From b35b3f472c76b2140b26bfabfa2ce05c20dce8f1 Mon Sep 17 00:00:00 2001
From: lurchi
Date: Tue, 21 Apr 2020 17:43:50 +0200
Subject: [PATCH] add non-functional nsswitch module

---
nixos/modules/config/nsswitch.nix | 105 ++++++++++++++++++++++++++++++
1 file changed, 105 insertions(+)
create mode 100644 nixos/modules/config/nsswitch.nix

diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix
new file mode 100644
index 0000000..5357d42
--- /dev/null
+++ b/nixos/modules/config/nsswitch.nix
@@ -0,0 +1,105 @@
+# Configuration for the Name Service Switch (/etc/nsswitch.conf).
+
+{ config, lib, ... }:
+
+with lib;
+
+let
+
+ # only with nscd up and running we can load NSS modules that are not integrated in NSS
+ canLoadExternalModules = config.services.nscd.enable;
+ myhostname = canLoadExternalModules;
+ mymachines = canLoadExternalModules;
+ nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
+ nsswins = canLoadExternalModules && config.services.samba.nsswins;
+ ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
+ sssd = canLoadExternalModules && config.services.sssd.enable;
+ resolved = canLoadExternalModules && config.services.resolved.enable;
+ gnunet = canLoadExternalModules && (config.services.gnunet.enable && config.services.gnunet.nsswitch);
+
+ hostArray = [ "files" ]
+ ++ optional mymachines "mymachines"
+ ++ optional nssmdns "mdns_minimal [NOTFOUND=return]"
+ ++ optional nsswins "wins"
+ ++ optional resolved "resolve [!UNAVAIL=return]"
+ ++ optional gnunet "gns [NOTFOUND=return]"
+ ++ [ "dns" ]
+ ++ optional nssmdns "mdns"
+ ++ optional myhostname "myhostname";
+
+ passwdArray = [ "files" ]
+ ++ optional sssd "sss"
+ ++ optional ldap "ldap"
+ ++ optional mymachines "mymachines"
+ ++ [ "systemd" ];
+
+ shadowArray = [ "files" ]
+ ++ optional sssd "sss"
+ ++ optional ldap "ldap";
+
+ servicesArray = [ "files" ]
+ ++ optional sssd "sss";
+
+in {
+ options = {
+
+ # NSS modules. Hacky!
+ # Only works with nscd!
+ system.nssModules = mkOption {
+ type = types.listOf types.path;
+ internal = true;
+ default = [];
+ description = ''
+ Search path for NSS (Name Service Switch) modules. This allows
+ several DNS resolution methods to be specified via
+ /etc/nsswitch.conf.
+ '';
+ apply = list:
+ {
+ inherit list;
+ path = makeLibraryPath list;
+ };
+ };
+
+ };
+
+ config = {
+ assertions = [
+ {
+ # generic catch if the NixOS module adding to nssModules does not prevent it with specific message.
+ assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
+ message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
+ }
+ {
+ # resolved does not need to add to nssModules, therefore needs an extra assertion
+ assertion = resolved -> canLoadExternalModules;
+ message = "Loading systemd-resolved's nss-resolve NSS module requires nscd being enabled.";
+ }
+ ];
+
+ # Name Service Switch configuration file. Required by the C
+ # library. !!! Factor out the mdns stuff. The avahi module
+ # should define an option used by this module.
+ environment.etc."nsswitch.conf".text = ''
+ passwd: ${concatStringsSep " " passwdArray}
+ group: ${concatStringsSep " " passwdArray}
+ shadow: ${concatStringsSep " " shadowArray}
+
+ hosts: ${concatStringsSep " " hostArray}
+ networks: files
+
+ ethers: files
+ services: ${concatStringsSep " " servicesArray}
+ protocols: files
+ rpc: files
+ '';
+
+ # Systemd provides nss-myhostname to ensure that our hostname
+ # always resolves to a valid IP address. It returns all locally
+ # configured IP addresses, or ::1 and 127.0.0.2 as
+ # fallbacks. Systemd also provides nss-mymachines to return IP
+ # addresses of local containers.
+ system.nssModules = optionals canLoadExternalModules [ config.systemd.package.out ];
+
+ };
+}
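Review bot: The second assertion can never fail: `resolved` is bound in the `let` as `canLoadExternalModules && config.services.resolved.enable`, so `resolved -> canLoadExternalModules` is a tautology and the nss-resolve error message is unreachable; the check the comment describes is presumably `assertion = config.services.resolved.enable -> canLoadExternalModules;`. The same `canLoadExternalModules &&` guard on nssmdns, nsswins, ldap, sssd and gnunet means those entries are silently dropped from nsswitch.conf when nscd is off, so an enabled sssd or LDAP login source vanishes from `passwd`/`shadow` with no diagnostic unless the providing module carries its own assertion — either assert that here or state that reliance in the comment above the first assertion, e.g. `# modules adding to nssModules are expected to assert nscd themselves; entries guarded above are dropped silently otherwise`. `"systemd"` is appended to passwdArray unconditionally while `config.systemd.package.out` is only added to nssModules under `optionals canLoadExternalModules`; if glibc cannot load that module it will presumably just skip it, but the mismatch with the guards on the neighbouring entries should be deliberate and commented.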