···

       
25
       
 
       
  ];

     

       
26
       
 
       


     

       
27
       
 
       
  config = mkIf cfg.enable {

     

       
28
       
-
       


     

       
29
       
 
       
    systemd.services.hercules-ci-agent = {

     

       
30
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
31
       
 
       
      after = [ "network-online.target" ];

     

       
32
       
 
       
      wants = [ "network-online.target" ];

     

       
33
       
 
       
      path = [ config.nix.package ];

     

       
0
       
 
       

     

       
34
       
 
       
      serviceConfig = {

     

       
35
       
 
       
        User = "hercules-ci-agent";

     

       
36
       
 
       
        ExecStart = command;

     

       
37
       
 
       
        ExecStartPre = testCommand;

     

       
38
       
 
       
        Restart = "on-failure";

     

       
39
       
 
       
        RestartSec = 120;

     

       
40
       
-
       
        StartLimitBurst = 30 * 1000000; # practically infinite

     

       
41
       
 
       
      };

     

       
42
       
 
       
    };

     

       
43
       
 
       


     

···

       
25
       
 
       
  ];

     

       
26
       
 
       


     

       
27
       
 
       
  config = mkIf cfg.enable {

     

       
0
       
 
       

     

       
28
       
 
       
    systemd.services.hercules-ci-agent = {

     

       
29
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
30
       
 
       
      after = [ "network-online.target" ];

     

       
31
       
 
       
      wants = [ "network-online.target" ];

     

       
32
       
 
       
      path = [ config.nix.package ];

     

       
33
       
+
       
      startLimitBurst = 30 * 1000000; # practically infinite

     

       
34
       
 
       
      serviceConfig = {

     

       
35
       
 
       
        User = "hercules-ci-agent";

     

       
36
       
 
       
        ExecStart = command;

     

       
37
       
 
       
        ExecStartPre = testCommand;

     

       
38
       
 
       
        Restart = "on-failure";

     

       
39
       
 
       
        RestartSec = 120;

     

       
0
       
 
       

     

       
40
       
 
       
      };

     

       
41
       
 
       
    };

     

       
42
       
 
       


     

···

       
40
       
 
       
    systemd.services.victoriametrics = {

     

       
41
       
 
       
      description = "VictoriaMetrics time series database";

     

       
42
       
 
       
      after = [ "network.target" ];

     

       
0
       
 
       

     

       
43
       
 
       
      serviceConfig = {

     

       
44
       
 
       
        Restart = "on-failure";

     

       
45
       
 
       
        RestartSec = 1;

     

       
46
       
-
       
        StartLimitBurst = 5;

     

       
47
       
 
       
        StateDirectory = "victoriametrics";

     

       
48
       
 
       
        DynamicUser = true;

     

       
49
       
 
       
        ExecStart = ''

     

···

       
40
       
 
       
    systemd.services.victoriametrics = {

     

       
41
       
 
       
      description = "VictoriaMetrics time series database";

     

       
42
       
 
       
      after = [ "network.target" ];

     

       
43
       
+
       
      startLimitBurst = 5;

     

       
44
       
 
       
      serviceConfig = {

     

       
45
       
 
       
        Restart = "on-failure";

     

       
46
       
 
       
        RestartSec = 1;

     

       
0
       
 
       

     

       
47
       
 
       
        StateDirectory = "victoriametrics";

     

       
48
       
 
       
        DynamicUser = true;

     

       
49
       
 
       
        ExecStart = ''

     

···

       
151
       
 
       
        description = "LCDproc - client";

     

       
152
       
 
       
        after = [ "lcdd.service" ];

     

       
153
       
 
       
        wantedBy = [ "lcd.target" ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
154
       
 
       
        serviceConfig = serviceCfg // {

     

       
155
       
 
       
          ExecStart = "${pkg}/bin/lcdproc -f -c ${clientCfg}";

     

       
156
       
 
       
          # If the server is being restarted at the same time, the client will

     

       
157
       
 
       
          # fail as it cannot connect, so space it out a bit.

     

       
158
       
 
       
          RestartSec = "5";

     

       
159
       
-
       
          # Allow restarting for eternity

     

       
160
       
-
       
          StartLimitIntervalSec = lib.mkIf cfg.client.restartForever "0";

     

       
161
       
-
       
          StartLimitBurst = lib.mkIf cfg.client.restartForever "0";

     

       
162
       
 
       
        };

     

       
163
       
 
       
      };

     

       
164
       
 
       
    };

     

···

       
151
       
 
       
        description = "LCDproc - client";

     

       
152
       
 
       
        after = [ "lcdd.service" ];

     

       
153
       
 
       
        wantedBy = [ "lcd.target" ];

     

       
154
       
+
       
        # Allow restarting for eternity

     

       
155
       
+
       
        startLimitIntervalSec = lib.mkIf cfg.client.restartForever 0;

     

       
156
       
 
       
        serviceConfig = serviceCfg // {

     

       
157
       
 
       
          ExecStart = "${pkg}/bin/lcdproc -f -c ${clientCfg}";

     

       
158
       
 
       
          # If the server is being restarted at the same time, the client will

     

