| author | Franck Cuny <franck@fcuny.net> | 2025-08-17 08:42:35 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-08-17 08:42:35 -0700 |
| commit | 26ed89bf1f77aa8cf4f4533942c0523c611ff836 (patch) | |
| tree | 3ac0a0fb722a0b712b0bf15ec95f80caba341562 | |
| parent | add catppuccin mocha theme for alacritty and starship (diff) | |
| download | infra-26ed89bf1f77aa8cf4f4533942c0523c611ff836.tar.gz | |
create a new systemd slice for critical services
| -rw-r--r-- | machines/nixos/x86_64-linux/do-rproxy/default.nix | 9 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/synology-vm/default.nix | 9 | ||||
| -rw-r--r-- | profiles/core/base-server.nix | 14 | ||||
| -rw-r--r-- | profiles/core/cgroups.nix | 75 |
4 files changed, 91 insertions, 16 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index d10c656..949745f 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -25,14 +25,7 @@
 "${self}/profiles/programs/home-manager.nix"
 "${self}/profiles/admin-user/user.nix"
 "${self}/profiles/admin-user/home-manager.nix"
- "${self}/profiles/core/boot.nix"
- "${self}/profiles/core/locale.nix"
- "${self}/profiles/core/docs.nix"
- "${self}/profiles/core/ssh.nix"
- "${self}/profiles/core/tools.nix"
- "${self}/profiles/core/security.nix"
- "${self}/profiles/core/users.nix"
- "${self}/profiles/core/motd.nix"
+ "${self}/profiles/core/base-server.nix"
 "${self}/profiles/nix/nix.nix"
 "${self}/profiles/nix/gc.nix"
 "${self}/profiles/network/networkd.nix"
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index 2da20c3..de0f5e9 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -21,14 +21,7 @@
 "${self}/profiles/programs/home-manager.nix"
 "${self}/profiles/admin-user/user.nix"
 "${self}/profiles/admin-user/home-manager.nix"
- "${self}/profiles/core/boot.nix"
- "${self}/profiles/core/locale.nix"
- "${self}/profiles/core/docs.nix"
- "${self}/profiles/core/ssh.nix"
- "${self}/profiles/core/tools.nix"
- "${self}/profiles/core/security.nix"
- "${self}/profiles/core/users.nix"
- "${self}/profiles/core/motd.nix"
+ "${self}/profiles/core/base-server.nix"
 "${self}/profiles/nix/nix.nix"
 "${self}/profiles/nix/gc.nix"
 "${self}/profiles/network/networkd.nix"
diff --git a/profiles/core/base-server.nix b/profiles/core/base-server.nix
new file mode 100644
index 0000000..2a13f96
--- /dev/null
+++ b/profiles/core/base-server.nix
@@ -0,0 +1,14 @@
+{ ... }:
+{
+ imports = [
+ ./boot.nix
+ ./cgroups.nix
+ ./docs.nix
+ ./locale.nix
+ ./motd.nix
+ ./security.nix
+ ./ssh.nix
+ ./tools.nix
+ ./users.nix
+ ];
+}
diff --git a/profiles/core/cgroups.nix b/profiles/core/cgroups.nix
new file mode 100644
index 0000000..07dc964
--- /dev/null
+++ b/profiles/core/cgroups.nix
@@ -0,0 +1,75 @@
+# Stolen from https://git.lix.systems/the-distro/infra/src/branch/main/common/cgroups.nix
+# Relatively inspired by fbtax2:
+# https://facebookmicrosites.github.io/cgroup2/docs/fbtax-results.html
+{ ... }:
+let
+ systemCriticalSliceConfig = {
+ ManagedOOMMemoryPressure = "kill";
+
+ # guarantee availability of memory
+ MemoryMin = "192M";
+ # default 100
+ IOWeight = 1000;
+ # default 100
+ CPUWeight = 1000;
+ };
+in
+{
+ systemd.oomd = {
+ enable = true;
+ enableRootSlice = true;
+ enableSystemSlice = true;
+ enableUserSlices = true;
+ };
+
+ systemd.services.nix-daemon = {
+ serviceConfig = {
+ CPUWeight = 10;
+ IOWeight = 10;
+ };
+ };
+
+ systemd.slices.hostcritical = {
+ description = "Ensures that services to keep the system alive remain alive";
+
+ unitConfig = {
+ # required to avoid a dependency cycle on systemd-oomd. systemd will
+ # actually guess this right but we should fix it anyway.
+ DefaultDependencies = false;
+ };
+
+ sliceConfig = systemCriticalSliceConfig;
+ };
+
+ # make root logins higher priority for resources
+ systemd.slices."user-0" = {
+ sliceConfig = systemCriticalSliceConfig;
+ };
+
+ systemd.slices.system = {
+ sliceConfig = {
+ ManagedOOMMemoryPressure = "kill";
+ ManagedOOMMemoryPressureLimit = "50%";
+
+ IOWeight = 100;
+ };
+ };
+
+ systemd.services.sshd = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+
+ systemd.services.systemd-oomd = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+
+ systemd.services.systemd-journald = {
+ serviceConfig = {
+ Slice = "hostcritical.slice";
+ };
+ };
+}
|
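Review bot: base-server.nix carries no header explaining what the profile is for, and because it bundles `./cgroups.nix`, switching a host to it does more than the import cleanup in the two machine hunks suggests: it enables systemd-oomd and re-weights nix-daemon on every server that uses it. A one-line header such as `# Baseline for every server host: boot, locale, docs, motd, security, ssh, tools, users, plus the cgroup/systemd-oomd policy from ./cgroups.nix.` would make that visible to whoever adds the next machine.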
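Review bot: Nothing in this hunk exempts sshd.service or systemd-journald.service from systemd-oomd's victim selection, even though hostcritical.slice exists to keep them alive: the slice itself is given `ManagedOOMMemoryPressure = "kill"` via systemCriticalSliceConfig, and oomd acts on a monitored unit by SIGKILLing one of its descendant cgroups, so under sustained pressure the chosen victim can be sshd itself. If that is not the intent, add `ManagedOOMPreference = "avoid";` (or `"omit"`) next to `Slice = "hostcritical.slice";` in the sshd and systemd-journald serviceConfig blocks so they are only killed as a last resort, and note in the file header that the slice is still an oomd kill domain. Separately, cgroup v2 caps a child's effective memory.min at what its ancestors reserve, so the `MemoryMin = "192M"` applied to `user-0.slice` is likely inert unless user.slice also carries a MemoryMin (or DefaultMemoryMin); hostcritical.slice sits directly under the root slice and should not have this problem, but the root-login floor is worth confirming on a live host.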
