| blob | 1bf3583336e2e97af16836e6239ffc16dcb88113 |
1 { config, lib, pkgs, ... }:
3 with lib;
5 let
7 nssModulesPath = config.system.nssModules.path;
8 cfg = config.services.nscd;
10 in
12 {
14 ###### interface
16 options = {
18 services.nscd = {
20 enable = mkOption {
21 type = types.bool;
22 default = true;
23 description = ''
24 Whether to enable the Name Service Cache Daemon.
25 Disabling this is strongly discouraged, as this effectively disables NSS Lookups
26 from all non-glibc NSS modules, including the ones provided by systemd.
27 '';
28 };
30 enableNsncd = mkOption {
31 type = types.bool;
32 default = true;
33 description = ''
34 Whether to use nsncd instead of nscd from glibc.
35 This is a nscd-compatible daemon, that proxies lookups, without any caching.
36 Using nscd from glibc is discouraged.
37 '';
38 };
40 user = mkOption {
41 type = types.str;
42 default = "nscd";
43 description = ''
44 User account under which nscd runs.
45 '';
46 };
48 group = mkOption {
49 type = types.str;
50 default = "nscd";
51 description = ''
52 User group under which nscd runs.
53 '';
54 };
56 config = mkOption {
57 type = types.lines;
58 default = builtins.readFile ./nscd.conf;
59 description = ''
60 Configuration to use for Name Service Cache Daemon.
61 Only used in case glibc-nscd is used.
62 '';
63 };
65 package = mkOption {
66 type = types.package;
67 default =
68 if pkgs.stdenv.hostPlatform.libc == "glibc"
69 then pkgs.stdenv.cc.libc.bin
70 else pkgs.glibc.bin;
71 defaultText = lib.literalExpression ''
72 if pkgs.stdenv.hostPlatform.libc == "glibc"
73 then pkgs.stdenv.cc.libc.bin
74 else pkgs.glibc.bin;
75 '';
76 description = ''
77 package containing the nscd binary to be used by the service.
78 Ignored when enableNsncd is set to true.
79 '';
80 };
82 };
84 };
87 ###### implementation
89 config = mkIf cfg.enable {
90 environment.etc."nscd.conf".text = cfg.config;
92 users.users.${cfg.user} = {
93 isSystemUser = true;
94 group = cfg.group;
95 };
97 users.groups.${cfg.group} = { };
99 systemd.services.nscd =
100 {
101 description = "Name Service Cache Daemon"
102 + lib.optionalString cfg.enableNsncd " (nsncd)";
104 before = [ "nss-lookup.target" "nss-user-lookup.target" ];
105 wants = [ "nss-lookup.target" "nss-user-lookup.target" ];
106 wantedBy = [ "multi-user.target" ];
107 requiredBy = [ "nss-lookup.target" "nss-user-lookup.target" ];
109 environment = { LD_LIBRARY_PATH = nssModulesPath; };
111 restartTriggers = lib.optionals (!cfg.enableNsncd) ([
112 config.environment.etc.hosts.source
113 config.environment.etc."nsswitch.conf".source
114 config.environment.etc."nscd.conf".source
115 ] ++ optionals config.users.mysql.enable [
116 config.environment.etc."libnss-mysql.cfg".source
117 config.environment.etc."libnss-mysql-root.cfg".source
118 ]);
120 # In some configurations, nscd needs to be started as root; it will
121 # drop privileges after all the NSS modules have read their
122 # configuration files. So prefix the ExecStart command with "!" to
123 # prevent systemd from dropping privileges early. See ExecStart in
124 # systemd.service(5). We use a static user, because some NSS modules
125 # sill want to read their configuration files after the privilege drop
126 # and so users can set the owner of those files to the nscd user.
127 serviceConfig =
128 {
129 ExecStart =
130 if cfg.enableNsncd then "${pkgs.nsncd}/bin/nsncd"
131 else "!@${cfg.package}/bin/nscd nscd";
132 Type = if cfg.enableNsncd then "notify" else "forking";
133 User = cfg.user;
134 Group = cfg.group;
135 RemoveIPC = true;
136 PrivateTmp = true;
137 NoNewPrivileges = true;
138 RestrictSUIDSGID = true;
139 ProtectSystem = "strict";
140 ProtectHome = "read-only";
141 RuntimeDirectory = "nscd";
142 PIDFile = "/run/nscd/nscd.pid";
143 Restart = "always";
144 ExecReload =
145 lib.optionals (!cfg.enableNsncd) [
146 "${cfg.package}/bin/nscd --invalidate passwd"
147 "${cfg.package}/bin/nscd --invalidate group"
148 "${cfg.package}/bin/nscd --invalidate hosts"
149 ];
150 };
151 };
152 };
153 }