Merge pull request #87016 from flokli/nsswitch-cleanup

nixos/nsswitch cleanup nss modules
Florian Klink 2020-05-14 14:55:43 +02:00 committed by GitHub
commit 4a85559ffc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 32 additions and 52 deletions


@ -244,6 +244,10 @@ in
if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
);
system.nssDatabases.group = optional cfg.nsswitch "ldap";
system.nssDatabases.passwd = optional cfg.nsswitch "ldap";
system.nssDatabases.shadow = optional cfg.nsswitch "ldap";
users = mkIf cfg.daemon.enable {
groups.nslcd = {
gid = config.ids.gids.nslcd;
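Review bot: The three `optional cfg.nsswitch "ldap"` definitions carry no ordering priority, so `ldap` is placed after `files` (which nsswitch.nix defines with mkBefore) but its position relative to the other default-priority entries this commit introduces — `sss` from sssd.nix and `mymachines` from the systemd module — is fixed only by module evaluation order, which matters when the same user name or uid exists in more than one source. I would either give it an explicit `mkOrder` or state the intent in a comment, e.g. `# appended at default priority: after "files" (local accounts win), ordering against other NSS sources (sss, mymachines) is not pinned`. The enclosing `config` block starts before this hunk, so I cannot see whether these lines are already guarded by `mkIf cfg.enable` as `system.nssModules` appears to be.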


@ -4,34 +4,7 @@
with lib;
let
# only with nscd up and running we can load NSS modules that are not integrated in NSS
canLoadExternalModules = config.services.nscd.enable;
# XXX Move these to their respective modules
nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
nsswins = canLoadExternalModules && config.services.samba.nsswins;
ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
hostArray = mkMerge [
(mkBefore [ "files" ])
(mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ])
(mkIf nsswins [ "wins" ])
(mkAfter [ "dns" ])
(mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns
];
passwdArray = mkMerge [
(mkBefore [ "files" ])
(mkIf ldap [ "ldap" ])
];
shadowArray = mkMerge [
(mkBefore [ "files" ])
(mkIf ldap [ "ldap" ])
];
in {
{
options = {
# NSS modules. Hacky!
@ -122,9 +95,11 @@ in {
config = {
assertions = [
{
# generic catch if the NixOS module adding to nssModules does not prevent it with specific message.
assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
# Prevent users from disabling nscd, with nssModules being set.
# If disabling nscd is really necessary, it's still possible to opt out
# by forcing config.system.nssModules to [].
assertion = config.system.nssModules.path != "" -> config.services.nscd.enable;
message = "Loading NSS modules from system.nssModules (${config.system.nssModules.path}), requires services.nscd.enable being set to true.";
}
];
@ -145,10 +120,13 @@ in {
'';
system.nssDatabases = {
passwd = passwdArray;
group = passwdArray;
shadow = shadowArray;
hosts = hostArray;
passwd = mkBefore [ "files" ];
group = mkBefore [ "files" ];
shadow = mkBefore [ "files" ];
hosts = mkMerge [
(mkBefore [ "files" ])
(mkAfter [ "dns" ])
];
services = mkBefore [ "files" ];
};
};
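Review bot: The opt-out described in the new assertion comment ("forcing config.system.nssModules to []") is only half of the story: forcing the module list empty keeps nscd from being required, but the `nssDatabases` entries that other modules now add unconditionally (`ldap`, `sss`, `mymachines`, `wins`, ...) still end up in nsswitch.conf, where glibc cannot find the corresponding libraries. As far as I can tell glibc treats a service whose library fails to load as UNAVAIL and continues with the next one, so lookups degrade silently rather than fail loudly, which is exactly what the removed `canLoadExternalModules` gating used to prevent. I would extend the comment: `# ... by forcing config.system.nssModules to []; the matching system.nssDatabases.* entries must then be overridden too, otherwise they stay in nsswitch.conf and are silently skipped by glibc.`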


@ -50,6 +50,7 @@ in
# enable the nss module, so user lookups etc. work
system.nssModules = [ package ];
system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ];
system.nssDatabases.group = [ "cache_oslogin" "oslogin" ];
# Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
# So indirect by a symlink.
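Review bot: The new `passwd`/`group` lists document neither why they carry no priority nor why the in-list order matters, and both are security-relevant for an account source that is consulted on every login. At default priority they land after `files` (defined with mkBefore in nsswitch.nix), so local accounts such as root are resolved locally and cannot be shadowed by an OS Login answer; inside the list the cache module must stay ahead of the live module or every lookup goes to the metadata server. I would add `# default priority: after "files" so local accounts take precedence; keep cache_oslogin before oslogin` above the two lines. The enclosing `config` block starts before this hunk.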


@ -42,11 +42,6 @@ in {
};
config = mkMerge [
(mkIf cfg.enable {
assertions = singleton {
assertion = nscd.enable;
message = "nscd must be enabled through `services.nscd.enable` for SSSD to work.";
};
systemd.services.sssd = {
description = "System Security Services Daemon";
wantedBy = [ "multi-user.target" ];
@ -74,11 +69,12 @@ in {
mode = "0400";
};
system.nssModules = optional cfg.enable pkgs.sssd;
system.nssModules = pkgs.sssd;
system.nssDatabases = {
group = [ "sss" ];
passwd = [ "sss" ];
shadow = [ "sss" ];
services = [ "sss" ];
shadow = [ "sss" ];
};
services.dbus.packages = [ pkgs.sssd ];
})
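Review bot: `system.nssModules = pkgs.sssd;` assigns a bare derivation to a list-typed option; the line it replaces produced a list (`optional cfg.enable pkgs.sssd`) and every other file in this commit assigns a list (`[ package ]`, `[ systemd.out ]`, `optional cfg.nsswins samba`), so as written the module type check will reject the definition as soon as `services.sssd.enable` is true and the sss NSS module is never loaded. The line should read `system.nssModules = [ pkgs.sssd ];`. The rendered section also shows `shadow = [ "sss" ];` both before and after `services`; if both lines are really on the new side that is a duplicate attribute and evaluation fails, though this may just be a rendering artifact — worth confirming against the actual file. The enclosing `mkIf cfg.enable` block starts before this hunk.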


@ -224,6 +224,7 @@ in
(mkIf cfg.enable {
system.nssModules = optional cfg.nsswins samba;
system.nssDatabases.hosts = optional cfg.nsswins "wins";
systemd = {
targets.samba = {
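Review bot: The new `hosts` entry has no priority, so `wins` sits between `files` (mkBefore) and `dns` (mkAfter) in nsswitch.conf, meaning NetBIOS resolution is consulted before DNS for every host name, which reproduces the old hostArray ordering but is no longer visible to a reader of this module. Since nss_wins answers come from a WINS server or, as far as I know, from subnet broadcast, any peer on the broadcast domain can answer ahead of DNS; the placement deserves a comment such as `# default priority: resolved before "dns" (mkAfter), so NetBIOS answers take precedence over DNS for unqualified names`. The enclosing `mkIf cfg.enable` block starts before this hunk.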


@ -238,6 +238,10 @@ in
users.groups.avahi = {};
system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
[ "mdns_minimal [NOTFOUND=return]" ]
(mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns
]);
environment.systemPackages = [ pkgs.avahi ];
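Review bot: `optionals cfg.nssmdns (mkMerge [ ... ])` passes a merge marker, not a list, as the second argument of `optionals`; it only works because `optionals` does not inspect its argument, and a reader of the surrounding `optional cfg.nssmdns pkgs.nssmdns` will expect a list there. The idiomatic form for a conditional module definition is `system.nssDatabases.hosts = mkIf cfg.nssmdns (mkMerge [`, with the rest unchanged. The two entries also deserve a word on why they sit where they do, since this is what keeps `.local` queries off the DNS resolver and decides when multicast (LAN-spoofable) answers are accepted: `# mdns_minimal before "dns" with [NOTFOUND=return] so .local names never leak to DNS; plain mdns only after dns has failed`. The enclosing `mkIf cfg.enable` block starts before this hunk.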


@ -832,16 +832,8 @@ in
system.build.units = cfg.units;
# Systemd provides various NSS modules to look up dynamic users, locally
# configured IP adresses and local container hostnames.
# On NixOS, these can only be passed to the NSS system via nscd (and its
# LD_LIBRARY_PATH), which is why it's usually a very good idea to have nscd
# enabled (also see the config.nscd.enable description).
# While there is already an assertion in place complaining loudly about
# having nssModules configured and nscd disabled, for some reason we still
# check for nscd being enabled before adding to nssModules.
system.nssModules = optional config.services.nscd.enable systemd.out;
system.nssDatabases = mkIf config.services.nscd.enable {
system.nssModules = [ systemd.out ];
system.nssDatabases = {
hosts = (mkMerge [
[ "mymachines" ]
(mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last
@ -851,6 +843,10 @@ in
[ "mymachines" ]
(mkAfter [ "systemd" ])
]);
group = (mkMerge [
[ "mymachines" ]
(mkAfter [ "systemd" ])
]);
};
environment.systemPackages = [ systemd ];
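Review bot: Making `system.nssModules = [ systemd.out ];` unconditional has a consequence the remaining comment does not mention: because nsswitch.nix now asserts that a non-empty `system.nssModules.path` requires `services.nscd.enable`, every NixOS system in which the systemd module is evaluated fails to build with `services.nscd.enable = false` unless `system.nssModules` is forced to `[]`, i.e. nscd has effectively become mandatory rather than "usually a very good idea". I would replace the comment above the assignment with one that states this, e.g. `# Always registered; together with the nsswitch assertion this makes nscd a hard requirement unless system.nssModules is mkForce'd to [] (see nsswitch.nix).` The databases themselves look sound: `mymachines` lands at default priority, after `files` for passwd/group and before `dns` for hosts, and `myhostname` is pinned last. The enclosing `config` block starts before this hunk and continues after it.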