nixpkgs/nixos/modules/services/system/nscd.nix


{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkOption optionals optionalString literalExpression types;

  cfg = config.services.nscd;

  # Search path holding the NSS modules of every enabled `system.nssModules`
  # entry. It is handed to the daemon through LD_LIBRARY_PATH below so the
  # lookups it performs can load those modules.
  nssModulesPath = config.system.nssModules.path;

  # nsncd proxies lookups without caching; glibc's nscd caches and forks.
  useNsncd = cfg.enableNsncd;

  # ExecStart for glibc's nscd. The "!" prefix keeps systemd from applying
  # User=/Group= before exec, because in some configurations nscd must start
  # as root and drop privileges itself once every NSS module has read its
  # configuration. The "@" prefix makes the following word ("nscd") argv[0].
  # Both prefixes are documented under ExecStart in systemd.service(5).
  nscdExecStart = "!@${cfg.package}/bin/nscd nscd";
  nsncdExecStart = "${pkgs.nsncd}/bin/nsncd";

  # Files whose change must restart glibc's nscd so its caches do not keep
  # serving stale data. nsncd does not cache and therefore gets no triggers.
  nscdRestartTriggers =
    [
      config.environment.etc.hosts.source
      config.environment.etc."nsswitch.conf".source
      config.environment.etc."nscd.conf".source
    ]
    ++ optionals config.users.mysql.enable [
      config.environment.etc."libnss-mysql.cfg".source
      config.environment.etc."libnss-mysql-root.cfg".source
    ];
in
{
  ###### interface

  options.services.nscd = {
    enable = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to enable the Name Service Cache Daemon.
        Disabling this is strongly discouraged, as this effectively disables NSS Lookups
        from all non-glibc NSS modules, including the ones provided by systemd.
      '';
    };

    enableNsncd = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to use nsncd instead of nscd from glibc.
        This is a nscd-compatible daemon, that proxies lookups, without any caching.
        Using nscd from glibc is discouraged.
      '';
    };

    user = mkOption {
      type = types.str;
      default = "nscd";
      description = ''
        User account under which nscd runs.
      '';
    };

    group = mkOption {
      type = types.str;
      default = "nscd";
      description = ''
        User group under which nscd runs.
      '';
    };

    config = mkOption {
      type = types.lines;
      # Shipped next to this module; only consulted by glibc's nscd.
      default = builtins.readFile ./nscd.conf;
      description = ''
        Configuration to use for Name Service Cache Daemon.
        Only used in case glibc-nscd is used.
      '';
    };

    package = mkOption {
      type = types.package;
      # Use the libc the toolchain was built against when that is glibc,
      # otherwise fall back to a separate glibc build for the nscd binary.
      default =
        if pkgs.stdenv.hostPlatform.libc == "glibc"
        then pkgs.stdenv.cc.libc.bin
        else pkgs.glibc.bin;
      defaultText = literalExpression ''
        if pkgs.stdenv.hostPlatform.libc == "glibc"
        then pkgs.stdenv.cc.libc.bin
        else pkgs.glibc.bin;
      '';
      description = ''
        package containing the nscd binary to be used by the service.
        Ignored when enableNsncd is set to true.
      '';
    };
  };

  ###### implementation

  config = mkIf cfg.enable {
    environment.etc."nscd.conf".text = cfg.config;

    # A static system user: some NSS modules still want to read their
    # configuration files after the privilege drop, so administrators can
    # set the owner of those files to this user.
    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
    };
    users.groups.${cfg.group} = { };

    systemd.services.nscd = {
      description = "Name Service Cache Daemon"
        + optionalString useNsncd " (nsncd)";

      # Other units resolve names through these targets, so the daemon has
      # to be up before either target is reached.
      before = [ "nss-lookup.target" "nss-user-lookup.target" ];
      wants = [ "nss-lookup.target" "nss-user-lookup.target" ];
      wantedBy = [ "multi-user.target" ];
      requiredBy = [ "nss-lookup.target" "nss-user-lookup.target" ];

      environment = { LD_LIBRARY_PATH = nssModulesPath; };

      restartTriggers = optionals (!useNsncd) nscdRestartTriggers;

      serviceConfig = {
        ExecStart = if useNsncd then nsncdExecStart else nscdExecStart;
        # glibc's nscd daemonizes (forking); nsncd is expected to report
        # readiness itself (notify).
        Type = if useNsncd then "notify" else "forking";
        User = cfg.user;
        Group = cfg.group;

        # Sandboxing. glibc's nscd starts as root and only drops privileges
        # itself (see nscdExecStart), so these directives bound what that
        # window can do: no privilege gain through setuid/setgid binaries,
        # a read-only view of the system with only the runtime directory
        # and the private /tmp writable, and read-only home directories.
        RemoveIPC = true;
        PrivateTmp = true;
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;
        ProtectSystem = "strict";
        ProtectHome = "read-only";

        # systemd creates /run/nscd (the path hard-coded in nscd) before
        # start and removes it again when the unit stops.
        RuntimeDirectory = "nscd";
        # Used by the forking glibc nscd; presumably ignored for nsncd's
        # notify type — confirm against systemd.service(5) if it matters.
        PIDFile = "/run/nscd/nscd.pid";
        Restart = "always";

        # Reload flushes glibc nscd's caches; nsncd has nothing to flush.
        ExecReload = optionals (!useNsncd) [
          "${cfg.package}/bin/nscd --invalidate passwd"
          "${cfg.package}/bin/nscd --invalidate group"
          "${cfg.package}/bin/nscd --invalidate hosts"
        ];
      };
    };
  };
}