nixpkgs/nixos/modules/system/boot/resolved.nix

{ config, lib, ... }:

with lib;
let
  cfg = config.services.resolved;

  dnsmasqResolve = config.services.dnsmasq.enable &&
                   config.services.dnsmasq.resolveLocalQueries;

in
{

  options = {

    services.resolved.enable = mkOption {
      default = false;
      type = types.bool;
      description = ''
        Whether to enable the systemd DNS resolver daemon.
      '';
    };

    services.resolved.fallbackDns = mkOption {
      default = [ ];
      example = [ "8.8.8.8" "2001:4860:4860::8844" ];
      type = types.listOf types.str;
      description = ''
        A list of IPv4 and IPv6 addresses to use as the fallback DNS servers.
        If this option is empty, a compiled-in list of DNS servers is used instead.
      '';
    };

    services.resolved.domains = mkOption {
      default = config.networking.search;
      example = [ "example.com" ];
      type = types.listOf types.str;
      description = ''
        A list of domains. These domains are used as search suffixes
        when resolving single-label host names (domain names which
        contain no dot), in order to qualify them into fully-qualified
        domain names (FQDNs).

        For compatibility reasons, if this setting is not specified,
        the search domains listed in
        <filename>/etc/resolv.conf</filename> are used instead, if
        that file exists and any domains are configured in it.
      '';
    };

    services.resolved.llmnr = mkOption {
      default = "true";
      example = "false";
      type = types.enum [ "true" "resolve" "false" ];
      description = ''
        Controls Link-Local Multicast Name Resolution support
        (RFC 4795) on the local host.

        If set to

        <variablelist>
        <varlistentry>
          <term><literal>"true"</literal></term>
          <listitem><para>
            Enables full LLMNR responder and resolver support.
          </para></listitem>
        </varlistentry>
        <varlistentry>
          <term><literal>"false"</literal></term>
          <listitem><para>
            Disables both.
          </para></listitem>
        </varlistentry>
        <varlistentry>
          <term><literal>"resolve"</literal></term>
          <listitem><para>
            Only resolution support is enabled, but responding is disabled.
          </para></listitem>
        </varlistentry>
        </variablelist>
      '';
    };

    services.resolved.dnssec = mkOption {
      default = "allow-downgrade";
      example = "true";
      type = types.enum [ "true" "allow-downgrade" "false" ];
      description = ''
        If set to
        <variablelist>
        <varlistentry>
          <term><literal>"true"</literal></term>
          <listitem><para>
            all DNS lookups are DNSSEC-validated locally (excluding
            LLMNR and Multicast DNS). Note that this mode requires a
            DNS server that supports DNSSEC. If the DNS server does
            not properly support DNSSEC all validations will fail.
          </para></listitem>
        </varlistentry>
        <varlistentry>
          <term><literal>"allow-downgrade"</literal></term>
          <listitem><para>
            DNSSEC validation is attempted, but if the server does not
            support DNSSEC properly, DNSSEC mode is automatically
            disabled. Note that this mode makes DNSSEC validation
            vulnerable to "downgrade" attacks, where an attacker might
            be able to trigger a downgrade to non-DNSSEC mode by
            synthesizing a DNS response that suggests DNSSEC was not
            supported.
          </para></listitem>
        </varlistentry>
        <varlistentry>
          <term><literal>"false"</literal></term>
          <listitem><para>
            DNS lookups are not DNSSEC validated.
          </para></listitem>
        </varlistentry>
        </variablelist>
      '';
    };

    services.resolved.extraConfig = mkOption {
      default = "";
      type = types.lines;
      description = ''
        Extra config to append to resolved.conf.
      '';
    };

  };

  config = mkIf cfg.enable {

    assertions = [
      { assertion = !config.networking.useHostResolvConf;
        message = "Using host resolv.conf is not supported with systemd-resolved";
      }
    ];

    users.users.systemd-resolve.group = "systemd-resolve";