       
159
       
 
       
          # fail as it cannot connect, so space it out a bit.

     

       
160
       
 
       
          RestartSec = "5";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
161
       
 
       
        };

     

       
162
       
 
       
      };

     

       
163
       
 
       
    };

     

···

       
427
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
428
       
 
       
      restartTriggers = [ cfg.configFile modulesDir ];

     

       
429
       
 
       


     

       
0
       
 
       

     

       
430
       
 
       
      serviceConfig = {

     

       
431
       
 
       
        ExecStart = "${dovecotPkg}/sbin/dovecot -F";

     

       
432
       
 
       
        ExecReload = "${dovecotPkg}/sbin/doveadm reload";

     

       
433
       
 
       
        Restart = "on-failure";

     

       
434
       
 
       
        RestartSec = "1s";

     

       
435
       
-
       
        StartLimitInterval = "1min";

     

       
436
       
 
       
        RuntimeDirectory = [ "dovecot2" ];

     

       
437
       
 
       
      };

     

       
438
       
 
       


     

···

       
427
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
428
       
 
       
      restartTriggers = [ cfg.configFile modulesDir ];

     

       
429
       
 
       


     

       
430
       
+
       
      startLimitIntervalSec = 60;  # 1 min

     

       
431
       
 
       
      serviceConfig = {

     

       
432
       
 
       
        ExecStart = "${dovecotPkg}/sbin/dovecot -F";

     

       
433
       
 
       
        ExecReload = "${dovecotPkg}/sbin/doveadm reload";

     

       
434
       
 
       
        Restart = "on-failure";

     

       
435
       
 
       
        RestartSec = "1s";

     

       
0
       
 
       

     

       
436
       
 
       
        RuntimeDirectory = [ "dovecot2" ];

     

       
437
       
 
       
      };

     

       
438
       
 
       


     

···

       
37
       
 
       
      description = "Autorandr execution hook";

     

       
38
       
 
       
      after = [ "sleep.target" ];

     

       
39
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
40
       
 
       
      serviceConfig = {

     

       
41
       
-
       
        StartLimitInterval = 5;

     

       
42
       
-
       
        StartLimitBurst = 1;

     

       
43
       
 
       
        ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default ${cfg.defaultTarget}";

     

       
44
       
 
       
        Type = "oneshot";

     

       
45
       
 
       
        RemainAfterExit = false;

     

···

       
37
       
 
       
      description = "Autorandr execution hook";

     

       
38
       
 
       
      after = [ "sleep.target" ];

     

       
39
       
 
       


     

       
40
       
+
       
      startLimitIntervalSec = 5;

     

       
41
       
+
       
      startLimitBurst = 1;

     

       
42
       
 
       
      serviceConfig = {

     

       
0
       
 
       

     

       
0
       
 
       

     

       
43
       
 
       
        ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default ${cfg.defaultTarget}";

     

       
44
       
 
       
        Type = "oneshot";

     

       
45
       
 
       
        RemainAfterExit = false;

     

···

       
126
       
 
       
        GPU_USE_SYNC_OBJECTS = "1";

     

       
127
       
 
       
      };

     

       
128
       
 
       


     

       
0
       
 
       

     

       
129
       
 
       
      serviceConfig = {

     

       
130
       
 
       
        ExecStart = "${pkgs.cgminer}/bin/cgminer --syslog --text-only --config ${cgminerConfig}";

     

       
131
       
 
       
        User = cfg.user;

     

       
132
       
 
       
        RestartSec = "30s";

     

       
133
       
 
       
        Restart = "always";

     

       
134
       
-
       
        StartLimitInterval = "1m";

     

       
135
       
 
       
      };

     

       
136
       
 
       
    };

     

       
137
       
 
       


     

···

       
126
       
 
       
        GPU_USE_SYNC_OBJECTS = "1";

     

       
127
       
 
       
      };

     

       
128
       
 
       


     

       
129
       
+
       
      startLimitIntervalSec = 60;  # 1 min

     

       
130
       
 
       
      serviceConfig = {

     

       
131
       
 
       
        ExecStart = "${pkgs.cgminer}/bin/cgminer --syslog --text-only --config ${cgminerConfig}";

     

       
132
       
 
       
        User = cfg.user;

     

       
133
       
 
       
        RestartSec = "30s";

     

       
134
       
 
       
        Restart = "always";

     

       
0
       
 
       

     

       
135
       
 
       
      };

     

       
136
       
 
       
    };

     

       
137
       
 
       


     

···

       
32
       
 
       
      wantedBy = [ "graphical-session.target" ];

     

       
33
       
 
       
      partOf   = [ "graphical-session.target" ];

     

       
34
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
35
       
 
       
      serviceConfig = {

     

       
36
       
 
       
        ExecStart = ''

     

       
37
       
 
       
          ${pkgs.safeeyes}/bin/safeeyes

     

       
38
       
 
       
        '';

     

       
39
       
 
       
        Restart = "on-failure";

     

       
40
       
 
       
        RestartSec = 3;

     

       
41
       
-
       
        StartLimitInterval = 350;

     

       
42
       
-
       
        StartLimitBurst = 10;

