Replace nscd caching with systemd-resolved

[arianvp]

Feature description

We now use nscd caching only for host lookups since #50316 was merged. However, we would want to get rid of any mentions of nscd caching as manual
cach invalidation is error prone. We can use systemd-resolved, which is already loaded by default as an nss_module to do Host lookup caching for us instead, automatically invalidating based on /etc/resolv.conf and the TTLs given by the DNS records.

Once this is done, we can get rid of a lot of places in NixOS where we manually invalidate nscd caches, as nscd is then not used for caching anymore, but purely for delegating nss requests to the appropriate nss_module

[flokli]

I basically agree - just want to add that there of course other nss modules providing hosts, passwd etc too, so a dive into the priorities there shouldn't hurt :-)

[arianvp]

That is already supported. You can add nss modules as you please by modifying the nssModules nixos option. For examples sssd is loaded when sssd is enabled.

[flokli]

Sure, what I meant was the /order/ of the nss modules being queried.

[andir]

Would using systemd-resolved for all the host caching also imply that we use it for all DNS queries that leave the host? If so, I do not think it is a viable option. It should still be possible for someone to use a local (recursive) resolver that isn't systemd-resolved

[flokli]

These days, nscd doesn't cache most things anymore, it just acts as a proxy to expose nss modules system-wide.
The only thing that's still cached by it is hosts (and only in the positive case).
We do much less manual invalidation (only in update-users-groups.pl and in nixos/modules/config/resolvconf.nix).

The PRs mentioned in #86350 made the configuration and order of NSS modules much cleaner.

In case people enable systemd-resolved, we set resolve [!UNAVAIL=return] - otherwise, it's just hosts: files mymachines dns myhostname.

IMHO, by now, we could just disable the positive hosts caching too:

• systems with systemd-resolved will get caching via it
• systems without it, but another local resolver configured (likely via the dns module and a matching /etc/resolv.conf) will use its local cache
• users without resolved and without their own custom local resolver and without any custom config will use whatever dns server the DHCP server told them to use - which is the same behaviour as on non-networkd distros.

@arianvp could you file a PR disabling the remaining caching in nscd? Then, we could also remove the invalidation in nixos/modules/config/resolvconf.nix. I'd keep the one in update-users-groups.pl, as another safety net against users who did enable user/group caching.

[xaverdh]

Can this be closed, now that #89274 was merged?

[arianvp]

I think so yes. @flokli ?

[flokli]

👍