nixpkgs/nixos/modules/system/boot/resolved.nix

{
  config,
  lib,
  pkgs,
  ...
}:

with lib;
let
  cfg = config.services.resolved;

  dnsmasqResolve = config.services.dnsmasq.enable && config.services.dnsmasq.resolveLocalQueries;

  resolvedConf = ''
    [Resolve]
    ${optionalString (
      config.networking.nameservers != [ ]
    ) "DNS=${concatStringsSep " " config.networking.nameservers}"}
    ${optionalString (cfg.fallbackDns != null) "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}
    ${optionalString (cfg.domains != [ ]) "Domains=${concatStringsSep " " cfg.domains}"}
    LLMNR=${cfg.llmnr}
    DNSSEC=${cfg.dnssec}
    DNSOverTLS=${cfg.dnsovertls}
    ${config.services.resolved.extraConfig}
  '';

in
{

  options = {

    services.resolved.enable = mkOption {
      default = false;
      type = types.bool;
      description = ''
        Whether to enable the systemd DNS resolver daemon, `systemd-resolved`.

        Search for `services.resolved` to see all options.
      '';
    };

    services.resolved.fallbackDns = mkOption {
      default = null;
      example = [
        "8.8.8.8"
        "2001:4860:4860::8844"
      ];
      type = types.nullOr (types.listOf types.str);
      description = ''
        A list of IPv4 and IPv6 addresses to use as the fallback DNS servers.
        If this option is null, a compiled-in list of DNS servers is used instead.
        Setting this option to an empty list will override the built-in list to an empty list, disabling fallback.
      '';
    };

    services.resolved.domains = mkOption {
      default = config.networking.search;
      defaultText = literalExpression "config.networking.search";
      example = [ "example.com" ];
      type = types.listOf types.str;
      description = ''
        A list of domains. These domains are used as search suffixes
        when resolving single-label host names (domain names which
        contain no dot), in order to qualify them into fully-qualified
        domain names (FQDNs).

        For compatibility reasons, if this setting is not specified,
        the search domains listed in
        {file}`/etc/resolv.conf` are used instead, if
        that file exists and any domains are configured in it.
      '';
    };

    services.resolved.llmnr = mkOption {
      default = "true";
      example = "false";
      type = types.enum [
        "true"
        "resolve"
        "false"
      ];
      description = ''
        Controls Link-Local Multicast Name Resolution support
        (RFC 4795) on the local host.

        If set to
        - `"true"`: Enables full LLMNR responder and resolver support.
        - `"false"`: Disables both.
        - `"resolve"`: Only resolution support is enabled, but responding is disabled.
      '';
    };

    services.resolved.dnssec = mkOption {
      default = "false";
      example = "true";
      type = types.enum [
        "true"
        "allow-downgrade"
        "false"
      ];
      description = ''
        If set to
        - `"true"`:
            all DNS lookups are DNSSEC-validated locally (excluding
            LLMNR and Multicast DNS). Note that this mode requires a
            DNS server that supports DNSSEC. If the DNS server does
            not properly support DNSSEC all validations will fail.
        - `"allow-downgrade"`:
            DNSSEC validation is attempted, but if the server does not
            support DNSSEC properly, DNSSEC mode is automatically
            disabled. Note that this mode makes DNSSEC validation
            vulnerable to "downgrade" attacks, where an attacker might
            be able to trigger a downgrade to non-DNSSEC mode by
            synthesizing a DNS response that suggests DNSSEC was not
            supported.
        - `"false"`: DNS lookups are not DNSSEC validated.

        At the time of September 2023, systemd upstream advise
        to disable DNSSEC by default as the current code
        is not robust enough to deal with "in the wild" non-compliant
        servers, which will usually give you a broken bad experience
        in addition of insecure.
      '';
    };

    services.resolved.dnsovertls = mkOption {
      default = "false";
      example = "true";
      type = types.enum [
        "true"
        "opportunistic"
        "false"
      ];
      description = ''
        If set to
        - `"true"`:
            all DNS lookups will be encrypted. This requires
            that the DNS server supports DNS-over-TLS and
            has a valid certificate. If the hostname was specified
            via the `address#hostname` format in {option}`services.resolved.domains`
            then the specified hostname is used to validate its certificate.
        - `"opportunistic"`:
            all DNS lookups will attempt to be encrypted, but will fallback
            to unecrypted requests if the server does not support DNS-over-TLS.
            Note that this mode does allow for a malicious party to conduct a
            downgrade attack by immitating the DNS server and pretending to not
            support encryption.
        - `"false"`:
            all DNS lookups are done unencrypted.
      '';
    };

