
 61        - `"false"`: Disables both.
 62        - `"resolve"`: Only resolution support is enabled, but responding is disabled.
 63      '';
 64    };
 65
 66    services.resolved.dnssec = mkOption {
 67      default = "allow-downgrade";
 68      example = "true";
 69      type = types.enum [ "true" "allow-downgrade" "false" ];
 70      description = lib.mdDoc ''
 71        If set to
 72        - `"true"`:
 73            all DNS lookups are DNSSEC-validated locally (excluding
 74            LLMNR and Multicast DNS). Note that this mode requires a
 75            DNS server that supports DNSSEC. If the DNS server does
 76            not properly support DNSSEC all validations will fail.
 77        - `"allow-downgrade"`:
 78            DNSSEC validation is attempted, but if the server does not
 79            support DNSSEC properly, DNSSEC mode is automatically
 80            disabled. Note that this mode makes DNSSEC validation
 81            vulnerable to "downgrade" attacks, where an attacker might
 82            be able to trigger a downgrade to non-DNSSEC mode by
 83            synthesizing a DNS response that suggests DNSSEC was not
 84            supported.
 85        - `"false"`: DNS lookups are not DNSSEC validated.
 86      '';
 87    };
 88
 89    services.resolved.extraConfig = mkOption {
 90      default = "";
 91      type = types.lines;
 92      description = lib.mdDoc ''
 93        Extra config to append to resolved.conf.
 94      '';
 95    };
 96
 97  };
 98
 99  config = mkIf cfg.enable {
100
101    assertions = [
102      { assertion = !config.networking.useHostResolvConf;
103        message = "Using host resolv.conf is not supported with systemd-resolved";
104      }
105    ];
106
107    users.users.systemd-resolve.group = "systemd-resolve";
108
109    # add resolve to nss hosts database if enabled and nscd enabled
110    # system.nssModules is configured in nixos/modules/system/boot/systemd.nix
111    # added with order 501 to allow modules to go before with mkBefore
112    system.nssDatabases.hosts = (mkOrder 501 ["resolve [!UNAVAIL=return]"]);
113
114    systemd.additionalUpstreamSystemUnits = [
115      "systemd-resolved.service"
116    ];
117
118    systemd.services.systemd-resolved = {
119      wantedBy = [ "multi-user.target" ];
120      aliases = [ "dbus-org.freedesktop.resolve1.service" ];
121      restartTriggers = [ config.environment.etc."systemd/resolved.conf".source ];
122    };
123
124    environment.etc = {
125      "systemd/resolved.conf".text = ''
126        [Resolve]
127        ${optionalString (config.networking.nameservers != [])
128          "DNS=${concatStringsSep " " config.networking.nameservers}"}
129        ${optionalString (cfg.fallbackDns != [])
130          "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}
131        ${optionalString (cfg.domains != [])
132          "Domains=${concatStringsSep " " cfg.domains}"}
133        LLMNR=${cfg.llmnr}
134        DNSSEC=${cfg.dnssec}
135        ${config.services.resolved.extraConfig}
136      '';
137
138      # symlink the dynamic stub resolver of resolv.conf as recommended by upstream:
139      # https://www.freedesktop.org/software/systemd/man/systemd-resolved.html#/etc/resolv.conf
140      "resolv.conf".source = "/run/systemd/resolve/stub-resolv.conf";
141    } // optionalAttrs dnsmasqResolve {
142      "dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";
143    };
144
145    # If networkmanager is enabled, ask it to interface with resolved.
146    networking.networkmanager.dns = "systemd-resolved";
147
148    networking.resolvconf.package = pkgs.systemd;
149
150  };
151
152}