     

       
43
       
 
       
      };

     

       
44
       
 
       
    };

     

       
45
       
 
       


     

···

       
32
       
 
       
      wantedBy = [ "graphical-session.target" ];

     

       
33
       
 
       
      partOf   = [ "graphical-session.target" ];

     

       
34
       
 
       


     

       
35
       
+
       
      startLimitIntervalSec = 350;

     

       
36
       
+
       
      startLimitBurst = 10;

     

       
37
       
 
       
      serviceConfig = {

     

       
38
       
 
       
        ExecStart = ''

     

       
39
       
 
       
          ${pkgs.safeeyes}/bin/safeeyes

     

       
40
       
 
       
        '';

     

       
41
       
 
       
        Restart = "on-failure";

     

       
42
       
 
       
        RestartSec = 3;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
43
       
 
       
      };

     

       
44
       
 
       
    };

     

       
45
       
 
       


     

···

       
31
       
 
       
      after = [ "NetworkManager-wait-online.service" "network.target" ];

     

       
32
       
 
       
      preStart = "mkdir -pv /var/lib/teamviewer /var/log/teamviewer";

     

       
33
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
34
       
 
       
      serviceConfig = {

     

       
35
       
 
       
        Type = "forking";

     

       
36
       
 
       
        ExecStart = "${pkgs.teamviewer}/bin/teamviewerd -d";

     

       
37
       
 
       
        PIDFile = "/run/teamviewerd.pid";

     

       
38
       
 
       
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

     

       
39
       
 
       
        Restart = "on-abort";

     

       
40
       
-
       
        StartLimitInterval = "60";

     

       
41
       
-
       
        StartLimitBurst = "10";

     

       
42
       
 
       
      };

     

       
43
       
 
       
    };

     

       
44
       
 
       
  };

     

···

       
31
       
 
       
      after = [ "NetworkManager-wait-online.service" "network.target" ];

     

       
32
       
 
       
      preStart = "mkdir -pv /var/lib/teamviewer /var/log/teamviewer";

     

       
33
       
 
       


     

       
34
       
+
       
      startLimitIntervalSec = 60;

     

       
35
       
+
       
      startLimitBurst = 10;

     

       
36
       
 
       
      serviceConfig = {

     

       
37
       
 
       
        Type = "forking";

     

       
38
       
 
       
        ExecStart = "${pkgs.teamviewer}/bin/teamviewerd -d";

     

       
39
       
 
       
        PIDFile = "/run/teamviewerd.pid";

     

       
40
       
 
       
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

     

       
41
       
 
       
        Restart = "on-abort";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
42
       
 
       
      };

     

       
43
       
 
       
    };

     

       
44
       
 
       
  };

     

···

       
28
       
 
       


     

       
29
       
 
       
    # Don't start services that are not yet initialized

     

       
30
       
 
       
    unitConfig.ConditionPathExists = "/var/lib/${stateDirectory}/keyring";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
31
       
 
       


     

       
32
       
 
       
    serviceConfig = {

     

       
33
       
 
       
      LimitNOFILE = 1048576;

     
···

       
39
       
 
       
      ProtectHome = "true";

     

       
40
       
 
       
      ProtectSystem = "full";

     

       
41
       
 
       
      Restart = "on-failure";

     

       
42
       
-
       
      StartLimitBurst = "5";

     

       
43
       
-
       
      StartLimitInterval = "30min";

     

       
44
       
 
       
      StateDirectory = stateDirectory;

     

       
45
       
 
       
      User = "ceph";

     

       
46
       
 
       
      Group = if daemonType == "osd" then "disk" else "ceph";

     
···

       
48
       
 
       
                    -f --cluster ${clusterName} --id ${daemonId}'';

     

       
49
       
 
       
    } // optionalAttrs (daemonType == "osd") {

     

       
50
       
 
       
      ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}'';

     

       
51
       
-
       
      StartLimitBurst = "30";

     

       
52
       
 
       
      RestartSec = "20s";

     

       
53
       
 
       
      PrivateDevices = "no"; # osd needs disk access

     

       
54
       
 
       
    } // optionalAttrs ( daemonType == "mon") {

     

       
55
       
 
       
      RestartSec = "10";

     

       
56
       
-
       
    } // optionalAttrs (lib.elem daemonType ["mgr" "mds"]) {

     

       
57
       
-
       
      StartLimitBurst = "3";

     

       
58
       
 
       
    };

     

       
59
       
 
       
  });

     

       
60
       
 
       


     

···

       
28
       
 
       


     

       
29
       
 
       
    # Don't start services that are not yet initialized

     

       
30
       
 
       
    unitConfig.ConditionPathExists = "/var/lib/${stateDirectory}/keyring";

     

       
31
       
+
       
    startLimitBurst =

     

       
32
       
+
       
      if daemonType == "osd" then 30 else if lib.elem daemonType ["mgr" "mds"] then 3 else 5;

     

       
33
       
+
       
    startLimitIntervalSec = 60 * 30;  # 30 mins

     

       
34
       
 
       


     

       
35
       
 
       
    serviceConfig = {

     

