hosts/common: dns: cleanup hickory-dns file

hosts/common/net/dns/default.nix

@@ -23,7 +23,7 @@
 { config, pkgs, ... }:
 {
   imports = [
-    # ./hickory-dns.nix
+    ./hickory-dns.nix
     ./unbound.nix
   ];
 
@@ -49,6 +49,7 @@
   services.nscd.enable = false;
   # system.nssModules = lib.mkForce [];
   sane.silencedAssertions = [''.*Loading NSS modules from system.nssModules.*requires services.nscd.enable being set to true.*''];
+
   # add NSS modules into their own subdirectory.
   # then i can add just the NSS modules library path to the global LD_LIBRARY_PATH, rather than ALL of /run/current-system/sw/lib.
   # TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have hickory-dns delegate .local to avahi

hosts/common/net/dns/hickory-dns.nix

@@ -1,32 +1,31 @@
-{ config, lib }:
+{ config, lib, ... }:
-{
+lib.mkIf false  #< XXX(2024-10-xx): hickory-dns recursive resolution is too immature; switched to `unbound`
-  config = lib.mkMerge [
+(lib.mkMerge [
-    {
+ {
-      sane.services.hickory-dns.enable = lib.mkDefault config.sane.services.hickory-dns.asSystemResolver;
+   sane.services.hickory-dns.enable = lib.mkDefault config.sane.services.hickory-dns.asSystemResolver;
-      # sane.services.hickory-dns.asSystemResolver = lib.mkDefault true;
+   # sane.services.hickory-dns.asSystemResolver = lib.mkDefault true;
-    }
+ }
-    (lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && config.sane.services.hickory-dns.enable) {
+ (lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && config.sane.services.hickory-dns.enable) {
-      # use systemd's stub resolver.
+   # use systemd's stub resolver.
-      # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
+   # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
-      # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
+   # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
-      # in servo's ovnps namespace to use the provider's DNS resolvers.
+   # in servo's ovnps namespace to use the provider's DNS resolvers.
-      # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
+   # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
-      # TODO: improve hickory-dns recursive resolver and then remove this
+   # TODO: improve hickory-dns recursive resolver and then remove this
-      services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
+   services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
-      # without DNSSEC:
+   # without DNSSEC:
-      # - dig matrix.org => works
+   # - dig matrix.org => works
-      # - curl https://matrix.org => works
+   # - curl https://matrix.org => works
-      # with default DNSSEC:
+   # with default DNSSEC:
-      # - dig matrix.org => works
+   # - dig matrix.org => works
-      # - curl https://matrix.org => fails
+   # - curl https://matrix.org => fails
-      # i don't know why. this might somehow be interfering with the DNS run on this device (hickory-dns)
+   # i don't know why. this might somehow be interfering with the DNS run on this device (hickory-dns)
-      services.resolved.dnssec = "false";
+   services.resolved.dnssec = "false";
-      networking.nameservers = [
+   networking.nameservers = [
-        # use systemd-resolved resolver
+     # use systemd-resolved resolver
-        # full resolver (which understands /etc/hosts) lives on 127.0.0.53
+     # full resolver (which understands /etc/hosts) lives on 127.0.0.53
-        # stub resolver (just forwards upstream) lives on 127.0.0.54
+     # stub resolver (just forwards upstream) lives on 127.0.0.54
-        "127.0.0.53"
+     "127.0.0.53"
-      ];
+   ];
-    })
+ })
-  ];
+])
-}