authorFlorian Klink <flokli@flokli.de>2020-05-14 14:55:43 +0200
committerGitHub <noreply@github.com>2020-05-14 14:55:43 +0200
commit4a85559ffcbe5af70c28a69de47f4276ffca6cdd (patch)
tree6b70f5943567385ae68cc1e351b703e55019fb6e
parent0ffc85d64b081f0210787435122ef7f42b81d791 (diff)
parent23ba50611321035e02f5bfc2f5f809600ccc2f7b (diff)
Merge pull request #87016 from flokli/nsswitch-cleanup
nixos/nsswitch cleanup nss modules
-rw-r--r--nixos/modules/config/ldap.nix4
-rw-r--r--nixos/modules/config/nsswitch.nix48
-rw-r--r--nixos/modules/security/google_oslogin.nix1
-rw-r--r--nixos/modules/services/misc/sssd.nix10
-rw-r--r--nixos/modules/services/network-filesystems/samba.nix1
-rw-r--r--nixos/modules/services/networking/avahi-daemon.nix4
-rw-r--r--nixos/modules/system/boot/systemd.nix16
7 files changed, 32 insertions, 52 deletions
diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix
index 4c8b527676b..1a5dbcd4e26 100644
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -244,6 +244,10 @@ in
       if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
     );
 
+    system.nssDatabases.group = optional cfg.nsswitch "ldap";
+    system.nssDatabases.passwd = optional cfg.nsswitch "ldap";
+    system.nssDatabases.shadow = optional cfg.nsswitch "ldap";
+
     users = mkIf cfg.daemon.enable {
       groups.nslcd = {
         gid = config.ids.gids.nslcd;
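Review bot: The three new `system.nssDatabases.*` definitions are gated only on `cfg.nsswitch`, whereas the definitions they replace (the removed `let` in nsswitch.nix) also required `users.ldap.enable`. The enclosing attribute set starts outside this hunk, so I cannot see whether it is wrapped in `mkIf cfg.enable`; if it is not, `ldap` would be appended to passwd, group and shadow on every system where `users.ldap.nsswitch` is left at its default. If the outer `mkIf cfg.enable` is there, a one-line comment would make that dependency visible to the next reader, e.g. `# only reached when cfg.enable (outer mkIf); nscd is required via the assertion in nsswitch.nix`. Note that `shadow` being served from LDAP is unchanged from before, so nothing new to review there.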
diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix
index 22ddb3490c8..d19d35a4890 100644
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -4,34 +4,7 @@
 
 with lib;
 
-let
-
-  # only with nscd up and running we can load NSS modules that are not integrated in NSS
-  canLoadExternalModules = config.services.nscd.enable;
-  # XXX Move these to their respective modules
-  nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
-  nsswins = canLoadExternalModules && config.services.samba.nsswins;
-  ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
-
-  hostArray = mkMerge [
-    (mkBefore [ "files" ])
-    (mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ])
-    (mkIf nsswins [ "wins" ])
-    (mkAfter [ "dns" ])
-    (mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns
-  ];
-
-  passwdArray = mkMerge [
-    (mkBefore [ "files" ])
-    (mkIf ldap [ "ldap" ])
-  ];
-
-  shadowArray = mkMerge [
-    (mkBefore [ "files" ])
-    (mkIf ldap [ "ldap" ])
-  ];
-
-in {
+{
   options = {
 
     # NSS modules.  Hacky!
@@ -122,9 +95,11 @@ in {
   config = {
     assertions = [
       {
-        # generic catch if the NixOS module adding to nssModules does not prevent it with specific message.
-        assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
-        message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
+        # Prevent users from disabling nscd, with nssModules being set.
+        # If disabling nscd is really necessary, it's still possible to opt out
+        # by forcing config.system.nssModules to [].
+        assertion = config.system.nssModules.path != "" -> config.services.nscd.enable;
+        message = "Loading NSS modules from system.nssModules (${config.system.nssModules.path}), requires services.nscd.enable being set to true.";
       }
     ];
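Review bot: The opt-out described in the new comment (forcing `system.nssModules` to `[]`) does not remove the matching `system.nssDatabases` entries that the same modules contribute (`sss`, `ldap`, `mymachines`, `oslogin`, …), so nsswitch.conf would then name NSS modules glibc cannot load. As far as I can tell glibc skips an unloadable module and continues with the next source, so passwd/group/shadow lookups against those sources would silently return nothing rather than fail loudly, which matters for anything that authenticates through them. I would extend the comment: `# Note: forcing nssModules to [] does not remove the corresponding system.nssDatabases entries; lookups against those modules will then silently find nothing.` Minor: the comma in the message after `(${config.system.nssModules.path})` separates subject from verb and can be dropped.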
 
@@ -145,10 +120,13 @@ in {
     '';
 
     system.nssDatabases = {
-      passwd = passwdArray;
-      group = passwdArray;
-      shadow = shadowArray;
-      hosts = hostArray;
+      passwd = mkBefore [ "files" ];
+      group = mkBefore [ "files" ];
+      shadow = mkBefore [ "files" ];
+      hosts = mkMerge [
+        (mkBefore [ "files" ])
+        (mkAfter [ "dns" ])
+      ];
       services = mkBefore [ "files" ];
     };
   };
diff --git a/nixos/modules/security/google_oslogin.nix b/nixos/modules/security/google_oslogin.nix
index 78c2089baeb..c2889a0f0d1 100644
--- a/nixos/modules/security/google_oslogin.nix
+++ b/nixos/modules/security/google_oslogin.nix
@@ -50,6 +50,7 @@ in
     # enable the nss module, so user lookups etc. work
     system.nssModules = [ package ];
     system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ];
+    system.nssDatabases.group = [ "cache_oslogin" "oslogin" ];
 
     # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
     # So indirect by a symlink.
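Review bot: The comment above the block still says "so user lookups etc. work" while the hunk now also registers the module for the group database; `# enable the nss module, so user and group lookups work` would match the code. The new `group` entry sits at the default priority, the same as `mymachines` from systemd.nix, so their relative order is determined by module evaluation order rather than anything explicit here — probably fine for OS Login, but worth a `mkOrder` if the order is meant to be stable.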
diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix
index 77f6ccfe64f..3da99a3b38c 100644
--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -42,11 +42,6 @@ in {
   };
   config = mkMerge [
     (mkIf cfg.enable {
-      assertions = singleton {
-        assertion = nscd.enable;
-        message = "nscd must be enabled through `services.nscd.enable` for SSSD to work.";
-      };
-
       systemd.services.sssd = {
         description = "System Security Services Daemon";
         wantedBy    = [ "multi-user.target" ];
@@ -74,11 +69,12 @@ in {
         mode = "0400";
       };
 
-      system.nssModules = optional cfg.enable pkgs.sssd;
+      system.nssModules = pkgs.sssd;
       system.nssDatabases = {
+        group = [ "sss" ];
         passwd = [ "sss" ];
-        shadow = [ "sss" ];
         services = [ "sss" ];
+        shadow = [ "sss" ];
       };
       services.dbus.packages = [ pkgs.sssd ];
     })
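Review bot: `system.nssModules = pkgs.sssd;` assigns a bare package where the option expects a list: the removed line produced a list (`optional cfg.enable pkgs.sssd`), and every other definition in this PR is a list (`[ systemd.out ]`, `optional cfg.nsswins samba`, `optional cfg.nssmdns pkgs.nssmdns`). Unless the option coerces a single path, which I cannot see from here, this will fail the option's type check when sssd is enabled. The fix is `system.nssModules = [ pkgs.sssd ];`. The `mkIf cfg.enable` wrapper already makes the dropped `optional cfg.enable` redundant, so no gating is lost.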
diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix
index a115590ccaa..08c912e0fcd 100644
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@@ -224,6 +224,7 @@ in
       (mkIf cfg.enable {
 
         system.nssModules = optional cfg.nsswins samba;
+        system.nssDatabases.hosts = optional cfg.nsswins "wins";
 
         systemd = {
           targets.samba = {
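Review bot: Moving `wins` into this module changes its position relative to avahi's `mdns_minimal [NOTFOUND=return]`: the removed list in nsswitch.nix fixed the order as mdns_minimal, then wins, then dns, whereas now both are added at the default priority from different modules and their order depends on module evaluation order. If `wins` ends up before `mdns_minimal`, `.local` names would be tried via NetBIOS/WINS broadcasts before the `[NOTFOUND=return]` short-circuit applies, which is a (small) behaviour change for a mixed avahi+samba host. If the old order is intended, pin it here, e.g. `system.nssDatabases.hosts = optional cfg.nsswins (mkOrder 1100 "wins");` — or document that the relative order is unspecified.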
diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix
index ddcfe3d77e2..c876b252e8c 100644
--- a/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixos/modules/services/networking/avahi-daemon.nix
@@ -238,6 +238,10 @@ in
     users.groups.avahi = {};
 
     system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
+    system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
+      [ "mdns_minimal [NOTFOUND=return]" ]
+      (mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns
+    ]);
 
     environment.systemPackages = [ pkgs.avahi ];
 
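Review bot: `optionals cfg.nssmdns (mkMerge [ … ])` passes a `mkMerge` attribute set where `optionals` expects a list; it happens to work because `optionals` returns its second argument unchanged when the condition holds, but it reads as a type confusion. The module-system idiom for a conditional definition is `mkIf cfg.nssmdns (mkMerge [ … ])`, which is also what the removed code in nsswitch.nix used. Also worth a comment that `mdns_minimal [NOTFOUND=return]` lands before `dns` only because `dns` is `mkAfter` in nsswitch.nix, e.g. `# default priority: after "files", before the mkAfter "dns"`.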
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 36a25c4e6c3..7c4dc93e2fb 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -832,16 +832,8 @@ in
 
     system.build.units = cfg.units;
 
-    # Systemd provides various NSS modules to look up dynamic users, locally
-    # configured IP adresses and local container hostnames.
-    # On NixOS, these can only be passed to the NSS system via nscd (and its
-    # LD_LIBRARY_PATH), which is why it's usually a very good idea to have nscd
-    # enabled (also see the config.nscd.enable description).
-    # While there is already an assertion in place complaining loudly about
-    # having nssModules configured and nscd disabled, for some reason we still
-    # check for nscd being enabled before adding to nssModules.
-    system.nssModules = optional config.services.nscd.enable systemd.out;
-    system.nssDatabases = mkIf config.services.nscd.enable {
+    system.nssModules = [ systemd.out ];
+    system.nssDatabases = {
       hosts = (mkMerge [
         [ "mymachines" ]
         (mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last
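Review bot: The hunk drops the only explanation of why systemd's NSS modules go through `system.nssModules` (they are loaded via nscd) together with the nscd gate; after this change every NixOS system defines `nssModules`, so the assertion in nsswitch.nix now effectively requires `services.nscd.enable` everywhere, and a reader of this file has no hint why. I would keep a short version of the removed comment: `# systemd's NSS modules (mymachines, myhostname, systemd) are loaded via nscd; the assertion in nsswitch.nix requires services.nscd.enable whenever nssModules is non-empty.` The `hosts` merge list starting on the last lines continues past the end of this hunk.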
@@ -851,6 +843,10 @@ in
         [ "mymachines" ]
         (mkAfter [ "systemd" ])
       ]);
+      group = (mkMerge [
+        [ "mymachines" ]
+        (mkAfter [ "systemd" ])
+      ]);
     };
 
     environment.systemPackages = [ systemd ];
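Review bot: The new `group` definition is a verbatim copy of the `passwd` one directly above it (`[ "mymachines" ]` then `mkAfter [ "systemd" ]`); a `let userDbs = mkMerge [ [ "mymachines" ] (mkAfter [ "systemd" ]) ]; in` with `passwd = userDbs; group = userDbs;` would keep the two from drifting apart. The systemd and group entries are at default priority, so their order relative to `sss`/`ldap`/`oslogin` from other modules is evaluation order, as it was before this change.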