From ecf327d697f477f903980295a9ba0a00301f9ecc Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Tue, 5 May 2020 23:59:38 +0200 Subject: [PATCH 01/11] nixos/sssd: add to system.nssDatabases.group too nixos/modules/config/nsswitch.nix uses `passwdArray` for both `passwd` and `group`, but when moving this into the sss module in edddc7c82a848f1b1f23344a338b5d56b38178c0, it didn't get split appropriately. --- nixos/modules/services/misc/sssd.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix index 77f6ccfe64f06..fbee02b8e2442 100644 --- a/nixos/modules/services/misc/sssd.nix +++ b/nixos/modules/services/misc/sssd.nix @@ -76,9 +76,10 @@ in { system.nssModules = optional cfg.enable pkgs.sssd; system.nssDatabases = { + group = [ "sss" ]; passwd = [ "sss" ]; - shadow = [ "sss" ]; services = [ "sss" ]; + shadow = [ "sss" ]; }; services.dbus.packages = [ pkgs.sssd ]; }) From 22975087831bf4bd86c7f54174796c43946ffcdb Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 6 May 2020 00:02:57 +0200 Subject: [PATCH 02/11] nixos/google-oslogin: add to system.nssDatabases.group too nixos/modules/config/nsswitch.nix uses `passwdArray` for both `passwd` and `group`, but when moving this into the google-oslogin module in 4b71b6f8fa5f7b06ea5d0dd37d44a73757c7f142, it didn't get split appropriately. --- nixos/modules/security/google_oslogin.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/security/google_oslogin.nix b/nixos/modules/security/google_oslogin.nix index 78c2089baeb95..c2889a0f0d1d7 100644 --- a/nixos/modules/security/google_oslogin.nix +++ b/nixos/modules/security/google_oslogin.nix 
@@ -50,6 +50,7 @@ in # enable the nss module, so user lookups etc. work system.nssModules = [ package ]; system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ]; + system.nssDatabases.group = [ "cache_oslogin" "oslogin" ]; # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable. # So indirect by a symlink. From 36b6e26d40ae8219302c52cac7f5ac5db9b73532 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 6 May 2020 00:06:40 +0200 Subject: [PATCH 03/11] nixos/systemd: add to system.nssDatabases.group too nixos/modules/config/nsswitch.nix uses `passwdArray` for both `passwd` and `group`, but when moving this into the systemd module in c0995d22eed1a19ac9442c8460c18dd6a4c389b7, it didn't get split appropriately. --- nixos/modules/system/boot/systemd.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index ffc5387e8102f..e05c0c8b2acde 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -848,6 +848,10 @@ in [ "mymachines" ] (mkAfter [ "systemd" ]) ]); + group = (mkMerge [ + [ "mymachines" ] + (mkAfter [ "systemd" ]) + ]); }; environment.systemPackages = [ systemd ]; From 4f9c8ef7911d5fdf125b6959244f18270e8e0a19 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 6 May 2020 00:09:59 +0200 Subject: [PATCH 04/11] nixos/ldap: move nss database configuration into ldap module now that passwdArray and shadowArray aren't used anymore, these can be folded. --- nixos/modules/config/ldap.nix | 4 ++++ nixos/modules/config/nsswitch.nix | 17 +++-------------- 2 files changed, 7 insertions(+), 14 deletions(-) diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix index 4c8b527676b23..1a5dbcd4e26ba 100644 --- a/nixos/modules/config/ldap.nix +++ b/nixos/modules/config/ldap.nix 
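Review bot: The new `group` attribute in systemd.nix repeats the `passwd` merge list (`[ "mymachines" ]` followed by `mkAfter [ "systemd" ]`) verbatim; the `passwd` definition itself starts outside the hunk. If both are meant to stay in step, binding the list once, e.g. `nssUserDatabases = mkMerge [ [ "mymachines" ] (mkAfter [ "systemd" ]) ];` in the module's `let` block and then `passwd = nssUserDatabases; group = nssUserDatabases;`, keeps the two from drifting apart. Whether a suitable `let` block exists in this file is not visible from the hunk.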
@@ -244,6 +244,10 @@ in if cfg.daemon.enable then nss_pam_ldapd else nss_ldap ); + system.nssDatabases.group = optional cfg.nsswitch "ldap"; + system.nssDatabases.passwd = optional cfg.nsswitch "ldap"; + system.nssDatabases.shadow = optional cfg.nsswitch "ldap"; + users = mkIf cfg.daemon.enable { groups.nslcd = { gid = config.ids.gids.nslcd; diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index 22ddb3490c8e9..465c910d95b64 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix @@ -11,7 +11,6 @@ let # XXX Move these to their respective modules nssmdns = canLoadExternalModules && config.services.avahi.nssmdns; nsswins = canLoadExternalModules && config.services.samba.nsswins; - ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch); hostArray = mkMerge [ (mkBefore [ "files" ]) @@ -21,16 +20,6 @@ let (mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns ]; - passwdArray = mkMerge [ - (mkBefore [ "files" ]) - (mkIf ldap [ "ldap" ]) - ]; - - shadowArray = mkMerge [ - (mkBefore [ "files" ]) - (mkIf ldap [ "ldap" ]) - ]; - in { options = { @@ -145,9 +134,9 @@ in { ''; system.nssDatabases = { - passwd = passwdArray; - group = passwdArray; - shadow = shadowArray; + passwd = mkBefore [ "files" ]; + group = mkBefore [ "files" ]; + shadow = mkBefore [ "files" ]; hosts = hostArray; services = mkBefore [ "files" ]; }; From fd21793de61bacf8893d7c5f6e7fdd3c76855dfe Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 6 May 2020 00:17:05 +0200 Subject: [PATCH 05/11] nixos/avahi: move nss database configuration into avahi module --- nixos/modules/config/nsswitch.nix | 3 --- nixos/modules/services/networking/avahi-daemon.nix | 4 ++++ 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index 465c910d95b64..556ae3951f74d 100644 --- a/nixos/modules/config/nsswitch.nix 
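Review bot: The three new `system.nssDatabases.*` assignments in ldap.nix are conditioned on `cfg.nsswitch` alone, while the `ldap` binding removed from nsswitch.nix also required `config.users.ldap.enable` and `canLoadExternalModules`; the first is presumably supplied by an enclosing `mkIf cfg.enable` that starts outside the hunk, and the second is now left to the nscd assertion in nsswitch.nix, which only fires because the `system.nssModules` assignment ending just above is non-empty under the same condition — both worth confirming. The `"ldap"` entries land at the default merge priority, so they still sort after the `mkBefore [ "files" ]` values that the `@@ -145,9` hunk now sets in nsswitch.nix, preserving the previous `files ldap` order for passwd, group and shadow. A comment above the three lines, `# default priority: sorts after the mkBefore "files" entries set in config/nsswitch.nix`, would make that cross-module ordering dependency explicit.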
+++ b/nixos/modules/config/nsswitch.nix @@ -9,15 +9,12 @@ let # only with nscd up and running we can load NSS modules that are not integrated in NSS canLoadExternalModules = config.services.nscd.enable; # XXX Move these to their respective modules - nssmdns = canLoadExternalModules && config.services.avahi.nssmdns; nsswins = canLoadExternalModules && config.services.samba.nsswins; hostArray = mkMerge [ (mkBefore [ "files" ]) - (mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ]) (mkIf nsswins [ "wins" ]) (mkAfter [ "dns" ]) - (mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns ]; in { diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index ddcfe3d77e2f7..c876b252e8cd9 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -238,6 +238,10 @@ in users.groups.avahi = {}; system.nssModules = optional cfg.nssmdns pkgs.nssmdns; + system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [ + [ "mdns_minimal [NOTFOUND=return]" ] + (mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns + ]); environment.systemPackages = [ pkgs.avahi ]; From 1fb6c37597d12e209798ded07f8c122839b8db67 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 6 May 2020 00:20:30 +0200 Subject: [PATCH 06/11] nixos/samba: move nss database configuration into samba module --- nixos/modules/config/nsswitch.nix | 22 +++++-------------- .../services/network-filesystems/samba.nix | 1 + 2 files changed, 7 insertions(+), 16 deletions(-) diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index 556ae3951f74d..fd8425bfa2eeb 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix 
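Review bot: `optionals cfg.nssmdns (mkMerge [ ... ])` in avahi-daemon.nix passes a `mkMerge` attribute set where `optionals` expects a list; it only works because `optionals` hands its second argument back untouched when the condition holds, which reads as accidental. `mkIf cfg.nssmdns (mkMerge [ ... ])` is the idiomatic form for a conditional definition and states the intent directly. Note also that the `canLoadExternalModules` guard dropped from nsswitch.nix in the same patch is not re-applied here, so with nscd disabled the `mdns` entries are now written and evaluation instead fails on the nsswitch assertion via the `system.nssModules = optional cfg.nssmdns pkgs.nssmdns` line above; that matches the series' intent but is a visible behaviour change from silently omitting them that the commit message could mention.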
@@ -4,20 +4,7 @@ with lib; -let - - # only with nscd up and running we can load NSS modules that are not integrated in NSS - canLoadExternalModules = config.services.nscd.enable; - # XXX Move these to their respective modules - nsswins = canLoadExternalModules && config.services.samba.nsswins; - - hostArray = mkMerge [ - (mkBefore [ "files" ]) - (mkIf nsswins [ "wins" ]) - (mkAfter [ "dns" ]) - ]; - -in { +{ options = { # NSS modules. Hacky! @@ -109,7 +96,7 @@ in { assertions = [ { # generic catch if the NixOS module adding to nssModules does not prevent it with specific message. - assertion = config.system.nssModules.path != "" -> canLoadExternalModules; + assertion = config.system.nssModules.path != "" -> config.services.nscd.enable; message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled."; } ]; @@ -134,7 +121,10 @@ in { passwd = mkBefore [ "files" ]; group = mkBefore [ "files" ]; shadow = mkBefore [ "files" ]; - hosts = hostArray; + hosts = mkMerge [ + (mkBefore [ "files" ]) + (mkAfter [ "dns" ]) + ]; services = mkBefore [ "files" ]; }; }; diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index a115590ccaa00..08c912e0fcd43 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -224,6 +224,7 @@ in (mkIf cfg.enable { system.nssModules = optional cfg.nsswins samba; + system.nssDatabases.hosts = optional cfg.nsswins "wins"; systemd = { targets.samba = { From 0f6f544aafae42f4dcba7284a8dc4b61bb8fbb22 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 6 May 2020 00:22:47 +0200 Subject: [PATCH 07/11] nixos/sssd: drop assertion This is now already triggered by the nsswitch module, as we set system.nssModules. --- nixos/modules/services/misc/sssd.nix | 5 ----- 1 file changed, 5 deletions(-) 
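Review bot: `system.nssDatabases.hosts = optional cfg.nsswins "wins";` in samba.nix now sits under the `mkIf cfg.enable` shown in the context, whereas the `nsswins` binding removed from nsswitch.nix in this patch keyed only on `config.services.samba.nsswins` (plus nscd); a configuration with `services.samba.nsswins = true` but `services.samba.enable = false` therefore stops adding `wins` to `hosts`. That is the more consistent behaviour, since `system.nssModules` was already gated on `cfg.enable` on the line above, but the commit message does not say so; a sentence there or a comment such as `# registered under the same cfg.enable condition as the wins NSS module above` would record it. Ordering against the nsswitch.nix hunk is otherwise preserved: `wins` keeps the default priority between the `mkBefore [ "files" ]` and `mkAfter [ "dns" ]` entries.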
diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix index fbee02b8e2442..b9b1b13d7f945 100644 --- a/nixos/modules/services/misc/sssd.nix +++ b/nixos/modules/services/misc/sssd.nix @@ -42,11 +42,6 @@ in { }; config = mkMerge [ (mkIf cfg.enable { - assertions = singleton { - assertion = nscd.enable; - message = "nscd must be enabled through `services.nscd.enable` for SSSD to work."; - }; - systemd.services.sssd = { description = "System Security Services Daemon"; wantedBy = [ "multi-user.target" ]; From 1df38e2a1d747f6e519c5aec02118e9672640cc8 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 6 May 2020 00:29:35 +0200 Subject: [PATCH 08/11] nixos/nsswitch: update comment next to assertion --- nixos/modules/config/nsswitch.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index fd8425bfa2eeb..9d1b67d3bbf32 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix @@ -95,7 +95,9 @@ with lib; config = { assertions = [ { - # generic catch if the NixOS module adding to nssModules does not prevent it with specific message. + # Prevent users from disabling nscd, with nssModules being set. + # If disabling nscd is really necessary, it's still possible to opt out + # by forcing config.system.nssModules to []. assertion = config.system.nssModules.path != "" -> config.services.nscd.enable; message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled."; } From 4a69bf2a1e8ed79a237c0476556fb72f6de90f98 Mon Sep 17 00:00:00 2001 
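Review bot: With the sssd-specific assertion gone, the only safeguard is the generic one in nsswitch.nix, which fires because `system.nssModules = optional cfg.enable pkgs.sssd` (set further down in this file, outside the hunk) is non-empty whenever sssd is enabled; that holds as long as the nssModules assignment keeps its list form. The removed block was the visible user of `nscd` in this hunk; if `nscd` is a `let` binding for `config.services.nscd` at the top of the file, it may now be unused and could be dropped too — not verifiable from here.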
From: Florian Klink Date: Wed, 6 May 2020 00:24:38 +0200 Subject: [PATCH 09/11] nixos/systemd: enable systemd-provided nss modules unconditionally A disabled nscd breaks nss module loading on NixOS, and systemd without its nss modules doesn't really work either - instead of silently disabling its nss modules if nscd is disabled, let the assertion in nsswitch handle this. --- nixos/modules/system/boot/systemd.nix | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index e05c0c8b2acde..96b9815aa2b31 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -829,16 +829,8 @@ in system.build.units = cfg.units; - # Systemd provides various NSS modules to look up dynamic users, locally - # configured IP adresses and local container hostnames. - # On NixOS, these can only be passed to the NSS system via nscd (and its - # LD_LIBRARY_PATH), which is why it's usually a very good idea to have nscd - # enabled (also see the config.nscd.enable description). - # While there is already an assertion in place complaining loudly about - # having nssModules configured and nscd disabled, for some reason we still - # check for nscd being enabled before adding to nssModules. - system.nssModules = optional config.services.nscd.enable systemd.out; - system.nssDatabases = mkIf config.services.nscd.enable { + system.nssModules = [ systemd.out ]; + system.nssDatabases = { hosts = (mkMerge [ [ "mymachines" ] (mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last From 90bc3ec9b97ef3fb0ea6f34916bea1db780f110f Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sat, 9 May 2020 16:38:08 +0200 Subject: [PATCH 10/11] nixos/sssd remove redundant condition This is all inside a global cfg.enable conditional, so we don't need to check here again. --- nixos/modules/services/misc/sssd.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
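Review bot: Making `system.nssModules = [ systemd.out ];` unconditional means `system.nssModules.path` is non-empty on every NixOS system, so the assertion in config/nsswitch.nix now turns `services.nscd.enable = false` into an evaluation failure unless the configuration also sets `system.nssModules = lib.mkForce [];`. The commit message states the intent, but the only user-facing hint of that opt-out is a source comment; this deserves a release-notes entry and a sentence in the `services.nscd.enable` option description. The deleted comment also carried the rationale (the modules reach NSS only through nscd and its LD_LIBRARY_PATH); keeping a shortened version such as `# nss-systemd, myhostname and mymachines are only loadable through nscd; the assertion in config/nsswitch.nix enforces that` preserves it. The enclosing attribute set continues past the hunk.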
diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix index b9b1b13d7f945..3da99a3b38c1b 100644 --- a/nixos/modules/services/misc/sssd.nix +++ b/nixos/modules/services/misc/sssd.nix @@ -69,7 +69,7 @@ in { mode = "0400"; }; - system.nssModules = optional cfg.enable pkgs.sssd; + system.nssModules = pkgs.sssd; system.nssDatabases = { group = [ "sss" ]; passwd = [ "sss" ]; From 23ba50611321035e02f5bfc2f5f809600ccc2f7b Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sat, 9 May 2020 16:39:58 +0200 Subject: [PATCH 11/11] nixos/nsswitch: improve error message Show the config option triggering the assertion, so people don't necessary lookup the nixpkgs source code. --- nixos/modules/config/nsswitch.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index 9d1b67d3bbf32..d19d35a489062 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix @@ -99,7 +99,7 @@ with lib; # If disabling nscd is really necessary, it's still possible to opt out # by forcing config.system.nssModules to []. assertion = config.system.nssModules.path != "" -> config.services.nscd.enable; - message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled."; + message = "Loading NSS modules from system.nssModules (${config.system.nssModules.path}), requires services.nscd.enable being set to true."; } ];
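Review bot: `system.nssModules = pkgs.sssd;` changes the value's type: the removed `optional cfg.enable pkgs.sssd` evaluated to a list (`[ pkgs.sssd ]` or `[]`), whereas the new line assigns a bare derivation. Every other assignment to this option in the series is a list (`[ systemd.out ]`, `optional cfg.nsswins samba`, `optional cfg.nssmdns pkgs.nssmdns`), and the `config.system.nssModules.path` used by the nsswitch assertion suggests an `apply` that builds a search path from a list, so if the option is declared as `listOf`, this likely fails the option type check at evaluation time rather than merely dropping the condition. The intended line is `system.nssModules = [ pkgs.sssd ];`.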
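Review bot: The new message has a stray comma separating subject and verb (`... (${config.system.nssModules.path}), requires ...`); it should read `message = "Loading NSS modules from system.nssModules (${config.system.nssModules.path}) requires services.nscd.enable being set to true.";`. Since the commit's aim is that users need not read the nixpkgs source, the escape hatch that the comment two lines above describes belongs in the message as well, e.g. appending ` Either enable nscd, or force system.nssModules to [] if those modules are genuinely not needed.`; otherwise the only documentation of the opt-out stays in a source comment.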