nixos/systemd: fix NSS database ordering
- The order of NSS (host) modules has been brought in line with upstream recommendations:
  - The `myhostname` module is placed before the `resolve` (optional) and `dns` entries, but after `file` (to allow overriding via `/etc/hosts` / `networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from hijacking `.localhost` domains)
  - The `mymachines` module, which provides hostname resolution for local containers (registered with `systemd-machined`) is placed to the front, to make sure its mappings are preferred over other resolvers.
  - If systemd-networkd is enabled, the `resolve` module is placed before `files` and `myhostname`, as it provides the same logic internally, with caching.
  - The `mdns(_minimal)` module has been updated to the new priorities.

If you use your own NSS host modules, make sure to update your priorities according to these rules:
  - NSS modules which should be queried before `resolved` DNS resolution should use mkBefore.
  - NSS modules which should be queried after `resolved`, `files` and `myhostname`, but before `dns` should use the default priority
  - NSS modules which should come after `dns` should use mkAfter.
parent
b59c06dc92
commit
c1536f5c78
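As an added example (not code from this commit or from nixpkgs), the following NixOS configuration places a hypothetical third-party NSS host module in each of the three slots the commit message describes. The package `pkgs.nss-example` and the module names `example_fast`, `example` and `example_fallback` are placeholders; the order values quoted in the comments are `lib.mkBefore` (500), the default (1000), `lib.mkAfter` (1500) and the `mkOrder` values this commit assigns to `mymachines`, `resolve`, `files`, `myhostname` and `dns`. The resulting `hosts:` line assumes `services.resolved.enable = true` and avahi's `nssmdns` off.

```nix
# Added example, not part of this commit. All "example" names are placeholders.
{ config, lib, pkgs, ... }:

{
  # Hypothetical package providing libnss_example_fast.so, libnss_example.so
  # and libnss_example_fallback.so.
  system.nssModules = [ pkgs.nss-example ];

  system.nssDatabases.hosts = lib.mkMerge [
    # Rule 1: queried before resolved's DNS resolution.
    # mkBefore is order 500, which lands just ahead of resolve (501) but
    # still behind mymachines (400).
    (lib.mkBefore [ "example_fast [NOTFOUND=return]" ])

    # Rule 2: queried after resolve (501), files (998) and myhostname (999)
    # but before dns (1499): the default order, 1000, needs no wrapper.
    [ "example" ]

    # Rule 3: last resort after dns (1499): mkAfter is order 1500.
    (lib.mkAfter [ "example_fallback" ])
  ];

  # Effective line under the assumptions above, sorted by order value:
  #   hosts: mymachines example_fast [NOTFOUND=return] resolve [!UNAVAIL=return]
  #          files myhostname example dns example_fallback
}
```

Two things to keep in mind when applying these rules: `mkBefore`, the default and `mkAfter` are ties with every other module that uses the same wrapper (avahi's `mdns_minimal` also uses `mkBefore` after this commit), and the relative order inside a tie is not something to rely on; give an explicit `lib.mkOrder` value (between 400 and 501 for the "before resolve" slot) when two such modules must be ordered against each other. And because anything ahead of `files` with `[NOTFOUND=return]` short-circuits the lookup, an `/etc/hosts` entry can only override names that module does not claim.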
@ -562,6 +562,77 @@
|
||||
be removed in 22.05.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The order of NSS (host) modules has been brought in line with
|
||||
upstream recommendations:
|
||||
</para>
|
||||
<itemizedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>myhostname</literal> module is placed before
|
||||
the <literal>resolve</literal> (optional) and
|
||||
<literal>dns</literal> entries, but after
|
||||
<literal>file</literal> (to allow overriding via
|
||||
<literal>/etc/hosts</literal> /
|
||||
<literal>networking.extraHosts</literal>, and prevent ISPs
|
||||
with catchall-DNS resolvers from hijacking
|
||||
<literal>.localhost</literal> domains)
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>mymachines</literal> module, which provides
|
||||
hostname resolution for local containers (registered with
|
||||
<literal>systemd-machined</literal>) is placed to the
|
||||
front, to make sure its mappings are preferred over other
|
||||
resolvers.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
If systemd-networkd is enabled, the
|
||||
<literal>resolve</literal> module is placed before
|
||||
<literal>files</literal> and
|
||||
<literal>myhostname</literal>, as it provides the same
|
||||
logic internally, with caching.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>mdns(_minimal)</literal> module has been
|
||||
updated to the new priorities.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>
|
||||
If you use your own NSS host modules, make sure to update your
|
||||
priorities according to these rules:
|
||||
</para>
|
||||
<itemizedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>
|
||||
NSS modules which should be queried before
|
||||
<literal>resolved</literal> DNS resolution should use
|
||||
mkBefore.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
NSS modules which should be queried after
|
||||
<literal>resolved</literal>, <literal>files</literal> and
|
||||
<literal>myhostname</literal>, but before
|
||||
<literal>dns</literal> should use the default priority
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
NSS modules which should come after <literal>dns</literal>
|
||||
should use mkAfter.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
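Review bot: the first list item says `myhostname` is placed after `file`, but the database entry is `files` (the item about `resolve` a few lines further down already uses `files`). The identical sentence appears in the markdown release notes in this commit, so fix it there as well; if this XML is generated from the markdown, fix the source and regenerate rather than editing the XML by hand.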
@ -139,3 +139,27 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
- The wordpress module provides a new interface which allows to use different webservers with the new option [`services.wordpress.webserver`](options.html#opt-services.wordpress.webserver). Currently `httpd` and `nginx` are supported. The definitions of wordpress sites should now be set in [`services.wordpress.sites`](options.html#opt-services.wordpress.sites).
|
||||
|
||||
Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
|
||||
|
||||
- The order of NSS (host) modules has been brought in line with upstream
|
||||
recommendations:
|
||||
|
||||
- The `myhostname` module is placed before the `resolve` (optional) and `dns`
|
||||
entries, but after `file` (to allow overriding via `/etc/hosts` /
|
||||
`networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from
|
||||
hijacking `.localhost` domains)
|
||||
- The `mymachines` module, which provides hostname resolution for local
|
||||
containers (registered with `systemd-machined`) is placed to the front, to
|
||||
make sure its mappings are preferred over other resolvers.
|
||||
- If systemd-networkd is enabled, the `resolve` module is placed before
|
||||
`files` and `myhostname`, as it provides the same logic internally, with
|
||||
caching.
|
||||
- The `mdns(_minimal)` module has been updated to the new priorities.
|
||||
|
||||
If you use your own NSS host modules, make sure to update your priorities
|
||||
according to these rules:
|
||||
|
||||
- NSS modules which should be queried before `resolved` DNS resolution should
|
||||
use mkBefore.
|
||||
- NSS modules which should be queried after `resolved`, `files` and
|
||||
`myhostname`, but before `dns` should use the default priority
|
||||
- NSS modules which should come after `dns` should use mkAfter.
|
||||
|
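Review bot: the third bullet conditions the `resolve` placement on "systemd-networkd", but the change that adds `resolve [!UNAVAIL=return]` at order 501 sits in the resolved module (its context comment reads `# add resolve to nss hosts database if enabled and nscd enabled`), so this should say systemd-resolved. In the first bullet `after \`file\`` should be `after \`files\``, matching the database name used in the third bullet and in the nsswitch hunk. It would also help readers if the three rules quoted the order values they map to (mkBefore = 500, default = 1000, mkAfter = 1500 against resolve 501, files 998, myhostname 999, dns 1499), since that is what users must compare their own `mkOrder` values against.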
@ -124,8 +124,8 @@ with lib;
|
||||
group = mkBefore [ "files" ];
|
||||
shadow = mkBefore [ "files" ];
|
||||
hosts = mkMerge [
|
||||
(mkBefore [ "files" ])
|
||||
(mkAfter [ "dns" ])
|
||||
(mkOrder 998 [ "files" ])
|
||||
(mkOrder 1499 [ "dns" ])
|
||||
];
|
||||
services = mkBefore [ "files" ];
|
||||
};
|
||||
|
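Review bot: `998` and `1499` are bare magic numbers here, while the matching `501`, `400` and `999` in the resolved and systemd modules each carry a comment; since this is where `files` and `dns` are defined, put the whole table in one comment next to them, e.g. `(mkOrder 998 [ "files" ]) # after mkBefore (500) and resolve (501), before myhostname (999)` and `(mkOrder 1499 [ "dns" ]) # after default-order modules (1000), before mkAfter (1500)`, so the cross-file invariant is visible where it is anchored. A one-line note that `hosts` is now deliberately the only database here not using `mkBefore`/`mkAfter` would also stop someone "fixing" it back.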
@ -240,8 +240,8 @@ in
|
||||
|
||||
system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
|
||||
system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
|
||||
(mkOrder 900 [ "mdns_minimal [NOTFOUND=return]" ]) # must be before resolve
|
||||
(mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns
|
||||
(mkBefore [ "mdns_minimal [NOTFOUND=return]" ]) # before resolve
|
||||
(mkAfter [ "mdns" ]) # after dns
|
||||
]);
|
||||
|
||||
environment.systemPackages = [ pkgs.avahi ];
|
||||
|
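Review bot: moving `mdns_minimal [NOTFOUND=return]` to `mkBefore` (order 500) puts it one slot ahead of `resolve` (501), as the `# before resolve` comment intends, but it also keeps it ahead of `files` (998), so a `.local` name that mDNS does not answer returns NOTFOUND before `/etc/hosts` is ever consulted; that is the placement the commit message calls the upstream recommendation, but the comment should say so explicitly since the release notes advertise `/etc/hosts` overrides. Note also that `mkBefore` is the same order value every other `mkBefore`'d hosts module gets, so the relative position among them is left to definition order; if `mdns_minimal` must precede any such module, an explicit `mkOrder` between 400 (mymachines) and 501 (resolve) is the robust choice.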
@ -140,7 +140,8 @@ in
|
||||
|
||||
# add resolve to nss hosts database if enabled and nscd enabled
|
||||
# system.nssModules is configured in nixos/modules/system/boot/systemd.nix
|
||||
system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]";
|
||||
# added with order 501 to allow modules to go before with mkBefore
|
||||
system.nssDatabases.hosts = (mkOrder 501 ["resolve [!UNAVAIL=return]"]);
|
||||
|
||||
systemd.additionalUpstreamSystemUnits = [
|
||||
"systemd-resolved.service"
|
||||
|
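Review bot: the `optional config.services.nscd.enable` guard is dropped, but the comment two lines up still reads `if enabled and nscd enabled`; either keep the guard (`optionals config.services.nscd.enable` around the `mkOrder 501 [...]`) or update the comment and state what happens without nscd (the `[!UNAVAIL=return]` action falls through to the next module). The parentheses around `mkOrder 501 [...]` on the right-hand side are also redundant.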
@ -925,9 +925,8 @@ in
|
||||
system.nssModules = [ systemd.out ];
|
||||
system.nssDatabases = {
|
||||
hosts = (mkMerge [
|
||||
[ "mymachines" ]
|
||||
(mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last
|
||||
)
|
||||
(mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd)
|
||||
(mkOrder 999 ["myhostname"]) # after files (which is 998), but before regular nss modules
|
||||
]);
|
||||
passwd = (mkMerge [
|
||||
(mkAfter [ "systemd" ])
|
||||
|
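Review bot: `400` and `999` encode the neighbouring values from other files (resolve's 501 and files' 998), and the `# after files (which is 998)` comment is the only place that dependency is spelled out; point the comment at where 998 and 1499 are defined (or lift the order table into one shared comment) so the next person changing either side finds the other. Separately, `mymachines` at 400 now sits ahead of `files`, so an `/etc/hosts` entry cannot override a machined-registered container name; the release notes only describe the `/etc/hosts` override for `myhostname`, so that asymmetry deserves a sentence there.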