author | Florian Klink <flokli@flokli.de> | 2020-04-29 01:28:33 +0200 |
committer | GitHub <noreply@github.com> | 2020-04-29 01:28:33 +0200 |
commit | c01ac3ed129fafeff69025882b227f8612f0aeb7 (patch) | |
tree | f5789081f472d1c174da19583465d8bb3950d34f /nixos | |
parent | aa3dde806e0b6239d8cb8d15309b120a26f23cd6 (diff) | |
parent | edddc7c82a848f1b1f23344a338b5d56b38178c0 (diff) | |
Merge pull request #85998 from helsinki-systems/make-nsswitch-more-flexible
nixos/nsswitch: Make databases more configurable
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/nsswitch.nix | 140 | ||||
-rw-r--r-- | nixos/modules/services/misc/sssd.nix | 5 |
2 files changed, 106 insertions, 39 deletions
diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index 13277fe56e4..0acd8900e7b 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix 
@@ -10,35 +10,36 @@ let canLoadExternalModules = config.services.nscd.enable; myhostname = canLoadExternalModules; mymachines = canLoadExternalModules; + # XXX Move these to their respective modules nssmdns = canLoadExternalModules && config.services.avahi.nssmdns; nsswins = canLoadExternalModules && config.services.samba.nsswins; ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch); - sssd = canLoadExternalModules && config.services.sssd.enable; resolved = canLoadExternalModules && config.services.resolved.enable; googleOsLogin = canLoadExternalModules && config.security.googleOsLogin.enable; - hostArray = [ "files" ] - ++ optional mymachines "mymachines" - ++ optional nssmdns "mdns_minimal [NOTFOUND=return]" - ++ optional nsswins "wins" - ++ optional resolved "resolve [!UNAVAIL=return]" - ++ [ "dns" ] - ++ optional nssmdns "mdns" - ++ optional myhostname "myhostname"; - - passwdArray = [ "files" ] - ++ optional sssd "sss" - ++ optional ldap "ldap" - ++ optional mymachines "mymachines" - ++ optional googleOsLogin "cache_oslogin oslogin" - ++ [ "systemd" ]; - - shadowArray = [ "files" ] - ++ optional sssd "sss" - ++ optional ldap "ldap"; - - servicesArray = [ "files" ] - ++ optional sssd "sss"; + hostArray = mkMerge [ + (mkBefore [ "files" ]) + (mkIf mymachines [ "mymachines" ]) + (mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ]) + (mkIf nsswins [ "wins" ]) + (mkIf resolved [ "resolve [!UNAVAIL=return]" ]) + (mkAfter [ "dns" ]) + (mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns + (mkIf myhostname (mkOrder 1600 [ "myhostname" ])) # 1600 to ensure it's always the last + ]; + + passwdArray = mkMerge [ + (mkBefore [ "files" ]) + (mkIf ldap [ "ldap" ]) + (mkIf mymachines [ "mymachines" ]) + (mkIf googleOsLogin [ "cache_oslogin oslogin" ]) + (mkIf canLoadExternalModules (mkAfter [ "systemd" ])) + ]; + + shadowArray = mkMerge [ + (mkBefore [ "files" ]) + (mkIf ldap [ "ldap" ]) + ]; in { options = { 
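Review bot: The removed `passwdArray` spelled out the lookup order as `files sss ldap mymachines cache_oslogin oslogin systemd`, but in the new `mkMerge` the entries `ldap`, `mymachines` and `cache_oslogin oslogin` (and `sss`, now contributed from the sssd.nix hunk) are plain `mkIf` definitions with the default order priority, so as far as I can tell their relative order is whatever the module system yields for same-priority definitions rather than something this file states. For passwd/group/shadow the first source that answers wins, so which backend resolves a given name or uid can change when modules are added or reordered. Pinning each contributed entry with an explicit `mkOrder` value, as the hunk already does for `mdns` and `myhostname`, would keep the former sequence explicit. The `XXX Move these to their respective modules` comment suggests more modules will contribute here, which makes an unpinned order grow. The `let` block continues outside the hunk.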
@@ -61,17 +62,73 @@ in { }; }; - system.nssHosts = mkOption { - type = types.listOf types.str; - default = []; - example = [ "mdns" ]; - description = '' - List of host entries to configure in <filename>/etc/nsswitch.conf</filename>. - ''; - }; + system.nssDatabases = { + passwd = mkOption { + type = types.listOf types.str; + description = '' + List of passwd entries to configure in <filename>/etc/nsswitch.conf</filename>. + + Note that "files" is always prepended while "systemd" is appended if nscd is enabled. + + This option only takes effect if nscd is enabled. + ''; + default = []; + }; + + group = mkOption { + type = types.listOf types.str; + description = '' + List of group entries to configure in <filename>/etc/nsswitch.conf</filename>. + + Note that "files" is always prepended while "systemd" is appended if nscd is enabled. + + This option only takes effect if nscd is enabled. + ''; + default = []; + }; + + shadow = mkOption { + type = types.listOf types.str; + description = '' + List of shadow entries to configure in <filename>/etc/nsswitch.conf</filename>. + Note that "files" is always prepended. + + This option only takes effect if nscd is enabled. + ''; + default = []; + }; + + hosts = mkOption { + type = types.listOf types.str; + description = '' + List of hosts entries to configure in <filename>/etc/nsswitch.conf</filename>. + + Note that "files" is always prepended, and "dns" and "myhostname" are always appended. + + This option only takes effect if nscd is enabled. + ''; + default = []; + }; + + services = mkOption { + type = types.listOf types.str; + description = '' + List of services entries to configure in <filename>/etc/nsswitch.conf</filename>. + + Note that "files" is always prepended. + + This option only takes effect if nscd is enabled. + ''; + default = []; + }; + }; }; + imports = [ + (mkRenamedOptionModule [ "system" "nssHosts" ] [ "system" "nssDatabases" "hosts" ]) + ]; + config = { assertions = [ { 
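Review bot: Every new option description ends with `This option only takes effect if nscd is enabled.`, but the third hunk writes `config.system.nssDatabases.*` into `environment.etc."nsswitch.conf".text` with no nscd condition visible, so the listed entries appear in the file either way; what `canLoadExternalModules` (= `config.services.nscd.enable`) gates is whether modules outside glibc can be loaded. Suggest replacing that sentence with `Entries that refer to modules from system.nssModules only work when services.nscd.enable is set.` The `group` description promises that `"systemd"` is appended, which matches `group = passwdArray` in the third hunk, but nothing tells a module author that the `passwd` and `group` lists are otherwise independent, so a module adding a `passwd` entry must add the matching `group` entry itself; a one-line note to that effect in both descriptions would help. The old `system.nssHosts` carried `example = [ "mdns" ]`; the new options have no `example`.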
@@ -87,23 +144,28 @@ in { ]; # Name Service Switch configuration file. Required by the C - # library. !!! Factor out the mdns stuff. The avahi module - # should define an option used by this module. + # library. environment.etc."nsswitch.conf".text = '' - passwd: ${concatStringsSep " " passwdArray} - group: ${concatStringsSep " " passwdArray} - shadow: ${concatStringsSep " " shadowArray} + passwd: ${concatStringsSep " " config.system.nssDatabases.passwd} + group: ${concatStringsSep " " config.system.nssDatabases.group} + shadow: ${concatStringsSep " " config.system.nssDatabases.shadow} - hosts: ${concatStringsSep " " config.system.nssHosts} + hosts: ${concatStringsSep " " config.system.nssDatabases.hosts} networks: files ethers: files - services: ${concatStringsSep " " servicesArray} + services: ${concatStringsSep " " config.system.nssDatabases.services} protocols: files rpc: files ''; - system.nssHosts = hostArray; + system.nssDatabases = { + passwd = passwdArray; + group = passwdArray; + shadow = shadowArray; + hosts = hostArray; + services = mkBefore [ "files" ]; + }; # Systemd provides nss-myhostname to ensure that our hostname # always resolves to a valid IP address. It returns all locally diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix index 36008d25741..77f6ccfe64f 100644 --- a/nixos/modules/services/misc/sssd.nix +++ b/nixos/modules/services/misc/sssd.nix @@ -75,6 +75,11 @@ in { }; system.nssModules = optional cfg.enable pkgs.sssd; + system.nssDatabases = { + passwd = [ "sss" ]; + shadow = [ "sss" ]; + services = [ "sss" ]; + }; services.dbus.packages = [ pkgs.sssd ]; }) |
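Review bot: The sssd.nix hunk defines `system.nssDatabases` for `passwd`, `shadow` and `services` but not `group`, whereas the removed nsswitch.nix code put `sss` in `passwdArray`, which also fed the `group:` line (`group = passwdArray` in the nsswitch.nix hunk on this line keeps that only for the entries still defined there). As written, groups managed by sssd are no longer resolvable through NSS, so supplementary-group membership from that backend silently stops applying to access checks. Add `group = [ "sss" ];` alongside the other three. The old `sssd` definition was additionally gated on `canLoadExternalModules`; here the condition is whatever encloses the hunk (outside view), which is the same condition the `system.nssModules = optional cfg.enable pkgs.sssd` line above is subject to, so the two stay consistent, but it is worth confirming that nothing else relied on the nscd gate.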