nixos/sssd: migrate to rfc42-style settings (#448955)

nixos/modules/security/ipa.nix

@@ -7,7 +7,6 @@
 with lib;
 let
   cfg = config.security.ipa;
-  pyBool = x: if x then "True" else "False";
 
   ldapConf = pkgs.writeText "ldap.conf" ''
     # Turning this off breaks GSSAPI used with krb5 when rdns = false
@@ -236,50 +235,53 @@ in
 
     services.sssd = {
       enable = true;
-      config = ''
+      settings = {
-        [domain/${cfg.domain}]
+        "domain/${cfg.domain}" = {
-        id_provider = ipa
+          id_provider = "ipa";
-        auth_provider = ipa
+          auth_provider = "ipa";
-        access_provider = ipa
+          access_provider = "ipa";
-        chpass_provider = ipa
+          chpass_provider = "ipa";
 
-        ipa_domain = ${cfg.domain}
+          ipa_domain = cfg.domain;
-        ipa_server = _srv_, ${cfg.server}
+          ipa_server = "_srv_, ${cfg.server}";
-        ipa_hostname = ${cfg.ipaHostname}
+          ipa_hostname = cfg.ipaHostname;
 
-        cache_credentials = ${pyBool cfg.cacheCredentials}
+          cache_credentials = cfg.cacheCredentials;
-        krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords}
+          krb5_store_password_if_offline = cfg.offlinePasswords;
-        ${optionalString ((toLower cfg.domain) != (toLower cfg.realm)) "krb5_realm = ${cfg.realm}"}
+          krb5_realm = lib.mkIf ((toLower cfg.domain) != (toLower cfg.realm)) cfg.realm;
 
-        dyndns_update = ${pyBool cfg.dyndns.enable}
+          dyndns_update = cfg.dyndns.enable;
-        dyndns_iface = ${cfg.dyndns.interface}
+          dyndns_iface = cfg.dyndns.interface;
 
-        ldap_tls_cacert = /etc/ipa/ca.crt
+          ldap_tls_cacert = "/etc/ipa/ca.crt";
-        ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber, lock:nsaccountlock
+          ldap_user_extra_attrs = "mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber, lock:nsaccountlock";
+        };
 
-        [sssd]
+        sssd = {
-        services = nss, sudo, pam, ssh, ifp
+          services = "nss, sudo, pam, ssh, ifp";
-        domains = ${cfg.domain}
+          domains = cfg.domain;
+        };
 
-        [nss]
+        nss.homedir_substring = "/home";
-        homedir_substring = /home
 
-        [pam]
+        pam = {
-        pam_pwd_expiration_warning = 3
+          pam_pwd_expiration_warning = 3;
-        pam_verbosity = 3
+          pam_verbosity = 3;
+        };
 
-        [sudo]
+        sudo = { };
 
-        [autofs]
+        autofs = { };
 
-        [ssh]
+        ssh = { };
 
-        [pac]
+        pac = { };
 
-        [ifp]
+        ifp = {
-        user_attributes = +mail, +telephoneNumber, +givenname, +sn, +lock
+          user_attributes = "+mail, +telephoneNumber, +givenname, +sn, +lock";
-        allowed_uids = ${concatStringsSep ", " cfg.ifpAllowedUids}
+          allowed_uids = concatStringsSep ", " cfg.ifpAllowedUids;
-      '';
+        };
+      };
     };
 
     networking.timeServers = singleton cfg.server;

nixos/modules/services/misc/sssd.nix

@@ -6,20 +6,59 @@
 }:
 let
   cfg = config.services.sssd;
+  settingsFormat = pkgs.formats.ini { };
 
   dataDir = "/var/lib/sssd";
   settingsFile = "${dataDir}/sssd.conf";
-  settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubstituted.conf" cfg.config;
+  mkSettingsFileUnsubstituted =
+    settings:
+    let
+      pyBool = x: if x then "True" else "False";
+      finalSettings = lib.mapAttrs (
+        _: lib.mapAttrs (_: v: if lib.isBool v then pyBool v else v)
+      ) settings;
+    in
+    settingsFormat.generate "sssd-unsubstituted.conf" finalSettings;
+  settingsFileUnsubstituted =
+    if cfg.settings == { } then
+      pkgs.writeText "sssd-unsubstituted.conf" cfg.config
+    else
+      mkSettingsFileUnsubstituted cfg.settings;
 in
 {
   options = {
     services.sssd = {
       enable = lib.mkEnableOption "the System Security Services Daemon";
 
