Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/nsswitch: Make databases more configurable #85998

Merged
merged 2 commits into from Apr 28, 2020
Merged

nixos/nsswitch: Make databases more configurable #85998

merged 2 commits into from Apr 28, 2020

Conversation

dasJ
Copy link
Member

@dasJ dasJ commented Apr 25, 2020

Motivation for this change

Instead of hardcoding all nss modules that are added into nsswitch,
there are now options exposed.
This allows users to add own nss modules (I had this issue with
winbindd, for example).
Also, nss modules could be moved to their NixOS modules which would
make the nsswitch module slimmer.

As the lists are now handled by the modules system, we can use mkOrder
to ensure a proper order as well as mkForce to override one specific
database type instead of the entire file.

cc @infinisil to make sure I use mk* correctly
cc @LnL7 because you were the last to touch the file and I drop your option

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@dasJ dasJ force-pushed the make-nsswitch-more-flexible branch from 5b162a3 to c0bffb2 Compare April 25, 2020 12:34
@flokli flokli mentioned this pull request Apr 25, 2020
Closed
flokli
flokli reviewed Apr 25, 2020
View reviewed changes
nixos/modules/config/nsswitch.nix
@@ -10,35 +10,44 @@ let
canLoadExternalModules = config.services.nscd.enable;
myhostname = canLoadExternalModules;
mymachines = canLoadExternalModules;
# XXX Move these to their respective modules
Copy link
Contributor

@flokli flokli Apr 25, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could these also be moved into the individual modules?

We have a similar mess inside the pam module, and it'd be nice to clean all this up.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that's what I wanted to say

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a commit on top that does this, for some of the NSS modules?

I'd assume the systemd and oslogin nss modules should be a somewhat trivial example, and then we could create a follow-up ticket tracking the migration of the others.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just added the commit. I used sss instead, because it allows me to drop the servicesArray ;)

@dasJ
Copy link
Member Author

dasJ commented Apr 25, 2020

Ah example from my Samba DC config:

{
    system.nssDatabases = rec {
      passwd = [ "winbind" ];
      group = passwd;
    };
}

Results in

passwd:    files winbind mymachines systemd
group:     files winbind mymachines systemd
…

infinisil
infinisil requested changes Apr 25, 2020
View reviewed changes
nixos/modules/config/nsswitch.nix Outdated
++ optional sssd "sss";
hostArray = mkMerge [
(mkBefore [ "files" ])
(optional mymachines "mymachines")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prefer mkIf over optional in NixOS modules

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, should be fixed

@dasJ
nixos/nsswitch: Make databases more configurable
bc2a4b3 
Instead of hardcoding all nss modules that are added into nsswitch,
there are now options exposed.
This allows users to add own nss modules (I had this issue with
winbindd, for example).
Also, nss modules could be moved to their NixOS modules which would
make the nsswitch module slimmer.

As the lists are now handled by the modules system, we can use mkOrder
to ensure a proper order as well as mkForce to override one specific
database type instead of the entire file.
@dasJ dasJ force-pushed the make-nsswitch-more-flexible branch from c0bffb2 to bc2a4b3 Compare April 26, 2020 01:17
@flokli
Copy link
Contributor

flokli commented Apr 28, 2020

Thanks!

@flokli flokli merged commit c01ac3e into NixOS:master Apr 28, 2020
@ajs124 ajs124 deleted the make-nsswitch-more-flexible branch April 28, 2020 23:58
@dasJ dasJ mentioned this pull request Apr 29, 2020
Closed
5 tasks
@flokli flokli mentioned this pull request Jun 16, 2020
Open
@kwohlfahrt kwohlfahrt mentioned this pull request Nov 26, 2020
Draft
14 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flokli flokli flokli left review comments

@infinisil infinisil infinisil requested changes

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@dasJ @flokli @infinisil