Put services in slices in systemd

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-09-07 08:39:35 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-09-07 08:39:35 +0200
commit: 850adcf4b17afb6f5429b030f3c814d502d2b53e (patch)
tree: 9e30459cec309e4b04bed476f9444a9335dac0af /modules/private
parent: de6d17ec97a1946f628372e5b0854cb21a91a55f (diff)
download: Nix-850adcf4b17afb6f5429b030f3c814d502d2b53e.tar.gz
Nix-850adcf4b17afb6f5429b030f3c814d502d2b53e.tar.zst
Nix-850adcf4b17afb6f5429b030f3c814d502d2b53e.zip
10 files changed, 48 insertions, 2 deletions
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix
index 3dc6a04..6674ad7 100644
--- a/modules/private/buildbot/default.nix
+++ b/modules/private/buildbot/default.nix
@@ -126,6 +126,10 @@ in
      ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets;
    }) config.myEnv.buildbot.projects;
+    systemd.slices.buildbot = {
+      description = "buildbot slice";
+    };
    systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
      description = "Buildbot Continuous Integration Server ${project.name}.";
      after = [ "network-online.target" ];
@@ -207,6 +211,7 @@ in
      in project_env // { inherit PYTHONPATH HOME; };
      serviceConfig = {
+        Slice = "buildbot.slice";
        Type = "forking";
        User = "buildbot";
        Group = "buildbot";
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
index 4602510..bc6460f 100644
--- a/modules/private/databases/redis.nix
+++ b/modules/private/databases/redis.nix
@@ -41,6 +41,7 @@ in {
        maxclients 1024
        '';
    };
+    systemd.services.redis.serviceConfig.Slice = "redis.slice";
    services.spiped = {
      enable = true;
@@ -57,8 +58,9 @@ in {
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
-        Restart   = "always";
+        Slice = "redis.slice";
-        User      = "spiped";
+        Restart = "always";
+        User = "spiped";
        PermissionsStartOnly = true;
        SupplementaryGroups = "keys";
      };
@@ -108,12 +110,17 @@ in {
      }
    ];
+    systemd.slices.redis = {
+      description = "Redis slice";
+    };
    systemd.services.predixy = {
      description = "Redis proxy";
      wantedBy = [ "multi-user.target" ];
      after = [ "redis.service" ];
      serviceConfig = {
+        Slice = "redis.slice";
        User = "redis";
        Group = "redis";
        SupplementaryGroups = "keys";
diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix
index 9e68cc9..fd6d638 100644
--- a/modules/private/mail/default.nix
+++ b/modules/private/mail/default.nix
@@ -45,5 +45,8 @@
          '';
      };
    };
+    systemd.slices.mail = {
+      description = "Mail slice";
+    };
  };
 }
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix
index aa25d1f..23e795f 100644
--- a/modules/private/mail/dovecot.nix
+++ b/modules/private/mail/dovecot.nix
@@ -13,6 +13,7 @@ let
 in
 {
  config = lib.mkIf config.myServices.mail.enable {
+    systemd.services.dovecot2.serviceConfig.Slice = "mail.slice";
    services.duplyBackup.profiles.mail.excludeFile = ''
      + /var/lib/dhparams
      + /var/lib/dovecot
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
index 5de03cf..02c35c8 100644
--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -64,6 +64,7 @@
        '';
      group = config.services.postfix.group;
    };
+    systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
    systemd.services.opendkim.preStart = lib.mkBefore ''
      # Skip the prestart script as keys are handled in secrets
      exit 0
@@ -76,6 +77,7 @@
    };
    users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+    systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
    services.opendmarc = {
      enable = true;
      socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
@@ -116,6 +118,7 @@
        Syslog                  Yes
        '';
    };
+    systemd.services.openarc.serviceConfig.Slice = "mail.slice";
    systemd.services.openarc.postStart = lib.optionalString
          (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
      while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
@@ -136,6 +139,7 @@
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
+        Slice = "mail.slice";
        User = "postfix";
        Group = "postfix";
        ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index c4b09b2..f6c4362 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -463,5 +463,6 @@
        done
        '';
    };
+    systemd.services.postfix.serviceConfig.Slice = "mail.slice";
  };
 }
diff --git a/modules/private/mail/rspamd.nix b/modules/private/mail/rspamd.nix
index 98e006d..a20135a 100644
--- a/modules/private/mail/rspamd.nix
+++ b/modules/private/mail/rspamd.nix
@@ -28,6 +28,7 @@
    in
      [ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ];
+    systemd.services.rspamd.serviceConfig.Slice = "mail.slice";
    services.rspamd = {
      enable = true;
      debug = false;
diff --git a/modules/private/mail/sympa.nix b/modules/private/mail/sympa.nix
index f7070e6..5270b69 100644
--- a/modules/private/mail/sympa.nix
+++ b/modules/private/mail/sympa.nix
@@ -50,12 +50,22 @@ in
      dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
    }) sympaConfig.scenari;
    users.users.sympa.extraGroups = [ "keys" ];
+    systemd.slices.mail-sympa = {
+      description = "Sympa slice";
+    };
    systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
+    systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice";
+    systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice";
+    systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice";
+    systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice";
+    systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice";
    # https://github.com/NixOS/nixpkgs/pull/84202
    systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
@@ -72,6 +82,7 @@ in
      wantedBy = [ "multi-user.target" ];
      after = [ "sympa.service" ];
      serviceConfig = {
+        Slice = "mail-sympa.slice";
        Type = "forking";
        PIDFile = "/run/sympa/wwsympa.pid";
        Restart = "always";
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
index 5e1ac1e..b523995 100644
--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -263,6 +263,10 @@ in {
      '';
    };
+    systemd.slices.taskwarrior = {
+      description = "Taskwarrior slice";
+    };
    systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
      let
        credentials = "${userConfig.org}/${name}/${userConfig.key}";
@@ -314,6 +318,7 @@ in {
        '';
        serviceConfig = {
+          Slice = "taskwarrior.slice";
          User = user;
          PrivateTmp = true;
          Restart = "always";
@@ -334,6 +339,9 @@ in {
          chown :${group} "${server_vardir}/keys/ca.key"
          chmod g+r "${server_vardir}/keys/ca.key"
        '';
+        taskserver-ca.serviceConfig.Slice = "taskwarrior.slice";
+        taskserver-init.serviceConfig.Slice = "taskwarrior.slice";
+        taskserver.serviceConfig.Slice = "taskwarrior.slice";
      };
  };
diff --git a/modules/private/vpn/default.nix b/modules/private/vpn/default.nix
index fbcba2f..a9051af 100644
--- a/modules/private/vpn/default.nix
+++ b/modules/private/vpn/default.nix
@@ -46,12 +46,17 @@ in
      fi
    '';
+    systemd.slices.tinc = {
+      description = "Tinc slice";
+    };
    systemd.services.tinc-Immae = {
      description = "Tinc Daemon - Immae";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
      serviceConfig = {
+        Slice = "tinc.slice";
        Type = "simple";
        Restart = "always";
        RestartSec = "3";
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-09-07 08:39:35 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-09-07 08:39:35 +0200
commit	850adcf4b17afb6f5429b030f3c814d502d2b53e (patch)
tree	9e30459cec309e4b04bed476f9444a9335dac0af /modules/private
parent	de6d17ec97a1946f628372e5b0854cb21a91a55f (diff)
download	Nix-850adcf4b17afb6f5429b030f3c814d502d2b53e.tar.gz Nix-850adcf4b17afb6f5429b030f3c814d502d2b53e.tar.zst Nix-850adcf4b17afb6f5429b030f3c814d502d2b53e.zip