diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix
index eab4e73e19a..4b9086022ed 100644
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@@ -7,16 +7,6 @@ with lib;
let
cfg = config.networking;
- dnsmasqResolve = config.services.dnsmasq.enable &&
- config.services.dnsmasq.resolveLocalQueries;
- hasLocalResolver = config.services.bind.enable ||
- config.services.unbound.enable ||
- dnsmasqResolve;
-
- resolvconfOptions = cfg.resolvconfOptions
- ++ optional cfg.dnsSingleRequest "single-request"
- ++ optional cfg.dnsExtensionMechanism "edns0";
-
localhostMapped4 = cfg.hosts ? "127.0.0.1" && elem "localhost" cfg.hosts."127.0.0.1";
localhostMapped6 = cfg.hosts ? "::1" && elem "localhost" cfg.hosts."::1";
@@ -64,48 +54,6 @@ in
'';
};
- networking.dnsSingleRequest = lib.mkOption {
- type = types.bool;
- default = false;
- description = ''
- Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA)
- address queries at the same time, from the same port. Sometimes upstream
- routers will systemically drop the ipv4 queries. The symptom of this problem is
- that 'getent hosts example.com' only returns ipv6 (or perhaps only ipv4) addresses. The
- workaround for this is to specify the option 'single-request' in
- /etc/resolv.conf. This option enables that.
- '';
- };
-
- networking.dnsExtensionMechanism = lib.mkOption {
- type = types.bool;
- default = true;
- description = ''
- Enable the edns0
option in resolv.conf. With
- that option set, glibc
supports use of the extension mechanisms for
- DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC,
- which does not work without it.
- '';
- };
-
- networking.extraResolvconfConf = lib.mkOption {
- type = types.lines;
- default = "";
- example = "libc=NO";
- description = ''
- Extra configuration to append to resolvconf.conf.
- '';
- };
-
- networking.resolvconfOptions = lib.mkOption {
- type = types.listOf types.str;
- default = [];
- example = [ "ndots:1" "rotate" ];
- description = ''
- Set the options in /etc/resolv.conf.
- '';
- };
-
networking.timeServers = mkOption {
default = [
"0.nixos.pool.ntp.org"
@@ -240,35 +188,6 @@ in
# /etc/host.conf: resolver configuration file
"host.conf".text = cfg.hostConf;
- # /etc/resolvconf.conf: Configuration for openresolv.
- "resolvconf.conf".text =
- ''
- # This is the default, but we must set it here to prevent
- # a collision with an apparently unrelated environment
- # variable with the same name exported by dhcpcd.
- interface_order='lo lo[0-9]*'
- '' + optionalString config.services.nscd.enable ''
- # Invalidate the nscd cache whenever resolv.conf is
- # regenerated.
- libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service 2> /dev/null'
- '' + optionalString (length resolvconfOptions > 0) ''
- # Options as described in resolv.conf(5)
- resolv_conf_options='${concatStringsSep " " resolvconfOptions}'
- '' + optionalString hasLocalResolver ''
- # This hosts runs a full-blown DNS resolver.
- name_servers='127.0.0.1'
- '' + optionalString dnsmasqResolve ''
- dnsmasq_conf=/etc/dnsmasq-conf.conf
- dnsmasq_resolv=/etc/dnsmasq-resolv.conf
- '' + cfg.extraResolvconfConf + ''
- '';
-
- } // optionalAttrs config.services.resolved.enable {
- # symlink the dynamic stub resolver of resolv.conf as recommended by upstream:
- # https://www.freedesktop.org/software/systemd/man/systemd-resolved.html#/etc/resolv.conf
- "resolv.conf".source = "/run/systemd/resolve/stub-resolv.conf";
- } // optionalAttrs (config.services.resolved.enable && dnsmasqResolve) {
- "dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";
} // optionalAttrs (pkgs.stdenv.hostPlatform.libc == "glibc") {
# /etc/rpc: RPC program numbers.
"rpc".source = pkgs.glibc.out + "/etc/rpc";
@@ -295,29 +214,6 @@ in
# Install the proxy environment variables
environment.sessionVariables = cfg.proxy.envVars;
- # This is needed when /etc/resolv.conf is being overriden by networkd
- # and other configurations. If the file is destroyed by an environment
- # activation then it must be rebuilt so that applications which interface
- # with /etc/resolv.conf directly don't break.
