diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-09-07 08:39:35 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-09-07 08:39:35 +0200 |
| commit | 850adcf4b17afb6f5429b030f3c814d502d2b53e (patch) | |
| tree | 9e30459cec309e4b04bed476f9444a9335dac0af | |
| parent | de6d17ec97a1946f628372e5b0854cb21a91a55f (diff) | |
| download | Nix-850adcf4b17afb6f5429b030f3c814d502d2b53e.tar.gz Nix-850adcf4b17afb6f5429b030f3c814d502d2b53e.tar.zst Nix-850adcf4b17afb6f5429b030f3c814d502d2b53e.zip | |
Put services in slices in systemd
| -rw-r--r-- | modules/private/buildbot/default.nix | 5 | ||||
| -rw-r--r-- | modules/private/databases/redis.nix | 11 | ||||
| -rw-r--r-- | modules/private/mail/default.nix | 3 | ||||
| -rw-r--r-- | modules/private/mail/dovecot.nix | 1 | ||||
| -rw-r--r-- | modules/private/mail/milters.nix | 4 | ||||
| -rw-r--r-- | modules/private/mail/postfix.nix | 1 | ||||
| -rw-r--r-- | modules/private/mail/rspamd.nix | 1 | ||||
| -rw-r--r-- | modules/private/mail/sympa.nix | 11 | ||||
| -rw-r--r-- | modules/private/tasks/default.nix | 8 | ||||
| -rw-r--r-- | modules/private/vpn/default.nix | 5 | ||||
| -rw-r--r-- | modules/webapps/mastodon.nix | 7 | ||||
| -rw-r--r-- | modules/webapps/mediagoblin.nix | 5 |
12 files changed, 60 insertions, 2 deletions
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index 3dc6a04..6674ad7 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix | |||
| @@ -126,6 +126,10 @@ in | |||
| 126 | ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets; | 126 | ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets; |
| 127 | }) config.myEnv.buildbot.projects; | 127 | }) config.myEnv.buildbot.projects; |
| 128 | 128 | ||
| 129 | systemd.slices.buildbot = { | ||
| 130 | description = "buildbot slice"; | ||
| 131 | }; | ||
| 132 | |||
| 129 | systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { | 133 | systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { |
| 130 | description = "Buildbot Continuous Integration Server ${project.name}."; | 134 | description = "Buildbot Continuous Integration Server ${project.name}."; |
| 131 | after = [ "network-online.target" ]; | 135 | after = [ "network-online.target" ]; |
| @@ -207,6 +211,7 @@ in | |||
| 207 | in project_env // { inherit PYTHONPATH HOME; }; | 211 | in project_env // { inherit PYTHONPATH HOME; }; |
| 208 | 212 | ||
| 209 | serviceConfig = { | 213 | serviceConfig = { |
| 214 | Slice = "buildbot.slice"; | ||
| 210 | Type = "forking"; | 215 | Type = "forking"; |
| 211 | User = "buildbot"; | 216 | User = "buildbot"; |
| 212 | Group = "buildbot"; | 217 | Group = "buildbot"; |
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 4602510..bc6460f 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix | |||
| @@ -41,6 +41,7 @@ in { | |||
| 41 | maxclients 1024 | 41 | maxclients 1024 |
| 42 | ''; | 42 | ''; |
| 43 | }; | 43 | }; |
| 44 | systemd.services.redis.serviceConfig.Slice = "redis.slice"; | ||
| 44 | 45 | ||
| 45 | services.spiped = { | 46 | services.spiped = { |
| 46 | enable = true; | 47 | enable = true; |
| @@ -57,8 +58,9 @@ in { | |||
| 57 | wantedBy = [ "multi-user.target" ]; | 58 | wantedBy = [ "multi-user.target" ]; |
| 58 | 59 | ||
| 59 | serviceConfig = { | 60 | serviceConfig = { |
| 60 | Restart = "always"; | 61 | Slice = "redis.slice"; |
| 61 | User = "spiped"; | 62 | Restart = "always"; |
| 63 | User = "spiped"; | ||
