Merge pull request #166308 from ncfavier/wg-resolvconf

nixos/resolvconf: allow different implementations
2022-07-10 21:00:00 +02:00 · 2022-07-10 21:00:00 +02:00 · 366683965e
commit 366683965e
parent 341b9564bb 4af5c46faa
7 changed files with 39 additions and 8 deletions
--- a/nixos/modules/config/resolvconf.nix
+++ b/nixos/modules/config/resolvconf.nix
@ -50,7 +50,20 @@ in
        default = !(config.environment.etc ? "resolv.conf");
        defaultText = literalExpression ''!(config.environment.etc ? "resolv.conf")'';
        description = ''
-          DNS configuration is managed by resolvconf.
+          Whether DNS configuration is managed by resolvconf.
+        '';
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.openresolv;
+        defaultText = literalExpression "pkgs.openresolv";
+        description = ''
+          The package that provides the system-wide resolvconf command. Defaults to <literal>openresolv</literal>
+          if this module is enabled. Otherwise, can be used by other modules (for example <option>services.resolved</option>) to
+          provide a compatibility layer.
+
+          This option generally shouldn't be set by the user.
        '';
      };

@ -119,10 +132,12 @@ in
            exit 1
          ''
        else configText;
+
+      environment.systemPackages = [ cfg.package ];
    }

    (mkIf cfg.enable {
-      environment.systemPackages = [ pkgs.openresolv ];
+      networking.resolvconf.package = pkgs.openresolv;

      systemd.services.resolvconf = {
        description = "resolvconf update";
@ -134,7 +149,7 @@ in

        serviceConfig = {
          Type = "oneshot";
-          ExecStart = "${pkgs.openresolv}/bin/resolvconf -u";
+          ExecStart = "${cfg.package}/bin/resolvconf -u";
          RemainAfterExit = true;
        };
      };
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@ -215,7 +215,7 @@ in
        # dhcpcd.  So do a "systemctl restart" instead.
        stopIfChanged = false;

-        path = [ dhcpcd pkgs.nettools pkgs.openresolv ];
+        path = [ dhcpcd pkgs.nettools config.networking.resolvconf.package ];

        unitConfig.ConditionCapability = "CAP_NET_ADMIN";

--- a/nixos/modules/services/networking/tailscale.nix
+++ b/nixos/modules/services/networking/tailscale.nix
@ -47,7 +47,7 @@ in {
    systemd.services.tailscaled = {
      wantedBy = [ "multi-user.target" ];
      path = [
-        pkgs.openresolv # for configuring DNS in some configs
+        config.networking.resolvconf.package # for configuring DNS in some configs
        pkgs.procps     # for collecting running services (opt-in feature)
        pkgs.glibc      # for `getent` to look up user shells
      ];
--- a/nixos/modules/services/networking/wg-quick.nix
+++ b/nixos/modules/services/networking/wg-quick.nix
@ -273,7 +273,7 @@ let
        after = [ "network.target" "network-online.target" ];
        wantedBy = optional values.autostart "multi-user.target";
        environment.DEVICE = name;
-        path = [ pkgs.kmod pkgs.wireguard-tools ];
+        path = [ pkgs.kmod pkgs.wireguard-tools config.networking.resolvconf.package ];

        serviceConfig = {
          Type = "oneshot";
@ -332,5 +332,11 @@ in {
    # breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard.
    networking.firewall.checkReversePath = false;
    systemd.services = mapAttrs' generateUnit cfg.interfaces;
+
+    # Prevent networkd from clearing the rules set by wg-quick when restarted (e.g. when waking up from suspend).
+    systemd.network.config.networkConfig.ManageForeignRoutingPolicyRules = mkDefault false;
+
+    # WireGuard interfaces should be ignored in determining whether the network is online.
+    systemd.network.wait-online.ignoredInterfaces = builtins.attrNames cfg.interfaces;
  };
 }
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:

 with lib;
 let
@ -178,6 +178,8 @@ in
    # If networkmanager is enabled, ask it to interface with resolved.
    networking.networkmanager.dns = "systemd-resolved";

+    networking.resolvconf.package = pkgs.systemd;
+
  };

 }
--- a/nixos/tests/wireguard/wg-quick.nix
+++ b/nixos/tests/wireguard/wg-quick.nix
@ -29,6 +29,8 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:

              inherit (wg-snakeoil-keys.peer1) publicKey;
            };
+
+            dns = [ "10.23.42.2" "fc00::2" "wg0" ];
          };
        };
      };
@ -38,6 +40,7 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
        ip6 = "fd00::2";
        extraConfig = {
          boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
+          networking.useNetworkd = true;
          networking.wg-quick.interfaces.wg0 = {
            address = [ "10.23.42.2/32" "fc00::2/128" ];
            inherit (wg-snakeoil-keys.peer1) privateKey;
@ -49,6 +52,8 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:

              inherit (wg-snakeoil-keys.peer0) publicKey;
            };
+
+            dns = [ "10.23.42.1" "fc00::1" "wg0" ];
          };
        };
      };
--- a/pkgs/tools/networking/wireguard-tools/default.nix
+++ b/pkgs/tools/networking/wireguard-tools/default.nix
@ -37,7 +37,10 @@ stdenv.mkDerivation rec {
      --replace /usr/bin $out/bin
  '' + lib.optionalString stdenv.isLinux ''
    for f in $out/bin/*; do
-      wrapProgram $f --prefix PATH : ${lib.makeBinPath [ procps iproute2 iptables openresolv ]}
+      # allow users to provide their own resolvconf implementation, e.g. the one provided by systemd-resolved
+      wrapProgram $f \
+        --prefix PATH : ${lib.makeBinPath [ procps iproute2 iptables ]} \
+        --suffix PATH : ${lib.makeBinPath [ openresolv ]}
    done
  '';