authorFlorian Klink <flokli@flokli.de>2023-02-02 11:02:10 +0100
committerFlorian Klink <flokli@flokli.de>2023-02-02 11:07:25 +0100
commitfbfe2907af640ba3fb3528ab5e75d9dcd150a0e0 (patch)
tree42ce57feedfa2f8ab5867e36066be2932451aba8 /nixos
parent56f5f40f81d15f56aa1470dc8f1d1716ba81fbb0 (diff)
nixos/nscd: use nsncd by default
As announced in the NixOS 22.11 release notes, 23.05 will switch NixOS
to using nsncd (a non-caching reimplementation in Rust) as NSS lookup
dispatcher, instead of the buggy and deprecated glibc-provided nscd.

If you need to switch back, set `services.nscd.enableNsncd = false`, but
please open an issue in nixpkgs so your issue can be fixed.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2305.section.xml10
-rw-r--r--nixos/doc/manual/release-notes/rl-2305.section.md2
-rw-r--r--nixos/modules/services/system/nscd.nix10
-rw-r--r--nixos/tests/nscd.nix23
4 files changed, 31 insertions, 14 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index 5f9d67b5e7d6..b8affabb8647 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -529,6 +529,16 @@
       </listitem>
       <listitem>
         <para>
+          NixOS now defaults to using nsncd (a non-caching
+          reimplementation in Rust) as NSS lookup dispatcher, instead of
+          the buggy and deprecated glibc-provided nscd. If you need to
+          switch back, set
+          <literal>services.nscd.enableNsncd = false</literal>, but
+          please open an issue in nixpkgs so your issue can be fixed.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           The <literal>dnsmasq</literal> service now takes configuration
           via the <literal>services.dnsmasq.settings</literal> attribute
           set. The option
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index b19bf5d402a2..96f67673211d 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -130,6 +130,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
   DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.
 
+- NixOS now defaults to using nsncd (a non-caching reimplementation in Rust) as NSS lookup dispatcher, instead of the buggy and deprecated glibc-provided nscd. If you need to switch back, set `services.nscd.enableNsncd = false`, but please open an issue in nixpkgs so your issue can be fixed.
+
 - The `dnsmasq` service now takes configuration via the
   `services.dnsmasq.settings` attribute set. The option
   `services.dnsmasq.extraConfig` will be deprecated when NixOS 22.11 reaches
diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix
index fdc5190d084b..971dffbadc13 100644
--- a/nixos/modules/services/system/nscd.nix
+++ b/nixos/modules/services/system/nscd.nix
@@ -29,10 +29,11 @@ in
 
       enableNsncd = mkOption {
         type = types.bool;
-        default = false;
+        default = true;
         description = lib.mdDoc ''
-          Whether to use nsncd instead of nscd.
+          Whether to use nsncd instead of nscd from glibc.
           This is a nscd-compatible daemon, that proxies lookups, without any caching.
+          Using nscd from glibc is discouraged.
         '';
       };
 
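Review bot: With `default = true`, every system that never set `enableNsncd` changes which daemon answers its passwd, group and hosts lookups on upgrade, and the option text does not say what happens to the other `services.nscd.*` settings. The next hunk documents that `config` is only used with glibc-nscd, so an operator who tuned `services.nscd.config` would lose those settings with no evaluation-time signal. A warning emitted when `enableNsncd` is true and `config` differs from its default would surface that, though the module's `config` section is outside this hunk. At minimum the description could add `When enabled, services.nscd.config is not used.`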
@@ -55,7 +56,10 @@ in
       config = mkOption {
         type = types.lines;
         default = builtins.readFile ./nscd.conf;
-        description = lib.mdDoc "Configuration to use for Name Service Cache Daemon.";
+        description = lib.mdDoc ''
+          Configuration to use for Name Service Cache Daemon.
+          Only used in case glibc-nscd is used.
+        '';
       };
 
       package = mkOption {
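Review bot: "Only used in case glibc-nscd is used" reads narrower than the test change in this commit suggests: `withUnscd` now sets `enableNsncd = false` together with `services.nscd.package = pkgs.unscd`, so `config` presumably applies to any nscd-style package, not only glibc's. Tying the sentence to the option that gates it would be more precise, e.g. `Only used when services.nscd.enableNsncd is false.` The `package` option that begins on the last line of this hunk probably needs the same remark, but its body is outside the hunk.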
diff --git a/nixos/tests/nscd.nix b/nixos/tests/nscd.nix
index 1922812ef8c8..356c6d2e2a54 100644
--- a/nixos/tests/nscd.nix
+++ b/nixos/tests/nscd.nix
@@ -40,12 +40,13 @@ in
     };
 
     specialisation = {
+      withGlibcNscd.configuration = { ... }: {
+        services.nscd.enableNsncd = false;
+      };
       withUnscd.configuration = { ... }: {
+        services.nscd.enableNsncd = false;
         services.nscd.package = pkgs.unscd;
       };
-      withNsncd.configuration = { ... }: {
-        services.nscd.enableNsncd = true;
-      };
     };
   };
 
@@ -118,6 +119,14 @@ in
       test_host_lookups()
       test_nss_myhostname()
 
+      with subtest("glibc-nscd"):
+          machine.succeed('${specialisations}/withGlibcNscd/bin/switch-to-configuration test')
+          machine.wait_for_unit("default.target")
+
+          test_dynamic_user()
+          test_host_lookups()
+          test_nss_myhostname()
+
       with subtest("unscd"):
           machine.succeed('${specialisations}/withUnscd/bin/switch-to-configuration test')
           machine.wait_for_unit("default.target")
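Review bot: The `glibc-nscd` subtest never checks which daemon is serving after `switch-to-configuration test`. It is symmetrical to the nsncd subtest this commit removes, so the three helpers evidently pass under nsncd as well, and a switch that left the default daemon running would still go green. An explicit assertion before the lookups would close that gap, for example `machine.fail("systemctl show -p ExecStart nscd.service | grep -q nsncd")`, assuming the unit is named `nscd.service`, which this page does not show. The same applies to the `unscd` subtest that starts at the end of this hunk and continues outside it. A short comment on the top-level calls such as `# default configuration: nsncd` would also record that those now cover the new default.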
@@ -129,13 +138,5 @@ in
 
           # known to fail, unscd doesn't load external NSS modules
           # test_nss_myhostname()
-
-      with subtest("nsncd"):
-          machine.succeed('${specialisations}/withNsncd/bin/switch-to-configuration test')
-          machine.wait_for_unit("default.target")
-
-          test_dynamic_user()
-          test_host_lookups()
-          test_nss_myhostname()
     '';
 })