Add options to configure idmapd.conf #97616

Closed
justinlovinger opened this issue Sep 10, 2020 · 10 comments · Fixed by #98980
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Comments

@justinlovinger
Contributor

Issue description

If you want root access to an NFS share secured with Kerberos, you need to modify the default idmapd.conf. Currently, I override the idmapd.conf source, because NixOS has no options to modify idmapd.conf:

environment.etc."idmapd.conf".source = let
  nfsStateDir = "/var/lib/nfs";
  rpcMountpoint = "${nfsStateDir}/rpc_pipefs";
in lib.mkForce (pkgs.writeText "idmapd.conf" ''
  [General]
  Pipefs-Directory = ${rpcMountpoint}
  ${lib.optionalString (config.networking.domain != null)
    "Domain = ${config.networking.domain}"}

  [Mapping]
  Nobody-User = nobody
  Nobody-Group = nogroup

  [Translation]
  GSS-Methods = static,nsswitch

  [Static]
  root/[email protected] = root
'');

The text is mostly copied from the default NixOS idmapd.conf. The only changes are:

-  Method = nsswitch
+  GSS-Methods = static,nsswitch
+
+  [Static]
+  root/[email protected] = root
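
Review bot: the `-  Method = nsswitch` line is swapped for `GSS-Methods = static,nsswitch`, which is a different key rather than a rename, so the diff mixes a removal with the additions it is meant to show. If the intent is only to add the static mapping for the root principal, keep `Method` and add `GSS-Methods` and `[Static]` beside it, or state why `Method` is dropped. The `[Static]` entry maps a Kerberos principal to local root, so it also deserves a comment saying which host that principal belongs to.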

This solution is brittle, and requires manual intervention if the default idmapd.conf ever changes. I'm not sure exactly what the NixOS options should look like, but there should be mechanisms to modify idmapd.conf in NixOS.

Technical details

  • system: "x86_64-linux"
  • host os: Linux 5.4.62, NixOS, 20.03.2882.51d115ac89d (Markhor)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.3.6
  • channels(root): "nixos-20.03.2882.51d115ac89d"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos
@veprbl veprbl added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label Sep 10, 2020
@aanderse
Member

@justinlovinger what about an option like this so you can easily override/append values as you see fit?

@justinlovinger
Contributor Author

> @justinlovinger what about an option like this so you can easily override/append values as you see fit?

That looks great. I'm a big fan of RFC 42 :) Just one question though. Can you remove an option, such as Translation.Method = null?

@aanderse
Member

Good question. @infinisil can we bug you for some advice on how you can remove values from a settings option?

@infinisil
Member

There's nothing builtin for that. The best that can be done is to just filter out null values during string generation. Though in INI's case, null is also a valid value in INI files, so that might not be a great idea. There is a PR that adds a way to "unset" values, though I haven't looked into it much.
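
The null-filtering approach described in the comment above, as an added example that is not part of the original thread or of the NixOS module. The names `defaults`, `overrides` and `dropNulls` are hypothetical, and the Kerberos principal is a constructed placeholder; it assumes `<nixpkgs>` is available for `lib`.

```nix
# Added example: merge user overrides into default idmapd.conf settings,
# treat a null value as "remove this key", then render the result as INI.
let
  lib = (import <nixpkgs> { }).lib;

  # Defaults as shown in the issue description (Domain omitted for brevity).
  defaults = {
    General."Pipefs-Directory" = "/var/lib/nfs/rpc_pipefs";
    Mapping = {
      "Nobody-User" = "nobody";
      "Nobody-Group" = "nogroup";
    };
    Translation.Method = "nsswitch";
  };

  # What a user would set: unset Method, add GSS-Methods and a static mapping.
  overrides = {
    Translation = {
      Method = null; # marked for removal
      "GSS-Methods" = "static,nsswitch";
    };
    # Constructed placeholder principal, not the one from the issue.
    Static."root/host.example.org@EXAMPLE.ORG" = "root";
  };

  # recursiveUpdate merges section by section; a null on the right-hand
  # side replaces the default value and is dropped in the next step.
  merged = lib.recursiveUpdate defaults overrides;

  # Remove every key whose value is null, in every section.
  dropNulls = lib.mapAttrs (_section: lib.filterAttrs (_key: value: value != null));
in
lib.generators.toINI { } (dropNulls merged)
```

With this scheme a user can no longer write a literal null into the file, which is the drawback the comment points out.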

@aanderse
Member

Thanks for mentioning @infinisil!
@justinlovinger without the ability to remove values would this not work?

@justinlovinger
Contributor Author

@aanderse I did a double-check on man idmapd.conf, and it looks like Method and GSS-Methods are actually separate, but related. GSS-Methods defaults to the value of Method. Also, the default value of Method is already nsswitch, so removing it in my configuration had no effect. On that note, we may consider removing Method = "nsswitch", as that is already the default. Regardless, your RFC 42 solution should work, even without the ability to remove values.

@aanderse
Member

@justinlovinger are you interested in opening a PR? Feel free to use the branch I posted.

@justinlovinger
Contributor Author

> @justinlovinger are you interested in opening a PR? Feel free to use the branch I posted.

I can open a pull request. Just one question: is there a reason the option and variables are called imapd instead of idmapd?

@aanderse
Member

Typo 🤷‍♂️

@justinlovinger
Contributor Author

justinlovinger commented Sep 28, 2020

@aanderse pull request is up. I fixed the imapd typo and a syntax error.
