nixos/nscd: add enableNsncd option

When set, this switches from using nscd to using nsncd. It's a protocol-compatible, non-caching and much less flaky alternative.
2022-10-07 10:53:14 +02:00 · 2022-10-07 10:53:14 +02:00 · aee40c2d8a
commit aee40c2d8a
parent 308548f253
1 changed files with 22 additions and 8 deletions
--- a/nixos/modules/services/system/nscd.nix
+++ b/nixos/modules/services/system/nscd.nix
@ -27,6 +27,15 @@ in
        '';
      };

+      enableNsncd = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Whether to use nsncd instead of nscd.
+          This is a nscd-compatible daemon, that proxies lookups, without any caching.
+        '';
+      };
+
      user = mkOption {
        type = types.str;
        default = "nscd";
@ -60,7 +69,10 @@ in
            then pkgs.stdenv.cc.libc.bin
            else pkgs.glibc.bin;
        '';
-        description = lib.mdDoc "package containing the nscd binary to be used by the service";
+        description = lib.mdDoc ''
+          package containing the nscd binary to be used by the service.
+          Ignored when enableNsncd is set to true.
+        '';
      };

    };
@ -82,7 +94,8 @@ in

    systemd.services.nscd =
      {
-        description = "Name Service Cache Daemon";
+        description = "Name Service Cache Daemon"
+          + lib.optionalString cfg.enableNsncd " (nsncd)";

        before = [ "nss-lookup.target" "nss-user-lookup.target" ];
        wants = [ "nss-lookup.target" "nss-user-lookup.target" ];
@ -91,14 +104,14 @@ in

        environment = { LD_LIBRARY_PATH = nssModulesPath; };

-        restartTriggers = [
+        restartTriggers = lib.optionals (!cfg.enableNsncd) ([
          config.environment.etc.hosts.source
          config.environment.etc."nsswitch.conf".source
          config.environment.etc."nscd.conf".source
        ] ++ optionals config.users.mysql.enable [
          config.environment.etc."libnss-mysql.cfg".source
          config.environment.etc."libnss-mysql-root.cfg".source
-        ];
+        ]);

        # In some configurations, nscd needs to be started as root; it will
        # drop privileges after all the NSS modules have read their
@ -109,8 +122,10 @@ in
        # and so users can set the owner of those files to the nscd user.
        serviceConfig =
          {
-            ExecStart = "!@${cfg.package}/bin/nscd nscd";
-            Type = "forking";
+            ExecStart =
+              if cfg.enableNsncd then "${pkgs.nsncd}/bin/nsncd"
+              else "!@${cfg.package}/bin/nscd nscd";
+            Type = if cfg.enableNsncd then "notify" else "forking";
            User = cfg.user;
            Group = cfg.group;
            RemoveIPC = true;
@ -123,13 +138,12 @@ in
            PIDFile = "/run/nscd/nscd.pid";
            Restart = "always";
            ExecReload =
-              [
+              lib.optionals (!cfg.enableNsncd) [
                "${cfg.package}/bin/nscd --invalidate passwd"
                "${cfg.package}/bin/nscd --invalidate group"
                "${cfg.package}/bin/nscd --invalidate hosts"
              ];
          };
      };
-
  };
 }