common/fs: reduce the ftp liveness checks to just one service
This commit is contained in:
@@ -1,40 +1,37 @@
|
|||||||
{ config, lib, utils, ... }:
|
{ config, lib, utils, ... }:
|
||||||
let
|
let
|
||||||
fsOpts = import ./fs-opts.nix;
|
fsOpts = import ./fs-opts.nix;
|
||||||
|
commonOptions = fsOpts.ftp ++ fsOpts.noauto;
|
||||||
remoteServo = subdir: let
|
remoteServo = subdir: let
|
||||||
mountpoint = "/mnt/servo/${subdir}";
|
mountpoint = "/mnt/servo/${subdir}";
|
||||||
systemdName = utils.escapeSystemdPath mountpoint;
|
systemdName = utils.escapeSystemdPath mountpoint;
|
||||||
device = "curlftpfs#ftp://servo-hn:/${subdir}";
|
device = "curlftpfs#ftp://servo-hn:/${subdir}";
|
||||||
fsType = "fuse3";
|
fsType = "fuse3";
|
||||||
commonOptions = fsOpts.ftp ++ fsOpts.noauto;
|
|
||||||
options = commonOptions ++ [
|
options = commonOptions ++ [
|
||||||
# systemd (or maybe fuse?) swallows stderr of mount units with no obvious fix.
|
# systemd (or maybe fuse?) swallows stderr of mount units with no obvious fix.
|
||||||
# instead, use this flag to log the mount output to disk
|
# instead, use this flag to log the mount output to disk
|
||||||
"stderr_path=/var/log/curlftpfs/${builtins.replaceStrings [ "/" ] [ "-" ] subdir}.stderr"
|
"stderr_path=/var/log/curlftpfs/${builtins.replaceStrings [ "/" ] [ "-" ] subdir}.stderr"
|
||||||
];
|
];
|
||||||
in {
|
in {
|
||||||
sane.programs.curlftpfs.enableFor.system = true;
|
|
||||||
sane.fs."/var/log/curlftpfs".dir.acl.mode = "0777";
|
|
||||||
system.fsPackages = [
|
|
||||||
config.sane.programs.curlftpfs.package
|
|
||||||
];
|
|
||||||
fileSystems."${mountpoint}" = {
|
fileSystems."${mountpoint}" = {
|
||||||
inherit device fsType options;
|
inherit device fsType options;
|
||||||
noCheck = true;
|
noCheck = true;
|
||||||
};
|
};
|
||||||
|
systemd.services.servo-ftp-reachable.unitConfig.BindsTo = [ "${systemdName}.mount" ];
|
||||||
systemd.mounts = [{
|
systemd.mounts = [{
|
||||||
where = mountpoint;
|
where = mountpoint;
|
||||||
what = device;
|
what = device;
|
||||||
type = fsType;
|
type = fsType;
|
||||||
options = lib.concatStringsSep "," options;
|
options = lib.concatStringsSep "," options;
|
||||||
wantedBy = [ "default.target" ];
|
wantedBy = [ "servo-ftp-reachable.service" ];
|
||||||
after = [ "network-online.target" "${systemdName}-reachable.service" ];
|
after = [ "servo-ftp-reachable.service" ];
|
||||||
requires = [ "network-online.target" "${systemdName}-reachable.service" ];
|
requires = [ "servo-ftp-reachable.service" ];
|
||||||
|
bindsTo = [ "servo-ftp-reachable.service" ];
|
||||||
|
|
||||||
#VVV patch so that when the mount fails, we start a timer to remount it.
|
#VVV patch so that when the mount fails, we start a timer to remount it.
