nixpkgs/nixos/modules/services/system/nscd.nix

{ config, lib, pkgs, ... }:

with lib;

let

  nssModulesPath = config.system.nssModules.path;
  cfg = config.services.nscd;

in

{

  ###### interface

  options = {

    services.nscd = {

      enable = mkOption {
        type = types.bool;
        default = true;
        description = "Whether to enable the Name Service Cache Daemon.";
      };

      config = mkOption {
        type = types.lines;
        default = builtins.readFile ./nscd.conf;
        description = "Configuration to use for Name Service Cache Daemon.";
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {
    environment.etc."nscd.conf".text = cfg.config;

    systemd.services.nscd =
      { description = "Name Service Cache Daemon";

        wantedBy = [ "nss-lookup.target" "nss-user-lookup.target" ];

        environment = { LD_LIBRARY_PATH = nssModulesPath; };

        restartTriggers = [
          config.environment.etc.hosts.source
          config.environment.etc."nsswitch.conf".source
          config.environment.etc."nscd.conf".source
        ];

        # We use DynamicUser because in default configurations nscd doesn't
        # create any files that need to survive restarts. However, in some
        # configurations, nscd needs to be started as root; it will drop
        # privileges after all the NSS modules have read their configuration
        # files. So prefix the ExecStart command with "!" to prevent systemd
        # from dropping privileges early. See ExecStart in systemd.service(5).
        serviceConfig =
          { ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd";
            Type = "forking";
            DynamicUser = true;
            RuntimeDirectory = "nscd";
            PIDFile = "/run/nscd/nscd.pid";
            Restart = "always";
            ExecReload =
              [ "${pkgs.glibc.bin}/sbin/nscd --invalidate passwd"
                "${pkgs.glibc.bin}/sbin/nscd --invalidate group"
                "${pkgs.glibc.bin}/sbin/nscd --invalidate hosts"
              ];
          };
      };

  };
}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
* NSCD daemon. svn path=/nixos/trunk/; revision=7645 2007-01-12 00:55:25 +01:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`with lib;`
Adding an option to disable nscd. svn path=/nixos/trunk/; revision=19004 2009-12-16 21:51:25 +01:00
Convert "sncd" svn path=/nixos/branches/fix-style/; revision=14404 2009-03-06 13:27:40 +01:00			`let`
* Get rid of the "users" and "groups" fields in jobs. svn path=/nixos/branches/modular-nixos/; revision=16371 2009-07-15 13:34:55 +02:00
Convert "sncd" svn path=/nixos/branches/fix-style/; revision=14404 2009-03-06 13:27:40 +01:00			`nssModulesPath = config.system.nssModules.path;`
nixos/nscd: add option to change nscd config [Bjørn Forsman <bjorn.forsman@gmail.com>: - use types.lines instead of types.string. The former joins strings with "\n" and the latter with "" (and is deprecated). ] 2014-01-31 14:07:44 +01:00			`cfg = config.services.nscd;`
* Get rid of the "users" and "groups" fields in jobs. svn path=/nixos/branches/modular-nixos/; revision=16371 2009-07-15 13:34:55 +02:00
Convert "sncd" svn path=/nixos/branches/fix-style/; revision=14404 2009-03-06 13:27:40 +01:00			`in`
* NSCD daemon. svn path=/nixos/trunk/; revision=7645 2007-01-12 00:55:25 +01:00
Convert "sncd" svn path=/nixos/branches/fix-style/; revision=14404 2009-03-06 13:27:40 +01:00			`{`
Adding an option to disable nscd. svn path=/nixos/trunk/; revision=19004 2009-12-16 21:51:25 +01:00
			`###### interface`

			`options = {`

			`services.nscd = {`

			`enable = mkOption {`
Add lots of missing option types 2013-10-30 17:37:45 +01:00			`type = types.bool;`
Adding an option to disable nscd. svn path=/nixos/trunk/; revision=19004 2009-12-16 21:51:25 +01:00			`default = true;`
To ease migration to systemd, generate units from the ‘jobs’ option Also get rid of the ‘buildHook’ job option because it wasn't very useful. 2012-06-16 06:19:43 +02:00			`description = "Whether to enable the Name Service Cache Daemon.";`
Adding an option to disable nscd. svn path=/nixos/trunk/; revision=19004 2009-12-16 21:51:25 +01:00			`};`

nixos/nscd: add option to change nscd config [Bjørn Forsman <bjorn.forsman@gmail.com>: - use types.lines instead of types.string. The former joins strings with "\n" and the latter with "" (and is deprecated). ] 2014-01-31 14:07:44 +01:00			`config = mkOption {`
			`type = types.lines;`
			`default = builtins.readFile ./nscd.conf;`
			`description = "Configuration to use for Name Service Cache Daemon.";`
			`};`

Adding an option to disable nscd. svn path=/nixos/trunk/; revision=19004 2009-12-16 21:51:25 +01:00			`};`

