diff --git a/hosts/common/net/dns.nix b/hosts/common/net/dns.nix
index 1e1335059..f2e7a58ff 100644
--- a/hosts/common/net/dns.nix
+++ b/hosts/common/net/dns.nix
@@ -20,7 +20,7 @@
 # - each namespace may use a different /etc/resolv.conf to specify different DNS servers
 # - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers.
 # - this is fixed by either removing `/var/run/nscd/socket` from the namespace, or disabling nscd altogether.
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 lib.mkMerge [
 {
 sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
@@ -59,15 +59,34 @@ lib.mkMerge [
 # in the netns and we query upstream DNS more often than needed. hm.
 # services.nscd.enableNsncd = true;
- # disabling nscd LOSES US SOME FUNCTIONALITY. in particular, only the glibc-builtin modules are accessible via /etc/resolv.conf.
+ # disabling nscd LOSES US SOME FUNCTIONALITY. in particular, only the glibc-builtin modules are accessible via /etc/resolv.conf (er, did i mean /etc/nsswitch.conf?).
 # - dns: glibc-bultin
 # - files: glibc-builtin
 # - myhostname: systemd
 # - mymachines: systemd
 # - resolve: systemd
 # in practice, i see no difference with nscd disabled.
+ # - the exception is when the system dns resolver doesn't do everything.
+ # for example, systemd-resolved does mDNS. hickory-dns does not. a hickory-dns system won't be mDNS-capable.
 # disabling nscd VASTLY simplifies netns and process isolation. see explainer at top of file.
 services.nscd.enable = false;
- system.nssModules = lib.mkForce [];
+ # system.nssModules = lib.mkForce [];
+ sane.silencedAssertions = [''.*Loading NSS modules from system.nssModules.*requires services.nscd.enable being set to true.*''];
+ # add NSS modules into their own subdirectory.
+ # then i can add just the NSS modules library path to the global LD_LIBRARY_PATH, rather than ALL of /run/current-system/sw/lib.
+ # TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have trust-dns delegate .local to avahi
+ # (except avahi doesn't act as a local resolver over DNS protocol -- only dbus).
+ environment.systemPackages = [(pkgs.symlinkJoin {
+ name = "nss-modules";
+ paths = config.system.nssModules.list;
+ postBuild = ''
+ mkdir nss
+ mv $out/lib/libnss_* nss
+ rm -rf $out
+ mkdir -p $out/lib
+ mv nss $out/lib
+ '';
+ })];
+ environment.variables.LD_LIBRARY_PATH = [ "/run/current-system/sw/lib/nss" ];
 }
 ]
diff --git a/hosts/common/programs/avahi.nix b/hosts/common/programs/avahi.nix
index 5e81656e5..2f61d2a69 100644
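Review bot: `mv $out/lib/libnss_* nss` in the new postBuild fails the build whenever `config.system.nssModules.list` contributes no `libnss_*` file, because the unmatched glob is handed to mv literally; `find "$out/lib" -maxdepth 1 -name 'libnss_*' -exec mv -t nss {} +` moves whatever matches and is a no-op otherwise. Pointing the global `environment.variables.LD_LIBRARY_PATH` at this directory is narrower than `/run/current-system/sw/lib` only because the build strips everything except `libnss_*`, so a comment on that line should record the invariant as load-bearing: any other library that ever lands in `lib/nss` would shadow the normal search path for every dynamically linked process on the system. The same comment should note that the dynamic loader ignores LD_LIBRARY_PATH in secure-execution (setuid/AT_SECURE) mode, so setuid programs will not see these modules and will resolve names without them. The `sane.silencedAssertions` pattern overrides a NixOS assertion that, as I understand it, exists because modules loaded without nscd are dlopen'd into each process against that process's own glibc; a one-line comment stating that the listed modules are built against the system glibc would make the override auditable, and the unescaped dots in the regex match more than the literal option names.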
--- a/hosts/common/programs/avahi.nix
+++ b/hosts/common/programs/avahi.nix
@@ -5,7 +5,10 @@
 # - code:
 # - IRC: #avahi on irc.libera.chat
 #
-# `avahi-browse --help` for usage
+# - `avahi-browse --help` for usage
+# - `man avahi-daemon.conf`
+# - `LD_LIBRARY_PATH=/nix/store/ngwj3jqmxh8k4qji2z0lj7y1f8vzqrn2-nss-mdns-0.15.1/lib getent hosts desko.local`
+# nss-mdns goes through avahi-daemon, so there IS caching here
 #
 # TODO(2024/06/25): *.local DNS resolution should go through avahi,
 # but this fails on trust-dns-based systems.
@@ -18,7 +21,8 @@
 package = config.sane.programs.avahi.package;
 publish.enable = true;
 publish.userServices = true;
- # nssmdns4 = true; #< TODO: integrate with nss so all applications (e.g. Firefox) can resolve .local domains
+ nssmdns4 = true; #< TODO: integrate with nss so all applications (e.g. Firefox) can resolve .local domains
+ # reflector = true;
 allowInterfaces = [
 # particularly, the default config disallows loopback, which is kinda fucking retarded, right?
 "ens1" #< servo
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 1c335ff49..d44ec7d0a 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -57,8 +57,10 @@ let
 "/run/opengl-driver"
 "/run/opengl-driver-32" #< XXX: doesn't exist on aarch64?
 "/usr/bin/env"
- ] ++ lib.optionals (config.services.resolved.enable) [
+ ] ++ lib.optionals (sandbox.net == "all" && config.services.resolved.enable) [
 "/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
+ ] ++ lib.optionals (sandbox.net == "all" && config.services.avahi.enable) [
+ "/var/run/avahi-daemon" #< yes, it has to be "/var/run/...". required for nss (e.g. `getent hosts desko.local`)
 ] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [
 "/run/dbus/system_bus_socket"
 ] ++ sandbox.extraPaths ;
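Review bot: The added usage comment hard-codes a `/nix/store/...-nss-mdns-0.15.1/lib` path, which stops being valid the next time nss-mdns or its dependencies rebuild, so the example will go stale without anyone noticing. This same commit publishes the NSS modules at `/run/current-system/sw/lib/nss` in hosts/common/net/dns.nix; the example should use that stable path instead, e.g. `# - LD_LIBRARY_PATH=/run/current-system/sw/lib/nss getent hosts desko.local`, so the comment keeps describing the configuration the system actually runs.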
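Review bot: The trailing comment on the now-enabled `nssmdns4 = true;` still reads as a TODO to "integrate with nss", but enabling the option is that integration, so the comment now contradicts the code it annotates. Reword it to state the current dependency instead, e.g. `nssmdns4 = true;  #< adds nss-mdns to system.nssModules; only effective because hosts/common/net/dns.nix makes that module loadable without nscd`. The commented-out `# reflector = true;` deserves a word on why it is parked, since a reflector forwards mDNS between interfaces and is not something to flip on by accident on a multi-homed host.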
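Review bot: The new `"/var/run/avahi-daemon"` whitelist entry is correctly gated on `sandbox.net == "all"`, but the inline comment explains only the path spelling and not the gate, which is the security-relevant part: exposing the host daemon's socket directory to a sandbox whose network is restricted would let the sandboxed program perform mDNS lookups through the host, a side channel around the intended network policy. The same reasoning now applies to the retightened `/run/systemd/resolve` branch two lines above, whose comment also says nothing about why it is conditioned on full network access. A short shared comment above the two `lib.optionals` branches, e.g. `# host resolver sockets are exposed only to sandboxes that already have unrestricted network, so a netless sandbox cannot resolve names via the host`, would document the invariant for the next edit. The enclosing `let` binding starts outside this hunk.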