    # add resolve to nss hosts database if enabled and nscd enabled
    # system.nssModules is configured in nixos/modules/system/boot/systemd.nix
    system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]";

    systemd.additionalUpstreamSystemUnits = [
      "systemd-resolved.service"
    ];

    systemd.services.systemd-resolved = {
      wantedBy = [ "multi-user.target" ];
      aliases = [ "dbus-org.freedesktop.resolve1.service" ];
      restartTriggers = [ config.environment.etc."systemd/resolved.conf".source ];
    };

    environment.etc = {
      "systemd/resolved.conf".text = ''
        [Resolve]
        ${optionalString (config.networking.nameservers != [])
          "DNS=${concatStringsSep " " config.networking.nameservers}"}
        ${optionalString (cfg.fallbackDns != [])
          "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}
        ${optionalString (cfg.domains != [])
          "Domains=${concatStringsSep " " cfg.domains}"}
        LLMNR=${cfg.llmnr}
        DNSSEC=${cfg.dnssec}
        ${config.services.resolved.extraConfig}
      '';

      # symlink the dynamic stub resolver of resolv.conf as recommended by upstream:
      # https://www.freedesktop.org/software/systemd/man/systemd-resolved.html#/etc/resolv.conf
      "resolv.conf".source = "/run/systemd/resolve/stub-resolv.conf";
    } // optionalAttrs dnsmasqResolve {
      "dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";
    };

    # If networkmanager is enabled, ask it to interface with resolved.
    networking.networkmanager.dns = "systemd-resolved";

  };

}
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ config, lib, ... }:`
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00
			`with lib;`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`let`
			`cfg = config.services.resolved;`
resolvconf service: init This is a refactor of how resolvconf is managed on NixOS. We split it into a separate service which is enabled internally depending on whether we want /etc/resolv.conf to be managed by it. Various services now take advantage of those configuration options. We also now use systemd instead of activation scripts to update resolv.conf. NetworkManager now uses the right option for rc-manager DNS automatically, so the configuration option shouldn't be exposed. 2019-07-15 20:18:49 +03:00
			`dnsmasqResolve = config.services.dnsmasq.enable &&`
			`config.services.dnsmasq.resolveLocalQueries;`

modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`in`
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00			`{`

			`options = {`

			`services.resolved.enable = mkOption {`
			`default = false;`
			`type = types.bool;`
			`description = ''`
			`Whether to enable the systemd DNS resolver daemon.`
			`'';`
			`};`

modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`services.resolved.fallbackDns = mkOption {`
			`default = [ ];`
			`example = [ "8.8.8.8" "2001:4860:4860::8844" ];`
			`type = types.listOf types.str;`
			`description = ''`
			`A list of IPv4 and IPv6 addresses to use as the fallback DNS servers.`
			`If this option is empty, a compiled-in list of DNS servers is used instead.`
			`'';`
			`};`

			`services.resolved.domains = mkOption {`
			`default = config.networking.search;`
			`example = [ "example.com" ];`
			`type = types.listOf types.str;`
			`description = ''`
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`A list of domains. These domains are used as search suffixes`
			`when resolving single-label host names (domain names which`
			`contain no dot), in order to qualify them into fully-qualified`
			`domain names (FQDNs).`
FIx some malformed XML in option descriptions E.g. these were using "<para>" at the end of a description. The real WTF is that this is possible at all... 2019-05-13 09:15:17 +02:00
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`For compatibility reasons, if this setting is not specified,`
			`the search domains listed in`
			`<filename>/etc/resolv.conf</filename> are used instead, if`
			`that file exists and any domains are configured in it.`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`'';`
			`};`