    services.resolved.extraConfig = mkOption {
      default = "";
      type = types.lines;
      description = ''
        Extra config to append to resolved.conf.
      '';
    };

    boot.initrd.services.resolved.enable = mkOption {
      default = config.boot.initrd.systemd.network.enable;
      defaultText = "config.boot.initrd.systemd.network.enable";
      description = ''
        Whether to enable resolved for stage 1 networking.
        Uses the toplevel 'services.resolved' options for 'resolved.conf'
      '';
    };

  };

  config = mkMerge [
    (mkIf cfg.enable {

      assertions = [
        {
          assertion = !config.networking.useHostResolvConf;
          message = "Using host resolv.conf is not supported with systemd-resolved";
        }
      ];

      users.users.systemd-resolve.group = "systemd-resolve";

      # add resolve to nss hosts database if enabled and nscd enabled
      # system.nssModules is configured in nixos/modules/system/boot/systemd.nix
      # added with order 501 to allow modules to go before with mkBefore
      system.nssDatabases.hosts = (mkOrder 501 [ "resolve [!UNAVAIL=return]" ]);

      systemd.additionalUpstreamSystemUnits = [
        "systemd-resolved.service"
      ];

      systemd.services.systemd-resolved = {
        wantedBy = [ "sysinit.target" ];
        aliases = [ "dbus-org.freedesktop.resolve1.service" ];
        reloadTriggers = [ config.environment.etc."systemd/resolved.conf".source ];
        stopIfChanged = false;
      };

      environment.etc =
        {
          "systemd/resolved.conf".text = resolvedConf;

          # symlink the dynamic stub resolver of resolv.conf as recommended by upstream:
          # https://www.freedesktop.org/software/systemd/man/systemd-resolved.html#/etc/resolv.conf
          "resolv.conf".source = "/run/systemd/resolve/stub-resolv.conf";
        }
        // optionalAttrs dnsmasqResolve {
          "dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";
        };

      # If networkmanager is enabled, ask it to interface with resolved.
      networking.networkmanager.dns = "systemd-resolved";

      networking.resolvconf.package = pkgs.systemd;

    })

    (mkIf config.boot.initrd.services.resolved.enable {

      assertions = [
        {
          assertion = config.boot.initrd.systemd.enable;
          message = "'boot.initrd.services.resolved.enable' can only be enabled with systemd stage 1.";
        }
      ];

      boot.initrd.systemd = {
        contents = {
          "/etc/systemd/resolved.conf".text = resolvedConf;
        };

        tmpfiles.settings.systemd-resolved-stub."/etc/resolv.conf".L.argument =
          "/run/systemd/resolve/stub-resolv.conf";

        additionalUpstreamUnits = [ "systemd-resolved.service" ];
        users.systemd-resolve = { };
        groups.systemd-resolve = { };
        storePaths = [ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-resolved" ];
        services.systemd-resolved = {
          wantedBy = [ "sysinit.target" ];
          aliases = [ "dbus-org.freedesktop.resolve1.service" ];
        };
      };

    })
  ];

}
nixos/resolvconf: add `package` Expose the package that provides the system-wide `resolvconf` command (either openresolv or systemd) to allow implementation-agnostic modules. 2022-03-29 21:14:13 +02:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00
			`with lib;`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`let`
			`cfg = config.services.resolved;`
resolvconf service: init This is a refactor of how resolvconf is managed on NixOS. We split it into a separate service which is enabled internally depending on whether we want /etc/resolv.conf to be managed by it. Various services now take advantage of those configuration options. We also now use systemd instead of activation scripts to update resolv.conf. NetworkManager now uses the right option for rc-manager DNS automatically, so the configuration option shouldn't be exposed. 2019-07-15 20:18:49 +03:00
			`dnsmasqResolve = config.services.dnsmasq.enable && config.services.dnsmasq.resolveLocalQueries;`

nixos/systemd-stage-1: Support systemd-resolved 2024-04-07 21:18:59 -04:00			`resolvedConf = ''`
			`[Resolve]`
			`${optionalString (`
			`config.networking.nameservers != [ ]`
			`) "DNS=${concatStringsSep " " config.networking.nameservers}"}`
			`${optionalString (cfg.fallbackDns != null) "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"}`
			`${optionalString (cfg.domains != [ ]) "Domains=${concatStringsSep " " cfg.domains}"}`
			`LLMNR=${cfg.llmnr}`
			`DNSSEC=${cfg.dnssec}`
			`DNSOverTLS=${cfg.dnsovertls}`
			`${config.services.resolved.extraConfig}`
			`'';`

modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`in`
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00			`{`

