nixpkgs/nixos/modules/config/nsswitch.nix

# Configuration for the Name Service Switch (/etc/nsswitch.conf).

{ config, lib, pkgs, ... }:

with lib;

let

  # only with nscd up and running we can load NSS modules that are not integrated in NSS
  canLoadExternalModules = config.services.nscd.enable;
  myhostname = canLoadExternalModules;
  mymachines = canLoadExternalModules;
  nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
  nsswins = canLoadExternalModules && config.services.samba.nsswins;
  ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
  sssd = canLoadExternalModules && config.services.sssd.enable;
  resolved = canLoadExternalModules && config.services.resolved.enable;
  googleOsLogin = canLoadExternalModules && config.security.googleOsLogin.enable;

  hostArray = [ "files" ]
    ++ optional mymachines "mymachines"
    ++ optional nssmdns "mdns_minimal [NOTFOUND=return]"
    ++ optional nsswins "wins"
    ++ optional resolved "resolve [!UNAVAIL=return]"
    ++ [ "dns" ]
    ++ optional nssmdns "mdns"
    ++ optional myhostname "myhostname";

  passwdArray = [ "files" ]
    ++ optional sssd "sss"
    ++ optional ldap "ldap"
    ++ optional mymachines "mymachines"
    ++ optional googleOsLogin "cache_oslogin oslogin"
    ++ [ "systemd" ];

  shadowArray = [ "files" ]
    ++ optional sssd "sss"
    ++ optional ldap "ldap";

  servicesArray = [ "files" ]
    ++ optional sssd "sss";

in {
  options = {

    # NSS modules.  Hacky!
    # Only works with nscd!
    system.nssModules = mkOption {
      type = types.listOf types.path;
      internal = true;
      default = [];
      description = ''
        Search path for NSS (Name Service Switch) modules.  This allows
        several DNS resolution methods to be specified via
        <filename>/etc/nsswitch.conf</filename>.
      '';
      apply = list:
        {
          inherit list;
          path = makeLibraryPath list;
        };
    };

    system.nssHosts = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [ "mdns" ];
      description = ''
        List of host entries to configure in <filename>/etc/nsswitch.conf</filename>.
      '';
    };

  };

  config = {
    assertions = [
      {
        # generic catch if the NixOS module adding to nssModules does not prevent it with specific message.
        assertion = config.system.nssModules.path != "" -> canLoadExternalModules;
        message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";
      }
      {
        # resolved does not need to add to nssModules, therefore needs an extra assertion
        assertion = resolved -> canLoadExternalModules;
        message = "Loading systemd-resolved's nss-resolve NSS module requires nscd being enabled.";
      }
    ];

    # Name Service Switch configuration file.  Required by the C
    # library.  !!! Factor out the mdns stuff.  The avahi module
    # should define an option used by this module.
    environment.etc."nsswitch.conf".text = ''
      passwd:    ${concatStringsSep " " passwdArray}
      group:     ${concatStringsSep " " passwdArray}
      shadow:    ${concatStringsSep " " shadowArray}

      hosts:     ${concatStringsSep " " config.system.nssHosts}
      networks:  files

      ethers:    files
      services:  ${concatStringsSep " " servicesArray}
      protocols: files
      rpc:       files
    '';

    system.nssHosts = hostArray;

    # Systemd provides nss-myhostname to ensure that our hostname
    # always resolves to a valid IP address.  It returns all locally
    # configured IP addresses, or ::1 and 127.0.0.2 as
    # fallbacks. Systemd also provides nss-mymachines to return IP
    # addresses of local containers.
    system.nssModules = (optionals canLoadExternalModules [ config.systemd.package.out ])
      ++ optional googleOsLogin pkgs.google-compute-engine-oslogin.out;
  };
}
* Refactoring: moved some options out of system/options.nix (almost empty now), do more of bashrc.sh declaratively, and moved nsswitch generation to modules/config/nsswitch.nix. svn path=/nixos/branches/modular-nixos/; revision=15754 2009-05-27 23:14:38 +00:00			`# Configuration for the Name Service Switch (/etc/nsswitch.conf).`