			`services.resolved.llmnr = mkOption {`
			`default = "true";`
			`example = "false";`
			`type = types.enum [ "true" "resolve" "false" ];`
			`description = ''`
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`Controls Link-Local Multicast Name Resolution support`
			`(RFC 4795) on the local host.`
FIx some malformed XML in option descriptions E.g. these were using "<para>" at the end of a description. The real WTF is that this is possible at all... 2019-05-13 09:15:17 +02:00
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`If set to`
FIx some malformed XML in option descriptions E.g. these were using "<para>" at the end of a description. The real WTF is that this is possible at all... 2019-05-13 09:15:17 +02:00
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`<variablelist>`
			`<varlistentry>`
			`<term><literal>"true"</literal></term>`
			`<listitem><para>`
			`Enables full LLMNR responder and resolver support.`
			`</para></listitem>`
			`</varlistentry>`
			`<varlistentry>`
			`<term><literal>"false"</literal></term>`
			`<listitem><para>`
			`Disables both.`
			`</para></listitem>`
			`</varlistentry>`
			`<varlistentry>`
			`<term><literal>"resolve"</literal></term>`
			`<listitem><para>`
			`Only resolution support is enabled, but responding is disabled.`
			`</para></listitem>`
			`</varlistentry>`
			`</variablelist>`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`'';`
			`};`

			`services.resolved.dnssec = mkOption {`
			`default = "allow-downgrade";`
			`example = "true";`
			`type = types.enum [ "true" "allow-downgrade" "false" ];`
			`description = ''`
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`If set to`
			`<variablelist>`
			`<varlistentry>`
			`<term><literal>"true"</literal></term>`
			`<listitem><para>`
			`all DNS lookups are DNSSEC-validated locally (excluding`
			`LLMNR and Multicast DNS). Note that this mode requires a`
			`DNS server that supports DNSSEC. If the DNS server does`
			`not properly support DNSSEC all validations will fail.`
			`</para></listitem>`
			`</varlistentry>`
			`<varlistentry>`
			`<term><literal>"allow-downgrade"</literal></term>`
			`<listitem><para>`
			`DNSSEC validation is attempted, but if the server does not`
			`support DNSSEC properly, DNSSEC mode is automatically`
			`disabled. Note that this mode makes DNSSEC validation`
			`vulnerable to "downgrade" attacks, where an attacker might`
			`be able to trigger a downgrade to non-DNSSEC mode by`
			`synthesizing a DNS response that suggests DNSSEC was not`
			`supported.`
			`</para></listitem>`
			`</varlistentry>`
			`<varlistentry>`
			`<term><literal>"false"</literal></term>`
			`<listitem><para>`
			`DNS lookups are not DNSSEC validated.`
			`</para></listitem>`
			`</varlistentry>`
			`</variablelist>`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`'';`
			`};`

			`services.resolved.extraConfig = mkOption {`
			`default = "";`
			`type = types.lines;`
			`description = ''`
			`Extra config to append to resolved.conf.`
			`'';`
			`};`

systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00			`};`

modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`config = mkIf cfg.enable {`
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00
resolvconf service: init This is a refactor of how resolvconf is managed on NixOS. We split it into a separate service which is enabled internally depending on whether we want /etc/resolv.conf to be managed by it. Various services now take advantage of those configuration options. We also now use systemd instead of activation scripts to update resolv.conf. NetworkManager now uses the right option for rc-manager DNS automatically, so the configuration option shouldn't be exposed. 2019-07-15 20:18:49 +03:00			`assertions = [`
			`{ assertion = !config.networking.useHostResolvConf;`
			`message = "Using host resolv.conf is not supported with systemd-resolved";`
			`}`
			`];`

nixos/systemd-resolved: fix incorrect user 2020-11-05 20:47:19 +08:00			`users.users.systemd-resolve.group = "systemd-resolve";`
nixos/resolved: add user systemd-resolve to group systemd-resolve 2019-11-24 22:46:10 +01:00
nixos/systemd/resolved: add resolve to nss hosts database if enabled We keep the "only add the nss module if nscd is enabled" logic for now. The assertion never was triggered, so it can be removed. 2020-05-05 13:41:12 +02:00			`# add resolve to nss hosts database if enabled and nscd enabled`
			`# system.nssModules is configured in nixos/modules/system/boot/systemd.nix`
			`system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]";`

