modules/programs: sandbox: remove no-longer-needed /run/systemd/resolve from sandbox

mostly just pruning unused features

hosts/common/net/dns.nix

@@ -23,26 +23,36 @@
 #   - this is fixed by either `firejail --blacklist=/var/run/nscd/socket`, or disabling nscd altogether.
 { lib, ... }:
 {
-  # use systemd's stub resolver.
+  # # use systemd's stub resolver.
-  # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
+  # # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
-  # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
+  # # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
-  # in servo's ovnps namespace to use the provider's DNS resolvers.
+  # # in servo's ovnps namespace to use the provider's DNS resolvers.
-  # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
+  # # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
-  # TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf.
+  # # TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf.
-  services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
+  # services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
-  # without DNSSEC:
+  # # without DNSSEC:
-  # - dig matrix.org => works
+  # # - dig matrix.org => works
-  # - curl https://matrix.org => works
+  # # - curl https://matrix.org => works
-  # with default DNSSEC:
+  # # with default DNSSEC:
-  # - dig matrix.org => works
+  # # - dig matrix.org => works
-  # - curl https://matrix.org => fails
+  # # - curl https://matrix.org => fails
-  # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
+  # # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
-  services.resolved.dnssec = "false";
+  # services.resolved.dnssec = "false";
+  # networking.nameservers = [
+  #   # use systemd-resolved resolver
+  #   # full resolver (which understands /etc/hosts) lives on 127.0.0.53
+  #   # stub resolver (just forwards upstream) lives on 127.0.0.54
+  #   "127.0.0.53"
+  # ];
+
+  services.resolved.enable = lib.mkForce false;
+  sane.services.trust-dns.enable = true;
+  sane.services.trust-dns.instances.localhost = {
+    listenAddrs = [ "127.0.0.1" ];
+    enableRecursiveResolver = true;
+  };
   networking.nameservers = [
-    # use systemd-resolved resolver
+    "127.0.0.1"
-    # full resolver (which understands /etc/hosts) lives on 127.0.0.53
-    # stub resolver (just forwards upstream) lives on 127.0.0.54
-    "127.0.0.53"
   ];
 
   # nscd -- the Name Service Caching Daemon -- caches DNS query responses

hosts/common/programs/networkmanager.nix

@@ -31,31 +31,38 @@ in
   };
 
   environment.etc = lib.mkIf cfg.enabled {
+    "NetworkManager/system-connections".source = "/var/lib/NetworkManager/system-connections";
     "NetworkManager/NetworkManager.conf".text = ''
-      # TODO: much of this is likely not needed.
-      [connection]
-      ethernet.cloned-mac-address=preserve
-      wifi.cloned-mac-address=preserve
-      wifi.powersave=null
-
       [device]
+      # wifi.backend: wpa_supplicant or iwd
       wifi.backend=wpa_supplicant
       wifi.scan-rand-mac-address=true
 
-      [keyfile]
-      # keyfile.path: where to check for connection credentials
-      path=/var/lib/NetworkManager/system-connections
-      unmanaged-devices=null
-
       [logging]
       audit=false
-      level=WARN
+      # level: TRACE, DEBUG, INFO, WARN, ERR, OFF
+      level=INFO
+      # domain=...
 
       [main]
+      # dhcp:
+      # - `internal` (default)
+      # - `dhclient` (requires dhclient to be installed)
+      # - `dhcpcd`   (requires dhcpcd to be installed)
       dhcp=internal
-      dns=systemd-resolved
+      # dns:
+      # - `default`: update /etc/resolv.conf with nameservers provided by the active connection
+      # - `none`: NM won't update /etc/resolv.conf
+      # - `systemd-resolved`: push DNS config to systemd-resolved
+      # - `dnsmasq`: run a local caching nameserver
+      dns=none
       plugins=keyfile
+      # rc-manager: how NM should write to /etc/resolv.conf
+      # - may also write /var/lib/NetworkManager/resolv.conf
       rc-manager=unmanaged
+      # systemd-resolved: send DNS config to systemd-resolved?
+      systemd-resolved=false
+      # debug=...  (see also: NM_DEBUG env var)
     '';
   };
   hardware.wirelessRegulatoryDatabase = lib.mkIf cfg.enabled true;

modules/programs/default.nix

@@ -84,7 +84,7 @@ let
             "/etc"  #< especially for /etc/profiles/per-user/$USER/bin
             "/run/current-system"  #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
             "/run/wrappers"  #< SUID wrappers, in this case so that firejail can be re-entrant. TODO: remove!
-            "/run/systemd/resolve"  #< to allow reading /etc/resolv.conf, which ultimately symlinks here
+            # "/run/systemd/resolve"  #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
             # /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
             "/run/opengl-driver"
             "/run/opengl-driver-32"  #< XXX: doesn't exist on aarch64?

