From d79584c90253107d8d29869de0951545a567554a Mon Sep 17 00:00:00 2001
From: Jamey Sharp <jamey@minilop.net>
Date: Fri, 12 Jul 2019 12:07:45 -0700
Subject: [PATCH] nixos/nscd: document why it is configured this way

---
 nixos/modules/services/system/nscd.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix
index c2d0cd5d0eb..e11f7e049d8 100644
--- a/nixos/modules/services/system/nscd.nix
+++ b/nixos/modules/services/system/nscd.nix
@@ -52,6 +52,12 @@ in
           config.environment.etc."nscd.conf".source
         ];
 
+        # We use DynamicUser because in default configurations nscd doesn't
+        # create any files that need to survive restarts. However, in some
+        # configurations, nscd needs to be started as root; it will drop
+        # privileges after all the NSS modules have read their configuration
+        # files. So prefix the ExecStart command with "!" to prevent systemd
+        # from dropping privileges early. See ExecStart in systemd.service(5).
         serviceConfig =
           { ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd";
             Type = "forking";