From 850adcf4b17afb6f5429b030f3c814d502d2b53e Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Mon, 7 Sep 2020 08:39:35 +0200 Subject: [PATCH] Put services in slices in systemd --- modules/private/buildbot/default.nix | 5 +++++ modules/private/databases/redis.nix | 11 +++++++++-- modules/private/mail/default.nix | 3 +++ modules/private/mail/dovecot.nix | 1 + modules/private/mail/milters.nix | 4 ++++ modules/private/mail/postfix.nix | 1 + modules/private/mail/rspamd.nix | 1 + modules/private/mail/sympa.nix | 11 +++++++++++ modules/private/tasks/default.nix | 8 ++++++++ modules/private/vpn/default.nix | 5 +++++ modules/webapps/mastodon.nix | 7 +++++++ modules/webapps/mediagoblin.nix | 5 +++++ 12 files changed, 60 insertions(+), 2 deletions(-) diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index 3dc6a04..6674ad7 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix @@ -126,6 +126,10 @@ in ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets; }) config.myEnv.buildbot.projects; + systemd.slices.buildbot = { + description = "buildbot slice"; + }; + systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { description = "Buildbot Continuous Integration Server ${project.name}."; after = [ "network-online.target" ]; @@ -207,6 +211,7 @@ in in project_env // { inherit PYTHONPATH HOME; }; serviceConfig = { + Slice = "buildbot.slice"; Type = "forking"; User = "buildbot"; Group = "buildbot"; diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 4602510..bc6460f 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix @@ -41,6 +41,7 @@ in { maxclients 1024 ''; }; + systemd.services.redis.serviceConfig.Slice = "redis.slice"; services.spiped = { enable = true; 
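Review bot: `systemd.slices.buildbot` is declared with only a `description`, so the new `Slice = "buildbot.slice"` on the buildbot services changes which cgroup they are grouped under but enforces no resource bound at all; the same holds for the redis, mail, mail-sympa, taskwarrior, tinc, mastodon and mediagoblin slices added in the later hunks of this patch. If the aim is to contain a runaway or compromised service rather than only to group it for accounting, the slice needs limits, e.g. `sliceConfig = { MemoryMax = "<limit>"; TasksMax = <n>; };` inside the slice definition (placeholders to be chosen per service). If grouping alone is intended for now, a one-line comment on the slice such as `# grouping/accounting only; no limits set yet` would stop the next reader from assuming containment that is not there.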
@@ -57,8 +58,9 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig = { - Restart = "always"; - User = "spiped"; + Slice = "redis.slice"; + Restart = "always"; + User = "spiped"; PermissionsStartOnly = true; SupplementaryGroups = "keys"; }; @@ -108,12 +110,17 @@ in { } ]; + systemd.slices.redis = { + description = "Redis slice"; + }; + systemd.services.predixy = { description = "Redis proxy"; wantedBy = [ "multi-user.target" ]; after = [ "redis.service" ]; serviceConfig = { + Slice = "redis.slice"; User = "redis"; Group = "redis"; SupplementaryGroups = "keys"; diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index 9e68cc9..fd6d638 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix @@ -45,5 +45,8 @@ ''; }; }; + systemd.slices.mail = { + description = "Mail slice"; + }; }; } diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index aa25d1f..23e795f 100644 --- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix @@ -13,6 +13,7 @@ let in { config = lib.mkIf config.myServices.mail.enable { + systemd.services.dovecot2.serviceConfig.Slice = "mail.slice"; services.duplyBackup.profiles.mail.excludeFile = '' + /var/lib/dhparams + /var/lib/dovecot diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix index 5de03cf..02c35c8 100644 --- a/modules/private/mail/milters.nix +++ b/modules/private/mail/milters.nix @@ -64,6 +64,7 @@ ''; group = config.services.postfix.group; }; + systemd.services.opendkim.serviceConfig.Slice = "mail.slice"; systemd.services.opendkim.preStart = lib.mkBefore '' # Skip the prestart script as keys are handled in secrets exit 0 @@ -76,6 +77,7 @@ }; users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; + systemd.services.opendmarc.serviceConfig.Slice = "mail.slice"; services.opendmarc = { enable = true; socket = "local:${config.myServices.mail.milters.sockets.opendmarc}"; 
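Review bot: `redis.slice` now groups the spiped tunnel and the predixy proxy together with redis, and nothing in the hunks records why; any limit later placed on this slice would bound the proxy and the tunnel by redis's own consumption, which may or may not be wanted. A comment on the slice definition, e.g. `# redis.slice: redis, its spiped tunnel and the predixy proxy are accounted as one unit`, would make the grouping an explicit decision. `systemd.services.redis.serviceConfig.Slice` is set in the earlier hunk of this file, far from where the slice is declared; moving that line next to the `systemd.slices.redis` block would show the whole grouping in one place.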
@@ -116,6 +118,7 @@ Syslog Yes ''; }; + systemd.services.openarc.serviceConfig.Slice = "mail.slice"; systemd.services.openarc.postStart = lib.optionalString (lib.strings.hasPrefix "local:" config.services.openarc.socket) '' while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do @@ -136,6 +139,7 @@ wantedBy = [ "multi-user.target" ]; serviceConfig = { + Slice = "mail.slice"; User = "postfix"; Group = "postfix"; ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]); diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index c4b09b2..f6c4362 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -463,5 +463,6 @@ done ''; }; + systemd.services.postfix.serviceConfig.Slice = "mail.slice"; }; } diff --git a/modules/private/mail/rspamd.nix b/modules/private/mail/rspamd.nix index 98e006d..a20135a 100644 --- a/modules/private/mail/rspamd.nix +++ b/modules/private/mail/rspamd.nix @@ -28,6 +28,7 @@ in [ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ]; + systemd.services.rspamd.serviceConfig.Slice = "mail.slice"; services.rspamd = { enable = true; debug = false; diff --git a/modules/private/mail/sympa.nix b/modules/private/mail/sympa.nix index f7070e6..5270b69 100644 --- a/modules/private/mail/sympa.nix +++ b/modules/private/mail/sympa.nix 
@@ -50,12 +50,22 @@ in dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; }) sympaConfig.scenari; users.users.sympa.extraGroups = [ "keys" ]; + systemd.slices.mail-sympa = { + description = "Sympa slice"; + }; + systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ]; systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ]; systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ]; systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ]; systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ]; + systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice"; + systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice"; + systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice"; + systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice"; + systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice"; + # https://github.com/NixOS/nixpkgs/pull/84202 systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false; systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false; @@ -72,6 +82,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "sympa.service" ]; serviceConfig = { + Slice = "mail-sympa.slice"; Type = "forking"; PIDFile = "/run/sympa/wwsympa.pid"; Restart = "always"; diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index 5e1ac1e..b523995 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix @@ -263,6 +263,10 @@ in { ''; }; + systemd.slices.taskwarrior = { + description = "Taskwarrior slice"; + }; + systemd.services = (lib.attrsets.mapAttrs' (name: userConfig: let credentials = "${userConfig.org}/${name}/${userConfig.key}"; @@ -314,6 +318,7 @@ in { ''; serviceConfig = { + Slice = "taskwarrior.slice"; User = user; PrivateTmp = true; Restart = "always"; 
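Review bot: The name `mail-sympa` is significant to systemd: a dash in a slice name denotes nesting, so `mail-sympa.slice` becomes a child of `mail.slice` (declared in the mail/default.nix hunk) and inherits whatever limits are later set on the parent. Nothing in the hunk says this is deliberate, so a comment above the definition, `# the dash nests this slice under mail.slice (systemd slice hierarchy)`, would document it. As a point of style, the five repeated `systemd.services.<name>.serviceConfig.Slice = "mail-sympa.slice";` lines mirror the five `SupplementaryGroups` lines above them; both sets could be generated from one list of service names with `lib.genAttrs`, so a new sympa service cannot be added to one list and forgotten in the other.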
@@ -334,6 +339,9 @@ in { chown :${group} "${server_vardir}/keys/ca.key" chmod g+r "${server_vardir}/keys/ca.key" ''; + taskserver-ca.serviceConfig.Slice = "taskwarrior.slice"; + taskserver-init.serviceConfig.Slice = "taskwarrior.slice"; + taskserver.serviceConfig.Slice = "taskwarrior.slice"; }; }; diff --git a/modules/private/vpn/default.nix b/modules/private/vpn/default.nix index fbcba2f..a9051af 100644 --- a/modules/private/vpn/default.nix +++ b/modules/private/vpn/default.nix @@ -46,12 +46,17 @@ in fi ''; + systemd.slices.tinc = { + description = "Tinc slice"; + }; + systemd.services.tinc-Immae = { description = "Tinc Daemon - Immae"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ]; serviceConfig = { + Slice = "tinc.slice"; Type = "simple"; Restart = "always"; RestartSec = "3"; diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index cd550c0..2f5a8e3 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix @@ -111,6 +111,10 @@ in }; }; + systemd.slices.mastodon = { + description = "Mastodon slice"; + }; + systemd.services.mastodon-streaming = { description = "Mastodon Streaming"; wantedBy = [ "multi-user.target" ]; @@ -137,6 +141,7 @@ in ''; serviceConfig = { + Slice = "mastodon.slice"; User = cfg.user; EnvironmentFile = cfg.configFile; PrivateTmp = true; @@ -177,6 +182,7 @@ in exec ./bin/tootctl cache clear ''; serviceConfig = { + Slice = "mastodon.slice"; User = cfg.user; EnvironmentFile = cfg.configFile; PrivateTmp = true; @@ -239,6 +245,7 @@ in ''; serviceConfig = { + Slice = "mastodon.slice"; User = cfg.user; EnvironmentFile = cfg.configFile; PrivateTmp = true; diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix index 19bbc2e..3fe5e38 100644 --- a/modules/webapps/mediagoblin.nix +++ b/modules/webapps/mediagoblin.nix 
@@ -153,6 +153,9 @@ in }; }; + systemd.slices.mediagoblin = { + description = "Mediagoblin slice"; + }; systemd.services.mediagoblin-web = { description = "Mediagoblin service"; wantedBy = [ "multi-user.target" ]; @@ -180,6 +183,7 @@ in ''; serviceConfig = { + Slice = "mediagoblin.slice"; User = cfg.user; PrivateTmp = true; Restart = "always"; @@ -209,6 +213,7 @@ in ''; serviceConfig = { + Slice = "mediagoblin.slice"; User = cfg.user; PrivateTmp = true; Restart = "always"; -- 2.41.0
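Review bot: In the first mediagoblin hunk the `systemd.slices.mediagoblin` block runs straight into `systemd.services.mediagoblin-web` with no separating blank line, unlike the otherwise identical slice definitions in the buildbot, tinc and mastodon hunks; the diffstat (5 insertions here against mastodon's 7) is consistent with the blank being absent. Adding the blank line after the closing `};` keeps the module layout consistent across the patch.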