       
36
       
 
       
      LimitNOFILE = 1048576;

     
···

       
42
       
 
       
      ProtectHome = "true";

     

       
43
       
 
       
      ProtectSystem = "full";

     

       
44
       
 
       
      Restart = "on-failure";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
45
       
 
       
      StateDirectory = stateDirectory;

     

       
46
       
 
       
      User = "ceph";

     

       
47
       
 
       
      Group = if daemonType == "osd" then "disk" else "ceph";

     
···

       
49
       
 
       
                    -f --cluster ${clusterName} --id ${daemonId}'';

     

       
50
       
 
       
    } // optionalAttrs (daemonType == "osd") {

     

       
51
       
 
       
      ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}'';

     

       
0
       
 
       

     

       
52
       
 
       
      RestartSec = "20s";

     

       
53
       
 
       
      PrivateDevices = "no"; # osd needs disk access

     

       
54
       
 
       
    } // optionalAttrs ( daemonType == "mon") {

     

       
55
       
 
       
      RestartSec = "10";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
56
       
 
       
    };

     

       
57
       
 
       
  });

     

       
58
       
 
       


     

···

       
264
       
 
       
         ''

     

       
265
       
 
       
      );

     

       
266
       
 
       


     

       
0
       
 
       

     

       
267
       
 
       
      serviceConfig = {

     

       
268
       
 
       
        Type = "forking";

     

       
269
       
 
       
        Restart = "always";

     

       
270
       
-
       
        StartLimitInterval = 0;

     

       
271
       
 
       
        RestartSec = 1;

     

       
272
       
 
       
        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID";

     

       
273
       
 
       
        ProtectSystem = true;

     

···

       
264
       
 
       
         ''

     

       
265
       
 
       
      );

     

       
266
       
 
       


     

       
267
       
+
       
      startLimitIntervalSec = 0;

     

       
268
       
 
       
      serviceConfig = {

     

       
269
       
 
       
        Type = "forking";

     

       
270
       
 
       
        Restart = "always";

     

       
0
       
 
       

     

       
271
       
 
       
        RestartSec = 1;

     

       
272
       
 
       
        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID";

     

       
273
       
 
       
        ProtectSystem = true;

     

···

       
41
       
 
       
    systemd.services.dnsdist = {

     

       
42
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
43
       
 
       


     

       
0
       
 
       

     

       
44
       
 
       
      serviceConfig = {

     

       
45
       
 
       
        DynamicUser = true;

     

       
46
       
 
       


     

···

       
41
       
 
       
    systemd.services.dnsdist = {

     

       
42
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
43
       
 
       


     

       
44
       
+
       
      startLimitIntervalSec = 0;

     

       
45
       
 
       
      serviceConfig = {

     

       
46
       
 
       
        DynamicUser = true;

     

       
47
       
 
       


     

···

       
29
       
 
       
        # Needed for ping

     

       
30
       
 
       
        "/run/wrappers"

     

       
31
       
 
       
      ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
32
       
 
       
      serviceConfig = {

     

       
33
       
-
       
        StartLimitBurst = 5;

     

       
34
       
-
       
        StartLimitIntervalSec = 20;

     

       
35
       
 
       
        ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps";

     

       
36
       
 
       
        Restart = "always";

     

       
37
       
 
       
        RestartSec = 1;

     

···

       
29
       
 
       
        # Needed for ping

     

       
30
       
 
       
        "/run/wrappers"

     

       
31
       
 
       
      ];

     

       
32
       
+
       
      startLimitBurst = 5;

     

       
33
       
+
       
      startLimitIntervalSec = 20;

     

       
34
       
 
       
      serviceConfig = {

     

       
0
       
 
       

     

       
0
       
 
       

     

       
35
       
 
       
        ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps";

     

       
36
       
 
       
        Restart = "always";

     

       
37
       
 
       
        RestartSec = 1;

     

···

       
165
       
 
       
      after    = [ "network.target" ];

     

       
166
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
167
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
168
       
 
       
      serviceConfig = {

     

       
169
       
 
       
        User  = "namecoin";

     

       
170
       
 
       
        Group = "namecoin";

     
···

       
176
       
 
       
        TimeoutStopSec     = "60s";

     

       
177
       
 
       
        TimeoutStartSec    = "2s";

     

       
178
       
 
       
        Restart            = "always";

     

       
179
       
-
       
        StartLimitInterval = "120s";

     

       
180
       
-
       
        StartLimitBurst    = "5";

     

       
181
       
 
       
      };

     

       
182
       
 
       


     

       
183
       
 
       
      preStart = optionalString (cfg.wallet != "${dataDir}/wallet.dat")  ''

     

···

       
165
       
 
       
      after    = [ "network.target" ];

     

       
166
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
167
       
 
       


     

       
168
       
+
       
      startLimitIntervalSec = 120;

     

       
169
       
+
       
      startLimitBurst = 5;

     

       
170
       
 
       
      serviceConfig = {

     

       
171
       
 
       
        User  = "namecoin";

     

       
172
       
 
       
        Group = "namecoin";

     
···

       
178
       
 
       
        TimeoutStopSec     = "60s";

