From cc5645c6e01a1d9b54ffe6c17a828b5b9d60a0e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= <bjorn.forsman@gmail.com>
Date: Sat, 4 Jan 2025 22:10:01 +0100
Subject: [PATCH] nixos/dhcpcd: fix updating resolv.conf when using
 systemd-resolved

Fix the regression between NixOS 24.05 and 24.11 where using dhcpcd
(e.g. networking.useDHCP) and systemd-resolved
(services.resolved.enable) result in no "search" entry getting added to
/etc/resolv.conf, and dhcpcd logging the following error:

  $ systemctl status dhcpcd
  [...] dhcpcd[2896]: Failed to set DNS configuration: Interactive authentication required.

Fix it by adding a polkit rule that gives the required permissions to
the 'dhcpcd' user to manipulate resolved. The rule was made by using
polkit logging and allowing each action.id until the above error went
away, and /etc/resolv.conf got the correct search entry.
---
 nixos/modules/services/networking/dhcpcd.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix
index 310a1f3d1c552..4e3f21c0f3e44 100644
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@@ -303,6 +303,18 @@ in
         /run/current-system/systemd/bin/systemctl reload dhcpcd.service
       '';
 
+    security.polkit.extraConfig = lib.mkIf config.services.resolved.enable ''
+      polkit.addRule(function(action, subject) {
+          if (action.id == 'org.freedesktop.resolve1.revert' ||
+              action.id == 'org.freedesktop.resolve1.set-dns-servers' ||
+              action.id == 'org.freedesktop.resolve1.set-domains') {
+              if (subject.user == '${config.systemd.services.dhcpcd.serviceConfig.User}') {
+                  return polkit.Result.YES;
+              }
+          }
+      });
+    '';
+
   };
 
 }