From 89160f68e883296c352ab3e5957fd52d40b12c05 Mon Sep 17 00:00:00 2001
From: Colin
Date: Wed, 28 Jun 2023 10:30:57 +0000
Subject: [PATCH 1/3] mention systemd-run in app containerization todo
---
 TODO.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/TODO.md b/TODO.md
index 5efb4701..107ecfca 100644
--- a/TODO.md
+++ b/TODO.md
@@ -34,6 +34,9 @@
 - have `sane.programs` be wrapped such that they run in a cgroup?
 - at least, only give them access to the portion of the fs they *need*.
 - Android takes approach of giving each app its own user: could hack that in here.
+ - **systemd-run** takes a command and runs it in a temporary scope (cgroup)
+ - presumably uses the same options as systemd services
+ - see e.g.
 - flatpak does this, somehow
 - apparmor? SElinux? (desktop) "portals"?
 - see Spectrum OS; Alyssa Ross; etc
From 56c637d4d33c4f417f2be3610ea0d7040268f691 Mon Sep 17 00:00:00 2001
From: Colin
Date: Wed, 28 Jun 2023 10:47:53 +0000
Subject: [PATCH 2/3] enable systemd-oomd on nix builds
---
 hosts/common/default.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 38b6865e..7a035990 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -43,6 +43,24 @@ # does the builder use some content-addressed db to efficiently dedupe? nix.settings.auto-optimise-store = true; + systemd.services.nix-daemon.serviceConfig = { + # the nix-daemon manages nix builders + # kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition + # see: + # - nixos PR that enabled systemd-oomd: + # - systemd's docs on these properties: + # + # systemd's docs warn that without swap, systemd-oomd might not be able to react quick enough to save the system. + # see `man oomd.conf` for further tunables that may help. + # + # alternatively, apply this more broadly with `systemd.oomd.enableSystemSlice = true` or `enableRootSlice` + # TODO: also apply this to the guest user's slice (user-1100.slice) + # TODO: also apply this to distccd + ManagedOOMMemoryPressure = "kill"; + ManagedOOMSwap = "kill"; + }; + + # TODO: move this to gui machines only fonts = { enableDefaultFonts = true; fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ]; From 97ce93cac6f9fbe233f88aeab5c4171508535d9d Mon Sep 17 00:00:00 2001 From: Colin Date: Wed, 28 Jun 2023 10:50:39 +0000 Subject: [PATCH 3/3] fs: allow mounting /mnt/* as ordinary user --- hosts/common/fs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/common/fs.nix b/hosts/common/fs.nix index 743a0366..01533fab 100644 --- a/hosts/common/fs.nix +++ b/hosts/common/fs.nix @@ -7,6 +7,7 @@ let fsOpts = rec { common = [ "_netdev" "noatime" + "user" # allow any user with access to the device to mount the fs "x-systemd.requires=network-online.target" "x-systemd.after=network-online.target" "x-systemd.mount-timeout=10s" # how long to wait for mount **and** how long to wait for unmount @@ -19,7 +20,6 @@ let fsOpts = rec { ]; ssh = common ++ [ - "user" "identityfile=/home/colin/.ssh/id_ed25519" "allow_other" "default_permissions"
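Review bot: The comment `kill nix-daemon subprocesses` on the new `serviceConfig` block promises finer-grained behaviour than systemd-oomd is documented to deliver: oomd picks a cgroup and SIGKILLs every process in it, and nothing in this hunk (no `Delegate=`, no per-build sub-cgroups) suggests the builders get their own cgroups, so the kill candidate is most likely nix-daemon.service as a whole, daemon plus every running build. That is probably tolerable if the daemon is socket-activated and restarts on demand (TODO confirm for this NixOS release), but the comment should say so rather than imply only child processes die. I would also pin the threshold instead of inheriting the oomd.conf default, e.g. `ManagedOOMMemoryPressureLimit = "50%";`, and note that `ManagedOOMMemoryPressure = "kill"` is inert unless `systemd.oomd.enable` is true on the host, which this hunk neither sets nor asserts. Rewording the header to `# oomd kills the whole selected cgroup; without Delegate= that is nix-daemon.service itself, builders included` would keep the next reader's expectations honest.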
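Review bot: Moving `user` into the shared `common` list widens who may mount: every filesystem whose options are built from `common`, not only the sshfs entries it was previously scoped to (the second hunk removes it from `ssh = common ++ [`), can now be mounted by any unprivileged local user, and the added comment's "access to the device" wording does not describe that for network filesystems, where there is no device node to gate on. Per mount(8), `user` also implies `noexec,nosuid,nodev` unless an explicit `exec`/`suid`/`dev` follows it in the option list, and only the user who performed the mount may unmount it (`users` is the variant that lets anyone unmount), so any entry that relies on executing binaries from these mounts silently changes behaviour with this hunk. If "any local user may mount" is really the intent for all of `common`, I would make the comment say exactly that, e.g. `"user" # any local user may mount; implies noexec,nosuid,nodev unless overridden, and only the mounter may umount`; otherwise keep `user` on the individual option sets that need it. The `fsOpts` let-binding that `common` belongs to continues past the end of this hunk.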