| 62 | PermissionsStartOnly = true; | 64 | PermissionsStartOnly = true; |
| 63 | SupplementaryGroups = "keys"; | 65 | SupplementaryGroups = "keys"; |
| 64 | }; | 66 | }; |
| @@ -108,12 +110,17 @@ in { | |||
| 108 | } | 110 | } |
| 109 | ]; | 111 | ]; |
| 110 | 112 | ||
| 113 | systemd.slices.redis = { | ||
| 114 | description = "Redis slice"; | ||
| 115 | }; | ||
| 116 | |||
| 111 | systemd.services.predixy = { | 117 | systemd.services.predixy = { |
| 112 | description = "Redis proxy"; | 118 | description = "Redis proxy"; |
| 113 | wantedBy = [ "multi-user.target" ]; | 119 | wantedBy = [ "multi-user.target" ]; |
| 114 | after = [ "redis.service" ]; | 120 | after = [ "redis.service" ]; |
| 115 | 121 | ||
| 116 | serviceConfig = { | 122 | serviceConfig = { |
| 123 | Slice = "redis.slice"; | ||
| 117 | User = "redis"; | 124 | User = "redis"; |
| 118 | Group = "redis"; | 125 | Group = "redis"; |
| 119 | SupplementaryGroups = "keys"; | 126 | SupplementaryGroups = "keys"; |
diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index 9e68cc9..fd6d638 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix | |||
| @@ -45,5 +45,8 @@ | |||
| 45 | ''; | 45 | ''; |
| 46 | }; | 46 | }; |
| 47 | }; | 47 | }; |
| 48 | systemd.slices.mail = { | ||
| 49 | description = "Mail slice"; | ||
| 50 | }; | ||
| 48 | }; | 51 | }; |
| 49 | } | 52 | } |
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index aa25d1f..23e795f 100644 --- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix | |||
| @@ -13,6 +13,7 @@ let | |||
| 13 | in | 13 | in |
| 14 | { | 14 | { |
| 15 | config = lib.mkIf config.myServices.mail.enable { | 15 | config = lib.mkIf config.myServices.mail.enable { |
| 16 | systemd.services.dovecot2.serviceConfig.Slice = "mail.slice"; | ||
| 16 | services.duplyBackup.profiles.mail.excludeFile = '' | 17 | services.duplyBackup.profiles.mail.excludeFile = '' |
| 17 | + /var/lib/dhparams | 18 | + /var/lib/dhparams |
| 18 | + /var/lib/dovecot | 19 | + /var/lib/dovecot |
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix index 5de03cf..02c35c8 100644 --- a/modules/private/mail/milters.nix +++ b/modules/private/mail/milters.nix | |||
| @@ -64,6 +64,7 @@ | |||
| 64 | ''; | 64 | ''; |
| 65 | group = config.services.postfix.group; | 65 | group = config.services.postfix.group; |
| 66 | }; | 66 | }; |
| 67 | systemd.services.opendkim.serviceConfig.Slice = "mail.slice"; | ||
| 67 | systemd.services.opendkim.preStart = lib.mkBefore '' | 68 | systemd.services.opendkim.preStart = lib.mkBefore '' |
| 68 | # Skip the prestart script as keys are handled in secrets | 69 | # Skip the prestart script as keys are handled in secrets |
| 69 | exit 0 | 70 | exit 0 |
| @@ -76,6 +77,7 @@ | |||
| 76 | }; | 77 | }; |
| 77 | 78 | ||
| 78 | users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; | 79 | users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; |
| 80 | systemd.services.opendmarc.serviceConfig.Slice = "mail.slice"; | ||
| 79 | services.opendmarc = { | 81 | services.opendmarc = { |
| 80 | enable = true; | 82 | enable = true; |
| 81 | socket = "local:${config.myServices.mail.milters.sockets.opendmarc}"; | 83 | socket = "local:${config.myServices.mail.milters.sockets.opendmarc}"; |
| @@ -116,6 +118,7 @@ | |||
| 116 | Syslog Yes | 118 | Syslog Yes |
| 117 | ''; | 119 | ''; |
| 118 | }; | 120 | }; |
| 121 | systemd.services.openarc.serviceConfig.Slice = "mail.slice"; | ||
