Merge branch 'master' of git.uninsane.org:colin/nix-files

2023-06-29 09:12:24 +00:00 · 2023-06-29 09:12:24 +00:00 · 9e972d21b4
commit 9e972d21b4
parent 42f194f447 97ce93cac6
3 changed files with 22 additions and 1 deletions
--- a/TODO.md
+++ b/TODO.md
@ -34,6 +34,9 @@
 - have `sane.programs` be wrapped such that they run in a cgroup?
    - at least, only give them access to the portion of the fs they *need*.
    - Android takes approach of giving each app its own user: could hack that in here.
+    - **systemd-run** takes a command and runs it in a temporary scope (cgroup)
+      - presumably uses the same options as systemd services
+      - see e.g. <https://github.com/NixOS/nixpkgs/issues/113903#issuecomment-857296349>
    - flatpak does this, somehow
    - apparmor?  SElinux?  (desktop) "portals"?
    - see Spectrum OS; Alyssa Ross; etc
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -43,6 +43,24 @@
  # does the builder use some content-addressed db to efficiently dedupe?
  nix.settings.auto-optimise-store = true;

+  systemd.services.nix-daemon.serviceConfig = {
+    # the nix-daemon manages nix builders
+    # kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition
+    # see:
+    # - nixos PR that enabled systemd-oomd: <https://github.com/NixOS/nixpkgs/pull/169613>
+    # - systemd's docs on these properties: <https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill>
+    #
+    # systemd's docs warn that without swap, systemd-oomd might not be able to react quick enough to save the system.
+    # see `man oomd.conf` for further tunables that may help.
+    #
+    # alternatively, apply this more broadly with `systemd.oomd.enableSystemSlice = true` or `enableRootSlice`
+    # TODO: also apply this to the guest user's slice (user-1100.slice)
+    # TODO: also apply this to distccd
+    ManagedOOMMemoryPressure = "kill";
+    ManagedOOMSwap = "kill";
+  };
+
+  # TODO: move this to gui machines only
  fonts = {
    enableDefaultFonts = true;
    fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
--- a/hosts/common/fs.nix
+++ b/hosts/common/fs.nix
@ -7,6 +7,7 @@ let fsOpts = rec {
  common = [
    "_netdev"
    "noatime"
+    "user"  # allow any user with access to the device to mount the fs
    "x-systemd.requires=network-online.target"
    "x-systemd.after=network-online.target"
    "x-systemd.mount-timeout=10s"  # how long to wait for mount **and** how long to wait for unmount
@ -19,7 +20,6 @@ let fsOpts = rec {
  ];

  ssh = common ++ [
-    "user"
    "identityfile=/home/colin/.ssh/id_ed25519"
    "allow_other"
    "default_permissions"