|
||||||
# and for a disconnection after a good mount (onSuccess), restart the timer to be more aggressive
|
# and for a disconnection after a good mount (onSuccess), restart the timer to be more aggressive
|
||||||
unitConfig.OnFailure = [ "${systemdName}.timer" ];
|
# unitConfig.OnFailure = [ "${systemdName}.timer" ];
|
||||||
unitConfig.OnSuccess = [ "${systemdName}-restart-timer.target" ];
|
# unitConfig.OnSuccess = [ "${systemdName}-restart-timer.target" ];
|
||||||
|
|
||||||
mountConfig.TimeoutSec = "10s";
|
mountConfig.TimeoutSec = "10s";
|
||||||
mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
|
mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
|
||||||
@@ -71,11 +68,24 @@ let
|
|||||||
# mountConfig.RestrictNamespaces = true;
|
# mountConfig.RestrictNamespaces = true;
|
||||||
}];
|
}];
|
||||||
|
|
||||||
systemd.services."${systemdName}-reachable" = {
|
};
|
||||||
|
in
|
||||||
|
lib.mkMerge [
|
||||||
|
{
|
||||||
|
sane.programs.curlftpfs.enableFor.system = true;
|
||||||
|
system.fsPackages = [
|
||||||
|
config.sane.programs.curlftpfs.package
|
||||||
|
];
|
||||||
|
|
||||||
|
sane.fs."/var/log/curlftpfs".dir.acl.mode = "0777";
|
||||||
|
|
||||||
|
systemd.services.servo-ftp-reachable = {
|
||||||
|
wantedBy = [ "default.target" ];
|
||||||
|
after = [ "network-online.target" ];
|
||||||
serviceConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
|
serviceConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
|
||||||
serviceConfig.ExecStart = lib.escapeShellArgs [
|
serviceConfig.ExecStart = lib.escapeShellArgs [
|
||||||
"curlftpfs"
|
"curlftpfs"
|
||||||
"ftp://servo-hn:/${subdir}"
|
"ftp://servo-hn:/"
|
||||||
"/dev/null"
|
"/dev/null"
|
||||||
"-o"
|
"-o"
|
||||||
(lib.concatStringsSep "," ([
|
(lib.concatStringsSep "," ([
|
||||||
@@ -84,7 +94,12 @@ let
|
|||||||
];
|
];
|
||||||
serviceConfig.RemainAfterExit = true;
|
serviceConfig.RemainAfterExit = true;
|
||||||
serviceConfig.Type = "oneshot";
|
serviceConfig.Type = "oneshot";
|
||||||
unitConfig.BindsTo = [ "${systemdName}.mount" ];
|
|
||||||
|
serviceConfig.RestartOn = "always";
|
||||||
|
serviceConfig.RestartSec = "10s";
|
||||||
|
serviceConfig.RestartMaxDelaySec = "120s";
|
||||||
|
serviceConfig.RestartSteps = 3;
|
||||||
|
|
||||||
# hardening (systemd-analyze security mnt-servo-playground-reachable.service)
|
# hardening (systemd-analyze security mnt-servo-playground-reachable.service)
|
||||||
serviceConfig.AmbientCapabilities = "";
|
serviceConfig.AmbientCapabilities = "";
|
||||||
serviceConfig.CapabilityBoundingSet = "";
|
serviceConfig.CapabilityBoundingSet = "";
|
||||||
@@ -128,30 +143,28 @@ let
|
|||||||
serviceConfig.ProtectKernelTunables = false;
|
serviceConfig.ProtectKernelTunables = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.targets."${systemdName}-restart-timer" = {
|
# systemd.targets."${systemdName}-restart-timer" = {
|
||||||
# hack unit which, when started, stops the timer (if running), and then starts it again.
|
# # hack unit which, when started, stops the timer (if running), and then starts it again.
|
||||||
after = [ "${systemdName}.timer" ];
|
# after = [ "${systemdName}.timer" ];
|
||||||
conflicts = [ "${systemdName}.timer" ];
|
# conflicts = [ "${systemdName}.timer" ];
|
||||||
upholds = [ "${systemdName}.timer" ];
|
# upholds = [ "${systemdName}.timer" ];
|
||||||
unitConfig.StopWhenUnneeded = true;
|
# unitConfig.StopWhenUnneeded = true;
|
||||||
};
|
# };
|
||||||
systemd.timers."${systemdName}" = {
|
# systemd.timers."${systemdName}" = {
|
||||||
timerConfig.Unit = "${systemdName}.mount";
|
# timerConfig.Unit = "${systemdName}.mount";
|
||||||
timerConfig.AccuracySec = "2s";
|
# timerConfig.AccuracySec = "2s";
|
||||||
timerConfig.OnActiveSec = [
|
# timerConfig.OnActiveSec = [
|
||||||
# try to remount at these timestamps, backing off gradually
|
# # try to remount at these timestamps, backing off gradually
|
||||||
# there seems to be an implicit mount attempt at t=0.
|
# # there seems to be an implicit mount attempt at t=0.
|
||||||
"10s"
|
# "10s"
|
||||||
"30s"
|
# "30s"
|
||||||
"60s"
|
# "60s"
|
||||||
"120s"
|
# "120s"
|
||||||
];
|
# ];
|
||||||
# cap the backoff to a fixed interval.
|
# # cap the backoff to a fixed interval.
|
||||||
timerConfig.OnUnitActiveSec = [ "120s" ];
|
# timerConfig.OnUnitActiveSec = [ "120s" ];
|
||||||
};
|
# };
|
||||||
};
|
}
|
||||||
in
|
|
||||||
lib.mkMerge [
|
|
||||||
# this granularity of servo media mounts is necessary to support sandboxing:
|
# this granularity of servo media mounts is necessary to support sandboxing:
|
||||||
# for flaky mounts, we can only bind the mountpoint itself into the sandbox,
|
# for flaky mounts, we can only bind the mountpoint itself into the sandbox,
|
||||||
# so it's either this or unconditionally bind all of media/.
|
# so it's either this or unconditionally bind all of media/.
|
||||||
|
Reference in New Issue
Block a user