config.nsswitch: load cache_oslogin and oslogin nss modules if config.security.googleOsLogin.enable is set 2018-12-12 13:57:31 +01:00			`{ config, lib, pkgs, ... }:`
Generate nsswitch.conf properly 2012-10-06 20:58:46 -04:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`with lib;`
* Refactoring: moved some options out of system/options.nix (almost empty now), do more of bashrc.sh declaratively, and moved nsswitch generation to modules/config/nsswitch.nix. svn path=/nixos/branches/modular-nixos/; revision=15754 2009-05-27 23:14:38 +00:00
			`let`

nsswitch: add assertions for enabled nscd 2017-06-30 02:20:09 +02:00			`# only with nscd up and running we can load NSS modules that are not integrated in NSS`
			`canLoadExternalModules = config.services.nscd.enable;`
nsswitch: only add modules to nsswitch.conf if they can be loaded 2017-06-30 02:20:50 +02:00			`myhostname = canLoadExternalModules;`
			`mymachines = canLoadExternalModules;`
			`nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;`
			`nsswins = canLoadExternalModules && config.services.samba.nsswins;`
			`ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);`
			`sssd = canLoadExternalModules && config.services.sssd.enable;`
			`resolved = canLoadExternalModules && config.services.resolved.enable;`
config.nsswitch: load cache_oslogin and oslogin nss modules if config.security.googleOsLogin.enable is set 2018-12-12 13:57:31 +01:00			`googleOsLogin = canLoadExternalModules && config.security.googleOsLogin.enable;`
nsswitch: only add modules to nsswitch.conf if they can be loaded 2017-06-30 02:20:50 +02:00
			`hostArray = [ "files" ]`
nixos: replace `optionals` -> `optional` in nsswitch 2017-11-30 20:43:48 +00:00			`++ optional mymachines "mymachines"`
			`++ optional nssmdns "mdns_minimal [NOTFOUND=return]"`
			`++ optional nsswins "wins"`
			`++ optional resolved "resolve [!UNAVAIL=return]"`
/etc/hosts and /etc/nsswitch.conf cleanups fixes #18183 2016-09-01 17:00:20 +08:00			`++ [ "dns" ]`
nixos: replace `optionals` -> `optional` in nsswitch 2017-11-30 20:43:48 +00:00			`++ optional nssmdns "mdns"`
			`++ optional myhostname "myhostname";`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00
/etc/hosts and /etc/nsswitch.conf cleanups fixes #18183 2016-09-01 17:00:20 +08:00			`passwdArray = [ "files" ]`
sssd: init at 1.14.2 perlPackages.TextWrapI18N: init at 0.06 perlPackages.Po4a: init at 0.47 jade: init at 1.2.1 ding-libs: init at 0.6.0 Switch nscd to no-caching mode if SSSD is enabled. abbradar: disable jade parallel building. Closes #21150 2016-04-14 11:18:09 -07:00			`++ optional sssd "sss"`
nixos: replace `optionals` -> `optional` in nsswitch 2017-11-30 20:43:48 +00:00			`++ optional ldap "ldap"`
			`++ optional mymachines "mymachines"`
config.nsswitch: load cache_oslogin and oslogin nss modules if config.security.googleOsLogin.enable is set 2018-12-12 13:57:31 +01:00			`++ optional googleOsLogin "cache_oslogin oslogin"`
nsswitch: add systemd module In order for DynamicUser = true to work in services, we need the nss-systemd module to be able to resolve the user and group names generated dynamically. 2017-08-02 16:16:42 +08:00			`++ [ "systemd" ];`
/etc/hosts and /etc/nsswitch.conf cleanups fixes #18183 2016-09-01 17:00:20 +08:00
			`shadowArray = [ "files" ]`
sssd: init at 1.14.2 perlPackages.TextWrapI18N: init at 0.06 perlPackages.Po4a: init at 0.47 jade: init at 1.2.1 ding-libs: init at 0.6.0 Switch nscd to no-caching mode if SSSD is enabled. abbradar: disable jade parallel building. Closes #21150 2016-04-14 11:18:09 -07:00			`++ optional sssd "sss"`
nixos: replace `optionals` -> `optional` in nsswitch 2017-11-30 20:43:48 +00:00			`++ optional ldap "ldap";`
/etc/hosts and /etc/nsswitch.conf cleanups fixes #18183 2016-09-01 17:00:20 +08:00
sssd: init at 1.14.2 perlPackages.TextWrapI18N: init at 0.06 perlPackages.Po4a: init at 0.47 jade: init at 1.2.1 ding-libs: init at 0.6.0 Switch nscd to no-caching mode if SSSD is enabled. abbradar: disable jade parallel building. Closes #21150 2016-04-14 11:18:09 -07:00			`servicesArray = [ "files" ]`
			`++ optional sssd "sss";`