     

       
179
       
 
       
        TimeoutStartSec    = "2s";

     

       
180
       
 
       
        Restart            = "always";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
181
       
 
       
      };

     

       
182
       
 
       


     

       
183
       
 
       
      preStart = optionalString (cfg.wallet != "${dataDir}/wallet.dat")  ''

     

···

       
28
       
 
       
      environment = {

     

       
29
       
 
       
        SERVICE_RUN_MODE = "1";

     

       
30
       
 
       
      };

     

       
0
       
 
       

     

       
0
       
 
       

     

       
31
       
 
       
      serviceConfig = {

     

       
32
       
-
       
        StartLimitInterval = 5;

     

       
33
       
-
       
        StartLimitBurst = 10;

     

       
34
       
 
       
        ExecStart = "${pkgs.nextdns}/bin/nextdns run ${escapeShellArgs config.services.nextdns.arguments}";

     

       
35
       
 
       
        RestartSec = 120;

     

       
36
       
 
       
        LimitMEMLOCK = "infinity";

     

···

       
28
       
 
       
      environment = {

     

       
29
       
 
       
        SERVICE_RUN_MODE = "1";

     

       
30
       
 
       
      };

     

       
31
       
+
       
      startLimitIntervalSec = 5;

     

       
32
       
+
       
      startLimitBurst = 10;

     

       
33
       
 
       
      serviceConfig = {

     

       
0
       
 
       

     

       
0
       
 
       

     

       
34
       
 
       
        ExecStart = "${pkgs.nextdns}/bin/nextdns run ${escapeShellArgs config.services.nextdns.arguments}";

     

       
35
       
 
       
        RestartSec = 120;

     

       
36
       
 
       
        LimitMEMLOCK = "infinity";

     

···

       
42
       
 
       
      description = "A HTTP nix store that proxies requests to Google Storage";

     

       
43
       
 
       
      wantedBy = ["multi-user.target"];

     

       
44
       
 
       


     

       
0
       
 
       

     

       
45
       
 
       
      serviceConfig = {

     

       
46
       
 
       
        RestartSec = 5;

     

       
47
       
-
       
        StartLimitInterval = 10;

     

       
48
       
 
       
        ExecStart = ''

     

       
49
       
 
       
          ${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy \

     

       
50
       
 
       
            --bucket-name ${cfg.bucketName} \

     

···

       
42
       
 
       
      description = "A HTTP nix store that proxies requests to Google Storage";

     

       
43
       
 
       
      wantedBy = ["multi-user.target"];

     

       
44
       
 
       


     

       
45
       
+
       
      startLimitIntervalSec = 10;

     

       
46
       
 
       
      serviceConfig = {

     

       
47
       
 
       
        RestartSec = 5;

     

       
0
       
 
       

     

       
48
       
 
       
        ExecStart = ''

     

       
49
       
 
       
          ${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy \

     

       
50
       
 
       
            --bucket-name ${cfg.bucketName} \

     

···

       
916
       
 
       
      after = [ "network.target" ];

     

       
917
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
918
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
919
       
 
       
      serviceConfig = {

     

       
920
       
 
       
        ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";

     

       
921
       
 
       
        StandardError = "null";

     

       
922
       
 
       
        PIDFile = pidFile;

     

       
923
       
 
       
        Restart = "always";

     

       
924
       
 
       
        RestartSec = "4s";

     

       
925
       
-
       
        StartLimitBurst = 4;

     

       
926
       
-
       
        StartLimitInterval = "5min";

     

       
927
       
 
       
      };

     

       
928
       
 
       


     

       
929
       
 
       
      preStart = ''

     

···

       
916
       
 
       
      after = [ "network.target" ];

     

       
917
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
918
       
 
       


     

       
919
       
+
       
      startLimitBurst = 4;

     

       
920
       
+
       
      startLimitIntervalSec = 5 * 60;  # 5 mins

     

       
921
       
 
       
      serviceConfig = {

     

       
922
       
 
       
        ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";

     

       
923
       
 
       
        StandardError = "null";

     

       
924
       
 
       
        PIDFile = pidFile;

     

       
925
       
 
       
        Restart = "always";

     

       
926
       
 
       
        RestartSec = "4s";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
927
       
 
       
      };

     

       
928
       
 
       


     

       
929
       
 
       
      preStart = ''

     

···

       
103
       
 
       
        rm -f '${cfg.stateDir}/supybot.cfg.bak'

     

       
104
       
 
       
      '';

     

       
105
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
106
       
 
       
      serviceConfig = {

     

       
107
       
 
       
        ExecStart = "${pyEnv}/bin/supybot ${cfg.stateDir}/supybot.cfg";

     

       
108
       
 
       
        PIDFile = "/run/supybot.pid";

     
···

       
110
       
 
       
        Group = "supybot";

     

       
111
       
 
       
        UMask = "0007";

     

       
112
       
 
       
        Restart = "on-abort";

     

       
113
       
-
       
        StartLimitInterval = "5m";

     

       
114
       
-
       
        StartLimitBurst = "1";

     

       
115
       
 
       


     

       
116
       
 
       
