From 7426bec45ef03c55bfc5bb27cdc60d6163aeed04 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Tue, 5 May 2020 13:41:12 +0200
Subject: [PATCH 1/2] nixos/systemd/resolved: add resolve to nss hosts database if enabled

We keep the "only add the nss module if nscd is enabled" logic for now. The assertion never was triggered, so it can be removed.

---
 nixos/modules/config/nsswitch.nix | 7 -------
 nixos/modules/system/boot/resolved.nix | 4 ++++
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix
index 77e47a350ecb..b191e6feb0aa 100644
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -14,14 +14,12 @@ let
 nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
 nsswins = canLoadExternalModules && config.services.samba.nsswins;
 ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
- resolved = canLoadExternalModules && config.services.resolved.enable;
 
 hostArray = mkMerge [
 (mkBefore [ "files" ])
 (mkIf mymachines [ "mymachines" ])
 (mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ])
 (mkIf nsswins [ "wins" ])
- (mkIf resolved [ "resolve [!UNAVAIL=return]" ])
 (mkAfter [ "dns" ])
 (mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns
 (mkIf myhostname (mkOrder 1600 [ "myhostname" ])) # 1600 to ensure it's always the last
@@ -134,11 +132,6 @@ in {
 assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
 message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
 }
- {
- # resolved does not need to add to nssModules, therefore needs an extra assertion
- assertion = resolved -> canLoadExternalModules;
- message = "Loading systemd-resolved's nss-resolve NSS module requires nscd being enabled.";
- }
 ];
 
 # Name Service Switch configuration file. Required by the C 
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index da61c64faf8b..b7aaef575ac1 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -138,6 +138,10 @@ in
 
 users.users.resolved.group = "systemd-resolve";
 
+ # add resolve to nss hosts database if enabled and nscd enabled
+ # system.nssModules is configured in nixos/modules/system/boot/systemd.nix
+ system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]";
+
 systemd.additionalUpstreamSystemUnits = [
 "systemd-resolved.service"
 ];

From c0995d22eed1a19ac9442c8460c18dd6a4c389b7 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Tue, 5 May 2020 15:03:14 +0200
Subject: [PATCH 2/2] nixos/systemd: move NSS module logic to systemd module

We keep the conditional on only adding if nscd is enabled for now.

---
 nixos/modules/config/nsswitch.nix | 13 -------------
 nixos/modules/system/boot/systemd.nix | 21 +++++++++++++++++++++
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix
index b191e6feb0aa..22ddb3490c8e 100644
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -8,8 +8,6 @@ let
 
 # only with nscd up and running we can load NSS modules that are not integrated in NSS
 canLoadExternalModules = config.services.nscd.enable;
- myhostname = canLoadExternalModules;
- mymachines = canLoadExternalModules;
 # XXX Move these to their respective modules
 nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
 nsswins = canLoadExternalModules && config.services.samba.nsswins;
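Review bot: The position of `resolve [!UNAVAIL=return]` among the other default-priority hosts entries is no longer pinned: the list removed from nsswitch.nix placed it explicitly after `mymachines`, `mdns_minimal [NOTFOUND=return]` and `wins`, whereas `optional config.services.nscd.enable "resolve [!UNAVAIL=return]"` carries no `mkOrder`, so its place relative to those entries now appears to follow the order in which the module system collects definitions rather than anything stated in this file. Because the hosts sources are consulted in line order, this decides whether nss-resolve or mdns_minimal answers a `.local` name first, and `[!UNAVAIL=return]` only falls through when resolved itself is unavailable. Either pin the entry with `mkOrder`, or record the assumption next to the new line, e.g. `# NOTE: ordering relative to mdns_minimal/wins is not pinned here — confirm before relying on it`. The attrset this line belongs to begins outside the hunk.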
@@ -17,19 +15,15 @@ let
 
 hostArray = mkMerge [
 (mkBefore [ "files" ])
- (mkIf mymachines [ "mymachines" ])
 (mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ])
 (mkIf nsswins [ "wins" ])
 (mkAfter [ "dns" ])
 (mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns
- (mkIf myhostname (mkOrder 1600 [ "myhostname" ])) # 1600 to ensure it's always the last
 ];
 
 passwdArray = mkMerge [
 (mkBefore [ "files" ])
 (mkIf ldap [ "ldap" ])
- (mkIf mymachines [ "mymachines" ])
- (mkIf canLoadExternalModules (mkAfter [ "systemd" ]))
 ];
 
 shadowArray = mkMerge [
@@ -157,12 +151,5 @@ in {
 hosts = hostArray;
 services = mkBefore [ "files" ];
 };
-
- # Systemd provides nss-myhostname to ensure that our hostname
- # always resolves to a valid IP address. It returns all locally
- # configured IP addresses, or ::1 and 127.0.0.2 as
- # fallbacks. Systemd also provides nss-mymachines to return IP
- # addresses of local containers.
- system.nssModules = (optionals canLoadExternalModules [ config.systemd.package.out ]);
 };
 }
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 2167df60bc9a..df20a433d524 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -827,6 +827,27 @@ in
 
 system.build.units = cfg.units;
 
+ # Systemd provides various NSS modules to look up dynamic users, locally
+ # configured IP adresses and local container hostnames.
+ # On NixOS, these can only be passed to the NSS system via nscd (and its
+ # LD_LIBRARY_PATH), which is why it's usually a very good idea to have nscd
+ # enabled (also see the config.nscd.enable description).
+ # While there is already an assertion in place complaining loudly about
+ # having nssModules configured and nscd disabled, for some reason we still
+ # check for nscd being enabled before adding to nssModules.
+ system.nssModules = optional config.services.nscd.enable systemd.out;
+ system.nssDatabases = mkIf config.services.nscd.enable {
+ hosts = (mkMerge [
+ [ "mymachines" ]
+ (mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last
+ )
+ ]);
+ passwd = (mkMerge [
+ [ "mymachines" ]
+ (mkAfter [ "systemd" ])
+ ]);
+ };
+
 environment.systemPackages = [ systemd ];
 
 environment.etc = let
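Review bot: Only `passwd` receives the `mymachines`/`systemd` entries; if nsswitch.nix also fed the `group` database from the `passwdArray` removed earlier in this series (that assignment is not visible in the hunks shown, so confirm), the group database loses nss-mymachines and nss-systemd after this move and group names of DynamicUser services would presumably stop resolving. Mirroring the passwd definition with `group = (mkMerge [ [ "mymachines" ] (mkAfter [ "systemd" ]) ]);` inside the same `mkIf` keeps the previous coverage. The new comment also refers to `config.nscd.enable`, while the option actually tested a few lines below is `config.services.nscd.enable`, and `adresses` should read `addresses`. The config attrset enclosing these lines starts before the hunk.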