Commit Graph

254 Commits

Author SHA1 Message Date
Robert Hensing
3936d85ec3 nixos/systemd: allow preStart with other ExecStartPre cmdlines
Declaring them as lists enables the concatenation, supporting
lib.mkBefore, lib.mkOrder, etc.

This is useful when you need to extend a service with a pre-start
script that needs to run as root.
2021-01-19 16:29:29 +01:00
Florian Klink
d22b3ed4bc systemd: switch to unified cgroup hierarchy by default
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.

Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.

Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.

Fixes #73800
2020-11-19 16:56:46 +01:00
lf-
644079e707 nixos/modules: deprecation warning for StartLimitInterval in [Service]
This implements
https://github.com/NixOS/nixpkgs/issues/45786#issuecomment-440091879
2020-10-31 16:50:35 +01:00
Niklas Hambüchen
c178fe4bbb nixos/modules: Reformat warnings section 2020-10-31 16:50:25 +01:00
lf-
b37bbca521 nixos/modules: fix systemd start rate-limits
These were broken since 2016:
f0367da7d1
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.

NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.

I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(ad16158c10/src/basic/ratelimit.c (L16))
2020-10-31 01:35:56 -07:00
Janne Heß
8cf4ec8b97
nixos/systemd: Don't use apply for $PATH
When not using apply, other modules can use $PATH as a list instead of
getting a colon-separated list to each /bin directory.
2020-09-03 20:27:55 +02:00
Orivej Desh
1a68e21d47
nixos/systemd: support adding and overriding tmpfiles.d via environment.etc (#96766)
This allows the user to configure systemd tmpfiles.d via
`environment.etc."tmpfiles.d/X.conf".text = "..."`, which after #93073
causes permission denied (with new X.conf):

```
ln: failed to create symbolic link '/nix/store/...-etc/etc/tmpfiles.d/X.conf': Permission denied
builder for '/nix/store/...-etc.drv' failed with exit code 1
```

or collision between environment.etc and systemd-default-tmpfiles
packages (with existing X.conf, such as tmp.conf):

```
duplicate entry tmpfiles.d/tmp.conf -> /nix/store/...-etc-tmp.conf
mismatched duplicate entry /nix/store/...-systemd-246/example/tmpfiles.d/tmp.conf <-> /nix/store/...-etc-tmp.conf
builder for '/nix/store/...-etc.drv' failed with exit code 1
```

Fixes #96755
2020-09-02 02:54:11 +00:00
Florian Klink
40d2968ebf
Merge pull request #94354 from flokli/systemd-246
systemd: 245.6 -> 246
2020-08-24 12:42:24 +02:00
Frederik Rietdijk
0ac85bc455 Merge master into staging-next 2020-08-17 14:54:39 +02:00
Florian Klink
36a162edc3
Merge pull request #95342 from flokli/systemd-initctl
nixos/systemd: don't try to install systemd-initctl.{service,socket}
2020-08-16 17:17:18 +02:00
Vladimír Čunát
3937923f81
nixos/systemd.tmpfiles.packages: fix an edge case
symlinkJoin can break (silently) when the passed paths contain symlinks
to directories.  This should work now.

Down-side: when lib/tmpfiles.d doesn't exist for some passed package,
the error message is a little less explicit, because we never get
to the postBuild phase (and symlinkJoin doesn't provide a better way):
/nix/store/HASH-NAME/lib/tmpfiles.d: No such file or directory

Also, it seemed pointless to create symlinks for whole package trees
and using only a part of the result (usually very small part).
2020-08-16 10:23:53 +02:00
Florian Klink
4f7636dafc nixos/systemd: don't try to install systemd-initctl.{service,socket}
These are now only installed by systemd if HAVE_SYSV_COMPAT is true,
which only is the case if you set sysvinit-path and sysvrcnd-path (which
we explicitly unset in the systemd derivation for quite some time)
2020-08-13 20:51:39 +02:00
Florian Klink
2f9d719061 nixos/systemd: remove mymachines nss module from passwd: and group: lines
From the systemd release notes:

nss-mymachines lost support for resolution of users and groups, and now
only does resolution of hostnames. This functionality is now provided by
nss-systemd. Thus, the 'mymachines' entry should be removed from the
'passwd:' and 'group:' lines in /etc/nsswitch.conf (and 'systemd' added
if it is not already there).
2020-08-13 20:51:39 +02:00
Florian Klink
e37941e4e4 nixos/systemd: don't try to install systemd-initctl.{service,socket}
Since systemd 246, these are only installed by systemd if
HAVE_SYSV_COMPAT is true, which only is the case if you set
sysvinit-path and sysvrcnd-path (which we explicitly unset in the
systemd derivation for quite some time)
2020-08-13 17:00:24 +02:00
Frederik Rietdijk
7e189c56a1 Merge staging-next into staging 2020-08-13 08:52:48 +02:00
John Ericson
70d68f0478 nixos/systemd: Add support for listenDatagrams
This works exactly analogously to the existing `listenStreams`.
2020-08-11 22:08:19 +00:00
Frederik Rietdijk
cb634b2aa5 Merge staging-next into staging 2020-08-07 23:02:23 +02:00
volth
7503f280c8
nixos/systemd: fix TUN networking in LXC containers (#81481)
in LXC container /dev/net/tun is pre-available, "dev-net-tun.device" always fails
2020-08-05 21:12:57 -05:00
Florian Klink
72c8ed0389 systemd: build with cryptsetup and cryptsetup-generators
There's a circular dependency to systemd via cryptsetup and lvm2
(systemd -> cryptsetup -> lvm2 -> udev=systemd).