			`options = {`

			`services.resolved.enable = mkOption {`
			`default = false;`
			`type = types.bool;`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			`description = ''`
nixos: Make services.resolved discoverable via "systemd-resolved" search This query yielded no results on search.nixos.org. I don't think I can make all options magically appear, but you can the other options by reading the text. 2023-04-07 01:09:05 +02:00			Whether to enable the systemd DNS resolver daemon, `systemd-resolved`.

			Search for `services.resolved` to see all options.
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00			`'';`
			`};`

modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`services.resolved.fallbackDns = mkOption {`
nixos/resolved: Allow upstream fallback override The previous code did not apply any changes to the upstream defaults on being presented with an empty list. This changes the code to use the above behaviour on a `null` value while an empty list is passed through as normal which yields a systemd configuration line with empty value which resets it to an empty value. Signed-off-by: benaryorg <binary@benary.org> 2023-12-08 16:00:42 +00:00			`default = null;`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`example = [`
			`"8.8.8.8"`
			`"2001:4860:4860::8844"`
			`];`
nixos/resolved: Allow upstream fallback override The previous code did not apply any changes to the upstream defaults on being presented with an empty list. This changes the code to use the above behaviour on a `null` value while an empty list is passed through as normal which yields a systemd configuration line with empty value which resets it to an empty value. Signed-off-by: benaryorg <binary@benary.org> 2023-12-08 16:00:42 +00:00			`type = types.nullOr (types.listOf types.str);`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			`description = ''`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`A list of IPv4 and IPv6 addresses to use as the fallback DNS servers.`
nixos/resolved: Allow upstream fallback override The previous code did not apply any changes to the upstream defaults on being presented with an empty list. This changes the code to use the above behaviour on a `null` value while an empty list is passed through as normal which yields a systemd configuration line with empty value which resets it to an empty value. Signed-off-by: benaryorg <binary@benary.org> 2023-12-08 16:00:42 +00:00			`If this option is null, a compiled-in list of DNS servers is used instead.`
			`Setting this option to an empty list will override the built-in list to an empty list, disabling fallback.`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`'';`
			`};`

			`services.resolved.domains = mkOption {`
			`default = config.networking.search;`
			`defaultText = literalExpression "config.networking.search";`
			`example = [ "example.com" ];`
			`type = types.listOf types.str;`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			`description = ''`
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`A list of domains. These domains are used as search suffixes`
			`when resolving single-label host names (domain names which`
			`contain no dot), in order to qualify them into fully-qualified`
			`domain names (FQDNs).`
FIx some malformed XML in option descriptions E.g. these were using "<para>" at the end of a description. The real WTF is that this is possible at all... 2019-05-13 09:15:17 +02:00
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`For compatibility reasons, if this setting is not specified,`
			`the search domains listed in`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			{file}`/etc/resolv.conf` are used instead, if
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`that file exists and any domains are configured in it.`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`'';`
			`};`

			`services.resolved.llmnr = mkOption {`
			`default = "true";`
			`example = "false";`
			`type = types.enum [`
			`"true"`
			`"resolve"`
			`"false"`
			`];`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			`description = ''`
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`Controls Link-Local Multicast Name Resolution support`
			`(RFC 4795) on the local host.`
FIx some malformed XML in option descriptions E.g. these were using "<para>" at the end of a description. The real WTF is that this is possible at all... 2019-05-13 09:15:17 +02:00
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`If set to`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			- `"true"`: Enables full LLMNR responder and resolver support.
			- `"false"`: Disables both.
			- `"resolve"`: Only resolution support is enabled, but responding is disabled.
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`'';`
			`};`

