Put services in slices in systemd
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Mon, 7 Sep 2020 06:39:35 +0000 (08:39 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Mon, 7 Sep 2020 06:39:35 +0000 (08:39 +0200)
12 files changed:
modules/private/buildbot/default.nix
modules/private/databases/redis.nix
modules/private/mail/default.nix
modules/private/mail/dovecot.nix
modules/private/mail/milters.nix
modules/private/mail/postfix.nix
modules/private/mail/rspamd.nix
modules/private/mail/sympa.nix
modules/private/tasks/default.nix
modules/private/vpn/default.nix
modules/webapps/mastodon.nix
modules/webapps/mediagoblin.nix

index 3dc6a044acf8933996e811e0ac9001c2416c2540..6674ad72f622326eadde698ed2831797df3fd7a0 100644 (file)
@@ -126,6 +126,10 @@ in
       ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets;
     }) config.myEnv.buildbot.projects;
 
       ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets;
     }) config.myEnv.buildbot.projects;
 
+    systemd.slices.buildbot = {
+      description = "buildbot slice";
+    };
+
     systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
       description = "Buildbot Continuous Integration Server ${project.name}.";
       after = [ "network-online.target" ];
     systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
       description = "Buildbot Continuous Integration Server ${project.name}.";
       after = [ "network-online.target" ];
@@ -207,6 +211,7 @@ in
       in project_env // { inherit PYTHONPATH HOME; };
 
       serviceConfig = {
       in project_env // { inherit PYTHONPATH HOME; };
 
       serviceConfig = {
+        Slice = "buildbot.slice";
         Type = "forking";
         User = "buildbot";
         Group = "buildbot";
         Type = "forking";
         User = "buildbot";
         Group = "buildbot";
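Review bot: Every per-project buildbot service receives the same `Slice = "buildbot.slice"` inside the mapAttrs' body, and the slice declared at the top of the hunk carries only a description, so the change groups all CI workers into one cgroup without bounding them yet. If the goal is to contain a misbehaving build, the limits belong on the slice, e.g. `sliceConfig = { MemoryMax = "…"; TasksMax = …; };`, and a comment stating that should accompany the declaration. With one shared slice a runaway project also competes with the others; if projects run builds that are not fully trusted, a per-project `buildbot-${project.name}.slice` (nested under `buildbot.slice` by systemd's dash naming convention) would be the finer containment unit, so the single-slice choice is worth recording as deliberate. The serviceConfig block continues outside the hunk.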
index 46025105c64b4318a3a9332508cb5c118d48985f..bc6460ffa2405e2f94d213d3c78ece883ada78fd 100644 (file)
@@ -41,6 +41,7 @@ in {
         maxclients 1024
         '';
     };
         maxclients 1024
         '';
     };
+    systemd.services.redis.serviceConfig.Slice = "redis.slice";
 
     services.spiped = {
       enable = true;
 
     services.spiped = {
       enable = true;
@@ -57,8 +58,9 @@ in {
       wantedBy = [ "multi-user.target" ];
 
       serviceConfig = {
       wantedBy = [ "multi-user.target" ];
 
       serviceConfig = {
-        Restart   = "always";
-        User      = "spiped";
+        Slice = "redis.slice";
+        Restart = "always";
+        User = "spiped";
         PermissionsStartOnly = true;
         SupplementaryGroups = "keys";
       };
         PermissionsStartOnly = true;
         SupplementaryGroups = "keys";
       };
@@ -108,12 +110,17 @@ in {
       }
     ];
 
       }
     ];
 
+    systemd.slices.redis = {
+      description = "Redis slice";
+    };
+
     systemd.services.predixy = {
       description = "Redis proxy";
       wantedBy = [ "multi-user.target" ];
       after = [ "redis.service" ];
 
       serviceConfig = {
     systemd.services.predixy = {
       description = "Redis proxy";
       wantedBy = [ "multi-user.target" ];
       after = [ "redis.service" ];
 
       serviceConfig = {
+        Slice = "redis.slice";
         User = "redis";
         Group = "redis";
         SupplementaryGroups = "keys";
         User = "redis";
         Group = "redis";
         SupplementaryGroups = "keys";
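Review bot: `spiped` and `predixy` are now placed in `redis.slice` together with redis itself, and the slice is declared with no `sliceConfig`, so any memory or CPU cap set on it later will throttle the TLS tunnel and the proxy together with the database. That is a defensible single failure domain, but it is not obvious from the three scattered `Slice = "redis.slice"` lines, so a comment on the `systemd.slices.redis` declaration would help: `# redis, spiped and predixy share one slice: a limit here covers the whole redis path`. The spiped and predixy serviceConfig blocks start and end outside the hunk.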
index 9e68cc91f06c8271be93abcaf8b92c2dce0d88b8..fd6d638a843e7fa08e8073d0e5d89227d826b231 100644 (file)
@@ -45,5 +45,8 @@
           '';
       };
     };
           '';
       };
     };
+    systemd.slices.mail = {
+      description = "Mail slice";
+    };
   };
 }
   };
 }
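Review bot: `systemd.slices.mail` is declared here with only a description, while the units that reference `mail.slice` (dovecot2, opendkim, opendmarc, openarc, rspamd, postfix) are assigned in sibling modules of this commit, so nothing in this file records that the slice is meant to be the shared cgroup for the whole mail path. systemd generally synthesizes a referenced slice with default settings when no unit file exists, so a module evaluated without this one should still start — worth confirming on the host — but the grouping provides no resource bound until `sliceConfig` is set. Suggest adding `sliceConfig` with at least `MemoryMax` and `TasksMax` once figures are known, and in the meantime a comment such as `# mail.slice: cgroup shared by MTA, IMAP, milter and rspamd units; resource limits go here, not per service`.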
index aa25d1fb5531c0bbe66ba3e473bb43f865df6041..23e795f78bbad7a7d082e56ef2274f81b89a063b 100644 (file)
@@ -13,6 +13,7 @@ let
 in
 {
   config = lib.mkIf config.myServices.mail.enable {
 in
 {
   config = lib.mkIf config.myServices.mail.enable {
+    systemd.services.dovecot2.serviceConfig.Slice = "mail.slice";
     services.duplyBackup.profiles.mail.excludeFile = ''
       + /var/lib/dhparams
       + /var/lib/dovecot
     services.duplyBackup.profiles.mail.excludeFile = ''
       + /var/lib/dhparams
       + /var/lib/dovecot
index 5de03cf12dcb04152579f01ffa5e7a4c7823fbe5..02c35c8a97e9f1e9f753c57113f00a46e04a54b6 100644 (file)
@@ -64,6 +64,7 @@
         '';
       group = config.services.postfix.group;
     };
         '';
       group = config.services.postfix.group;
     };
+    systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
     systemd.services.opendkim.preStart = lib.mkBefore ''
       # Skip the prestart script as keys are handled in secrets
       exit 0
     systemd.services.opendkim.preStart = lib.mkBefore ''
       # Skip the prestart script as keys are handled in secrets
       exit 0
@@ -76,6 +77,7 @@
     };
 
     users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
     };
 
     users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+    systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
     services.opendmarc = {
       enable = true;
       socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
     services.opendmarc = {
       enable = true;
       socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
         Syslog                  Yes
         '';
     };
         Syslog                  Yes
         '';
     };
+    systemd.services.openarc.serviceConfig.Slice = "mail.slice";
     systemd.services.openarc.postStart = lib.optionalString
           (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
       while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
     systemd.services.openarc.postStart = lib.optionalString
           (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
       while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
       wantedBy = [ "multi-user.target" ];
 
       serviceConfig = {
       wantedBy = [ "multi-user.target" ];
 
       serviceConfig = {
+        Slice = "mail.slice";
         User = "postfix";
         Group = "postfix";
         ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
         User = "postfix";
         Group = "postfix";
         ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
index c4b09b21ba1dd1ed676164dd44e3e3b412f55c9f..f6c4362b4e4ea960867d9e5061a62e34182d8dda 100644 (file)
         done
         '';
     };
         done
         '';
     };
+    systemd.services.postfix.serviceConfig.Slice = "mail.slice";
   };
 }
   };
 }
index 98e006d5514fb9c3ce07c5cc908b35b611ca8dc6..a20135a273a6204fe661b1b7beeb992cfd1bfc15 100644 (file)
@@ -28,6 +28,7 @@
     in
       [ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ];
 
     in
       [ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ];
 
+    systemd.services.rspamd.serviceConfig.Slice = "mail.slice";
     services.rspamd = {
       enable = true;
       debug = false;
     services.rspamd = {
       enable = true;
       debug = false;
index f7070e65be68d619bb83fe507314ea93f005e1b7..5270b693f72bed7cdde29ed611bef20b8bd250f7 100644 (file)
@@ -50,12 +50,22 @@ in
       dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
     }) sympaConfig.scenari;
     users.users.sympa.extraGroups = [ "keys" ];
       dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
     }) sympaConfig.scenari;
     users.users.sympa.extraGroups = [ "keys" ];
+    systemd.slices.mail-sympa = {
+      description = "Sympa slice";
+    };
+
     systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
     systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
     systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
     systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
     systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
 
     systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
     systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
     systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
     systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
     systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
 
+    systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice";
+    systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice";
+    systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice";
+    systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice";
+    systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice";
+
     # https://github.com/NixOS/nixpkgs/pull/84202
     systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
     systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
     # https://github.com/NixOS/nixpkgs/pull/84202
     systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
     systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
@@ -72,6 +82,7 @@ in
       wantedBy = [ "multi-user.target" ];
       after = [ "sympa.service" ];
       serviceConfig = {
       wantedBy = [ "multi-user.target" ];
       after = [ "sympa.service" ];
       serviceConfig = {
+        Slice = "mail-sympa.slice";
         Type = "forking";
         PIDFile = "/run/sympa/wwsympa.pid";
         Restart = "always";
         Type = "forking";
         PIDFile = "/run/sympa/wwsympa.pid";
         Restart = "always";
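Review bot: The new `mail-sympa.slice` name nests the slice under `mail.slice` by systemd's dash naming convention, so any limit later placed on `mail.slice` also bounds sympa and wwsympa; that is a sensible choice but nothing in the hunk says it is intended. A comment on the `systemd.slices.mail-sympa` declaration would make it explicit: `# child of mail.slice (dash hierarchy): limits set on mail.slice apply here as well`. The five `serviceConfig.Slice` lines duplicate the pattern of the `SupplementaryGroups` lines just above them, so a single `lib.genAttrs` over the sympa unit names setting both attributes would reduce the copy-paste; the wwsympa serviceConfig block continues outside the hunk.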
index 5e1ac1eaa6d4df882db78e5283911a3b443f7f5b..b523995370416e77affe6baf329f2fa84555c188 100644 (file)
@@ -263,6 +263,10 @@ in {
       '';
     };
 
       '';
     };
 
+    systemd.slices.taskwarrior = {
+      description = "Taskwarrior slice";
+    };
+
     systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
       let
         credentials = "${userConfig.org}/${name}/${userConfig.key}";
     systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
       let
         credentials = "${userConfig.org}/${name}/${userConfig.key}";
@@ -314,6 +318,7 @@ in {
         '';
 
         serviceConfig = {
         '';
 
         serviceConfig = {
+          Slice = "taskwarrior.slice";
           User = user;
           PrivateTmp = true;
           Restart = "always";
           User = user;
           PrivateTmp = true;
           Restart = "always";
@@ -334,6 +339,9 @@ in {
           chown :${group} "${server_vardir}/keys/ca.key"
           chmod g+r "${server_vardir}/keys/ca.key"
         '';
           chown :${group} "${server_vardir}/keys/ca.key"
           chmod g+r "${server_vardir}/keys/ca.key"
         '';
+        taskserver-ca.serviceConfig.Slice = "taskwarrior.slice";
+        taskserver-init.serviceConfig.Slice = "taskwarrior.slice";
+        taskserver.serviceConfig.Slice = "taskwarrior.slice";
       };
 
   };
       };
 
   };
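Review bot: The `Slice = "taskwarrior.slice"` line is added to every per-user unit produced by the mapAttrs' near the top of the hunk and, further down, to `taskserver`, `taskserver-ca` and `taskserver-init`, so all users' sync jobs and the server share one cgroup while the slice itself has no `sliceConfig`. That makes the grouping purely an accounting boundary for now, which is fine but should be stated, e.g. on the slice: `# one slice for taskserver and every per-user sync unit; any limit applies to the group as a whole`. The `systemd.services` attribute set opens inside the hunk and closes outside it.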
index fbcba2f845dfb61ff06c874706b1df52b465b43c..a9051afeed3cee193f13f04907846fe50fe22405 100644 (file)
@@ -46,12 +46,17 @@ in
       fi
     '';
 
       fi
     '';
 
+    systemd.slices.tinc = {
+      description = "Tinc slice";
+    };
+
     systemd.services.tinc-Immae = {
       description = "Tinc Daemon - Immae";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
       path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
       serviceConfig = {
     systemd.services.tinc-Immae = {
       description = "Tinc Daemon - Immae";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
       path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
       serviceConfig = {
+        Slice = "tinc.slice";
         Type = "simple";
         Restart = "always";
         RestartSec = "3";
         Type = "simple";
         Restart = "always";
         RestartSec = "3";
index cd550c0e64cf75d81dc5694489e033df88e1597c..2f5a8e392027016791d7d3544b27d1ccbbb174a6 100644 (file)
@@ -111,6 +111,10 @@ in
       };
     };
 
       };
     };
 
+    systemd.slices.mastodon = {
+      description = "Mastodon slice";
+    };
+
     systemd.services.mastodon-streaming = {
       description = "Mastodon Streaming";
       wantedBy = [ "multi-user.target" ];
     systemd.services.mastodon-streaming = {
       description = "Mastodon Streaming";
       wantedBy = [ "multi-user.target" ];
@@ -137,6 +141,7 @@ in
       '';
 
       serviceConfig = {
       '';
 
       serviceConfig = {
+        Slice = "mastodon.slice";
         User = cfg.user;
         EnvironmentFile = cfg.configFile;
         PrivateTmp = true;
         User = cfg.user;
         EnvironmentFile = cfg.configFile;
         PrivateTmp = true;
@@ -177,6 +182,7 @@ in
         exec ./bin/tootctl cache clear
         '';
       serviceConfig = {
         exec ./bin/tootctl cache clear
         '';
       serviceConfig = {
+        Slice = "mastodon.slice";
         User = cfg.user;
         EnvironmentFile = cfg.configFile;
         PrivateTmp = true;
         User = cfg.user;
         EnvironmentFile = cfg.configFile;
         PrivateTmp = true;
@@ -239,6 +245,7 @@ in
       '';
 
       serviceConfig = {
       '';
 
       serviceConfig = {
+        Slice = "mastodon.slice";
         User = cfg.user;
         EnvironmentFile = cfg.configFile;
         PrivateTmp = true;
         User = cfg.user;
         EnvironmentFile = cfg.configFile;
         PrivateTmp = true;
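Review bot: The three serviceConfig blocks visible in this section (mastodon-streaming and the two unnamed services at the later hunks) each gain `Slice = "mastodon.slice"`, but the module may define further mastodon units outside these hunks that would remain in the default `system.slice`; I cannot tell from here, so it is worth a grep for other `systemd.services.mastodon-*` definitions in this file. A short comment on the slice declaration, `# all mastodon units must set Slice = "mastodon.slice" so limits apply to the whole application`, would make the omission easy to catch in later edits. Each of the affected serviceConfig blocks continues outside its hunk.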
index 19bbc2e8ce6c394ea282dfcde04d8e2598bcefbf..3fe5e38327c23974e40169bebbfa80f4ea22bc34 100644 (file)
@@ -153,6 +153,9 @@ in
       };
     };
 
       };
     };
 
+    systemd.slices.mediagoblin = {
+      description = "Mediagoblin slice";
+    };
     systemd.services.mediagoblin-web = {
       description = "Mediagoblin service";
       wantedBy = [ "multi-user.target" ];
     systemd.services.mediagoblin-web = {
       description = "Mediagoblin service";
       wantedBy = [ "multi-user.target" ];
@@ -180,6 +183,7 @@ in
         '';
 
       serviceConfig = {
         '';
 
       serviceConfig = {
+        Slice = "mediagoblin.slice";
         User = cfg.user;
         PrivateTmp = true;
         Restart = "always";
         User = cfg.user;
         PrivateTmp = true;
         Restart = "always";
@@ -209,6 +213,7 @@ in
         '';
 
       serviceConfig = {
         '';
 
       serviceConfig = {
+        Slice = "mediagoblin.slice";
         User = cfg.user;
         PrivateTmp = true;
         Restart = "always";
         User = cfg.user;
         PrivateTmp = true;
         Restart = "always";
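Review bot: The `systemd.slices.mediagoblin` block at the top of the section runs straight into `systemd.services.mediagoblin-web` without a separating blank line, unlike the same declaration in the other modules of this commit (buildbot, redis, tasks, vpn, mastodon), so a blank line after its closing `};` keeps the style consistent. Both serviceConfig blocks that gain `Slice = "mediagoblin.slice"` continue outside their hunks.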