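# Configuration for the Name Service Switch (/etc/nsswitch.conf).
#
# Builds the lookup order for every NSS database from the services that
# are enabled in this configuration, and declares the internal
# `system.nssModules` option through which other modules register the
# shared objects that implement the non-glibc sources.

{ config, lib, pkgs, ... }:

with lib;

let

  # NSS modules that are not part of glibc itself can only be loaded while
  # nscd is up and running, so every external source is gated on nscd here.
  # When nscd is off, the corresponding source is left out of nsswitch.conf
  # altogether instead of being referenced and then failing to load.
  canLoadExternalModules = config.services.nscd.enable;
  myhostname = canLoadExternalModules;
  mymachines = canLoadExternalModules;
  nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
  nsswins = canLoadExternalModules && config.services.samba.nsswins;
  ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
  sssd = canLoadExternalModules && config.services.sssd.enable;
  resolved = canLoadExternalModules && config.services.resolved.enable;

  # Sources for the `hosts` database, in lookup order.  Order matters:
  # "files" is consulted first, the local-network sources (mymachines,
  # mdns_minimal, wins, resolve) come before plain "dns", and "mdns" plus
  # "myhostname" act as fallbacks after it.  The `[!UNAVAIL=return]` action
  # stops the search at that source for every status except UNAVAIL, i.e.
  # only a missing or non-functional module lets the lookup fall through to
  # the next source.
  hostArray = [ "files" ]
    ++ optional mymachines "mymachines"
    ++ optional nssmdns "mdns_minimal [!UNAVAIL=return]"
    ++ optional nsswins "wins"
    ++ optional resolved "resolve [!UNAVAIL=return]"
    ++ [ "dns" ]
    ++ optional nssmdns "mdns"
    ++ optional myhostname "myhostname";

  # Sources for `passwd` and `group`: local files first, then the directory
  # services, then mymachines, with the systemd source always last.
  passwdArray = [ "files" ]
    ++ optional sssd "sss"
    ++ optional ldap "ldap"
    ++ optional mymachines "mymachines"
    ++ [ "systemd" ];

  # Sources for `shadow`: like passwd, but without mymachines and systemd.
  shadowArray = [ "files" ]
    ++ optional sssd "sss"
    ++ optional ldap "ldap";

  # Sources for `services`: files, plus sssd when it is enabled.
  servicesArray = [ "files" ]
    ++ optional sssd "sss";

in {
  options = {

    # NSS modules. Hacky!
    # Only works with nscd!
    system.nssModules = mkOption {
      type = types.listOf types.path;
      internal = true;
      default = [];
      description = ''
        Search path for NSS (Name Service Switch) modules. This allows
        several DNS resolution methods to be specified via
        <filename>/etc/nsswitch.conf</filename>.
      '';
      # Expose both the raw list and a ready-made library search path.
      # `path` is what the assertion below inspects (and presumably what
      # the nscd module hands to nscd -- confirm in that module).
      apply = list:
        {
          inherit list;
          path = makeLibraryPath list;
        };
    };

  };

  config = {
    assertions = [
      {
        # Generic catch if the NixOS module adding to nssModules does not
        # prevent it with a specific message.
        assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
        message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
      }
      {
        # resolved does not add anything to nssModules, so the generic check
        # above never covers it and it needs its own assertion.  Test the
        # option the user actually set: the derived `resolved` flag already
        # includes canLoadExternalModules, so `resolved -> canLoadExternalModules`
        # is true by construction and could never fail.  Without this check,
        # enabling resolved while nscd is off silently drops "resolve" from
        # the hosts line and lookups fall straight through to plain "dns".
        assertion = config.services.resolved.enable -> canLoadExternalModules;
        message = "Loading systemd-resolved's nss-resolve NSS module requires nscd being enabled.";
      }
    ];

    # Name Service Switch configuration file. Required by the C
    # library. !!! Factor out the mdns stuff. The avahi module
    # should define an option used by this module.
    environment.etc."nsswitch.conf".text = ''
      passwd: ${concatStringsSep " " passwdArray}
      group: ${concatStringsSep " " passwdArray}
      shadow: ${concatStringsSep " " shadowArray}

      hosts: ${concatStringsSep " " hostArray}
      networks: files

      ethers: files
      services: ${concatStringsSep " " servicesArray}
      protocols: files
      rpc: files
    '';

    # Systemd provides nss-myhostname to ensure that our hostname
    # always resolves to a valid IP address. It returns all locally
    # configured IP addresses, or ::1 and 127.0.0.2 as
    # fallbacks. Systemd also provides nss-mymachines to return IP
    # addresses of local containers.  Both live in the systemd package,
    # which is therefore the only module path this file registers itself.
    system.nssModules = optionals canLoadExternalModules [ config.systemd.package.out ];

  };
}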