        NoNewPrivileges = true;

     

       
117
       
 
       
        PrivateDevices = true;

     

···

       
103
       
 
       
        rm -f '${cfg.stateDir}/supybot.cfg.bak'

     

       
104
       
 
       
      '';

     

       
105
       
 
       


     

       
106
       
+
       
      startLimitIntervalSec = 5 * 60;  # 5 min

     

       
107
       
+
       
      startLimitBurst = 1;

     

       
108
       
 
       
      serviceConfig = {

     

       
109
       
 
       
        ExecStart = "${pyEnv}/bin/supybot ${cfg.stateDir}/supybot.cfg";

     

       
110
       
 
       
        PIDFile = "/run/supybot.pid";

     
···

       
112
       
 
       
        Group = "supybot";

     

       
113
       
 
       
        UMask = "0007";

     

       
114
       
 
       
        Restart = "on-abort";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
115
       
 
       


     

       
116
       
 
       
        NoNewPrivileges = true;

     

       
117
       
 
       
        PrivateDevices = true;

     

···

       
25
       
 
       
      wants = [ "network-pre.target" ];

     

       
26
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
27
       
 
       


     

       
28
       
-
       
      unitConfig = {

     

       
29
       
-
       
        StartLimitIntervalSec = 0;

     

       
30
       
-
       
        StartLimitBurst = 0;

     

       
31
       
-
       
      };

     

       
32
       
 
       


     

       
33
       
 
       
      serviceConfig = {

     

       
34
       
 
       
        ExecStart =

     

···

       
25
       
 
       
      wants = [ "network-pre.target" ];

     

       
26
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
27
       
 
       


     

       
28
       
+
       
      startLimitIntervalSec = 0;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
29
       
 
       


     

       
30
       
 
       
      serviceConfig = {

     

       
31
       
 
       
        ExecStart =

     

···

       
131
       
 
       


     

       
132
       
 
       
      restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.

     

       
133
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
134
       
 
       
      serviceConfig = {

     

       
135
       
 
       
        User = "vault";

     

       
136
       
 
       
        Group = "vault";

     
···

       
145
       
 
       
        KillSignal = "SIGINT";

     

       
146
       
 
       
        TimeoutStopSec = "30s";

     

       
147
       
 
       
        Restart = "on-failure";

     

       
148
       
-
       
        StartLimitInterval = "60s";

     

       
149
       
-
       
        StartLimitBurst = 3;

     

       
150
       
 
       
      };

     

       
151
       
 
       


     

       
152
       
 
       
      unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;

     

···

       
131
       
 
       


     

       
132
       
 
       
      restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.

     

       
133
       
 
       


     

       
134
       
+
       
      startLimitIntervalSec = 60;

     

       
135
       
+
       
      startLimitBurst = 3;

     

       
136
       
 
       
      serviceConfig = {

     

       
137
       
 
       
        User = "vault";

     

       
138
       
 
       
        Group = "vault";

     
···

       
147
       
 
       
        KillSignal = "SIGINT";

     

       
148
       
 
       
        TimeoutStopSec = "30s";

     

       
149
       
 
       
        Restart = "on-failure";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
150
       
 
       
      };

     

       
151
       
 
       


     

       
152
       
 
       
      unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;

     

···

       
224
       
 
       
              chmod -R u+w ${dataDir}/${wikiIdent}/underlay

     

       
225
       
 
       
            '';

     

       
226
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
227
       
 
       
            serviceConfig = {

     

       
228
       
 
       
              User = user;

     

       
229
       
 
       
              Group = group;

     
···

       
237
       
 
       


     

       
238
       
 
       
              Restart = "on-failure";

     

       
239
       
 
       
              RestartSec = "2s";

     

       
240
       
-
       
              StartLimitIntervalSec = "30s";

     

       
241
       
 
       


     

       
242
       
 
       
              StateDirectory = "moin/${wikiIdent}";

     

       
243
       
 
       
              StateDirectoryMode = "0750";

     

···

       
224
       
 
       
              chmod -R u+w ${dataDir}/${wikiIdent}/underlay

     

       
225
       
 
       
            '';

     

       
226
       
 
       


     

       
227
       
+
       
            startLimitIntervalSec = 30;

     

       
228
       
+
       


     

       
229
       
 
       
            serviceConfig = {

     

       
230
       
 
       
              User = user;

     

       
231
       
 
       
              Group = group;

     
···

       
239
       
 
       


     

       
240
       
 
       
              Restart = "on-failure";

     

       
241
       
 
       
              RestartSec = "2s";

     

       
0
       
 
       

     

       
242
       
 
       


     

       
243
       
 
       
              StateDirectory = "moin/${wikiIdent}";

     

       
244
       
 
       
              StateDirectoryMode = "0750";

     

···

       
101
       
 
       
      after = [ "network-online.target" ];

     

       
102
       
 
       
      wants = [ "network-online.target" ]; # systemd-networkd-wait-online.service

     

       
103
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
104
       
 
       
      serviceConfig = {

     

       
105
       
 
       
        ExecStart = "${cfg.package}/bin/caddy run --config ${configJSON}";

     