However, cryptsetup only really needs the devmapper component shipped
with lvm2. So build `pkgs.cryptsetup` with a lvm2 that doesn't come with
udev.
2020-08-05 00:46:57 +02:00
Janne Heß
a44b2cdd3a nixos/systemd: Implement a packages option for tmpfiles
Also drop the `portables` tmpfiles because the file is missing in the
systemd derivation.
2020-07-18 00:03:47 +02:00
Florian Klink
3b2b3f7c53 nixos/systemd: add missing defaults, make options nullable
Otherwise evaluation will fail if these are not set.
2020-07-12 12:16:26 +02:00
Matt Layher
f9ea9c7299 nixos/systemd: add options for hardware watchdog management 2020-07-08 21:43:12 -04:00
Malte Brandy
0d4134de4a
nixos/systemd: Update warning for restarting oneshots
Restart= can be anything other than on-success and always for onehost units as of
10e72727ee
which is contained in systemd 245.
2020-06-16 22:10:12 +02:00
Florian Klink
4e2715934e nixos/binfmt: move systemd-binfmt.service to binfmt module
Also, remove the dangling systemd.services.systemd-binfmt.wants = [
"proc-sys-fs-binfmt_misc.mount" ]; in systemd.nix.

If boot.binfmt.registrations != {}, systemd will install
proc-sys-fs-binfmt_misc.automount, which will auto-mount
`/proc/sys/fs/binfmt_misc` as soon as systemd-binfmt tries to access it.

Fixes https://github.com/NixOS/nixpkgs/issues/87687
Fixes https://github.com/NixOS/nixops/issues/574
2020-05-18 11:18:44 +02:00
Florian Klink
4a85559ffc
Merge pull request #87016 from flokli/nsswitch-cleanup
nixos/nsswitch cleanup nss modules
2020-05-14 14:55:43 +02:00
Linus Heckemann
90c0191735
Merge pull request #85428 from serokell/kirelagin/unit-script-name
systemd: Simplify unit script names
2020-05-12 09:35:26 +02:00
Florian Klink
4a69bf2a1e nixos/systemd: enable systemd-provided nss modules unconditionally
A disabled nscd breaks nss module loading on NixOS, and systemd without
its nss modules doesn't really work either - instead of silently
disabling its nss modules if nscd is disabled, let the assertion in
nsswitch handle this.
2020-05-11 16:14:51 +02:00
Florian Klink
36b6e26d40 nixos/systemd: add to system.nssDatabases.group too
nixos/modules/config/nsswitch.nix uses `passwdArray` for both `passwd`
and `group`, but when moving this into the systemd module in
c0995d22ee, it didn't get split
appropriately.
2020-05-11 16:14:50 +02:00
Michael Adler
7915dc737c nixos/systemd: use global proxy config in systemd-importd 2020-05-06 11:32:17 +02:00
Florian Klink
c0995d22ee nixos/systemd: move NSS module logic to systemd module
We keep the conditional on only adding if nscd is enabled for now.
2020-05-05 15:59:30 +02:00
Florian Klink
15d761a525 Revert "nixos/systemd.nix: don’t require online for multi-user.target"
This reverts commit 764c8203b8.

While this is desireable in principle, some of our modules and services
fail during service startup if no network is available don't currently
properly set Wants=network-online.target.

If nothing pulls in this target anymore, systemd won't try to reach it.

We have many VM tests waiting for `network-online.target`, and after
764c8203b8 fail with the following error
message:

```
error: unit "network-online.target" is inactive and there are no pending jobs
```

Most likely, test scripts shouldn't wait for `network-online.target` in
first place (as `network-online.target` says nothing about whether a
service has been started), but instead, the script should wait for the
network ports of the corresponding service to be open.

Let's revert this for now, and re-apply in a draft PR, fixing the tests
before merging it back in.
2020-05-01 17:12:05 +02:00
Matthew Bauer
764c8203b8 nixos/systemd.nix: don’t require online for multi-user.target
Not all systems need to be online to boot up. So, don’t pull
network-online.target into multi-user.target. Services that need
online network can still require it.

