colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/nsswitch: Make databases more configurable

Browse Source 
Instead of hardcoding all nss modules that are added into nsswitch,
there are now options exposed.
This allows users to add own nss modules (I had this issue with
winbindd, for example).
Also, nss modules could be moved to their NixOS modules which would
make the nsswitch module slimmer.

As the lists are now handled by the modules system, we can use mkOrder
to ensure a proper order as well as mkForce to override one specific
database type instead of the entire file.
This commit is contained in:
Janne Heß 2020-04-25 14:27:50 +02:00
parent bc675971da
commit bc2a4b341a
No known key found for this signature in database
GPG Key ID: 69165158F05265DF
1 changed files with 105 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
nixos/modules/config/nsswitch.nix
View File

@ -10,6 +10,7 @@ let
canLoadExternalModules = config.services.nscd.enable;
myhostname = canLoadExternalModules;
mymachines = canLoadExternalModules;
# XXX Move these to their respective modules
nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
nsswins = canLoadExternalModules && config.services.samba.nsswins;
ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
@ -17,28 +18,36 @@ let
resolved = canLoadExternalModules && config.services.resolved.enable;
googleOsLogin = canLoadExternalModules && config.security.googleOsLogin.enable;
hostArray = [ "files" ]
++ optional mymachines "mymachines"
++ optional nssmdns "mdns_minimal [NOTFOUND=return]"
++ optional nsswins "wins"
++ optional resolved "resolve [!UNAVAIL=return]"
++ [ "dns" ]
++ optional nssmdns "mdns"
++ optional myhostname "myhostname";
hostArray = mkMerge [
(mkBefore [ "files" ])
(mkIf mymachines [ "mymachines" ])
(mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ])
(mkIf nsswins [ "wins" ])
(mkIf resolved [ "resolve [!UNAVAIL=return]" ])
(mkAfter [ "dns" ])
(mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns
(mkIf myhostname (mkOrder 1600 [ "myhostname" ])) # 1600 to ensure it's always the last
];
passwdArray = [ "files" ]
++ optional sssd "sss"
++ optional ldap "ldap"
++ optional mymachines "mymachines"
++ optional googleOsLogin "cache_oslogin oslogin"
++ [ "systemd" ];
passwdArray = mkMerge [
(mkBefore [ "files" ])
(mkIf sssd [ "sss" ])
(mkIf ldap [ "ldap" ])
(mkIf mymachines [ "mymachines" ])
(mkIf googleOsLogin [ "cache_oslogin oslogin" ])
(mkIf canLoadExternalModules (mkAfter [ "systemd" ]))
];
shadowArray = [ "files" ]
++ optional sssd "sss"
++ optional ldap "ldap";
shadowArray = mkMerge [
(mkBefore [ "files" ])
(mkIf sssd [ "sss" ])
(mkIf ldap [ "ldap" ])
];
servicesArray = [ "files" ]
++ optional sssd "sss";
servicesArray = mkMerge [
(mkBefore [ "files" ])
(mkIf sssd [ "sss" ])
];
in {
options = {
@ -61,17 +70,73 @@ in {
};
};
system.nssHosts = mkOption {
type = types.listOf types.str;
default = [];
example = [ "mdns" ];
description = ''
List of host entries to configure in <filename>/etc/nsswitch.conf</filename>.
'';
};
system.nssDatabases = {
passwd = mkOption {
type = types.listOf types.str;
description = ''
List of passwd entries to configure in <filename>/etc/nsswitch.conf</filename>.
Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
This option only takes effect if nscd is enabled.
'';
default = [];
};
group = mkOption {
type = types.listOf types.str;
description = ''
List of group entries to configure in <filename>/etc/nsswitch.conf</filename>.
Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
This option only takes effect if nscd is enabled.
'';
default = [];
};
shadow = mkOption {
type = types.listOf types.str;
description = ''
List of shadow entries to configure in <filename>/etc/nsswitch.conf</filename>.
Note that "files" is always prepended.
This option only takes effect if nscd is enabled.
'';
default = [];
};
hosts = mkOption {
type = types.listOf types.str;
description = ''
List of hosts entries to configure in <filename>/etc/nsswitch.conf</filename>.
Note that "files" is always prepended, and "dns" and "myhostname" are always appended.
This option only takes effect if nscd is enabled.
'';
default = [];
};
services = mkOption {
type = types.listOf types.str;
description = ''
List of services entries to configure in <filename>/etc/nsswitch.conf</filename>.
Note that "files" is always prepended.
This option only takes effect if nscd is enabled.
'';
default = [];
};
};
};
imports = [
(mkRenamedOptionModule [ "system" "nssHosts" ] [ "system" "nssDatabases" "hosts" ])
];
config = {
assertions = [
{
@ -87,23 +152,28 @@ in {
];
# Name Service Switch configuration file. Required by the C
# library. !!! Factor out the mdns stuff. The avahi module
# should define an option used by this module.
# library.
environment.etc."nsswitch.conf".text = ''
passwd: ${concatStringsSep " " passwdArray}
group: ${concatStringsSep " " passwdArray}
shadow: ${concatStringsSep " " shadowArray}
passwd: ${concatStringsSep " " config.system.nssDatabases.passwd}
group: ${concatStringsSep " " config.system.nssDatabases.group}
shadow: ${concatStringsSep " " config.system.nssDatabases.shadow}
hosts: ${concatStringsSep " " config.system.nssHosts}
hosts: ${concatStringsSep " " config.system.nssDatabases.hosts}
networks: files
ethers: files
services: ${concatStringsSep " " servicesArray}
services: ${concatStringsSep " " config.system.nssDatabases.services}
protocols: files
rpc: files
'';
system.nssHosts = hostArray;
system.nssDatabases = {
passwd = passwdArray;
group = passwdArray;
shadow = shadowArray;
hosts = hostArray;
services = servicesArray;
};
# Systemd provides nss-myhostname to ensure that our hostname
# always resolves to a valid IP address. It returns all locally