authorJanne Heß <janne@hess.ooo>2020-04-25 14:27:50 +0200
committerJanne Heß <janne@hess.ooo>2020-04-26 03:16:57 +0200
commitbc2a4b341a5a49a5068e5b361b5862df5e1ae9f9 (patch)
tree6906314a8af45d0d90ff46230d49d59584249420 /nixos/modules/config
parentbc675971dae581ec653fa6ce0b238729ccb7aa80 (diff)
nixos/nsswitch: Make databases more configurable
Instead of hardcoding all nss modules that are added into nsswitch,
there are now options exposed.
This allows users to add their own nss modules (I had this issue with
winbindd, for example).
Also, nss modules could be moved to their NixOS modules which would
make the nsswitch module slimmer.

As the lists are now handled by the modules system, we can use mkOrder
to ensure a proper order as well as mkForce to override one specific
database type instead of the entire file.
Diffstat (limited to 'nixos/modules/config')
-rw-r--r--nixos/modules/config/nsswitch.nix146
1 files changed, 108 insertions, 38 deletions
diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix
index 13277fe56e4..186dd7376e9 100644
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -10,6 +10,7 @@ let
   canLoadExternalModules = config.services.nscd.enable;
   myhostname = canLoadExternalModules;
   mymachines = canLoadExternalModules;
+  # XXX Move these to their respective modules
   nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
   nsswins = canLoadExternalModules && config.services.samba.nsswins;
   ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
@@ -17,28 +18,36 @@ let
   resolved = canLoadExternalModules && config.services.resolved.enable;
   googleOsLogin = canLoadExternalModules && config.security.googleOsLogin.enable;
 
-  hostArray = [ "files" ]
-    ++ optional mymachines "mymachines"
-    ++ optional nssmdns "mdns_minimal [NOTFOUND=return]"
-    ++ optional nsswins "wins"
-    ++ optional resolved "resolve [!UNAVAIL=return]"
-    ++ [ "dns" ]
-    ++ optional nssmdns "mdns"
-    ++ optional myhostname "myhostname";
-
-  passwdArray = [ "files" ]
-    ++ optional sssd "sss"
-    ++ optional ldap "ldap"
-    ++ optional mymachines "mymachines"
-    ++ optional googleOsLogin "cache_oslogin oslogin"
-    ++ [ "systemd" ];
-
-  shadowArray = [ "files" ]
-    ++ optional sssd "sss"
-    ++ optional ldap "ldap";
-
-  servicesArray = [ "files" ]
-    ++ optional sssd "sss";
+  hostArray = mkMerge [
+    (mkBefore [ "files" ])
+    (mkIf mymachines [ "mymachines" ])
+    (mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ])
+    (mkIf nsswins [ "wins" ])
+    (mkIf resolved [ "resolve [!UNAVAIL=return]" ])
+    (mkAfter [ "dns" ])
+    (mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns
+    (mkIf myhostname (mkOrder 1600 [ "myhostname" ])) # 1600 to ensure it's always the last
+  ];
+
+  passwdArray = mkMerge [
+    (mkBefore [ "files" ])
+    (mkIf sssd [ "sss" ])
+    (mkIf ldap [ "ldap" ])
+    (mkIf mymachines [ "mymachines" ])
+    (mkIf googleOsLogin [ "cache_oslogin oslogin" ])
+    (mkIf canLoadExternalModules (mkAfter [ "systemd" ]))
+  ];
+
+  shadowArray = mkMerge [
+    (mkBefore [ "files" ])
+    (mkIf sssd [ "sss" ])
+    (mkIf ldap [ "ldap" ])
+  ];
+
+  servicesArray = mkMerge [
+    (mkBefore [ "files" ])
+    (mkIf sssd [ "sss" ])
+  ];
 
 in {
   options = {
@@ -61,17 +70,73 @@ in {
         };
     };
 
-    system.nssHosts = mkOption {
-      type = types.listOf types.str;
-      default = [];
-      example = [ "mdns" ];
-      description = ''
-        List of host entries to configure in <filename>/etc/nsswitch.conf</filename>.
-      '';
-    };
+    system.nssDatabases = {
+      passwd = mkOption {
+        type = types.listOf types.str;
+        description = ''
+          List of passwd entries to configure in <filename>/etc/nsswitch.conf</filename>.
+
+          Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
+
+          This option only takes effect if nscd is enabled.
+        '';
+        default = [];
+      };
+
+      group = mkOption {
+        type = types.listOf types.str;
+        description = ''
+          List of group entries to configure in <filename>/etc/nsswitch.conf</filename>.
+
+          Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
+
+          This option only takes effect if nscd is enabled.
+        '';
+        default = [];
+      };
+
+      shadow = mkOption {
+        type = types.listOf types.str;
+        description = ''
+          List of shadow entries to configure in <filename>/etc/nsswitch.conf</filename>.
 
+          Note that "files" is always prepended.
+
+          This option only takes effect if nscd is enabled.
+        '';
+        default = [];
+      };
+
+      hosts = mkOption {
+        type = types.listOf types.str;
+        description = ''
+          List of hosts entries to configure in <filename>/etc/nsswitch.conf</filename>.
+
+          Note that "files" is always prepended, and "dns" and "myhostname" are always appended.
+
+          This option only takes effect if nscd is enabled.
+        '';
+        default = [];
+      };
+
+      services = mkOption {
+        type = types.listOf types.str;
+        description = ''
+          List of services entries to configure in <filename>/etc/nsswitch.conf</filename>.
+
+          Note that "files" is always prepended.
+
+          This option only takes effect if nscd is enabled.
+        '';
+        default = [];
+      };
+    };
   };
 
+  imports = [
+    (mkRenamedOptionModule [ "system" "nssHosts" ] [ "system" "nssDatabases" "hosts" ])
+  ];
+
   config = {
     assertions = [
       {
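Review bot: The sentence "This option only takes effect if nscd is enabled" in each description (L124, L136, L148, L160, L172) does not match what the module renders: the `environment.etc."nsswitch.conf".text` in the later hunk reads `config.system.nssDatabases.*` unconditionally, so the lists always end up in the file; what nscd gates is whether modules outside glibc can actually be loaded, presumably what the assertion above (outside this hunk) checks. A wording such as `Entries naming NSS modules outside glibc are only loadable when nscd is enabled; see the assertion in this module.` would be accurate. Similarly "files is always prepended" (L122, L134, L146, L158, L170) holds only for ordinary definitions, since a `mkForce` on the option discards the module's own `mkBefore [ "files" ]` definition along with the rest, which is worth saying because the commit message advertises mkForce as the way to override one database. None of the descriptions mention that mkOrder/mkBefore/mkAfter are how a caller positions an entry relative to the defaults; one sentence with an example (e.g. `mkOrder 1400` to go just before the appended entries) would spare users from guessing. The enclosing `options` set begins before this hunk.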
@@ -87,23 +152,28 @@ in {
     ];
 
     # Name Service Switch configuration file.  Required by the C
-    # library.  !!! Factor out the mdns stuff.  The avahi module
-    # should define an option used by this module.
+    # library.
     environment.etc."nsswitch.conf".text = ''
-      passwd:    ${concatStringsSep " " passwdArray}
-      group:     ${concatStringsSep " " passwdArray}
-      shadow:    ${concatStringsSep " " shadowArray}
+      passwd:    ${concatStringsSep " " config.system.nssDatabases.passwd}
+      group:     ${concatStringsSep " " config.system.nssDatabases.group}
+      shadow:    ${concatStringsSep " " config.system.nssDatabases.shadow}
 
-      hosts:     ${concatStringsSep " " config.system.nssHosts}
+      hosts:     ${concatStringsSep " " config.system.nssDatabases.hosts}
       networks:  files
 
       ethers:    files
-      services:  ${concatStringsSep " " servicesArray}
+      services:  ${concatStringsSep " " config.system.nssDatabases.services}
       protocols: files
       rpc:       files
     '';
 
-    system.nssHosts = hostArray;
+    system.nssDatabases = {
+      passwd = passwdArray;
+      group = passwdArray;
+      shadow = shadowArray;
+      hosts = hostArray;
+      services = servicesArray;
+    };
 
     # Systemd provides nss-myhostname to ensure that our hostname
     # always resolves to a valid IP address.  It returns all locally
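Review bot: `group = passwdArray;` (L215) feeds the group database the same Nix value as passwd, but the two options remain independent in the module system, so a user who adds to or `mkForce`s `system.nssDatabases.passwd` changes only the passwd line and must repeat the change for group (and vice versa); the previous code rendered both lines from one local, where that could not diverge. A short comment at L215 such as `# group reuses the passwd sources; overrides must be applied to both options` would make this explicit, and the `group` option description could say the same. The `config` attribute set continues past the end of this hunk.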