nixos/systemd: move NSS module logic to systemd module

We keep the conditional on only adding if nscd is enabled for now.
NixOS · May 5, 2020 · c0995d2 · c0995d2
1 parent 7426bec
commit c0995d2
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 13 deletions.
diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix
@@ -8,28 +8,22 @@ let
 
   # only with nscd up and running we can load NSS modules that are not integrated in NSS
   canLoadExternalModules = config.services.nscd.enable;
-  myhostname = canLoadExternalModules;
-  mymachines = canLoadExternalModules;
   # XXX Move these to their respective modules
   nssmdns = canLoadExternalModules && config.services.avahi.nssmdns;
   nsswins = canLoadExternalModules && config.services.samba.nsswins;
   ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
 
   hostArray = mkMerge [
     (mkBefore [ "files" ])
-    (mkIf mymachines [ "mymachines" ])
     (mkIf nssmdns [ "mdns_minimal [NOTFOUND=return]" ])
     (mkIf nsswins [ "wins" ])
     (mkAfter [ "dns" ])
     (mkIf nssmdns (mkOrder 1501 [ "mdns" ])) # 1501 to ensure it's after dns
-    (mkIf myhostname (mkOrder 1600 [ "myhostname" ])) # 1600 to ensure it's always the last
   ];
 
   passwdArray = mkMerge [
     (mkBefore [ "files" ])
     (mkIf ldap [ "ldap" ])
-    (mkIf mymachines [ "mymachines" ])
-    (mkIf canLoadExternalModules (mkAfter [ "systemd" ]))
   ];
 
   shadowArray = mkMerge [
@@ -157,12 +151,5 @@ in {
       hosts = hostArray;
       services = mkBefore [ "files" ];
     };
-
-    # Systemd provides nss-myhostname to ensure that our hostname
-    # always resolves to a valid IP address.  It returns all locally
-    # configured IP addresses, or ::1 and 127.0.0.2 as
-    # fallbacks. Systemd also provides nss-mymachines to return IP
-    # addresses of local containers.
-    system.nssModules = (optionals canLoadExternalModules [ config.systemd.package.out ]);
   };
 }
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
@@ -827,6 +827,27 @@ in
 
     system.build.units = cfg.units;
 
+    # Systemd provides various NSS modules to look up dynamic users, locally
+    # configured IP adresses and local container hostnames.
+    # On NixOS, these can only be passed to the NSS system via nscd (and its
+    # LD_LIBRARY_PATH), which is why it's usually a very good idea to have nscd
+    # enabled (also see the config.nscd.enable description).
+    # While there is already an assertion in place complaining loudly about
+    # having nssModules configured and nscd disabled, for some reason we still
+    # check for nscd being enabled before adding to nssModules.
+    system.nssModules = optional config.services.nscd.enable systemd.out;
+    system.nssDatabases = mkIf config.services.nscd.enable {
+      hosts = (mkMerge [
+        [ "mymachines" ]
+        (mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last
+      )
+      ]);
+      passwd = (mkMerge [
+        [ "mymachines" ]
+        (mkAfter [ "systemd" ])
+      ]);
+    };
+
     environment.systemPackages = [ systemd ];
 
     environment.etc = let