From b4be3de16985e4684d4c422cd245105dfe700648 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= <bjorn.forsman@gmail.com>
Date: Sat, 4 Jan 2025 22:10:01 +0100
Subject: [PATCH] nixos/dhcpcd: fix updating resolv.conf when using
 systemd-resolved

Fix the regression between NixOS 24.05 and 24.11 where using dhcpcd
(e.g. networking.useDHCP) and systemd-resolved
(services.resolved.enable) result in no "search" entry getting added to
/etc/resolv.conf, and dhcpcd logging the following error:

  $ systemctl status dhcpcd
  [...] dhcpcd[2896]: Failed to set DNS configuration: Interactive authentication required.

Fix it by adding a polkit rule that gives the required permissions to
the 'dhcpcd' user to manipulate resolved. The rule was made by using
polkit logging and allowing each action.id until the above error went
away, and /etc/resolv.conf got the correct nameserver entry.
---
 nixos/modules/services/networking/dhcpcd.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix
index 310a1f3d1c5528..4e3f21c0f3e44a 100644
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@@ -303,6 +303,18 @@ in
         /run/current-system/systemd/bin/systemctl reload dhcpcd.service
       '';
 
+    security.polkit.extraConfig = lib.mkIf config.services.resolved.enable ''
+      polkit.addRule(function(action, subject) {
+          if (action.id == 'org.freedesktop.resolve1.revert' ||
+              action.id == 'org.freedesktop.resolve1.set-dns-servers' ||
+              action.id == 'org.freedesktop.resolve1.set-domains') {
+              if (subject.user == '${config.systemd.services.dhcpcd.serviceConfig.User}') {
+                  return polkit.Result.YES;
+              }
+          }
+      });
+    '';
+
   };
 
 }