       
106
       
 
       
        ExecReload = "${cfg.package}/bin/caddy reload --config ${configJSON}";

     
···

       
108
       
 
       
        User = "caddy";

     

       
109
       
 
       
        Group = "caddy";

     

       
110
       
 
       
        Restart = "on-abnormal";

     

       
111
       
-
       
        StartLimitIntervalSec = 14400;

     

       
112
       
-
       
        StartLimitBurst = 10;

     

       
113
       
 
       
        AmbientCapabilities = "cap_net_bind_service";

     

       
114
       
 
       
        CapabilityBoundingSet = "cap_net_bind_service";

     

       
115
       
 
       
        NoNewPrivileges = true;

     

···

       
101
       
 
       
      after = [ "network-online.target" ];

     

       
102
       
 
       
      wants = [ "network-online.target" ]; # systemd-networkd-wait-online.service

     

       
103
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
104
       
+
       
      startLimitIntervalSec = 14400;

     

       
105
       
+
       
      startLimitBurst = 10;

     

       
106
       
 
       
      serviceConfig = {

     

       
107
       
 
       
        ExecStart = "${cfg.package}/bin/caddy run --config ${configJSON}";

     

       
108
       
 
       
        ExecReload = "${cfg.package}/bin/caddy reload --config ${configJSON}";

     
···

       
110
       
 
       
        User = "caddy";

     

       
111
       
 
       
        Group = "caddy";

     

       
112
       
 
       
        Restart = "on-abnormal";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
113
       
 
       
        AmbientCapabilities = "cap_net_bind_service";

     

       
114
       
 
       
        CapabilityBoundingSet = "cap_net_bind_service";

     

       
115
       
 
       
        NoNewPrivileges = true;

     

···

       
693
       
 
       
        ${cfg.preStart}

     

       
694
       
 
       
        ${execCommand} -t

     

       
695
       
 
       
      '';

     

       
0
       
 
       

     

       
0
       
 
       

     

       
696
       
 
       
      serviceConfig = {

     

       
697
       
 
       
        ExecStart = execCommand;

     

       
698
       
 
       
        ExecReload = [

     
···

       
701
       
 
       
        ];

     

       
702
       
 
       
        Restart = "always";

     

       
703
       
 
       
        RestartSec = "10s";

     

       
704
       
-
       
        StartLimitInterval = "1min";

     

       
705
       
 
       
        # User and group

     

       
706
       
 
       
        User = cfg.user;

     

       
707
       
 
       
        Group = cfg.group;

     

···

       
693
       
 
       
        ${cfg.preStart}

     

       
694
       
 
       
        ${execCommand} -t

     

       
695
       
 
       
      '';

     

       
696
       
+
       


     

       
697
       
+
       
      startLimitIntervalSec = 60;

     

       
698
       
 
       
      serviceConfig = {

     

       
699
       
 
       
        ExecStart = execCommand;

     

       
700
       
 
       
        ExecReload = [

     
···

       
703
       
 
       
        ];

     

       
704
       
 
       
        Restart = "always";

     

       
705
       
 
       
        RestartSec = "10s";

     

       
0
       
 
       

     

       
706
       
 
       
        # User and group

     

       
707
       
 
       
        User = cfg.user;

     

       
708
       
 
       
        Group = cfg.group;

     

···

       
136
       
 
       
      description = "Traefik web server";

     

       
137
       
 
       
      after = [ "network-online.target" ];

     

       
138
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
139
       
 
       
      serviceConfig = {

     

       
140
       
 
       
        ExecStart =

     

       
141
       
 
       
          "${cfg.package}/bin/traefik --configfile=${staticConfigFile}";

     
···

       
143
       
 
       
        User = "traefik";

     

       
144
       
 
       
        Group = cfg.group;

     

       
145
       
 
       
        Restart = "on-failure";

     

       
146
       
-
       
        StartLimitInterval = 86400;

     

       
147
       
-
       
        StartLimitBurst = 5;

     

       
148
       
 
       
        AmbientCapabilities = "cap_net_bind_service";

     

       
149
       
 
       
        CapabilityBoundingSet = "cap_net_bind_service";

     

       
150
       
 
       
        NoNewPrivileges = true;

     

···

       
136
       
 
       
      description = "Traefik web server";

     

       
137
       
 
       
      after = [ "network-online.target" ];

     

       
138
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
139
       
+
       
      startLimitIntervalSec = 86400;

     

       
140
       
+
       
      startLimitBurst = 5;

     

       
141
       
 
       
      serviceConfig = {

     

       
142
       
 
       
        ExecStart =

     

       
143
       
 
       
          "${cfg.package}/bin/traefik --configfile=${staticConfigFile}";

     
···

       
145
       
 
       
        User = "traefik";

     

       
146
       
 
       
        Group = cfg.group;

     

       
147
       
 
       
        Restart = "on-failure";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
148
       
 
       
        AmbientCapabilities = "cap_net_bind_service";

     

       
149
       
 
       
        CapabilityBoundingSet = "cap_net_bind_service";

     

       
150
       
 
       
        NoNewPrivileges = true;

     

···

       
678
       
 
       


