From f2a20e9966d48d460e50ab36d46e63277177878c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 15 Apr 2020 18:15:51 +0200
Subject: [PATCH] man: move "myhostname" right after "resolve"

The text in the man page provides the justification why I think this is generally the right thing. An additional reason is that with the previous commit (to move resolved earlier), since resolved internally implements the same rules that nss-myhostname does, we'd have this strange inversion where the priority of external configuration would be different in the "resolve" path and in the fallback path.
---
 man/nss-myhostname.xml | 13 ++++++++++---
 man/nss-mymachines.xml | 2 +-
 man/nss-resolve.xml | 2 +-
 man/nss-systemd.xml | 2 +-
 4 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/man/nss-myhostname.xml b/man/nss-myhostname.xml
index 9a1125caae..e23b24483e 100644
--- a/man/nss-myhostname.xml
+++ b/man/nss-myhostname.xml
@@ -67,9 +67,13 @@ To activate the NSS modules, add myhostname to the line starting with hosts: in /etc/nsswitch.conf.
- It is recommended to place myhostname last in the nsswitch.conf'
- hosts: line to make sure that this mapping is only used as fallback, and that any DNS or
- /etc/hosts based mapping takes precedence.
+ It is recommended to place myhostname either between resolve
+ and "traditional" modules like files and dns, or after them. In the
+ first version, well-known names like localhost and the machine hostname are given
+ higher priority than the external configuration. This is recommended when the external DNS servers and
+ network are not absolutely trusted. In the second version, external configuration is given higher
+ priority and nss-myhostname only provides a fallback mechanism. This might be suitable
+ in closely controlled networks, for example on a company LAN.
@@ -83,6 +87,9 @@
 group: compat mymachines systemd
 shadow: compat
+# Either (untrusted network):
+hosts: mymachines resolve [!UNAVAIL=return] myhostname files dns
+# Or (only trusted networks):
 hosts: mymachines resolve [!UNAVAIL=return] files dns myhostname
 networks: files
diff --git a/man/nss-mymachines.xml b/man/nss-mymachines.xml
index 71865874dd..1ff88aba2d 100644
--- a/man/nss-mymachines.xml
+++ b/man/nss-mymachines.xml
@@ -69,7 +69,7 @@
 group: compat mymachines systemd
 shadow: compat
-hosts: mymachines resolve [!UNAVAIL=return] files dns myhostname
+hosts: mymachines resolve [!UNAVAIL=return] myhostname files dns
 networks: files
 protocols: db files
diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml
index 5c8b745881..cc33b2c082 100644
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@@ -67,7 +67,7 @@
 group: compat mymachines systemd
 shadow: compat
-hosts: mymachines resolve [!UNAVAIL=return] files dns myhostname
+hosts: mymachines resolve [!UNAVAIL=return] myhostname files dns
 networks: files
 protocols: db files
diff --git a/man/nss-systemd.xml b/man/nss-systemd.xml
index a5b3de73e7..ac22452bc3 100644
--- a/man/nss-systemd.xml
+++ b/man/nss-systemd.xml
@@ -65,7 +65,7 @@
 group: compat [SUCCESS=merge] mymachines [SUCCESS=merge] systemd
 shadow: compat
-hosts: mymachines resolve [!UNAVAIL=return] files dns myhostname
+hosts: mymachines resolve [!UNAVAIL=return] myhostname files dns
 networks: files
 protocols: db files