| 119 | systemd.services.openarc.postStart = lib.optionalString | 122 | systemd.services.openarc.postStart = lib.optionalString |
| 120 | (lib.strings.hasPrefix "local:" config.services.openarc.socket) '' | 123 | (lib.strings.hasPrefix "local:" config.services.openarc.socket) '' |
| 121 | while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do | 124 | while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do |
| @@ -136,6 +139,7 @@ | |||
| 136 | wantedBy = [ "multi-user.target" ]; | 139 | wantedBy = [ "multi-user.target" ]; |
| 137 | 140 | ||
| 138 | serviceConfig = { | 141 | serviceConfig = { |
| 142 | Slice = "mail.slice"; | ||
| 139 | User = "postfix"; | 143 | User = "postfix"; |
| 140 | Group = "postfix"; | 144 | Group = "postfix"; |
| 141 | ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]); | 145 | ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]); |
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index c4b09b2..f6c4362 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix | |||
| @@ -463,5 +463,6 @@ | |||
| 463 | done | 463 | done |
| 464 | ''; | 464 | ''; |
| 465 | }; | 465 | }; |
| 466 | systemd.services.postfix.serviceConfig.Slice = "mail.slice"; | ||
| 466 | }; | 467 | }; |
| 467 | } | 468 | } |
diff --git a/modules/private/mail/rspamd.nix b/modules/private/mail/rspamd.nix index 98e006d..a20135a 100644 --- a/modules/private/mail/rspamd.nix +++ b/modules/private/mail/rspamd.nix | |||
| @@ -28,6 +28,7 @@ | |||
| 28 | in | 28 | in |
| 29 | [ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ]; | 29 | [ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ]; |
| 30 | 30 | ||
| 31 | systemd.services.rspamd.serviceConfig.Slice = "mail.slice"; | ||
| 31 | services.rspamd = { | 32 | services.rspamd = { |
| 32 | enable = true; | 33 | enable = true; |
| 33 | debug = false; | 34 | debug = false; |
diff --git a/modules/private/mail/sympa.nix b/modules/private/mail/sympa.nix index f7070e6..5270b69 100644 --- a/modules/private/mail/sympa.nix +++ b/modules/private/mail/sympa.nix | |||
| @@ -50,12 +50,22 @@ in | |||
| 50 | dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; | 50 | dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; |
| 51 | }) sympaConfig.scenari; | 51 | }) sympaConfig.scenari; |
| 52 | users.users.sympa.extraGroups = [ "keys" ]; | 52 | users.users.sympa.extraGroups = [ "keys" ]; |
| 53 | systemd.slices.mail-sympa = { | ||
| 54 | description = "Sympa slice"; | ||
| 55 | }; | ||
| 56 | |||
| 53 | systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ]; | 57 | systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ]; |
| 54 | systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ]; | 58 | systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ]; |
| 55 | systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ]; | 59 | systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ]; |
| 56 | systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ]; | 60 | systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ]; |
| 57 | systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ]; | 61 | systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ]; |
| 58 | 62 | ||
| 63 | systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice"; | ||
| 64 | systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice"; | ||
| 65 | systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice"; | ||