- system.activationScripts.resolvconf = stringAfter [ "etc" "specialfs" "var" ]
- ''
- # Systemd resolved controls its own resolv.conf
- rm -f /run/resolvconf/interfaces/systemd
- ${optionalString config.services.resolved.enable ''
- rm -rf /run/resolvconf/interfaces
- mkdir -p /run/resolvconf/interfaces
- ln -s /run/systemd/resolve/resolv.conf /run/resolvconf/interfaces/systemd
- ''}
-
- # Make sure resolv.conf is up to date if not managed manually, by systemd or
- # by NetworkManager
- ${optionalString (!config.environment.etc?"resolv.conf" &&
- (cfg.networkmanager.enable ->
- cfg.networkmanager.rc-manager == "resolvconf")) ''
- ${pkgs.openresolv}/bin/resolvconf -u
- ''}
- '';
-
};
}
diff --git a/nixos/modules/config/resolvconf.nix b/nixos/modules/config/resolvconf.nix
new file mode 100644
index 00000000000..406c6a7ac32
--- /dev/null
+++ b/nixos/modules/config/resolvconf.nix
@@ -0,0 +1,149 @@
+# /etc files related to networking, such as /etc/services.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.networking.resolvconf;
+
+ resolvconfOptions = cfg.extraOptions
+ ++ optional cfg.dnsSingleRequest "single-request"
+ ++ optional cfg.dnsExtensionMechanism "edns0";
+
+ configText =
+ ''
+ # This is the default, but we must set it here to prevent
+ # a collision with an apparently unrelated environment
+ # variable with the same name exported by dhcpcd.
+ interface_order='lo lo[0-9]*'
+ '' + optionalString config.services.nscd.enable ''
+ # Invalidate the nscd cache whenever resolv.conf is
+ # regenerated.
+ libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service 2> /dev/null'
+ '' + optionalString (length resolvconfOptions > 0) ''
+ # Options as described in resolv.conf(5)
+ resolv_conf_options='${concatStringsSep " " resolvconfOptions}'
+ '' + optionalString cfg.useLocalResolver ''
+ # This hosts runs a full-blown DNS resolver.
+ name_servers='127.0.0.1'
+ '' + cfg.extraConfig;
+
+in
+
+{
+
+ options = {
+
+ networking.resolvconf = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ internal = true;
+ description = ''
+ DNS configuration is managed by resolvconf.
+ '';
+ };
+
+ useHostResolvConf = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ In containers, whether to use the
+ resolv.conf supplied by the host.
+ '';
+ };
+
+ dnsSingleRequest = lib.mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA)
+ address queries at the same time, from the same port. Sometimes upstream
+ routers will systemically drop the ipv4 queries. The symptom of this problem is
+ that 'getent hosts example.com' only returns ipv6 (or perhaps only ipv4) addresses. The
+ workaround for this is to specify the option 'single-request' in
+ /etc/resolv.conf. This option enables that.
+ '';
+ };
+
+ dnsExtensionMechanism = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Enable the edns0
option in resolv.conf. With
+ that option set, glibc
supports use of the extension mechanisms for
+ DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC,
+ which does not work without it.
+ '';
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ example = "libc=NO";
+ description = ''
+ Extra configuration to append to resolvconf.conf.
+ '';
+ };
+
+ extraOptions = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "ndots:1" "rotate" ];
+ description = ''
+ Set the options in /etc/resolv.conf.
+ '';
+ };
+
+ useLocalResolver = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Use local DNS server for resolving.