/etc/hosts and /etc/nsswitch.conf cleanups fixes #18183 2016-09-01 17:00:20 +08:00			`in {`
* Refactoring: moved some options out of system/options.nix (almost empty now), do more of bashrc.sh declaratively, and moved nsswitch generation to modules/config/nsswitch.nix. svn path=/nixos/branches/modular-nixos/; revision=15754 2009-05-27 23:14:38 +00:00			`options = {`

			`# NSS modules. Hacky!`
nsswitch: add assertions for enabled nscd 2017-06-30 02:20:09 +02:00			`# Only works with nscd!`
Generate nsswitch.conf properly 2012-10-06 20:58:46 -04:00			`system.nssModules = mkOption {`
Remove uses of the "merge" option attribute It's redundant because you can (and should) specify an option type, or an apply function. 2013-10-28 16:14:15 +01:00			`type = types.listOf types.path;`
* Refactoring: moved some options out of system/options.nix (almost empty now), do more of bashrc.sh declaratively, and moved nsswitch generation to modules/config/nsswitch.nix. svn path=/nixos/branches/modular-nixos/; revision=15754 2009-05-27 23:14:38 +00:00			`internal = true;`
			`default = [];`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`description = ''`
* Refactoring: moved some options out of system/options.nix (almost empty now), do more of bashrc.sh declaratively, and moved nsswitch generation to modules/config/nsswitch.nix. svn path=/nixos/branches/modular-nixos/; revision=15754 2009-05-27 23:14:38 +00:00			`Search path for NSS (Name Service Switch) modules. This allows`
			`several DNS resolution methods to be specified via`
			`<filename>/etc/nsswitch.conf</filename>.`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`'';`
* Refactoring: moved some options out of system/options.nix (almost empty now), do more of bashrc.sh declaratively, and moved nsswitch generation to modules/config/nsswitch.nix. svn path=/nixos/branches/modular-nixos/; revision=15754 2009-05-27 23:14:38 +00:00			`apply = list:`
Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-09-16 19:14:19 +02:00			`{`
			`inherit list;`
			`path = makeLibraryPath list;`
* Refactoring: moved some options out of system/options.nix (almost empty now), do more of bashrc.sh declaratively, and moved nsswitch generation to modules/config/nsswitch.nix. svn path=/nixos/branches/modular-nixos/; revision=15754 2009-05-27 23:14:38 +00:00			`};`
			`};`

nixos/nsswitch: add option to configure nssHosts Enables adding or overriding the default nsswitch hosts in a generic way for packages without a nixos module. 2019-02-15 19:22:14 +01:00			`system.nssHosts = mkOption {`
			`type = types.listOf types.str;`
			`default = [];`
			`example = [ "mdns" ];`
			`description = ''`
			`List of host entries to configure in <filename>/etc/nsswitch.conf</filename>.`
			`'';`
			`};`

