diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 257a2e284..5ba33a194 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -84,11 +84,12 @@ let
 "/etc" #< especially for /etc/profiles/per-user/$USER/bin
 "/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
 "/run/wrappers" #< SUID wrappers, in this case so that firejail can be re-entrant. TODO: remove!
- # "/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
 # /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
 "/run/opengl-driver"
 "/run/opengl-driver-32" #< XXX: doesn't exist on aarch64?
 "/usr/bin/env"
+ ] ++ lib.optionals (config.services.resolved.enable) [
+ "/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
 ] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ] ++ sandbox.extraPaths ++ fullHomePaths ++ fullRuntimePaths; in makeProfile {
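Review bot: The new `lib.optionals (config.services.resolved.enable)` entry whitelists the whole `/run/systemd/resolve` directory for every sandboxed program, which exposes more than the resolv.conf file the comment says it is for. That directory normally also holds systemd-resolved's varlink sockets (e.g. `io.systemd.Resolve`), so a program sandboxed without network access may still be able to have the host resolver perform DNS lookups on its behalf, depending on how the sandbox treats unix sockets. Consider listing only the file that /etc/resolv.conf points at, e.g. `"/run/systemd/resolve/stub-resolv.conf"` (confirm the symlink target on the target system), and gating the entry on the program's network setting if the sandbox options have one. The list being built starts above this hunk, so its earlier entries were not reviewed.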