+ '';
+ };
+
+ };
+
+ };
+
+ config = mkMerge [
+ {
+ networking.resolvconf.enable = !(config.environment.etc ? "resolv.conf");
+
+ environment.etc."resolvconf.conf".text =
+ if !cfg.enable then
+ # Force-stop any attempts to use resolvconf
+ ''
+ echo "resolvconf is disabled on this system but was used anyway:" >&2
+ echo "$0 $*" >&2
+ exit 1
+ ''
+ else configText;
+ }
+
+ (mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.openresolv ];
+
+ systemd.services.resolvconf = {
+ description = "resolvconf update";
+
+ before = [ "network-pre.target" ];
+ wants = [ "network-pre.target" ];
+ wantedBy = [ "multi-user.target" ];
+ restartTriggers = [ config.environment.etc."resolvconf.conf".source ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.openresolv}/bin/resolvconf -u";
+ RemainAfterExit = true;
+ };
+ };
+
+ })
+ ];
+
+}
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index db47e69bd4a..d8e8dd37af7 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -25,6 +25,7 @@
./config/nsswitch.nix
./config/power-management.nix
./config/pulseaudio.nix
+ ./config/resolvconf.nix
./config/shells-environment.nix
./config/swap.nix
./config/sysctl.nix
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index e127782e85f..59542e76890 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -248,6 +248,12 @@ with lib;
# KSM
(mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ])
+ # resolvconf
+ (mkRenamedOptionModule [ "networking" "dnsSingleRequest" ] [ "networking" "resolvconf" "dnsSingleRequest" ])
+ (mkRenamedOptionModule [ "networking" "dnsExtensionMechanism" ] [ "networking" "resolvconf" "dnsExtensionMechanism" ])
+ (mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ])
+ (mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ])
+
] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
"jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
"snmpExporter" "unifiExporter" "varnishExporter" ]
diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
index 7f89cff2232..2097b9a3163 100644
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@@ -168,7 +168,9 @@ in
###### implementation
- config = mkIf config.services.bind.enable {
+ config = mkIf cfg.enable {
+
+ networking.resolvconf.useLocalResolver = mkDefault true;
users.users = singleton
{ name = bindUser;
diff --git a/nixos/modules/services/networking/dnsmasq.nix b/nixos/modules/services/networking/dnsmasq.nix
index 24d16046c63..714a5903bff 100644
--- a/nixos/modules/services/networking/dnsmasq.nix
+++ b/nixos/modules/services/networking/dnsmasq.nix
@@ -79,7 +79,7 @@ in
###### implementation
- config = mkIf config.services.dnsmasq.enable {
+ config = mkIf cfg.enable {
networking.nameservers =
optional cfg.resolveLocalQueries "127.0.0.1";
@@ -92,6 +92,15 @@ in
description = "Dnsmasq daemon user";
};
+ networking.resolvconf = mkIf cfg.resolveLocalQueries {
+ useLocalResolver = mkDefault true;
+
+ extraConfig = ''
+ dnsmasq_conf=/etc/dnsmasq-conf.conf
+ dnsmasq_resolv=/etc/dnsmasq-resolv.conf
+ '';
+ };
+
systemd.services.dnsmasq = {
description = "Dnsmasq Daemon";
after = [ "network.target" "systemd-resolved.service" ];
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index 995f548f5ce..ab6065b2008 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -16,7 +16,8 @@ let
plugins=keyfile
dhcp=${cfg.dhcp}
dns=${cfg.dns}
- rc-manager=${cfg.rc-manager}
+ # If resolvconf is disabled that means that resolv.conf is managed by some other module.
+ rc-manager=${if config.networking.resolvconf.enable then "resolvconf" else "unmanaged"}
[keyfile]
${optionalString (cfg.unmanaged != [])
@@ -268,25 +269,6 @@ in {
'';
};
- rc-manager = mkOption {
- type = types.enum [ "symlink" "file" "resolvconf" "netconfig" "unmanaged" "none" ];
- default = "resolvconf";
- description = ''
- Set the resolv.conf management mode.
-
-
- A description of these modes can be found in the main section of
-
- https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html
-
- or in
-
- NetworkManager.conf
- 5
- .
