Merge pull request #87016 from flokli/nsswitch-cleanup
nixos/nsswitch cleanup nss modules
This commit is contained in:
commit
4a85559ffc
7 changed files with 32 additions and 52 deletions
|
@ -244,6 +244,10 @@ in
|
|||
if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
|
||||
);
|
||||
|
||||
system.nssDatabases.group = optional cfg.nsswitch "ldap";
|
||||
system.nssDatabases.passwd = optional cfg.nsswitch "ldap";
|
||||
system.nssDatabases.shadow = optional cfg.nsswitch "ldap";
|
||||
|
||||
users = mkIf cfg.daemon.enable {
|
||||
groups.nslcd = {
|
||||
gid = config.ids.gids.nslcd;
|
||||
|
|
|
@ -4,34 +4,7 @@
|
|||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
# only with nscd up and running we can load NSS modules that are not integrated in NSS
|
||||
canLoadExternalModules = config.services.nscd.enable;
|
||||
# XXX Move these to their respective modules
|
||||
nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
|
||||
nsswins = canLoadExternalModules && config.services.samba.nsswins;
|
||||
ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
|
||||
|
||||
hostArray = mkMerge [
|
||||
(mkBefore [ "files" ])
|
||||
(mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ])
|
||||
(mkIf nsswins [ "wins" ])
|
||||
(mkAfter [ "dns" ])
|
||||
(mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns
|
||||
];
|
||||
|
||||
passwdArray = mkMerge [
|
||||
(mkBefore [ "files" ])
|
||||
(mkIf ldap [ "ldap" ])
|
||||
];
|
||||
|
||||
shadowArray = mkMerge [
|
||||
(mkBefore [ "files" ])
|
||||
(mkIf ldap [ "ldap" ])
|
||||
];
|
||||
|
||||
in {
|
||||
{
|
||||
options = {
|
||||
|
||||
# NSS modules. Hacky!
|
||||
|
@ -122,9 +95,11 @@ in {
|
|||
config = {
|
||||
assertions = [
|
||||
{
|
||||
# generic catch if the NixOS module adding to nssModules does not prevent it with specific message.
|
||||
assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
|
||||
message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
|
||||
# Prevent users from disabling nscd, with nssModules being set.
|
||||
# If disabling nscd is really necessary, it's still possible to opt out
|
||||
# by forcing config.system.nssModules to [].
|
||||
assertion = config.system.nssModules.path != "" -> config.services.nscd.enable;
|
||||
message = "Loading NSS modules from system.nssModules (${config.system.nssModules.path}), requires services.nscd.enable being set to true.";
|
||||
}
|
||||
];
|
||||
|
||||
|
@ -145,10 +120,13 @@ in {
|
|||
'';
|
||||
|
||||
system.nssDatabases = {
|
||||
passwd = passwdArray;
|
||||
group = passwdArray;
|
||||
shadow = shadowArray;
|
||||
hosts = hostArray;
|
||||
passwd = mkBefore [ "files" ];
|
||||
group = mkBefore [ "files" ];
|
||||
shadow = mkBefore [ "files" ];
|
||||
hosts = mkMerge [
|
||||
(mkBefore [ "files" ])
|
||||
(mkAfter [ "dns" ])
|
||||
];
|
||||
services = mkBefore [ "files" ];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -50,6 +50,7 @@ in
|
|||
# enable the nss module, so user lookups etc. work
|
||||
system.nssModules = [ package ];
|
||||
system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ];
|
||||
system.nssDatabases.group = [ "cache_oslogin" "oslogin" ];
|
||||
|
||||
# Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
|
||||
# So indirect by a symlink.
|
||||
|
|
|
@ -42,11 +42,6 @@ in {
|
|||
};
|
||||
config = mkMerge [
|
||||
(mkIf cfg.enable {
|
||||
assertions = singleton {
|
||||
assertion = nscd.enable;
|
||||
message = "nscd must be enabled through `services.nscd.enable` for SSSD to work.";
|
||||
};
|
||||
|
||||
systemd.services.sssd = {
|
||||
description = "System Security Services Daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
@ -74,11 +69,12 @@ in {
|
|||
mode = "0400";
|
||||
};
|
||||
|
||||
system.nssModules = optional cfg.enable pkgs.sssd;
|
||||
system.nssModules = pkgs.sssd;
|
||||
system.nssDatabases = {
|
||||
group = [ "sss" ];
|
||||
passwd = [ "sss" ];
|
||||
shadow = [ "sss" ];
|
||||
services = [ "sss" ];
|
||||
shadow = [ "sss" ];
|
||||
};
|
||||
services.dbus.packages = [ pkgs.sssd ];
|
||||
})
|
||||
|
|
|
@ -224,6 +224,7 @@ in
|
|||
(mkIf cfg.enable {
|
||||
|
||||
system.nssModules = optional cfg.nsswins samba;
|
||||
system.nssDatabases.hosts = optional cfg.nsswins "wins";
|
||||
|
||||
systemd = {
|
||||
targets.samba = {
|
||||
|
|
|
@ -238,6 +238,10 @@ in
|
|||
users.groups.avahi = {};
|
||||
|
||||
system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
|
||||
system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
|
||||
[ "mdns_minimal [NOTFOUND=return]" ]
|
||||
(mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns
|
||||
]);
|
||||
|
||||
environment.systemPackages = [ pkgs.avahi ];
|
||||
|
||||
|
|
|
@ -832,16 +832,8 @@ in
|
|||
|
||||
system.build.units = cfg.units;
|
||||
|
||||
# Systemd provides various NSS modules to look up dynamic users, locally
|
||||
# configured IP adresses and local container hostnames.
|
||||
# On NixOS, these can only be passed to the NSS system via nscd (and its
|
||||
# LD_LIBRARY_PATH), which is why it's usually a very good idea to have nscd
|
||||
# enabled (also see the config.nscd.enable description).
|
||||
# While there is already an assertion in place complaining loudly about
|
||||
# having nssModules configured and nscd disabled, for some reason we still
|
||||
# check for nscd being enabled before adding to nssModules.
|
||||
system.nssModules = optional config.services.nscd.enable systemd.out;
|
||||
system.nssDatabases = mkIf config.services.nscd.enable {
|
||||
system.nssModules = [ systemd.out ];
|
||||
system.nssDatabases = {
|
||||
hosts = (mkMerge [
|
||||
[ "mymachines" ]
|
||||
(mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last
|
||||
|
@ -851,6 +843,10 @@ in
|
|||
[ "mymachines" ]
|
||||
(mkAfter [ "systemd" ])
|
||||
]);
|
||||
group = (mkMerge [
|
||||
[ "mymachines" ]
|
||||
(mkAfter [ "systemd" ])
|
||||
]);
|
||||
};
|
||||
|
||||
environment.systemPackages = [ systemd ];
|
||||
|
|
Loading…
Reference in a new issue