| 66 | systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice"; | ||
| 67 | systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice"; | ||
| 68 | |||
| 59 | # https://github.com/NixOS/nixpkgs/pull/84202 | 69 | # https://github.com/NixOS/nixpkgs/pull/84202 |
| 60 | systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false; | 70 | systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false; |
| 61 | systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false; | 71 | systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false; |
| @@ -72,6 +82,7 @@ in | |||
| 72 | wantedBy = [ "multi-user.target" ]; | 82 | wantedBy = [ "multi-user.target" ]; |
| 73 | after = [ "sympa.service" ]; | 83 | after = [ "sympa.service" ]; |
| 74 | serviceConfig = { | 84 | serviceConfig = { |
| 85 | Slice = "mail-sympa.slice"; | ||
| 75 | Type = "forking"; | 86 | Type = "forking"; |
| 76 | PIDFile = "/run/sympa/wwsympa.pid"; | 87 | PIDFile = "/run/sympa/wwsympa.pid"; |
| 77 | Restart = "always"; | 88 | Restart = "always"; |
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index 5e1ac1e..b523995 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix | |||
| @@ -263,6 +263,10 @@ in { | |||
| 263 | ''; | 263 | ''; |
| 264 | }; | 264 | }; |
| 265 | 265 | ||
| 266 | systemd.slices.taskwarrior = { | ||
| 267 | description = "Taskwarrior slice"; | ||
| 268 | }; | ||
| 269 | |||
| 266 | systemd.services = (lib.attrsets.mapAttrs' (name: userConfig: | 270 | systemd.services = (lib.attrsets.mapAttrs' (name: userConfig: |
| 267 | let | 271 | let |
| 268 | credentials = "${userConfig.org}/${name}/${userConfig.key}"; | 272 | credentials = "${userConfig.org}/${name}/${userConfig.key}"; |
| @@ -314,6 +318,7 @@ in { | |||
| 314 | ''; | 318 | ''; |
| 315 | 319 | ||
| 316 | serviceConfig = { | 320 | serviceConfig = { |
| 321 | Slice = "taskwarrior.slice"; | ||
| 317 | User = user; | 322 | User = user; |
| 318 | PrivateTmp = true; | 323 | PrivateTmp = true; |
| 319 | Restart = "always"; | 324 | Restart = "always"; |
| @@ -334,6 +339,9 @@ in { | |||
| 334 | chown :${group} "${server_vardir}/keys/ca.key" | 339 | chown :${group} "${server_vardir}/keys/ca.key" |
| 335 | chmod g+r "${server_vardir}/keys/ca.key" | 340 | chmod g+r "${server_vardir}/keys/ca.key" |
| 336 | ''; | 341 | ''; |
| 342 | taskserver-ca.serviceConfig.Slice = "taskwarrior.slice"; | ||
| 343 | taskserver-init.serviceConfig.Slice = "taskwarrior.slice"; | ||
| 344 | taskserver.serviceConfig.Slice = "taskwarrior.slice"; | ||
| 337 | }; | 345 | }; |
| 338 | 346 | ||
| 339 | }; | 347 | }; |
diff --git a/modules/private/vpn/default.nix b/modules/private/vpn/default.nix index fbcba2f..a9051af 100644 --- a/modules/private/vpn/default.nix +++ b/modules/private/vpn/default.nix | |||
| @@ -46,12 +46,17 @@ in | |||
| 46 | fi | 46 | fi |
| 47 | ''; | 47 | ''; |
| 48 | 48 | ||
| 49 | systemd.slices.tinc = { | ||
| 50 | description = "Tinc slice"; | ||
| 51 | }; | ||
| 52 | |||
| 49 | systemd.services.tinc-Immae = { | 53 | systemd.services.tinc-Immae = { |
| 50 | description = "Tinc Daemon - Immae"; | 54 | description = "Tinc Daemon - Immae"; |
| 51 | wantedBy = [ "multi-user.target" ]; | 55 | wantedBy = [ "multi-user.target" ]; |
| 52 | after = [ "network.target" ]; | 56 | after = [ "network.target" ]; |
| 53 | path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ]; | 57 | path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ]; |