* Refactoring: moved some options out of system/options.nix (almost empty now), do more of bashrc.sh declaratively, and moved nsswitch generation to modules/config/nsswitch.nix. svn path=/nixos/branches/modular-nixos/; revision=15754 2009-05-27 23:14:38 +00:00			`};`

Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`config = {`
nsswitch: add assertions for enabled nscd 2017-06-30 02:20:09 +02:00			`assertions = [`
			`{`
			`# generic catch if the NixOS module adding to nssModules does not prevent it with specific message.`
			`assertion = config.system.nssModules.path != "" -> canLoadExternalModules;`
			`message = "Loading NSS modules from path ${config.system.nssModules.path} requires nscd being enabled.";`
			`}`
			`{`
			`# resolved does not need to add to nssModules, therefore needs an extra assertion`
			`assertion = resolved -> canLoadExternalModules;`
			`message = "Loading systemd-resolved's nss-resolve NSS module requires nscd being enabled.";`
			`}`
			`];`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00
Enable systemd's mymachines NSS module It makes every local container registered with machined resolvable. 2014-08-24 17:08:55 +02:00			`# Name Service Switch configuration file. Required by the C`
			`# library. !!! Factor out the mdns stuff. The avahi module`
			`# should define an option used by this module.`
/etc/hosts and /etc/nsswitch.conf cleanups fixes #18183 2016-09-01 17:00:20 +08:00			`environment.etc."nsswitch.conf".text = ''`
			`passwd: ${concatStringsSep " " passwdArray}`
			`group: ${concatStringsSep " " passwdArray}`
			`shadow: ${concatStringsSep " " shadowArray}`

nixos/nsswitch: add option to configure nssHosts Enables adding or overriding the default nsswitch hosts in a generic way for packages without a nixos module. 2019-02-15 19:22:14 +01:00			`hosts: ${concatStringsSep " " config.system.nssHosts}`
/etc/hosts and /etc/nsswitch.conf cleanups fixes #18183 2016-09-01 17:00:20 +08:00			`networks: files`

			`ethers: files`
sssd: init at 1.14.2 perlPackages.TextWrapI18N: init at 0.06 perlPackages.Po4a: init at 0.47 jade: init at 1.2.1 ding-libs: init at 0.6.0 Switch nscd to no-caching mode if SSSD is enabled. abbradar: disable jade parallel building. Closes #21150 2016-04-14 11:18:09 -07:00			`services: ${concatStringsSep " " servicesArray}`
/etc/hosts and /etc/nsswitch.conf cleanups fixes #18183 2016-09-01 17:00:20 +08:00			`protocols: files`
			`rpc: files`
			`'';`
Enable systemd's mymachines NSS module It makes every local container registered with machined resolvable. 2014-08-24 17:08:55 +02:00
nixos/nsswitch: add option to configure nssHosts Enables adding or overriding the default nsswitch hosts in a generic way for packages without a nixos module. 2019-02-15 19:22:14 +01:00			`system.nssHosts = hostArray;`

Enable systemd's mymachines NSS module It makes every local container registered with machined resolvable. 2014-08-24 17:08:55 +02:00			`# Systemd provides nss-myhostname to ensure that our hostname`
			`# always resolves to a valid IP address. It returns all locally`
			`# configured IP addresses, or ::1 and 127.0.0.2 as`
			`# fallbacks. Systemd also provides nss-mymachines to return IP`
			`# addresses of local containers.`
config.nsswitch: load cache_oslogin and oslogin nss modules if config.security.googleOsLogin.enable is set 2018-12-12 13:57:31 +01:00			`system.nssModules = (optionals canLoadExternalModules [ config.systemd.package.out ])`
			`++ optional googleOsLogin pkgs.google-compute-engine-oslogin.out;`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`};`
* Refactoring: moved some options out of system/options.nix (almost empty now), do more of bashrc.sh declaratively, and moved nsswitch generation to modules/config/nsswitch.nix. svn path=/nixos/branches/modular-nixos/; revision=15754 2009-05-27 23:14:38 +00:00			`}`