authorNikolay Amiantov <ab@fmap.me>2019-07-22 16:23:07 +0300
committerGitHub <noreply@github.com>2019-07-22 16:23:07 +0300
commita0ba42e3f4e7de10de156707ef845e8a52525e0c (patch)
tree1c6aabec727dd8f74389d2c3d0db86c876e34865 /nixos
parent3c65adaa750a66de589e61e01e96200a29187cd6 (diff)
parentd79584c90253107d8d29869de0951545a567554a (diff)
Merge pull request #64268 from jameysharp/nscd-dynamicuser
nixos/nscd: DynamicUser and other cleanups
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/system/nscd.conf18
-rw-r--r--nixos/modules/services/system/nscd.nix31
2 files changed, 9 insertions, 40 deletions
diff --git a/nixos/modules/services/system/nscd.conf b/nixos/modules/services/system/nscd.conf
index 603a5d01acc..2b7523a7346 100644
--- a/nixos/modules/services/system/nscd.conf
+++ b/nixos/modules/services/system/nscd.conf
@@ -7,46 +7,28 @@
 # is not aware of the path in which the nss modules live.  As a workaround, we
 # have `enable-cache yes` with an explicit ttl of 0
 server-user             nscd
-threads                 1
-paranoia                no
-debug-level             0
 
 enable-cache            passwd          yes
 positive-time-to-live   passwd          0
 negative-time-to-live   passwd          0
-suggested-size          passwd          211
-check-files             passwd          yes
-persistent              passwd          no
 shared                  passwd          yes
 
 enable-cache            group           yes
 positive-time-to-live   group           0
 negative-time-to-live   group           0
-suggested-size          group           211
-check-files             group           yes
-persistent              group           no
 shared                  group           yes
 
 enable-cache            netgroup        yes
 positive-time-to-live   netgroup        0
 negative-time-to-live   netgroup        0
-suggested-size          netgroup        211
-check-files             netgroup        yes
-persistent              netgroup        no
 shared                  netgroup        yes
 
 enable-cache            hosts           yes
 positive-time-to-live   hosts           600
 negative-time-to-live   hosts           0
-suggested-size          hosts           211
-check-files             hosts           yes
-persistent              hosts           no
 shared                  hosts           yes
 
 enable-cache            services        yes
 positive-time-to-live   services        0
 negative-time-to-live   services        0
-suggested-size          services        211
-check-files             services        yes
-persistent              services        no
 shared                  services        yes
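Review bot: The retained `server-user             nscd` line now names the account that systemd allocates through DynamicUser in nscd.nix rather than a user declared by the module, so this file silently depends on the unit being called `nscd` (systemd derives the dynamic user's name from the unit name when no User= is set). A comment next to that line would make the coupling visible: `# "nscd" is the DynamicUser allocated by the systemd unit; nscd starts as root and drops to it once the NSS modules are loaded.` The dropped `persistent ... no` and `debug-level 0` lines match glibc's documented defaults, but `threads`, `paranoia`, `check-files` and `suggested-size` are now whatever the running glibc defaults to instead of pinned values, which is presumably intended; a one-line comment stating that glibc defaults are relied on would save the next reader from checking. The header comment starts above this hunk.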
diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix
index fd1570d1198..e11f7e049d8 100644
--- a/nixos/modules/services/system/nscd.nix
+++ b/nixos/modules/services/system/nscd.nix
@@ -39,11 +39,6 @@ in
   config = mkIf cfg.enable {
     environment.etc."nscd.conf".text = cfg.config;
 
-    users.users.nscd =
-      { isSystemUser = true;
-        description = "Name service cache daemon user";
-      };
-
     systemd.services.nscd =
       { description = "Name Service Cache Daemon";
 
@@ -51,22 +46,23 @@ in
 
         environment = { LD_LIBRARY_PATH = nssModulesPath; };
 
-        preStart =
-          ''
-            mkdir -m 0755 -p /run/nscd
-            rm -f /run/nscd/nscd.pid
-            mkdir -m 0755 -p /var/db/nscd
-          '';
-
         restartTriggers = [
           config.environment.etc.hosts.source
           config.environment.etc."nsswitch.conf".source
           config.environment.etc."nscd.conf".source
         ];
 
+        # We use DynamicUser because in default configurations nscd doesn't
+        # create any files that need to survive restarts. However, in some
+        # configurations, nscd needs to be started as root; it will drop
+        # privileges after all the NSS modules have read their configuration
+        # files. So prefix the ExecStart command with "!" to prevent systemd
+        # from dropping privileges early. See ExecStart in systemd.service(5).
         serviceConfig =
-          { ExecStart = "@${pkgs.glibc.bin}/sbin/nscd nscd";
+          { ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd";
             Type = "forking";
+            DynamicUser = true;
+            RuntimeDirectory = "nscd";
             PIDFile = "/run/nscd/nscd.pid";
             Restart = "always";
             ExecReload =
@@ -75,15 +71,6 @@ in
                 "${pkgs.glibc.bin}/sbin/nscd --invalidate hosts"
               ];
           };
-
-        # Urgggggh... Nscd forks before opening its socket and writing
-        # its pid. So wait until it's ready.
-        postStart =
-          ''
-            while ! ${pkgs.glibc.bin}/sbin/nscd -g > /dev/null; do
-              sleep 0.2
-            done
-          '';
       };
 
   };