| 54 | serviceConfig = { | 58 | serviceConfig = { |
| 59 | Slice = "tinc.slice"; | ||
| 55 | Type = "simple"; | 60 | Type = "simple"; |
| 56 | Restart = "always"; | 61 | Restart = "always"; |
| 57 | RestartSec = "3"; | 62 | RestartSec = "3"; |
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index cd550c0..2f5a8e3 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix | |||
| @@ -111,6 +111,10 @@ in | |||
| 111 | }; | 111 | }; |
| 112 | }; | 112 | }; |
| 113 | 113 | ||
| 114 | systemd.slices.mastodon = { | ||
| 115 | description = "Mastodon slice"; | ||
| 116 | }; | ||
| 117 | |||
| 114 | systemd.services.mastodon-streaming = { | 118 | systemd.services.mastodon-streaming = { |
| 115 | description = "Mastodon Streaming"; | 119 | description = "Mastodon Streaming"; |
| 116 | wantedBy = [ "multi-user.target" ]; | 120 | wantedBy = [ "multi-user.target" ]; |
| @@ -137,6 +141,7 @@ in | |||
| 137 | ''; | 141 | ''; |
| 138 | 142 | ||
| 139 | serviceConfig = { | 143 | serviceConfig = { |
| 144 | Slice = "mastodon.slice"; | ||
| 140 | User = cfg.user; | 145 | User = cfg.user; |
| 141 | EnvironmentFile = cfg.configFile; | 146 | EnvironmentFile = cfg.configFile; |
| 142 | PrivateTmp = true; | 147 | PrivateTmp = true; |
| @@ -177,6 +182,7 @@ in | |||
| 177 | exec ./bin/tootctl cache clear | 182 | exec ./bin/tootctl cache clear |
| 178 | ''; | 183 | ''; |
| 179 | serviceConfig = { | 184 | serviceConfig = { |
| 185 | Slice = "mastodon.slice"; | ||
| 180 | User = cfg.user; | 186 | User = cfg.user; |
| 181 | EnvironmentFile = cfg.configFile; | 187 | EnvironmentFile = cfg.configFile; |
| 182 | PrivateTmp = true; | 188 | PrivateTmp = true; |
| @@ -239,6 +245,7 @@ in | |||
| 239 | ''; | 245 | ''; |
| 240 | 246 | ||
| 241 | serviceConfig = { | 247 | serviceConfig = { |
| 248 | Slice = "mastodon.slice"; | ||
| 242 | User = cfg.user; | 249 | User = cfg.user; |
| 243 | EnvironmentFile = cfg.configFile; | 250 | EnvironmentFile = cfg.configFile; |
| 244 | PrivateTmp = true; | 251 | PrivateTmp = true; |
diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix index 19bbc2e..3fe5e38 100644 --- a/modules/webapps/mediagoblin.nix +++ b/modules/webapps/mediagoblin.nix | |||
| @@ -153,6 +153,9 @@ in | |||
| 153 | }; | 153 | }; |
| 154 | }; | 154 | }; |
| 155 | 155 | ||
| 156 | systemd.slices.mediagoblin = { | ||
| 157 | description = "Mediagoblin slice"; | ||
| 158 | }; | ||
| 156 | systemd.services.mediagoblin-web = { | 159 | systemd.services.mediagoblin-web = { |
| 157 | description = "Mediagoblin service"; | 160 | description = "Mediagoblin service"; |
| 158 | wantedBy = [ "multi-user.target" ]; | 161 | wantedBy = [ "multi-user.target" ]; |
| @@ -180,6 +183,7 @@ in | |||
| 180 | ''; | 183 | ''; |
| 181 | 184 | ||
| 182 | serviceConfig = { | 185 | serviceConfig = { |
| 186 | Slice = "mediagoblin.slice"; | ||
| 183 | User = cfg.user; | 187 | User = cfg.user; |
| 184 | PrivateTmp = true; | 188 | PrivateTmp = true; |
| 185 | Restart = "always"; | 189 | Restart = "always"; |
| @@ -209,6 +213,7 @@ in | |||
| 209 | ''; | 213 | ''; |
| 210 | 214 | ||
| 211 | serviceConfig = { | 215 | serviceConfig = { |
| 216 | Slice = "mediagoblin.slice"; | ||
| 212 | User = cfg.user; | 217 | User = cfg.user; |
| 213 | PrivateTmp = true; | 218 | PrivateTmp = true; |
| 214 | Restart = "always"; | 219 | Restart = "always"; |