			`};`

nscd: Ensure that invalidate-nscd starts after nscd 2012-08-06 18:26:52 +02:00
Adding an option to disable nscd. svn path=/nixos/trunk/; revision=19004 2009-12-16 21:51:25 +01:00			`###### implementation`

nixos/nscd: add option to change nscd config [Bjørn Forsman <bjorn.forsman@gmail.com>: - use types.lines instead of types.string. The former joins strings with "\n" and the latter with "" (and is deprecated). ] 2014-01-31 14:07:44 +01:00			`config = mkIf cfg.enable {`
sssd: init at 1.14.2 perlPackages.TextWrapI18N: init at 0.06 perlPackages.Po4a: init at 0.47 jade: init at 1.2.1 ding-libs: init at 0.6.0 Switch nscd to no-caching mode if SSSD is enabled. abbradar: disable jade parallel building. Closes #21150 2016-04-14 20:18:09 +02:00			`environment.etc."nscd.conf".text = cfg.config;`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 20:20:50 +02:00
Rename ‘boot.systemd’ to ‘systemd’ Suggested by Mathijs Kwik. ‘boot.systemd’ is a misnomer because systemd affects more than just booting. And it saves some typing. 2013-01-16 12:33:18 +01:00			`systemd.services.nscd =`
* Convert the remaining jobs to jobAttrs style. svn path=/nixos/trunk/; revision=17764 2009-10-12 19:27:57 +02:00			`{ description = "Name Service Cache Daemon";`
* Get rid of the "users" and "groups" fields in jobs. svn path=/nixos/branches/modular-nixos/; revision=16371 2009-07-15 13:34:55 +02:00
nscd: use proper systemd.special(7) targets 2012-12-27 10:04:05 +01:00			`wantedBy = [ "nss-lookup.target" "nss-user-lookup.target" ];`
* Get rid of the "users" and "groups" fields in jobs. svn path=/nixos/branches/modular-nixos/; revision=16371 2009-07-15 13:34:55 +02:00
* In the jobs attribute, support a more high-level way of specifying jobs, e.g. (from the nscd job) { name = "nscd"; description = "Name Service Cache Daemon"; startOn = "startup"; stopOn = "shutdown"; environment = { LD_LIBRARY_PATH = nssModulesPath; }; preStart = '' mkdir -m 0755 -p /var/run/nscd mkdir -m 0755 -p /var/db/nscd ''; exec = "${pkgs.glibc}/sbin/nscd -f ${./nscd.conf} -d 2> /dev/null"; }; The Upstart job is generated from this. The main goal is to provide some abstraction from the Upstart syntax. For instance, this should make it easier to upgrade to newer versions of Upstart, to switch to an entirely different process management system (e.g. initng or launchd), or to test a job independantly from Upstart. (However the startOn and stopOn attributes are tied to Upstart's event model.) svn path=/nixos/branches/modular-nixos/; revision=16376 2009-07-15 17:24:11 +02:00			`environment = { LD_LIBRARY_PATH = nssModulesPath; };`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 20:20:50 +02:00
sssd: init at 1.14.2 perlPackages.TextWrapI18N: init at 0.06 perlPackages.Po4a: init at 0.47 jade: init at 1.2.1 ding-libs: init at 0.6.0 Switch nscd to no-caching mode if SSSD is enabled. abbradar: disable jade parallel building. Closes #21150 2016-04-14 20:18:09 +02:00			`restartTriggers = [`
			`config.environment.etc.hosts.source`
			`config.environment.etc."nsswitch.conf".source`
			`config.environment.etc."nscd.conf".source`
			`];`
nscd: Restart if /etc/hosts changes 2013-06-11 16:15:24 +02:00
nixos/nscd: document why it is configured this way 2019-07-12 21:07:45 +02:00			`# We use DynamicUser because in default configurations nscd doesn't`
			`# create any files that need to survive restarts. However, in some`
			`# configurations, nscd needs to be started as root; it will drop`
			`# privileges after all the NSS modules have read their configuration`
			`# files. So prefix the ExecStart command with "!" to prevent systemd`
			`# from dropping privileges early. See ExecStart in systemd.service(5).`
Fix a hang during shutdown Subtle: dhcpcd.service would call resolvconf during shutdown, which in turn would start invalidate-nscd.service, causing the shutdown to be cancelled. Instead, give nscd.service a proper reload action, and do "systemctl reload --no-block nscd.service". The --no-block is necessary to prevent that command from waiting until a timeout occurs (bug in systemd?). 2012-08-14 22:45:50 +02:00			`serviceConfig =`
nixos/nscd: only drop privs after nss module init NixOS usually needs nscd just to have a single place where LD_LIBRARY_PATH can be set to include all NSS modules, but nscd is also useful if some of the NSS modules need to read files which are only accessible by root. For example, nixos/modules/config/ldap.nix needs this when users.ldap.enable = true; users.ldap.daemon.enable = false; and users.ldap.bind.passwordFile exists. In that case, the module creates an /etc/ldap.conf which is only readable by root, but which the NSS module needs to read in order to find out what LDAP server to connect to and with what credentials. If nscd is started as root and configured with the server-user option in nscd.conf, then it gives each NSS module the opportunity to initialize itself before dropping privileges. The initialization happens in the glibc-internal __nss_disable_nscd function, which pre-loads all the configured NSS modules for passwd, group, hosts, and services (but not netgroup for some reason?) and, for each loaded module, calls an init function if one is defined. After that finishes, nscd's main() calls nscd_init() which ends by calling finish_drop_privileges(). There are provisions in systemd for using DynamicUser with a service which needs to drop privileges itself, so this patch does that. 2019-07-07 17:43:41 +02:00			`{ ExecStart = "!@${pkgs.glibc.bin}/sbin/nscd nscd";`
