avahi: integrate with nss
now i can resolve .local hosts via glibc, e.g. 'getent hosts <host>.local'
@@ -20,7 +20,7 @@
|
|||||||
# - each namespace may use a different /etc/resolv.conf to specify different DNS servers
|
# - each namespace may use a different /etc/resolv.conf to specify different DNS servers
|
||||||
# - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers.
|
# - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers.
|
||||||
# - this is fixed by either removing `/var/run/nscd/socket` from the namespace, or disabling nscd altogether.
|
# - this is fixed by either removing `/var/run/nscd/socket` from the namespace, or disabling nscd altogether.
|
||||||
{ config, lib, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
lib.mkMerge [
|
lib.mkMerge [
|
||||||
{
|
{
|
||||||
sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
|
sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
|
||||||
@@ -59,15 +59,34 @@ lib.mkMerge [
|
|||||||
# in the netns and we query upstream DNS more often than needed. hm.
|
# in the netns and we query upstream DNS more often than needed. hm.
|
||||||
# services.nscd.enableNsncd = true;
|
# services.nscd.enableNsncd = true;
|
||||||
|
|
||||||
# disabling nscd LOSES US SOME FUNCTIONALITY. in particular, only the glibc-builtin modules are accessible via /etc/resolv.conf.
|
# disabling nscd LOSES US SOME FUNCTIONALITY. in particular, only the glibc-builtin modules are accessible via /etc/resolv.conf (er, did i mean /etc/nsswitch.conf?).
|
||||||
# - dns: glibc-bultin
|
# - dns: glibc-bultin
|
||||||
# - files: glibc-builtin
|
# - files: glibc-builtin
|
||||||
# - myhostname: systemd
|
# - myhostname: systemd
|
||||||
# - mymachines: systemd
|
# - mymachines: systemd
|
||||||
# - resolve: systemd
|
# - resolve: systemd
|
||||||
# in practice, i see no difference with nscd disabled.
|
# in practice, i see no difference with nscd disabled.
|
||||||
|
# - the exception is when the system dns resolver doesn't do everything.
|
||||||
|
# for example, systemd-resolved does mDNS. hickory-dns does not. a hickory-dns system won't be mDNS-capable.
|
||||||
# disabling nscd VASTLY simplifies netns and process isolation. see explainer at top of file.
|
# disabling nscd VASTLY simplifies netns and process isolation. see explainer at top of file.
|
||||||
services.nscd.enable = false;
|
services.nscd.enable = false;
|
||||||
system.nssModules = lib.mkForce [];
|
# system.nssModules = lib.mkForce [];
|
||||||
|
sane.silencedAssertions = [''.*Loading NSS modules from system.nssModules.*requires services.nscd.enable being set to true.*''];
|
||||||
|
# add NSS modules into their own subdirectory.
|
||||||
|
# then i can add just the NSS modules library path to the global LD_LIBRARY_PATH, rather than ALL of /run/current-system/sw/lib.
|
||||||
|
# TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have trust-dns delegate .local to avahi
|
||||||
|
# (except avahi doesn't act as a local resolver over DNS protocol -- only dbus).
|
||||||
|
environment.systemPackages = [(pkgs.symlinkJoin {
|
||||||
|
name = "nss-modules";
|
||||||
|
paths = config.system.nssModules.list;
|
||||||
|
postBuild = ''
|
||||||
|
mkdir nss
|
||||||
|
mv $out/lib/libnss_* nss
|
||||||
|
rm -rf $out
|
||||||
|
mkdir -p $out/lib
|
||||||
|
mv nss $out/lib
|
||||||
|
'';
|
||||||
|
})];
|
||||||
|
environment.variables.LD_LIBRARY_PATH = [ "/run/current-system/sw/lib/nss" ];
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
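Review bot: The assertion silenced on the `sane.silencedAssertions` line is the one nixpkgs raises because NSS modules are dlopen'd into each process by that process's own glibc; with nscd off and `environment.variables.LD_LIBRARY_PATH` steering every session process at `/run/current-system/sw/lib/nss`, a program linked against a different glibc build than these libnss_* were built for may load a mismatched module, and the only symptom is a failed lookup, so a comment next to the silenced assertion should say this is the accepted trade-off. Two further limits of the LD_LIBRARY_PATH route belong in the same comment: glibc ignores LD_LIBRARY_PATH in secure-execution (setuid/setcap) mode, and systemd services presumably never see environment.variables, so only interactive sessions gain `.local` resolution. The `postBuild` glob `mv $out/lib/libnss_* nss` presumably aborts the derivation if `config.system.nssModules.list` contributes no libnss_* files (e.g. with avahi later disabled); `for f in $out/lib/libnss_*; do [ -e "$f" ] && mv "$f" nss; done` keeps it buildable. The `.*Loading NSS modules from system.nssModules.*` pattern also hides any future assertion with that wording, so anchoring it on the full message text is safer.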
|
@@ -5,7 +5,10 @@
|
|||||||
# - code: <https://github.com/avahi/avahi>
|
# - code: <https://github.com/avahi/avahi>
|
||||||
# - IRC: #avahi on irc.libera.chat
|
# - IRC: #avahi on irc.libera.chat
|
||||||
#
|
#
|
||||||
# `avahi-browse --help` for usage
|
# - `avahi-browse --help` for usage
|
||||||
|
# - `man avahi-daemon.conf`
|
||||||
|
# - `LD_LIBRARY_PATH=/nix/store/ngwj3jqmxh8k4qji2z0lj7y1f8vzqrn2-nss-mdns-0.15.1/lib getent hosts desko.local`
|
||||||
|
# nss-mdns goes through avahi-daemon, so there IS caching here
|
||||||
#
|
#
|
||||||
# TODO(2024/06/25): *.local DNS resolution should go through avahi,
|
# TODO(2024/06/25): *.local DNS resolution should go through avahi,
|
||||||
# but this fails on trust-dns-based systems.
|
# but this fails on trust-dns-based systems.
|
||||||
@@ -18,7 +21,8 @@
|
|||||||
package = config.sane.programs.avahi.package;
|
package = config.sane.programs.avahi.package;
|
||||||
publish.enable = true;
|
publish.enable = true;
|
||||||
publish.userServices = true;
|
publish.userServices = true;
|
||||||
# nssmdns4 = true; #< TODO: integrate with nss so all applications (e.g. Firefox) can resolve .local domains
|
nssmdns4 = true; #< TODO: integrate with nss so all applications (e.g. Firefox) can resolve .local domains
|
||||||
|
# reflector = true;
|
||||||
allowInterfaces = [
|
allowInterfaces = [
|
||||||
# particularly, the default config disallows loopback, which is kinda fucking retarded, right?
|
# particularly, the default config disallows loopback, which is kinda fucking retarded, right?
|
||||||
"ens1" #< servo
|
"ens1" #< servo
|
||||||
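Review bot: The `#< TODO: integrate with nss ...` trailer kept on the `nssmdns4 = true;` line is exactly what this commit completes, so it now reads as an open item; `nssmdns4 = true; #< adds nss-mdns to the hosts NSS line so all applications (e.g. Firefox) can resolve .local domains` says what the option does. As I understand the nixpkgs option, it installs `mdns4_minimal [NOTFOUND=return]`, which answers only `.local` names and stops the lookup there, so unicast DNS never sees `.local` queries — stating that gives the "fails on trust-dns-based systems" note in the hunk above a concrete reason. The manual test command added in that earlier hunk embeds a literal `/nix/store/...-nss-mdns-0.15.1` path that goes stale on the next update; now that the module directory is on the global LD_LIBRARY_PATH the plain `getent hosts desko.local` form is the durable one.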
|
@@ -57,8 +57,10 @@ let
|
|||||||
"/run/opengl-driver"
|
"/run/opengl-driver"
|
||||||
"/run/opengl-driver-32" #< XXX: doesn't exist on aarch64?
|
"/run/opengl-driver-32" #< XXX: doesn't exist on aarch64?
|
||||||
"/usr/bin/env"
|
"/usr/bin/env"
|
||||||
] ++ lib.optionals (config.services.resolved.enable) [
|
] ++ lib.optionals (sandbox.net == "all" && config.services.resolved.enable) [
|
||||||
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
|
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
|
||||||
|
] ++ lib.optionals (sandbox.net == "all" && config.services.avahi.enable) [
|
||||||
|
"/var/run/avahi-daemon" #< yes, it has to be "/var/run/...". required for nss (e.g. `getent hosts desko.local`)
|
||||||
] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
|
] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
|
||||||
++ sandbox.extraPaths
|
++ sandbox.extraPaths
|
||||||
;
|
;
|
||||||
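Review bot: The new `/var/run/avahi-daemon` entry exposes the whole directory to the sandbox, while the dbus entry two lines below binds a single socket file; if the sandbox accepts a file path there, `"/var/run/avahi-daemon/socket"` is the least-privilege form, since nss-mdns appears to talk only to that socket over avahi's simple resolve protocol rather than the dbus API. Gating both the resolved and the avahi paths on `sandbox.net == "all"` is consistent, but a sandboxed process also needs the NSS module itself on its library path; if the sandbox scrubs LD_LIBRARY_PATH, `getent hosts desko.local` inside it still fails despite the socket, which the comment could mention. The enclosing `let` binding starts outside the hunk.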
|