nixos/systemd: move systemd-provided NSS modules to systemd module

[flokli]

Motivation for this change

#86350

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[flokli]

@florianjacob as the author of e370e97, can you elaborate on why we silently disable these nss modules if nscd is disabled, even though there's an assertion in https://github.com/NixOS/nixpkgs/pull/86940/files#diff-5796c52b71eee35842f408f4126430d6R126-R127 which should complain if nss modules are present, but nscd disabled (so nssModules are not respected)?

Maybe instead of silently ignoring these (and breaking dynamic user support, as well as other NSS modules), can't we ask the user to mkForce system.nssModules = [] in the assertion message if they really doesn't want any external NSS modules?

[flokli]

Also see #43607 and #86010 for context.

[dasJ]

I really like your idea. There is no reason for the current behaviour and system.nssModules = systemd.out seems like the most elegant solution and also prevents users from accidentially breaking their systems by disabling nscd.

[andir]

I hope @florianjacob can shed some light on this. I think we should never have to add vague comments like for some reason we still check for nscd being enabled before adding to nssModules. The source should be a place of truth :) If we can't figure it out and the original authors don't respond we might as well change the implementation until we encounter errors and can properly document them.

[dasJ]

Configuring systemd without the mkIf seems like a much better solution 👍

[dasJ]

I really like your idea. There is no reason for the current behaviour and system.nssModules = systemd.out seems like the most elegant solution and also prevents users from accidentially breaking their systems by disabling nscd.

[flokli]

I adressed your suggestions. I'll reserve the nssModules assertions for a follow-up PR.

[andir]

Overall 👍 just some comments.

[andir]

I hope @florianjacob can shed some light on this. I think we should never have to add vague comments like for some reason we still check for nscd being enabled before adding to nssModules. The source should be a place of truth :) If we can't figure it out and the original authors don't respond we might as well change the implementation until we encounter errors and can properly document them.

[flokli]

@andir as written in #86940 (comment), I'd really prefer to make the user explicitly force system.nssModules to [] if he really wants to disable nscd - as loading custom modules without nscd doesn't work anyways.

However, I wanted to keep the existing behaviour while moving things around, and plan to address this in a future PR.

[arianvp]

This isn't enough. We need to mkOrder in such a way that we're sure dns follows resolve

[flokli]

dns is still added with (mkAfter [ "dns" ]) - try nix-build nixos/tests/networking.nix --arg networkd true -A dhcpOneIf.driver && result/bin/nixos-run-vms and cat /etc/nsswitch.conf on the client:

cat /etc/nsswitch.conf | grep hosts
hosts:    files mymachines resolve [!UNAVAIL=return] dns myhostname

[arianvp]

perfect

[arianvp]

LGTM. Let's hope we can get rid of the conditional check on nscd later.

[florianjacob]

Finally, here comes the truth regarding optional config.services.nscd.enable systemd.out;: ‼️
In 2017, disabling nscd did not break your system that much, the systemd nss modules were not that crucial as they are today - my motivation behind the additional check was indeed to make nscd.enable = false; not result in the assertion error, not knowing whether I can dare to make users who want to disable nscd jump through this additional hoop.
Historical context PR: #26967

From today's perspective, this is indeed another silent source of errors, which I was actually trying to prevent with the assertion. Thank you @flokli for not waiting two years until I shed light on the reasons, and continuing in #87016 😅