] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets;
}) config.myEnv.buildbot.projects;
+ systemd.slices.buildbot = {
+ description = "buildbot slice";
+ };
+
systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
description = "Buildbot Continuous Integration Server ${project.name}.";
after = [ "network-online.target" ];
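Review bot: The new `buildbot` slice (and every other slice added in this change) carries only a `description`, so it groups the services into a cgroup for accounting but enforces nothing; without a `sliceConfig` the CI workload can still exhaust host memory or PIDs exactly as before. If the intent is containment rather than tidier `systemctl status` output, add limits sized for the host, e.g. `sliceConfig = { MemoryMax = "50%"; TasksMax = 2048; };` (a percentage is relative to physical RAM). If grouping alone is the goal, say so where the slice is declared, e.g. `# Accounting/grouping only: no resource limits are enforced on this slice.`, so the next reader does not assume isolation. The `systemd.services` definition that starts in the trailing context continues outside this hunk.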
in project_env // { inherit PYTHONPATH HOME; };
serviceConfig = {
+ Slice = "buildbot.slice";
Type = "forking";
User = "buildbot";
Group = "buildbot";
maxclients 1024
'';
};
+ systemd.services.redis.serviceConfig.Slice = "redis.slice";
services.spiped = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
- Restart = "always";
- User = "spiped";
+ Slice = "redis.slice";
+ Restart = "always";
+ User = "spiped";
PermissionsStartOnly = true;
SupplementaryGroups = "keys";
};
}
];
+ systemd.slices.redis = {
+ description = "Redis slice";
+ };
+
systemd.services.predixy = {
description = "Redis proxy";
wantedBy = [ "multi-user.target" ];
after = [ "redis.service" ];
serviceConfig = {
+ Slice = "redis.slice";
User = "redis";
Group = "redis";
SupplementaryGroups = "keys";
'';
};
};
+ systemd.slices.mail = {
+ description = "Mail slice";
+ };
};
}
in
{
config = lib.mkIf config.myServices.mail.enable {
+ systemd.services.dovecot2.serviceConfig.Slice = "mail.slice";
services.duplyBackup.profiles.mail.excludeFile = ''
+ /var/lib/dhparams
+ /var/lib/dovecot
'';
group = config.services.postfix.group;
};
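Review bot: Excluding `/var/lib/dovecot` from the mail backup profile removes whatever Dovecot keeps there from every backup, and nothing in the hunk records why that is safe; `/var/lib/dhparams` is clearly regenerable, but the Dovecot state directory may hold data that is not (sieve scripts or indexes, depending on the `mailLocation`/sieve configuration, which this hunk does not show). If it has been checked that only reconstructible state lives there, record that next to the exclusion, e.g. `# /var/lib/dovecot holds only regenerable state; mailboxes live under the configured mailLocation`; otherwise narrow the exclusion to the specific subdirectories that are safe to skip. The `config = lib.mkIf ...` attribute set opened in this hunk continues past it.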
+ systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
systemd.services.opendkim.preStart = lib.mkBefore ''
# Skip the prestart script as keys are handled in secrets
exit 0
};
users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+ systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
services.opendmarc = {
enable = true;
socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
Syslog Yes
'';
};
+ systemd.services.openarc.serviceConfig.Slice = "mail.slice";
systemd.services.openarc.postStart = lib.optionalString
(lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
wantedBy = [ "multi-user.target" ];
serviceConfig = {
+ Slice = "mail.slice";
User = "postfix";
Group = "postfix";
ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
done
'';
};
+ systemd.services.postfix.serviceConfig.Slice = "mail.slice";
};
}
in
[ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ];
+ systemd.services.rspamd.serviceConfig.Slice = "mail.slice";
services.rspamd = {
enable = true;
debug = false;
dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
}) sympaConfig.scenari;
users.users.sympa.extraGroups = [ "keys" ];
+ systemd.slices.mail-sympa = {
+ description = "Sympa slice";
+ };
+
systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
+ systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice";
+ systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice";
+ systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice";
+ systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice";
+ systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice";
+
# https://github.com/NixOS/nixpkgs/pull/84202
systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
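Review bot: The slice name `mail-sympa` makes it a child of `mail.slice` under systemd's naming convention (a dash in a slice name denotes nesting), whereas every other slice added in this change is top-level; that is plausibly intended since sympa is part of the mail stack, but it means any resource limit later placed on `mail.slice` also caps the five sympa services, and the `description` does not say so. Suggest making the hierarchy explicit so nobody later "fixes" the name: `description = "Sympa slice (child of mail.slice)";`. The module body this hunk sits in continues on both sides of it.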
wantedBy = [ "multi-user.target" ];
after = [ "sympa.service" ];
serviceConfig = {
+ Slice = "mail-sympa.slice";
Type = "forking";
PIDFile = "/run/sympa/wwsympa.pid";
Restart = "always";
'';
};
+ systemd.slices.taskwarrior = {
+ description = "Taskwarrior slice";
+ };
+
systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
let
credentials = "${userConfig.org}/${name}/${userConfig.key}";
'';
serviceConfig = {
+ Slice = "taskwarrior.slice";
User = user;
PrivateTmp = true;
Restart = "always";
chown :${group} "${server_vardir}/keys/ca.key"
chmod g+r "${server_vardir}/keys/ca.key"
'';
+ taskserver-ca.serviceConfig.Slice = "taskwarrior.slice";
+ taskserver-init.serviceConfig.Slice = "taskwarrior.slice";
+ taskserver.serviceConfig.Slice = "taskwarrior.slice";
};
};
fi
'';
+ systemd.slices.tinc = {
+ description = "Tinc slice";
+ };
+
systemd.services.tinc-Immae = {
description = "Tinc Daemon - Immae";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
serviceConfig = {
+ Slice = "tinc.slice";
Type = "simple";
Restart = "always";
RestartSec = "3";
};
};
+ systemd.slices.mastodon = {
+ description = "Mastodon slice";
+ };
+
systemd.services.mastodon-streaming = {
description = "Mastodon Streaming";
wantedBy = [ "multi-user.target" ];
'';
serviceConfig = {
+ Slice = "mastodon.slice";
User = cfg.user;
EnvironmentFile = cfg.configFile;
PrivateTmp = true;
exec ./bin/tootctl cache clear
'';
serviceConfig = {
+ Slice = "mastodon.slice";
User = cfg.user;
EnvironmentFile = cfg.configFile;
PrivateTmp = true;
'';
serviceConfig = {
+ Slice = "mastodon.slice";
User = cfg.user;
EnvironmentFile = cfg.configFile;
PrivateTmp = true;
};
};
+ systemd.slices.mediagoblin = {
+ description = "Mediagoblin slice";
+ };
systemd.services.mediagoblin-web = {
description = "Mediagoblin service";
wantedBy = [ "multi-user.target" ];
'';
serviceConfig = {
+ Slice = "mediagoblin.slice";
User = cfg.user;
PrivateTmp = true;
Restart = "always";
'';
serviceConfig = {
+ Slice = "mediagoblin.slice";
User = cfg.user;
PrivateTmp = true;
Restart = "always";