Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/nsswitch cleanup nss modules #87016

Merged
merged 11 commits into from
May 14, 2020
Merged

nixos/nsswitch cleanup nss modules #87016

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
ecf327d
nixos/sssd: add to system.nssDatabases.group too
flokli May 5, 2020
2297508
nixos/google-oslogin: add to system.nssDatabases.group too
flokli May 5, 2020
36b6e26
nixos/systemd: add to system.nssDatabases.group too
flokli May 5, 2020
4f9c8ef
nixos/ldap: move nss database configuration into ldap module
flokli May 5, 2020
fd21793
nixos/avahi: move nss database configuration into avahi module
flokli May 5, 2020
1fb6c37
nixos/samba: move nss database configuration into samba module
flokli May 5, 2020
0f6f544
nixos/sssd: drop assertion
flokli May 5, 2020
1df38e2
nixos/nsswitch: update comment next to assertion
flokli May 5, 2020
4a69bf2
nixos/systemd: enable systemd-provided nss modules unconditionally
flokli May 5, 2020
90bc3ec
nixos/sssd remove redundant condition
flokli May 9, 2020
23ba506
nixos/nsswitch: improve error message
flokli May 9, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions nixos/modules/config/ldap.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,6 +244,10 @@ in
if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
);

system.nssDatabases.group = optional cfg.nsswitch "ldap";
system.nssDatabases.passwd = optional cfg.nsswitch "ldap";
system.nssDatabases.shadow = optional cfg.nsswitch "ldap";

users = mkIf cfg.daemon.enable {
groups.nslcd = {
gid = config.ids.gids.nslcd;
Expand Down
48 changes: 13 additions & 35 deletions nixos/modules/config/nsswitch.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,34 +4,7 @@

with lib;

let

# only with nscd up and running we can load NSS modules that are not integrated in NSS
canLoadExternalModules = config.services.nscd.enable;
# XXX Move these to their respective modules
nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
nsswins = canLoadExternalModules && config.services.samba.nsswins;
ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);

hostArray = mkMerge [
(mkBefore [ "files" ])
(mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ])
(mkIf nsswins [ "wins" ])
(mkAfter [ "dns" ])
(mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns
];

passwdArray = mkMerge [
(mkBefore [ "files" ])
(mkIf ldap [ "ldap" ])
];

shadowArray = mkMerge [
(mkBefore [ "files" ])
(mkIf ldap [ "ldap" ])
];

in {
{
options = {

# NSS modules. Hacky!
Expand Down Expand Up @@ -122,9 +95,11 @@ in {
config = {
assertions = [
{
# generic catch if the NixOS module adding to nssModules does not prevent it with specific message.
assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
# Prevent users from disabling nscd, with nssModules being set.
# If disabling nscd is really necessary, it's still possible to opt out
# by forcing config.system.nssModules to [].
assertion = config.system.nssModules.path != "" -> config.services.nscd.enable;
message = "Loading NSS modules from system.nssModules (${config.system.nssModules.path}), requires services.nscd.enable being set to true.";
}
];

Expand All @@ -145,10 +120,13 @@ in {
'';

system.nssDatabases = {
passwd = passwdArray;
group = passwdArray;
shadow = shadowArray;
hosts = hostArray;
passwd = mkBefore [ "files" ];
group = mkBefore [ "files" ];
shadow = mkBefore [ "files" ];
hosts = mkMerge [
(mkBefore [ "files" ])
(mkAfter [ "dns" ])
];
services = mkBefore [ "files" ];
};
};
Expand Down
1 change: 1 addition & 0 deletions nixos/modules/security/google_oslogin.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ in
# enable the nss module, so user lookups etc. work
system.nssModules = [ package ];
system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ];
system.nssDatabases.group = [ "cache_oslogin" "oslogin" ];

# Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
# So indirect by a symlink.
Expand Down
10 changes: 3 additions & 7 deletions nixos/modules/services/misc/sssd.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,11 +42,6 @@ in {
};
config = mkMerge [
(mkIf cfg.enable {
assertions = singleton {
flokli marked this conversation as resolved.
Show resolved Hide resolved
assertion = nscd.enable;
message = "nscd must be enabled through `services.nscd.enable` for SSSD to work.";
};

systemd.services.sssd = {
description = "System Security Services Daemon";
wantedBy = [ "multi-user.target" ];
Expand Down Expand Up @@ -74,11 +69,12 @@ in {
mode = "0400";
};

system.nssModules = optional cfg.enable pkgs.sssd;
system.nssModules = pkgs.sssd;
system.nssDatabases = {
group = [ "sss" ];
passwd = [ "sss" ];
shadow = [ "sss" ];
services = [ "sss" ];
shadow = [ "sss" ];
};
services.dbus.packages = [ pkgs.sssd ];
})
Expand Down
1 change: 1 addition & 0 deletions nixos/modules/services/network-filesystems/samba.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,7 @@ in
(mkIf cfg.enable {

system.nssModules = optional cfg.nsswins samba;
system.nssDatabases.hosts = optional cfg.nsswins "wins";

systemd = {
targets.samba = {
Expand Down
4 changes: 4 additions & 0 deletions nixos/modules/services/networking/avahi-daemon.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,10 @@ in
users.groups.avahi = {};

system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
[ "mdns_minimal [NOTFOUND=return]" ]
(mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns
]);

environment.systemPackages = [ pkgs.avahi ];

Expand Down
16 changes: 6 additions & 10 deletions nixos/modules/system/boot/systemd.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -829,16 +829,8 @@ in

system.build.units = cfg.units;

# Systemd provides various NSS modules to look up dynamic users, locally
# configured IP adresses and local container hostnames.
# On NixOS, these can only be passed to the NSS system via nscd (and its
# LD_LIBRARY_PATH), which is why it's usually a very good idea to have nscd
# enabled (also see the config.nscd.enable description).
# While there is already an assertion in place complaining loudly about
# having nssModules configured and nscd disabled, for some reason we still
# check for nscd being enabled before adding to nssModules.
system.nssModules = optional config.services.nscd.enable systemd.out;
system.nssDatabases = mkIf config.services.nscd.enable {
system.nssModules = [ systemd.out ];
system.nssDatabases = {
hosts = (mkMerge [
[ "mymachines" ]
(mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last
Expand All @@ -848,6 +840,10 @@ in
[ "mymachines" ]
(mkAfter [ "systemd" ])
]);
group = (mkMerge [
[ "mymachines" ]
(mkAfter [ "systemd" ])
]);
};

environment.systemPackages = [ systemd ];
Expand Down