1# Configuration for the Name Service Switch (/etc/nsswitch.conf).
2
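{ config, lib, ... }:

with lib;

let

  # NSS modules that are not built into glibc can only be resolved through
  # nscd: nscd is the process that is started with system.nssModules on its
  # library path, while ordinary processes linked against the C library
  # never see that path.  Every external module below is therefore gated on
  # nscd being enabled, so a disabled nscd silently removes all of them.
  canLoadExternalModules = config.services.nscd.enable;
  myhostname = canLoadExternalModules;
  mymachines = canLoadExternalModules;
  nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
  nsswins = canLoadExternalModules && config.services.samba.nsswins;
  ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
  sssd = canLoadExternalModules && config.services.sssd.enable;
  resolved = canLoadExternalModules && config.services.resolved.enable;

  # Sources are consulted left to right, so the order below is part of the
  # security posture:
  #  - "mdns_minimal [NOTFOUND=return]" stops the lookup for a .local name
  #    that mDNS does not know, so such names are never leaked to unicast DNS.
  #  - "resolve [!UNAVAIL=return]" makes systemd-resolved authoritative while
  #    it is running; everything after it is only a fallback for the case
  #    where resolved is not reachable.
  # NOTE(review): "myhostname" is placed after "dns", so a network answer for
  # the machine's own hostname wins over the local one.  Newer systemd
  # documentation recommends putting it before "dns"; confirm against the
  # systemd version shipped here before reordering.
  hostArray = [ "files" ]
    ++ optional mymachines "mymachines"
    ++ optional nssmdns "mdns_minimal [NOTFOUND=return]"
    ++ optional nsswins "wins"
    ++ optional resolved "resolve [!UNAVAIL=return]"
    ++ [ "dns" ]
    ++ optional nssmdns "mdns"
    ++ optional myhostname "myhostname";

  # Shared by "passwd" and "group".  "systemd" (nss-systemd) is always last
  # and unconditional so dynamically allocated service users are resolvable.
  passwdArray = [ "files" ]
    ++ optional sssd "sss"
    ++ optional ldap "ldap"
    ++ optional mymachines "mymachines"
    ++ [ "systemd" ];

  # "shadow" deliberately omits mymachines and systemd: neither provides
  # password hashes.
  shadowArray = [ "files" ]
    ++ optional sssd "sss"
    ++ optional ldap "ldap";

  servicesArray = [ "files" ]
    ++ optional sssd "sss";

in {
  options = {

    # NSS modules. Hacky!
    # Only works with nscd!
    # Modules contributing here are expected to guard on services.nscd.enable
    # themselves; the first assertion below is only the generic safety net.
    system.nssModules = mkOption {
      type = types.listOf types.path;
      internal = true;
      default = [];
      description = ''
        Search path for NSS (Name Service Switch) modules. This allows
        several DNS resolution methods to be specified via
        <filename>/etc/nsswitch.conf</filename>.
      '';
      # Expose both the raw list and the joined library search path that
      # nscd is started with.
      apply = list:
        {
          inherit list;
          path = makeLibraryPath list;
        };
    };

  };

  config = {
    assertions = [
      {
        # generic catch if the NixOS module adding to nssModules does not prevent it with specific message.
        assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
        message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
      }
      {
        # resolved does not add anything to nssModules (nss-resolve ships in
        # the systemd package that is listed there anyway), so the generic
        # assertion above never covers it and it needs its own check.
        # The check has to look at the raw option: the local `resolved`
        # binding is already gated on nscd, so `resolved -> canLoadExternalModules`
        # would be trivially true, and enabling resolved without nscd would
        # silently drop nss-resolve and let "hosts" fall through to plain
        # "dns" -- bypassing whatever resolved was configured to enforce.
        assertion = config.services.resolved.enable -> canLoadExternalModules;
        message = "Loading systemd-resolved's nss-resolve NSS module requires nscd being enabled.";
      }
    ];

    # Name Service Switch configuration file. Required by the C
    # library. !!! Factor out the mdns stuff. The avahi module
    # should define an option used by this module.
    environment.etc."nsswitch.conf".text = ''
      passwd:    ${concatStringsSep " " passwdArray}
      group:     ${concatStringsSep " " passwdArray}
      shadow:    ${concatStringsSep " " shadowArray}

      hosts:     ${concatStringsSep " " hostArray}
      networks:  files

      ethers:    files
      services:  ${concatStringsSep " " servicesArray}
      protocols: files
      rpc:       files
    '';

    # Systemd provides nss-myhostname to ensure that our hostname
    # always resolves to a valid IP address. It returns all locally
    # configured IP addresses, or ::1 and 127.0.0.2 as
    # fallbacks. Systemd also provides nss-mymachines to return IP
    # addresses of local containers.  The systemd package is only put on
    # the module path when nscd can actually load it.
    system.nssModules = optionals canLoadExternalModules [ config.systemd.package.out ];

  };
}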