nixos/systemd/resolved: add resolve to nss hosts database if enabled

We keep the "only add the nss module if nscd is enabled" logic for now.

The assertion never was triggered, so it can be removed.

nixos/modules/config/nsswitch.nix

@@ -14,14 +14,12 @@ let
   nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
   nsswins = canLoadExternalModules && config.services.samba.nsswins;
   ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
-  resolved = canLoadExternalModules && config.services.resolved.enable;
 
   hostArray = mkMerge [
     (mkBefore [ "files" ])
     (mkIf mymachines [ "mymachines" ])
     (mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ])
     (mkIf nsswins [ "wins" ])
-    (mkIf resolved [ "resolve [!UNAVAIL=return]" ])
     (mkAfter [ "dns" ])
     (mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns
     (mkIf myhostname (mkOrder 1600 [ "myhostname" ])) # 1600 to ensure it's always the last
@@ -134,11 +132,6 @@ in {
         assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
         message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
       }
-      {
-        # resolved does not need to add to nssModules, therefore needs an extra assertion
-        assertion = resolved -> canLoadExternalModules;
-        message = "Loading systemd-resolved's nss-resolve NSS module requires nscd being enabled.";
-      }
     ];
 
     # Name Service Switch configuration file.  Required by the C

nixos/modules/system/boot/resolved.nix

@@ -138,6 +138,10 @@ in
 
     users.users.resolved.group = "systemd-resolve";
 
+    # add resolve to nss hosts database if enabled and nscd enabled
+    # system.nssModules is configured in nixos/modules/system/boot/systemd.nix
+    system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]";
+
     systemd.additionalUpstreamSystemUnits = [
       "systemd-resolved.service"
     ];