systemd: 231 -> 232 Includes adding some more upstream units and removing obsolete (-.slice) ones. 2017-01-26 01:52:38 +01:00			`systemd.additionalUpstreamSystemUnits = [`
systemd: 234 -> 237 Co-Authored-By: Florian Klink <flokli@flokli.de> Co-Authored-By: Andreas Rammhold <andreas@rammhold.de> 2018-02-11 23:43:24 +01:00			`"systemd-resolved.service"`
systemd: 231 -> 232 Includes adding some more upstream units and removing obsolete (-.slice) ones. 2017-01-26 01:52:38 +01:00			`];`
Don't include networkd units unless enabled Otherwise, the enabled -> disabled transition won't be handled correctly (switch-to-configuration currently assumes that if a unit is running and exists, it should be restarted). 2015-04-19 21:11:14 +02:00
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00			`systemd.services.systemd-resolved = {`
			`wantedBy = [ "multi-user.target" ];`
nixos/resolved: Include dbus alias of resolved unit This will make dbus socket activation for it work When `systemd-resolved` is restarted; this would lead to unavailability of DNS lookups. You're supposed to use DBUS socket activation to buffer resolved requests; such that restarts happen without downtime 2020-05-08 14:15:41 +02:00			`aliases = [ "dbus-org.freedesktop.resolve1.service" ];`
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00			`restartTriggers = [ config.environment.etc."systemd/resolved.conf".source ];`
			`};`

resolvconf service: init This is a refactor of how resolvconf is managed on NixOS. We split it into a separate service which is enabled internally depending on whether we want /etc/resolv.conf to be managed by it. Various services now take advantage of those configuration options. We also now use systemd instead of activation scripts to update resolv.conf. NetworkManager now uses the right option for rc-manager DNS automatically, so the configuration option shouldn't be exposed. 2019-07-15 20:18:49 +03:00			`environment.etc = {`
			`"systemd/resolved.conf".text = ''`
			`[Resolve]`
			`${optionalString (config.networking.nameservers != [])`
			`"DNS=${concatStringsSep " " config.networking.nameservers}"}`
			`${optionalString (cfg.fallbackDns != [])`
			`"FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}`
			`${optionalString (cfg.domains != [])`
			`"Domains=${concatStringsSep " " cfg.domains}"}`
			`LLMNR=${cfg.llmnr}`
			`DNSSEC=${cfg.dnssec}`
			`${config.services.resolved.extraConfig}`
			`'';`

			`# symlink the dynamic stub resolver of resolv.conf as recommended by upstream:`
			`# https://www.freedesktop.org/software/systemd/man/systemd-resolved.html#/etc/resolv.conf`
			`"resolv.conf".source = "/run/systemd/resolve/stub-resolv.conf";`
			`} // optionalAttrs dnsmasqResolve {`
			`"dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";`
			`};`
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00
networkmanager: Expand dns description, integrate with other services (#41898) Rather than special-casing the dns options in networkmanager.nix, use the module system to let unbound and systemd-resolved contribute to the newtorkmanager config. 2018-06-29 13:41:46 -04:00			`# If networkmanager is enabled, ask it to interface with resolved.`
			`networking.networkmanager.dns = "systemd-resolved";`
resolvconf service: init This is a refactor of how resolvconf is managed on NixOS. We split it into a separate service which is enabled internally depending on whether we want /etc/resolv.conf to be managed by it. Various services now take advantage of those configuration options. We also now use systemd instead of activation scripts to update resolv.conf. NetworkManager now uses the right option for rc-manager DNS automatically, so the configuration option shouldn't be exposed. 2019-07-15 20:18:49 +03:00
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00			`};`

			`}`