This increases my boot time from ~9s to ~5s.
2020-04-28 18:59:48 -05:00
Niklas Hambüchen
811411db6e journald service: Add helpful comments about the journal getting full 2020-04-23 02:24:50 +02:00
Niklas Hambüchen
d16d34732c journald service: Increase default rate limit 1000 -> 10000.
Follows the upstream change of this default:

https://github.com/systemd/systemd/pull/8660
2020-04-21 18:29:03 +02:00
Kirill Elagin
daac85d991 fixup! systemd: Add prefix to unit script derivations
* Avoid extra string interpolation.
2020-04-20 12:01:54 +03:00
Kirill Elagin
a9e9d37fc8 systemd: Add prefix to unit script derivations
Add a distinctive `unit-script` prefix to systemd unit scripts to make
them easier to find in the store directory. Do not add this prefix to
actual script file name as it clutters logs.
2020-04-17 13:55:48 +03:00
Kirill Elagin
f1a78e1b5e fixup! systemd: Simplify unit script names 2020-04-17 13:44:48 +03:00
Kirill Elagin
5822d03851 systemd: Simplify unit script names
Current journal output from services started by `script` rather than
`ExexStart` is unreadable because the name of the file (which journalctl
records and outputs) quite literally takes 1/3 of the screen (on smaller
screens).

Make it shorter. In particular:

* Drop the `unit-script` prefix as it is not very useful.
* Use `writeShellScriptBin` to write them because:
  * It has a `checkPhase` which is better than no checkPhase.
  * The script itself ends up having a short name.
2020-04-17 10:17:46 +03:00
Jörg Thalheim
4cc7c2e55a
tmpfiles: load user-defined entries first
systemd-tmpfiles will load all files in lexicographic order and ignores rules
for the same path in later files with a warning Since we apply the default rules
provided by systemd, we should load user-defines rules first so users have a
chance to override defaults.
2020-04-16 13:02:24 +01:00
Rouven Czerwinski
d22373b2b1 nixos/systemd: remove one DefaultBlockIOAccounting
DefaultBlockIOAccounting=yes is set twice in the same file, remove one
copy.
2020-03-29 10:56:34 +02:00
Silvan Mosberger
5acd168425
Merge pull request #59827 from oxij/nixos/suppress-systemd-units
nixos/systemd: add an option to suppress system units
2020-02-06 18:11:01 +01:00
misuzu
f93a9074e4 nixos/systemd: add systemd.sleep.extraConfig config option 2020-02-03 18:33:15 +02:00
Jörg Thalheim
3ef5115963
nixos/systemd: add all systemd tmpfiles files
Especially tmp.conf is important to create /tmp and /var/tmp with the correct
permissions.
2020-01-24 17:20:54 +00:00
Silvan Mosberger
9327e1c6ba
nixos/systemd: Explicitly put default path packages after others
This fixes the dhcpcd issue in https://github.com/NixOS/nixpkgs/issues/76969,
which was exposed by https://github.com/NixOS/nixpkgs/pull/75031
introducing changes in the module ordering and therefore option ordering
too.

The dhcpcd issue would also be fixable by explicitly putting
dhcpcd's paths before others, however it makes more sense for systemd's
default paths to be after all others by default, since they should only
be a fallback, which is how binary finding will work if they come after.
2020-01-06 15:58:06 +01:00
Silvan Mosberger
4ee3e8b21d
nixos/treewide: Move rename.nix imports to their respective modules
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
wucke13
29ac226225 systemd: adding support for systemd-importd
Adding `systemd-importd` to the build, so that `machinectl`s `import-.*`
may actually do anything. Currently they fail with

```
Failed to transfer image: The name org.freedesktop.import1 was not provided by any .service files
```
as `systemd-importd` is not built. Also registers the regarding dbus
api and service in the systemd module.
2019-11-02 21:33:18 +01:00
Fabian Möller
996d846726
nixos/systemd: fix broken tmpfiles.d symlinks 2019-10-09 10:53:01 +02:00
Eelco Dolstra
37c22b9d30
Revive systemd.coredump.enable 2019-10-07 20:28:13 +02:00
Franz Pletz
0dc4fe0a44
nixos/systemd: pick more upstream tmpfiles confs
In #68792 it was discovered that /dev/fuse doesn't have
wordl-read-writeable permissions anymore. The cause of this is that the
tmpfiles examples in systemd were reorganized and split into more files.
We thus lost some of the configuration we were depending on.

In this commit some of the new tmpfiles configuration that are
applicable to us are added which also makes wtmp/lastlog in the pam
module not necessary anymore.

Rationale for the new tmpfile configs:

  - `journal-nowcow.conf`: Contains chattr +C for journald logs which
  makes sense on copy-on-write filesystems like Btrfs. Other filesystems
  shouldn't do anything funny when that flag is set.

  - `static-nodes-permissions.conf`: Contains some permission overrides
  for some device nodes like audio, loop, tun, fuse and kvm.

  - `systemd-nspawn.conf`: Makes sure `/var/lib/machines` exists and old
  snapshots are properly removed.

  - `systemd-tmp.conf`: Removes systemd services related private tmp
  folders and temporary coredump files.

  - `var.conf`: Creates some useful directories in `/var` which we would
  create anyway at some point. Also includes
  `/var/log/{wtmp,btmp,lastlog}`.

Fixes #68792.
2019-09-23 15:23:31 +02:00
Frederik Rietdijk
ad1d58c622 Merge staging-next into staging 2019-08-31 10:04:20 +02:00