Make unitConfig/serviceConfig attribute sets So instead of: boot.systemd.services."foo".serviceConfig = '' StartLimitInterval=10 CPUShare=500 ''; you can say: boot.systemd.services."foo".serviceConfig.StartLimitInterval = 10; boot.systemd.services."foo".serviceConfig.CPUShare = 500; This way all unit options are available and users can set/override options in configuration.nix. 2012-10-01 22:27:42 +02:00			`Type = "forking";`
nixos/nscd: run with a dynamic user nscd doesn't create any files outside of /run/nscd unless the nscd.conf "persistent" option is used, which we don't do by default. Therefore it doesn't matter what UID/GID we run this service as, so long as it isn't shared with any other running processes. /run/nscd does need to be owned by the same UID that the service is running as, but systemd takes care of that for us thanks to the RuntimeDirectory directive. If someone wants to turn on the "persistent" option, they need to manually configure users.users.nscd and systemd.tmpfiles.rules so that /var/db/nscd is owned by the same user that nscd runs as. In an all-defaults boot.isContainer configuration of NixOS, this removes the only user which did not have a pre-assigned UID. 2019-07-03 22:11:05 +02:00			`DynamicUser = true;`
nixos/nscd: let systemd manage directories Previously this module created both /var/db/nscd and /run/nscd using shell commands in a preStart script. Note that both of these paths are hard-coded in the nscd source. (Well, the latter is actually /var/run/nscd but /var/run is a symlink to /run so it works out the same.) /var/db/nscd is only used if the nscd.conf "persistent" option is turned on for one or more databases, which it is not in our default config file. I'm not even sure persistent mode can work under systemd, since `nscd --shutdown` is not synchronous so systemd will always unceremoniously kill nscd without reliably giving it time to mark the databases as unused. Nonetheless, if someone wants to use that option, they can ensure the directory exists using systemd.tmpfiles.rules. systemd can create /run/nscd for us with the RuntimeDirectory directive, with the added benefit of causing systemd to delete the directory on service stop or restart. The default value of RuntimeDirectoryMode is 755, the same as the mode which this module was using before. I don't think the `rm -f /run/nscd/nscd.pid` was necessary after NixOS switched to systemd and used its PIDFile directive, because systemd deletes the specified file after the service stops, and because the file can't persist across reboots since /run is a tmpfs. Even if the file still exists when nscd starts, it's only a problem if the pid it contains has been reused by another process, which is unlikely. Anyway, this change makes that deletion even less necessary, because now systemd deletes the entire /run/nscd directory when the service stops. 2019-07-03 21:39:48 +02:00			`RuntimeDirectory = "nscd";`
Make unitConfig/serviceConfig attribute sets So instead of: boot.systemd.services."foo".serviceConfig = '' StartLimitInterval=10 CPUShare=500 ''; you can say: boot.systemd.services."foo".serviceConfig.StartLimitInterval = 10; boot.systemd.services."foo".serviceConfig.CPUShare = 500; This way all unit options are available and users can set/override options in configuration.nix. 2012-10-01 22:27:42 +02:00			`PIDFile = "/run/nscd/nscd.pid";`
			`Restart = "always";`
			`ExecReload =`
fix "libc}/lib" and similar references Done mostly without any verification. I didn't bother with libc}/include, as the path is still correct. 2015-04-26 19:54:51 +02:00			`[ "${pkgs.glibc.bin}/sbin/nscd --invalidate passwd"`
			`"${pkgs.glibc.bin}/sbin/nscd --invalidate group"`
			`"${pkgs.glibc.bin}/sbin/nscd --invalidate hosts"`
Make unitConfig/serviceConfig attribute sets So instead of: boot.systemd.services."foo".serviceConfig = '' StartLimitInterval=10 CPUShare=500 ''; you can say: boot.systemd.services."foo".serviceConfig.StartLimitInterval = 10; boot.systemd.services."foo".serviceConfig.CPUShare = 500; This way all unit options are available and users can set/override options in configuration.nix. 2012-10-01 22:27:42 +02:00			`];`
			`};`
* Invalidate the nscd hosts cache when an "ip-up" event occurs. This event is emitted by dhclient and by the network-interfaces job in case of statically configured interfaces. Invalidating the cache is necessary to get rid of negative queries. svn path=/nixos/trunk/; revision=31779 2012-01-21 20:13:43 +01:00			`};`

Convert "sncd" svn path=/nixos/branches/fix-style/; revision=14404 2009-03-06 13:27:40 +01:00			`};`
* NSCD daemon. svn path=/nixos/trunk/; revision=7645 2007-01-12 00:55:25 +01:00			`}`