modules/services/trust-dns.nix

@@ -3,7 +3,7 @@ let
   cfg = config.sane.services.trust-dns;
   dns = config.sane.dns;
   toml = pkgs.formats.toml { };
-  instanceModule = with lib; types.submodule {
+  instanceModule = with lib; types.submodule ({ config, ...}: {
     options = {
       port = mkOption {
         type = types.port;
@@ -11,7 +11,7 @@ let
       };
       listenAddrs = mkOption {
         type = types.listOf types.str;
-        default = [];
+        default = [ "127.0.0.1" ];
         description = ''
           IP addresses to serve requests from.
         '';
@@ -27,17 +27,46 @@ let
           "%AWAN%" = ''"$(cat /var/www/wan.txt)"'';
         };
       };
+      enableRecursiveResolver = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          act as a recursive resolver
+        '';
+      };
       extraConfig = mkOption {
         type = types.attrs;
         default = {};
       };
     };
-  };
+
-  mkSystemdService = flavor: { port, listenAddrs, substitutions, extraConfig }: let
+    config = {
+      extraConfig = lib.mkIf config.enableRecursiveResolver {
+        zones = [
+          {
+            zone = ".";
+            zone_type = "Hint";
+            stores = {
+              type = "recursor";
+              # contains the list of toplevel DNS servers, from which to recursively resolve entries.
+              roots = "${pkgs.dns-root-data}/root.hints";
+
+              # dnssec, see: <https://github.com/hickory-dns/hickory-dns/issues/2193>
+              # probably not needed: the default seems to be that dnssec is disabled
+              # enable_dnssec = false;
+              #
+              # defaults, untuned
+              # ns_cache_size = 1024;
+              # record_cache_size = 1048576;
+            };
+          }
+        ];
+      };
+    };
+  });
+
+  mkSystemdService = flavor: { port, listenAddrs, substitutions, extraConfig, ... }: let
     sed = "${pkgs.gnused}/bin/sed";
-    zoneTemplate = pkgs.writeText
-      "uninsane.org.zone.in"
-      config.sane.dns.zones."uninsane.org".rendered;
     configTemplate = toml.generate "trust-dns-${flavor}.toml" (
       (
         lib.filterAttrsRecursive (_: v: v != null) config.services.trust-dns.settings
@@ -51,8 +80,8 @@ let
   in {
     description = "trust-dns Domain Name Server (serving ${flavor})";
     unitConfig.Documentation = "https://trust-dns.org/";
-
+    after = [ "network.target" ];
-    wantedBy = [ "default.target" ];
+    wantedBy = [ "network.target" ];
 
     preStart = lib.concatStringsSep "\n" (
       [''
@@ -66,7 +95,7 @@ let
 
     serviceConfig = config.systemd.services.trust-dns.serviceConfig // {
       ExecStart = lib.escapeShellArgs ([
-        "${pkgs.trust-dns}/bin/${pkgs.trust-dns.meta.mainProgram}"
+        "${config.services.trust-dns.package}/bin/${config.services.trust-dns.package.meta.mainProgram}"
         "--port"     (builtins.toString port)
         "--zonedir"  "/var/lib/trust-dns/${flavor}"
         "--config"   "${configPath}"
@@ -75,7 +104,10 @@ let
       ] ++ lib.optionals config.services.trust-dns.quiet [
         "--quiet"
       ]);
-      ReadOnlyPaths = [ "/var/lib/uninsane" ];  # for dyn-dns (wan.txt)
+      # servo/dyn-dns needs /var/lib/uninsane/wan.txt.
+      # this might not exist on other systems,
+      # so just bind the deepest path which is guaranteed to exist.
+      ReadOnlyPaths = [ "/var/lib" ];
     };
   };
 in
@@ -97,6 +129,7 @@ in
     # enable nixpkgs' trust-dns so that i get its config generation
     # but don't actually enable the systemd service... i'll instantiate *multiple* instances per interface further below
     services.trust-dns.enable = true;
+    services.trust-dns.settings.zones = [];  #< TODO: remove once upstreamed (bad default)
 
     # don't bind to IPv6 until i explicitly test that stack
     services.trust-dns.settings.listen_addrs_ipv6 = [];
@@ -105,6 +138,25 @@ in
     # - see: <https://github.com/hickory-dns/hickory-dns/issues/2082>
     # services.trust-dns.debug = true;
 
+    services.trust-dns.package = pkgs.trust-dns.override {
+      rustPlatform.buildRustPackage = args: pkgs.rustPlatform.buildRustPackage (args // {
+        buildFeatures = [
+          "recursor"
+        ];
+
+        # fix enough bugs inside the recursive resolver that it's compatible with my infra.
+        # TODO: upstream these patches!
+        src = pkgs.fetchFromGitea {
+          domain = "git.uninsane.org";
+          owner = "colin";
+          repo = "hickory-dns";
+          rev = "67649863faf2e08f63963a96a491a4025aaf8ed6";
+          hash = "sha256-vmVY8C0cCCFxy/4+g1vKZsAD5lMaufIExnFaSVVAhGM=";
+        };
+        cargoHash = "sha256-FEjNxv1iu27SXQhz1+Aehs4es8VxT1BPz5uZq8TcG/k=";
+      });
+    };
+
     users.groups.trust-dns = {};
     users.users.trust-dns = {
       group = "trust-dns";