+      settings = lib.mkOption {
+        inherit (settingsFormat) type;
+        description = "Contents of {file}`sssd.conf`.";
+        default = { };
+        example = {
+          sssd = {
+            services = "nss, pam";
+            domains = "shadowutils";
+          };
+
+          nss = { };
+
+          pam = { };
+
+          "domain/shadowutils" = {
+            id_provider = "proxy";
+            proxy_lib_name = "files";
+            auth_provider = "proxy";
+            proxy_pam_target = "sssd-shadowutils";
+            proxy_fast_alias = true;
+          };
+        };
+      };
+
       config = lib.mkOption {
         type = lib.types.lines;
         description = "Contents of {file}`sssd.conf`.";
-        default = ''
+        default = "";
+        example = ''
           [sssd]
           services = nss, pam
           domains = shadowutils
@@ -80,6 +119,13 @@ in
   };
   config = lib.mkMerge [
     (lib.mkIf cfg.enable {
+      assertions = [
+        {
+          assertion = lib.xor (cfg.settings != { }) (cfg.config != "");
+          message = "services.sssd.settings and services.sssd.config are mutually exclusive";
+        }
+      ];
+
       # For `sssctl` to work.
       environment.etc."sssd/sssd.conf".source = settingsFile;
       environment.etc."sssd/conf.d".source = "${dataDir}/conf.d";

nixos/tests/all-tests.nix

@@ -1391,8 +1391,8 @@ in
   ssh-audit = runTest ./ssh-audit.nix;
   sshwifty = runTest ./web-apps/sshwifty/default.nix;
   sslh = handleTest ./sslh.nix { };
-  sssd = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd.nix { };
   sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix { };
+  sssd-legacy-config = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-legacy-config.nix { };
   stalwart-mail = runTest ./stalwart/stalwart-mail.nix;
   stargazer = runTest ./web-servers/stargazer.nix;
   starship = runTest ./starship.nix;

nixos/tests/sssd-ldap.nix

@@ -112,23 +112,25 @@ import ./make-test-python.nix (
           enable = true;
           # just for testing purposes, don't put this into the Nix store in production!
           environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
-          config = ''
+          settings = {
-            [sssd]
+            sssd = {
-            config_file_version = 2
+              config_file_version = 2;
-            services = nss, pam, sudo
+              services = "nss, pam, sudo";
-            domains = ${dbDomain}
+              domains = dbDomain;
+            };
 
-            [domain/${dbDomain}]
+            "domain/${dbDomain}" = {
-            auth_provider = ldap
+              auth_provider = "ldap";
-            id_provider = ldap
+              id_provider = "ldap";
-            ldap_uri = ldaps://127.0.0.1:636
+              ldap_uri = "ldaps://127.0.0.1:636";
-            ldap_tls_reqcert = allow
+              ldap_tls_reqcert = "allow";
-            ldap_tls_cacert = /etc/cert.pem
+              ldap_tls_cacert = "/etc/cert.pem";
-            ldap_search_base = ${dbSuffix}
+              ldap_search_base = dbSuffix;
-            ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
+              ldap_default_bind_dn = "cn=${ldapRootUser},${dbSuffix}";
-            ldap_default_authtok_type = password
+              ldap_default_authtok_type = "password";
-            ldap_default_authtok = $LDAP_BIND_PW
+              ldap_default_authtok = "$LDAP_BIND_PW";
-          '';
+            };
+          };
         };
       };
 

nixos/tests/sssd-legacy-config.nix

@@ -0,0 +1,37 @@
+import ./make-test-python.nix (
+  { pkgs, ... }:
+
+  {
+    name = "sssd-legacy-config";
+    meta = with pkgs.lib.maintainers; {
+      maintainers = [ bbigras ];
+    };
+    nodes.machine.services.sssd = {
+      enable = true;
+      config = # ini
+        ''
+          [sssd]
+          services = nss, pam
+          domains = shadowutils
+
+          [nss]
+
+          [pam]
+
+          [domain/shadowutils]
+          id_provider = proxy
+          proxy_lib_name = files
+          auth_provider = proxy
+          proxy_pam_target = sssd-shadowutils
+          proxy_fast_alias = True
+        '';
+    };
+
+    testScript = ''
+      start_all()
+      machine.wait_for_unit("multi-user.target")
+      machine.wait_for_unit("sssd.service")
+      machine.succeed("sssctl config-check")
+    '';
+  }
+)

nixos/tests/sssd.nix

@@ -1,22 +0,0 @@
-import ./make-test-python.nix (
-  { pkgs, ... }:
-
-  {
-    name = "sssd";
-    meta = with pkgs.lib.maintainers; {
-      maintainers = [ bbigras ];
-    };
-    nodes.machine =
-      { pkgs, ... }:
-      {
-        services.sssd.enable = true;
-      };
-
-    testScript = ''
-      start_all()
-      machine.wait_for_unit("multi-user.target")
-      machine.wait_for_unit("sssd.service")
-      machine.succeed("sssctl config-check")
-    '';
-  }
-)

pkgs/os-specific/linux/sssd/default.nix

@@ -221,7 +221,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   passthru = {
     tests = {
-      inherit (nixosTests) sssd sssd-ldap;
+      inherit (nixosTests) sssd-ldap sssd-legacy-config;
       pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
     };
     updateScript = nix-update-script { };