     

       
679
       
 
       
        script = "${cfg.displayManager.job.execCmd}";

     

       
680
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
681
       
 
       
        serviceConfig = {

     

       
682
       
 
       
          Restart = "always";

     

       
683
       
 
       
          RestartSec = "200ms";

     

       
684
       
 
       
          SyslogIdentifier = "display-manager";

     

       
685
       
-
       
          # Stop restarting if the display manager stops (crashes) 2 times

     

       
686
       
-
       
          # in one minute. Starting X typically takes 3-4s.

     

       
687
       
-
       
          StartLimitInterval = "30s";

     

       
688
       
-
       
          StartLimitBurst = "3";

     

       
689
       
 
       
        };

     

       
690
       
 
       
      };

     

       
691
       
 
       


     

···

       
678
       
 
       


     

       
679
       
 
       
        script = "${cfg.displayManager.job.execCmd}";

     

       
680
       
 
       


     

       
681
       
+
       
        # Stop restarting if the display manager stops (crashes) 2 times

     

       
682
       
+
       
        # in one minute. Starting X typically takes 3-4s.

     

       
683
       
+
       
        startLimitIntervalSec = 30;

     

       
684
       
+
       
        startLimitBurst = 3;

     

       
685
       
 
       
        serviceConfig = {

     

       
686
       
 
       
          Restart = "always";

     

       
687
       
 
       
          RestartSec = "200ms";

     

       
688
       
 
       
          SyslogIdentifier = "display-manager";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
689
       
 
       
        };

     

       
690
       
 
       
      };

     

       
691
       
 
       


     

···

       
210
       
 
       
      '';

     

       
211
       
 
       
    };

     

       
212
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
213
       
 
       
    startLimitIntervalSec = mkOption {

     

       
214
       
 
       
       type = types.int;

     

       
215
       
 
       
       description = ''

     

       
216
       
 
       
         Configure unit start rate limiting. Units which are started

     

       
217
       
-
       
         more than burst times within an interval time interval are

     

       
218
       
-
       
         not permitted to start any more.

     

       
219
       
 
       
       '';

     

       
220
       
 
       
    };

     

       
221
       
 
       


     
···

       
245
       
 
       
    serviceConfig = mkOption {

     

       
246
       
 
       
      default = {};

     

       
247
       
 
       
      example =

     

       
248
       
-
       
        { StartLimitInterval = 10;

     

       
249
       
-
       
          RestartSec = 5;

     

       
250
       
 
       
        };

     

       
251
       
 
       
      type = types.addCheck (types.attrsOf unitOption) checkService;

     

       
252
       
 
       
      description = ''

     

···

       
210
       
 
       
      '';

     

       
211
       
 
       
    };

     

       
212
       
 
       


     

       
213
       
+
       
    startLimitBurst = mkOption {

     

       
214
       
+
       
       type = types.int;

     

       
215
       
+
       
       description = ''

     

       
216
       
+
       
         Configure unit start rate limiting. Units which are started

     

       
217
       
+
       
         more than startLimitBurst times within an interval time

     

       
218
       
+
       
         interval are not permitted to start any more.

     

       
219
       
+
       
       '';

     

       
220
       
+
       
    };

     

       
221
       
+
       


     

       
222
       
 
       
    startLimitIntervalSec = mkOption {

     

       
223
       
 
       
       type = types.int;

     

       
224
       
 
       
       description = ''

     

       
225
       
 
       
         Configure unit start rate limiting. Units which are started

     

       
226
       
+
       
         more than startLimitBurst times within an interval time

     

       
227
       
+
       
         interval are not permitted to start any more.

     

       
228
       
 
       
       '';

     

       
229
       
 
       
    };

     

       
230
       
 
       


     
···

       
254
       
 
       
    serviceConfig = mkOption {

     

       
255
       
 
       
      default = {};

     

       
256
       
 
       
      example =

     

       
257
       
+
       
        { RestartSec = 5;

     

       
0
       
 
       

     

       
258
       
 
       
        };

     

       
259
       
 
       
      type = types.addCheck (types.attrsOf unitOption) checkService;

     

       
260
       
 
       
      description = ''

     

···

       
243
       
 
       
          OnFailure = toString config.onFailure; }

     

       
244
       
 
       
        // optionalAttrs (options.startLimitIntervalSec.isDefined) {

     

       
245
       
 
       
          StartLimitIntervalSec = toString config.startLimitIntervalSec;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
246
       
 
       
        };

     

       
247
       
 
       
    };

     

       
248
       
 
       
  };

     

···

       
243
       
 
       
          OnFailure = toString config.onFailure; }

     

       
244
       
 
       
        // optionalAttrs (options.startLimitIntervalSec.isDefined) {

     

       
245
       
 
       
          StartLimitIntervalSec = toString config.startLimitIntervalSec;

     

       
246
       
+
       
        } // optionalAttrs (options.startLimitBurst.isDefined) {

     

       
247
       
+
       
          StartLimitBurst = toString config.startLimitBurst;

     

       
248
       
 
       
        };

     

       
249
       
 
       
    };

     

       
250
       
 
       
  };