			`services.resolved.dnssec = mkOption {`
nixos/modules/system/resolved: disable DNSSEC validation by default Historically, we allowed downgrade of DNSSEC, but some folks argue this may decrease actually the security posture to do opportunistic DNSSEC. In addition, the current implementation of (opportunistic) DNSSEC validation is broken against "in the wild" servers which are usually slightly non-compliant. systemd upstream recommended to me (in personal communication surrounding the All Systems Go 2023 conference) to disable DNSSEC validation until they work on it in a significant capacity, ideally, by next year. 2023-09-13 11:49:16 +02:00			`default = "false";`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`example = "true";`
			`type = types.enum [`
			`"true"`
			`"allow-downgrade"`
			`"false"`
			`];`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			`description = ''`
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`If set to`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			- `"true"`:
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`all DNS lookups are DNSSEC-validated locally (excluding`
			`LLMNR and Multicast DNS). Note that this mode requires a`
			`DNS server that supports DNSSEC. If the DNS server does`
			`not properly support DNSSEC all validations will fail.`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			- `"allow-downgrade"`:
nixos/resolved: clean up option descriptions Also change LLMNR RFC to the correct id 4795. 2017-10-16 14:30:36 +02:00			`DNSSEC validation is attempted, but if the server does not`
			`support DNSSEC properly, DNSSEC mode is automatically`
			`disabled. Note that this mode makes DNSSEC validation`
			`vulnerable to "downgrade" attacks, where an attacker might`
			`be able to trigger a downgrade to non-DNSSEC mode by`
			`synthesizing a DNS response that suggests DNSSEC was not`
			`supported.`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			- `"false"`: DNS lookups are not DNSSEC validated.
nixos/modules/system/resolved: disable DNSSEC validation by default Historically, we allowed downgrade of DNSSEC, but some folks argue this may decrease actually the security posture to do opportunistic DNSSEC. In addition, the current implementation of (opportunistic) DNSSEC validation is broken against "in the wild" servers which are usually slightly non-compliant. systemd upstream recommended to me (in personal communication surrounding the All Systems Go 2023 conference) to disable DNSSEC validation until they work on it in a significant capacity, ideally, by next year. 2023-09-13 11:49:16 +02:00
			`At the time of September 2023, systemd upstream advise`
			`to disable DNSSEC by default as the current code`
			`is not robust enough to deal with "in the wild" non-compliant`
			`servers, which will usually give you a broken bad experience`
			`in addition of insecure.`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`'';`
			`};`

nixos/resolved: add dnsovertls option 2024-01-14 20:35:02 -06:00			`services.resolved.dnsovertls = mkOption {`
			`default = "false";`
			`example = "true";`
			`type = types.enum [`
			`"true"`
			`"opportunistic"`
			`"false"`
			`];`
			`description = ''`
			`If set to`
			- `"true"`:
			`all DNS lookups will be encrypted. This requires`
			`that the DNS server supports DNS-over-TLS and`
			`has a valid certificate. If the hostname was specified`
			via the `address#hostname` format in {option}`services.resolved.domains`
			`then the specified hostname is used to validate its certificate.`
			- `"opportunistic"`:
			`all DNS lookups will attempt to be encrypted, but will fallback`
			`to unecrypted requests if the server does not support DNS-over-TLS.`
			`Note that this mode does allow for a malicious party to conduct a`
			`downgrade attack by immitating the DNS server and pretending to not`
			`support encryption.`
			- `"false"`:
			`all DNS lookups are done unencrypted.`
			`'';`
			`};`

modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`services.resolved.extraConfig = mkOption {`
			`default = "";`
			`type = types.lines;`
nixos/resolved: convert option docs to MD 2022-07-19 15:05:45 +02:00			`description = ''`
modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00			`Extra config to append to resolved.conf.`
			`'';`
			`};`

nixos/systemd-stage-1: Support systemd-resolved 2024-04-07 21:18:59 -04:00			`boot.initrd.services.resolved.enable = mkOption {`
			`default = config.boot.initrd.systemd.network.enable;`
			`defaultText = "config.boot.initrd.systemd.network.enable";`
			`description = ''`
			`Whether to enable resolved for stage 1 networking.`
			`Uses the toplevel 'services.resolved' options for 'resolved.conf'`
			`'';`
			`};`

systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00			`};`

nixos/systemd-resolved: Re-indent 2024-04-07 20:32:41 -04:00			`config = mkMerge [`
			`(mkIf cfg.enable {`