- '';
- };
-
dispatcherScripts = mkOption {
type = types.listOf (types.submodule {
options = {
@@ -513,7 +495,7 @@ in {
networking = {
useDHCP = false;
# use mkDefault to trigger the assertion about the conflict above
- wireless.enable = lib.mkDefault false;
+ wireless.enable = mkDefault false;
};
security.polkit.extraConfig = polkitConf;
diff --git a/nixos/modules/services/networking/rdnssd.nix b/nixos/modules/services/networking/rdnssd.nix
index 887772f6e5f..bccab805bee 100644
--- a/nixos/modules/services/networking/rdnssd.nix
+++ b/nixos/modules/services/networking/rdnssd.nix
@@ -35,6 +35,11 @@ in
config = mkIf config.services.rdnssd.enable {
+ assertions = [{
+ assertion = config.networking.resolvconf.enable;
+ message = "rdnssd needs resolvconf to work (probably something sets up a static resolv.conf)";
+ }];
+
systemd.services.rdnssd = {
description = "RDNSS daemon";
after = [ "network.target" ];
diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix
index 1a35979ad44..3cf82e8839b 100644
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@@ -101,6 +101,8 @@ in
isSystemUser = true;
};
+ networking.resolvconf.useLocalResolver = mkDefault true;
+
systemd.services.unbound = {
description = "Unbound recursive Domain Name Server";
after = [ "network.target" ];
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index 5c66cf4a6e6..3ea96f8e464 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -3,6 +3,10 @@
with lib;
let
cfg = config.services.resolved;
+
+ dnsmasqResolve = config.services.dnsmasq.enable &&
+ config.services.dnsmasq.resolveLocalQueries;
+
in
{
@@ -126,6 +130,12 @@ in
config = mkIf cfg.enable {
+ assertions = [
+ { assertion = !config.networking.useHostResolvConf;
+ message = "Using host resolv.conf is not supported with systemd-resolved";
+ }
+ ];
+
systemd.additionalUpstreamSystemUnits = [
"systemd-resolved.service"
];
@@ -135,21 +145,30 @@ in
restartTriggers = [ config.environment.etc."systemd/resolved.conf".source ];
};
- environment.etc."systemd/resolved.conf".text = ''
- [Resolve]
- ${optionalString (config.networking.nameservers != [])
- "DNS=${concatStringsSep " " config.networking.nameservers}"}
- ${optionalString (cfg.fallbackDns != [])
- "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}
- ${optionalString (cfg.domains != [])
- "Domains=${concatStringsSep " " cfg.domains}"}
- LLMNR=${cfg.llmnr}
- DNSSEC=${cfg.dnssec}
- ${config.services.resolved.extraConfig}
- '';
+ environment.etc = {
+ "systemd/resolved.conf".text = ''
+ [Resolve]
+ ${optionalString (config.networking.nameservers != [])
+ "DNS=${concatStringsSep " " config.networking.nameservers}"}
+ ${optionalString (cfg.fallbackDns != [])
+ "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}
+ ${optionalString (cfg.domains != [])
+ "Domains=${concatStringsSep " " cfg.domains}"}
+ LLMNR=${cfg.llmnr}
+ DNSSEC=${cfg.dnssec}
+ ${config.services.resolved.extraConfig}
+ '';
+
+ # symlink the dynamic stub resolver of resolv.conf as recommended by upstream:
+ # https://www.freedesktop.org/software/systemd/man/systemd-resolved.html#/etc/resolv.conf
+ "resolv.conf".source = "/run/systemd/resolve/stub-resolv.conf";
+ } // optionalAttrs dnsmasqResolve {
+ "dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";
+ };
# If networkmanager is enabled, ask it to interface with resolved.
networking.networkmanager.dns = "systemd-resolved";
+
};
}
diff --git a/nixos/modules/system/boot/stage-2.nix b/nixos/modules/system/boot/stage-2.nix
index 55e6b19c67f..6b0b4722730 100644
--- a/nixos/modules/system/boot/stage-2.nix
+++ b/nixos/modules/system/boot/stage-2.nix
@@ -4,19 +4,20 @@ with lib;
let
+ useHostResolvConf = config.networking.resolvconf.enable && config.networking.useHostResolvConf;
+
bootStage2 = pkgs.substituteAll {
src = ./stage-2-init.sh;
shellDebug = "${pkgs.bashInteractive}/bin/bash";
shell = "${pkgs.bash}/bin/bash";
isExecutable = true;
inherit (config.nix) readOnlyStore;
- inherit (config.networking) useHostResolvConf;
+ inherit useHostResolvConf;
inherit (config.system.build) earlyMountScript;
- path = lib.makeBinPath [
+ path = lib.makeBinPath ([
pkgs.coreutils
pkgs.utillinux
- pkgs.openresolv
- ];
+ ] ++ lib.optional useHostResolvConf pkgs.openresolv);
fsPackagesPath = lib.makeBinPath config.system.fsPackages;
postBootCommands = pkgs.writeText "local-cmds"
''
diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix
index c12ada7a030..2b8a7944dc3 100644
--- a/nixos/modules/tasks/network-interfaces-scripted.nix
+++ b/nixos/modules/tasks/network-interfaces-scripted.nix
@@ -103,7 +103,7 @@ let
script =
''
- ${optionalString (!config.environment.etc?"resolv.conf") ''
+ ${optionalString config.networking.resolvconf.enable ''
# Set the static DNS configuration, if given.
${pkgs.openresolv}/sbin/resolvconf -m 1 -a static <