			`assertions = [`
			`{`
			`assertion = !config.networking.useHostResolvConf;`
			`message = "Using host resolv.conf is not supported with systemd-resolved";`
			`}`
			`];`

			`users.users.systemd-resolve.group = "systemd-resolve";`

			`# add resolve to nss hosts database if enabled and nscd enabled`
			`# system.nssModules is configured in nixos/modules/system/boot/systemd.nix`
			`# added with order 501 to allow modules to go before with mkBefore`
			`system.nssDatabases.hosts = (mkOrder 501 [ "resolve [!UNAVAIL=return]" ]);`

			`systemd.additionalUpstreamSystemUnits = [`
			`"systemd-resolved.service"`
			`];`

			`systemd.services.systemd-resolved = {`
nixos/systemd-resolved: Should be wanted by sysinit.target As per its [Install] section upstream 2024-04-07 20:33:13 -04:00			`wantedBy = [ "sysinit.target" ];`
nixos/systemd-resolved: Re-indent 2024-04-07 20:32:41 -04:00			`aliases = [ "dbus-org.freedesktop.resolve1.service" ];`
Make systemd-resolved's config file a reload trigger It is documented to re-read its configuration file upon reload, so we can simply reload it instead of restarting the whole daemon. 2025-01-08 13:38:04 -05:00			`reloadTriggers = [ config.environment.etc."systemd/resolved.conf".source ];`
Don't stop systemd-{networkd,resolved,udevd} on config switch These daemons should not be stopped, as they're foundational to a proper functioning of the system. When switching configurations, they only need a restart instead of that stop/start cycle. 2025-01-08 12:59:33 -05:00			`stopIfChanged = false;`
nixos/systemd-resolved: Re-indent 2024-04-07 20:32:41 -04:00			`};`

			`environment.etc =`
			`{`
nixos/systemd-stage-1: Support systemd-resolved 2024-04-07 21:18:59 -04:00			`"systemd/resolved.conf".text = resolvedConf;`
nixos/systemd-resolved: Re-indent 2024-04-07 20:32:41 -04:00
			`# symlink the dynamic stub resolver of resolv.conf as recommended by upstream:`
			`# https://www.freedesktop.org/software/systemd/man/systemd-resolved.html#/etc/resolv.conf`
			`"resolv.conf".source = "/run/systemd/resolve/stub-resolv.conf";`
			`}`
			`// optionalAttrs dnsmasqResolve {`
			`"dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";`
			`};`

			`# If networkmanager is enabled, ask it to interface with resolved.`
			`networking.networkmanager.dns = "systemd-resolved";`

			`networking.resolvconf.package = pkgs.systemd;`

			`})`

nixos/systemd-stage-1: Support systemd-resolved 2024-04-07 21:18:59 -04:00			`(mkIf config.boot.initrd.services.resolved.enable {`

			`assertions = [`
			`{`
			`assertion = config.boot.initrd.systemd.enable;`
			`message = "'boot.initrd.services.resolved.enable' can only be enabled with systemd stage 1.";`
			`}`
			`];`

			`boot.initrd.systemd = {`
			`contents = {`
			`"/etc/systemd/resolved.conf".text = resolvedConf;`
			`};`

initrd: use the new tmpfiles options to create tmpfiles config Otherwise we get a clash when generating the initrd since the initrd tmpfiles options create a symlink at /etc/tmpfiles.d/ and any subsequent writes inside this directory because of initrd.systemd.contents will cause a permission denied error. 2024-09-04 11:35:44 +02:00			`tmpfiles.settings.systemd-resolved-stub."/etc/resolv.conf".L.argument =`
			`"/run/systemd/resolve/stub-resolv.conf";`

nixos/systemd-stage-1: Support systemd-resolved 2024-04-07 21:18:59 -04:00			`additionalUpstreamUnits = [ "systemd-resolved.service" ];`
			`users.systemd-resolve = { };`
			`groups.systemd-resolve = { };`
			`storePaths = [ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-resolved" ];`
			`services.systemd-resolved = {`
			`wantedBy = [ "sysinit.target" ];`
			`aliases = [ "dbus-org.freedesktop.resolve1.service" ];`
			`};`
			`};`

			`})`
nixos/systemd-resolved: Re-indent 2024-04-07 20:32:41 -04:00			`];`
systemd: Move networkd into separate modules The systemd module was getting rather bloated. 2015-04-19 21:05:12 +02:00
			`}`