nixos/modules: fix systemd start rate-limits
These have been broken since 2016 (f0367da7d1),
when StartLimitIntervalSec was moved from [Service] into [Unit]. StartLimitBurst has also been moved accordingly, so let's fix that one too. NixOS systems have been producing logs such as: /nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31: Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring. I have also removed some unnecessary duplication in units that disable rate limiting, since setting either interval or burst to zero disables it (ad16158c10/src/basic/ratelimit.c, L16).
parent
2df221ec8a
commit
b37bbca521
|
@ -25,19 +25,18 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
systemd.services.hercules-ci-agent = {
|
systemd.services.hercules-ci-agent = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wants = [ "network-online.target" ];
|
wants = [ "network-online.target" ];
|
||||||
path = [ config.nix.package ];
|
path = [ config.nix.package ];
|
||||||
|
startLimitBurst = 30 * 1000000; # practically infinite
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "hercules-ci-agent";
|
User = "hercules-ci-agent";
|
||||||
ExecStart = command;
|
ExecStart = command;
|
||||||
ExecStartPre = testCommand;
|
ExecStartPre = testCommand;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = 120;
|
RestartSec = 120;
|
||||||
StartLimitBurst = 30 * 1000000; # practically infinite
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
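Review bot: `startLimitBurst = 30 * 1000000; # practically infinite` expresses "never rate-limit" through a magic number, while the commit message notes that a zero interval or burst disables the limit and the other units in this commit use a zero interval. For consistency I would write `startLimitIntervalSec = 0; # never give up restarting` instead. With `RestartSec = 120` the automatic restarts are spaced far apart anyway, so the large burst value adds nothing beyond obscuring the intent.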
@ -40,10 +40,10 @@ let cfg = config.services.victoriametrics; in
|
||||||
systemd.services.victoriametrics = {
|
systemd.services.victoriametrics = {
|
||||||
description = "VictoriaMetrics time series database";
|
description = "VictoriaMetrics time series database";
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
|
startLimitBurst = 5;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = 1;
|
RestartSec = 1;
|
||||||
StartLimitBurst = 5;
|
|
||||||
StateDirectory = "victoriametrics";
|
StateDirectory = "victoriametrics";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
ExecStart = ''
|
ExecStart = ''
|
||||||
|
|
|
@ -151,14 +151,13 @@ in with lib; {
|
||||||
description = "LCDproc - client";
|
description = "LCDproc - client";
|
||||||
after = [ "lcdd.service" ];
|
after = [ "lcdd.service" ];
|
||||||
wantedBy = [ "lcd.target" ];
|
wantedBy = [ "lcd.target" ];
|
||||||
|
# Allow restarting for eternity
|
||||||
|
startLimitIntervalSec = lib.mkIf cfg.client.restartForever 0;
|
||||||
serviceConfig = serviceCfg // {
|
serviceConfig = serviceCfg // {
|
||||||
ExecStart = "${pkg}/bin/lcdproc -f -c ${clientCfg}";
|
ExecStart = "${pkg}/bin/lcdproc -f -c ${clientCfg}";
|
||||||
# If the server is being restarted at the same time, the client will
|
# If the server is being restarted at the same time, the client will
|
||||||
# fail as it cannot connect, so space it out a bit.
|
# fail as it cannot connect, so space it out a bit.
|
||||||
RestartSec = "5";
|
RestartSec = "5";
|
||||||
# Allow restarting for eternity
|
|
||||||
StartLimitIntervalSec = lib.mkIf cfg.client.restartForever "0";
|
|
||||||
StartLimitBurst = lib.mkIf cfg.client.restartForever "0";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -427,12 +427,12 @@ in
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
restartTriggers = [ cfg.configFile modulesDir ];
|
restartTriggers = [ cfg.configFile modulesDir ];
|
||||||
|
|
||||||
|
startLimitIntervalSec = 60; # 1 min
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${dovecotPkg}/sbin/dovecot -F";
|
ExecStart = "${dovecotPkg}/sbin/dovecot -F";
|
||||||
ExecReload = "${dovecotPkg}/sbin/doveadm reload";
|
ExecReload = "${dovecotPkg}/sbin/doveadm reload";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "1s";
|
RestartSec = "1s";
|
||||||
StartLimitInterval = "1min";
|
|
||||||
RuntimeDirectory = [ "dovecot2" ];
|
RuntimeDirectory = [ "dovecot2" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -37,9 +37,9 @@ in {
|
||||||
description = "Autorandr execution hook";
|
description = "Autorandr execution hook";
|
||||||
after = [ "sleep.target" ];
|
after = [ "sleep.target" ];
|
||||||
|
|
||||||
|
startLimitIntervalSec = 5;
|
||||||
|
startLimitBurst = 1;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
StartLimitInterval = 5;
|
|
||||||
StartLimitBurst = 1;
|
|
||||||
ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default ${cfg.defaultTarget}";
|
ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default ${cfg.defaultTarget}";
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = false;
|
RemainAfterExit = false;
|
||||||
|
|
|
@ -126,12 +126,12 @@ in
|
||||||
GPU_USE_SYNC_OBJECTS = "1";
|
GPU_USE_SYNC_OBJECTS = "1";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
startLimitIntervalSec = 60; # 1 min
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${pkgs.cgminer}/bin/cgminer --syslog --text-only --config ${cgminerConfig}";
|
ExecStart = "${pkgs.cgminer}/bin/cgminer --syslog --text-only --config ${cgminerConfig}";
|
||||||
User = cfg.user;
|
User = cfg.user;
|
||||||
RestartSec = "30s";
|
RestartSec = "30s";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
StartLimitInterval = "1m";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
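Review bot: The 60-second window moved to `startLimitIntervalSec` looks inert in this unit. With `Restart = "always"` and `RestartSec = "30s"` only two or three starts fit into it, and no `startLimitBurst` is set, so systemd's default burst (5, unless changed in system.conf) is never reached and a crash loop never ends in a failed unit. The nextdns hunk (`RestartSec = 120` against a 5-second window with burst 10) and the nix-store-gcs-proxy hunk (`RestartSec = 5` against a 10-second window, default burst) have the same shape, although their `Restart=` setting is outside the visible lines. If the limit is meant to stop a crash loop, widen the window so the restart delay can reach the burst, for example `startLimitIntervalSec = 5 * 60;` here. Otherwise, add a comment saying the value is only carried over from the old unit.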
@ -32,14 +32,14 @@ in
|
||||||
wantedBy = [ "graphical-session.target" ];
|
wantedBy = [ "graphical-session.target" ];
|
||||||
partOf = [ "graphical-session.target" ];
|
partOf = [ "graphical-session.target" ];
|
||||||
|
|
||||||
|
startLimitIntervalSec = 350;
|
||||||
|
startLimitBurst = 10;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = ''
|
ExecStart = ''
|
||||||
${pkgs.safeeyes}/bin/safeeyes
|
${pkgs.safeeyes}/bin/safeeyes
|
||||||
'';
|
'';
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = 3;
|
RestartSec = 3;
|
||||||
StartLimitInterval = 350;
|
|
||||||
StartLimitBurst = 10;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -31,14 +31,14 @@ in
|
||||||
after = [ "NetworkManager-wait-online.service" "network.target" ];
|
after = [ "NetworkManager-wait-online.service" "network.target" ];
|
||||||
preStart = "mkdir -pv /var/lib/teamviewer /var/log/teamviewer";
|
preStart = "mkdir -pv /var/lib/teamviewer /var/log/teamviewer";
|
||||||
|
|
||||||
|
startLimitIntervalSec = 60;
|
||||||
|
startLimitBurst = 10;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "forking";
|
Type = "forking";
|
||||||
ExecStart = "${pkgs.teamviewer}/bin/teamviewerd -d";
|
ExecStart = "${pkgs.teamviewer}/bin/teamviewerd -d";
|
||||||
PIDFile = "/run/teamviewerd.pid";
|
PIDFile = "/run/teamviewerd.pid";
|
||||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||||
Restart = "on-abort";
|
Restart = "on-abort";
|
||||||
StartLimitInterval = "60";
|
|
||||||
StartLimitBurst = "10";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -28,6 +28,9 @@ let
|
||||||
|
|
||||||
# Don't start services that are not yet initialized
|
# Don't start services that are not yet initialized
|
||||||
unitConfig.ConditionPathExists = "/var/lib/${stateDirectory}/keyring";
|
unitConfig.ConditionPathExists = "/var/lib/${stateDirectory}/keyring";
|
||||||
|
startLimitBurst =
|
||||||
|
if daemonType == "osd" then 30 else if lib.elem daemonType ["mgr" "mds"] then 3 else 5;
|
||||||
|
startLimitIntervalSec = 60 * 30; # 30 mins
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
LimitNOFILE = 1048576;
|
LimitNOFILE = 1048576;
|
||||||
|
@ -39,8 +42,6 @@ let
|
||||||
ProtectHome = "true";
|
ProtectHome = "true";
|
||||||
ProtectSystem = "full";
|
ProtectSystem = "full";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
StartLimitBurst = "5";
|
|
||||||
StartLimitInterval = "30min";
|
|
||||||
StateDirectory = stateDirectory;
|
StateDirectory = stateDirectory;
|
||||||
User = "ceph";
|
User = "ceph";
|
||||||
Group = if daemonType == "osd" then "disk" else "ceph";
|
Group = if daemonType == "osd" then "disk" else "ceph";
|
||||||
|
@ -48,13 +49,10 @@ let
|
||||||
-f --cluster ${clusterName} --id ${daemonId}'';
|
-f --cluster ${clusterName} --id ${daemonId}'';
|
||||||
} // optionalAttrs (daemonType == "osd") {
|
} // optionalAttrs (daemonType == "osd") {
|
||||||
ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}'';
|
ExecStartPre = ''${ceph.lib}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}'';
|
||||||
StartLimitBurst = "30";
|
|
||||||
RestartSec = "20s";
|
RestartSec = "20s";
|
||||||
PrivateDevices = "no"; # osd needs disk access
|
PrivateDevices = "no"; # osd needs disk access
|
||||||
} // optionalAttrs ( daemonType == "mon") {
|
} // optionalAttrs ( daemonType == "mon") {
|
||||||
RestartSec = "10";
|
RestartSec = "10";
|
||||||
} // optionalAttrs (lib.elem daemonType ["mgr" "mds"]) {
|
|
||||||
StartLimitBurst = "3";
|
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
|
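Review bot: The per-daemon burst is now a nested one-line conditional, `if daemonType == "osd" then 30 else if lib.elem daemonType ["mgr" "mds"] then 3 else 5`, which is harder to scan than the three `optionalAttrs` blocks it replaces. A lookup with a default reads more directly and keeps the values in one place: `startLimitBurst = { osd = 30; mgr = 3; mds = 3; }.${daemonType} or 5;`. A short comment on why OSDs get a higher allowance would also help, since the reason is not visible in these hunks. The enclosing function starts and ends outside the hunks.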
@ -264,10 +264,10 @@ in
|
||||||
''
|
''
|
||||||
);
|
);
|
||||||
|
|
||||||
|
startLimitIntervalSec = 0;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "forking";
|
Type = "forking";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
StartLimitInterval = 0;
|
|
||||||
RestartSec = 1;
|
RestartSec = 1;
|
||||||
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID";
|
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID";
|
||||||
ProtectSystem = true;
|
ProtectSystem = true;
|
||||||
|
|
|
@ -41,6 +41,7 @@ in {
|
||||||
systemd.services.dnsdist = {
|
systemd.services.dnsdist = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
|
startLimitIntervalSec = 0;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
|
|
||||||
|
|
|
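Review bot: `startLimitIntervalSec = 0;` is added to dnsdist with no comment, and no earlier setting is removed in this hunk, so a reader cannot tell whether disabling the start rate limit is deliberate. For a network-facing DNS front end this matters operationally. With the limit off, a crash loop never puts the unit into the failed state, so alerting keyed on failed units stays silent, although the `Restart=` policy is outside the visible lines. I would add a why-comment in the style of the lcdproc hunk's `# Allow restarting for eternity`, stating the reason the limit is disabled here.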
@ -29,9 +29,9 @@ with lib;
|
||||||
# Needed for ping
|
# Needed for ping
|
||||||
"/run/wrappers"
|
"/run/wrappers"
|
||||||
];
|
];
|
||||||
|
startLimitBurst = 5;
|
||||||
|
startLimitIntervalSec = 20;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
StartLimitBurst = 5;
|
|
||||||
StartLimitIntervalSec = 20;
|
|
||||||
ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps";
|
ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = 1;
|
RestartSec = 1;
|
||||||
|
|
|
@ -165,6 +165,8 @@ in
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
|
startLimitIntervalSec = 120;
|
||||||
|
startLimitBurst = 5;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "namecoin";
|
User = "namecoin";
|
||||||
Group = "namecoin";
|
Group = "namecoin";
|
||||||
|
@ -176,8 +178,6 @@ in
|
||||||
TimeoutStopSec = "60s";
|
TimeoutStopSec = "60s";
|
||||||
TimeoutStartSec = "2s";
|
TimeoutStartSec = "2s";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
StartLimitInterval = "120s";
|
|
||||||
StartLimitBurst = "5";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
preStart = optionalString (cfg.wallet != "${dataDir}/wallet.dat") ''
|
preStart = optionalString (cfg.wallet != "${dataDir}/wallet.dat") ''
|
||||||
|
|
|
@ -28,9 +28,9 @@ in {
|
||||||
environment = {
|
environment = {
|
||||||
SERVICE_RUN_MODE = "1";
|
SERVICE_RUN_MODE = "1";
|
||||||
};
|
};
|
||||||
|
startLimitIntervalSec = 5;
|
||||||
|
startLimitBurst = 10;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
StartLimitInterval = 5;
|
|
||||||
StartLimitBurst = 10;
|
|
||||||
ExecStart = "${pkgs.nextdns}/bin/nextdns run ${escapeShellArgs config.services.nextdns.arguments}";
|
ExecStart = "${pkgs.nextdns}/bin/nextdns run ${escapeShellArgs config.services.nextdns.arguments}";
|
||||||
RestartSec = 120;
|
RestartSec = 120;
|
||||||
LimitMEMLOCK = "infinity";
|
LimitMEMLOCK = "infinity";
|
||||||
|
|
|
@ -42,9 +42,9 @@ in
|
||||||
description = "A HTTP nix store that proxies requests to Google Storage";
|
description = "A HTTP nix store that proxies requests to Google Storage";
|
||||||
wantedBy = ["multi-user.target"];
|
wantedBy = ["multi-user.target"];
|
||||||
|
|
||||||
|
startLimitIntervalSec = 10;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
RestartSec = 5;
|
RestartSec = 5;
|
||||||
StartLimitInterval = 10;
|
|
||||||
ExecStart = ''
|
ExecStart = ''
|
||||||
${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy \
|
${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy \
|
||||||
--bucket-name ${cfg.bucketName} \
|
--bucket-name ${cfg.bucketName} \
|
||||||
|
|
|
@ -916,14 +916,14 @@ in
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
|
startLimitBurst = 4;
|
||||||
|
startLimitIntervalSec = 5 * 60; # 5 mins
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";
|
ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";
|
||||||
StandardError = "null";
|
StandardError = "null";
|
||||||
PIDFile = pidFile;
|
PIDFile = pidFile;
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = "4s";
|
RestartSec = "4s";
|
||||||
StartLimitBurst = 4;
|
|
||||||
StartLimitInterval = "5min";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
preStart = ''
|
preStart = ''
|
||||||
|
|
|
@ -103,6 +103,8 @@ in
|
||||||
rm -f '${cfg.stateDir}/supybot.cfg.bak'
|
rm -f '${cfg.stateDir}/supybot.cfg.bak'
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
startLimitIntervalSec = 5 * 60; # 5 min
|
||||||
|
startLimitBurst = 1;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${pyEnv}/bin/supybot ${cfg.stateDir}/supybot.cfg";
|
ExecStart = "${pyEnv}/bin/supybot ${cfg.stateDir}/supybot.cfg";
|
||||||
PIDFile = "/run/supybot.pid";
|
PIDFile = "/run/supybot.pid";
|
||||||
|
@ -110,8 +112,6 @@ in
|
||||||
Group = "supybot";
|
Group = "supybot";
|
||||||
UMask = "0007";
|
UMask = "0007";
|
||||||
Restart = "on-abort";
|
Restart = "on-abort";
|
||||||
StartLimitInterval = "5m";
|
|
||||||
StartLimitBurst = "1";
|
|
||||||
|
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
|
|
|
@ -25,10 +25,7 @@ in {
|
||||||
wants = [ "network-pre.target" ];
|
wants = [ "network-pre.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
unitConfig = {
|
startLimitIntervalSec = 0;
|
||||||
StartLimitIntervalSec = 0;
|
|
||||||
StartLimitBurst = 0;
|
|
||||||
};
|
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart =
|
ExecStart =
|
||||||
|
|
|
@ -131,6 +131,8 @@ in
|
||||||
|
|
||||||
restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
|
restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
|
||||||
|
|
||||||
|
startLimitIntervalSec = 60;
|
||||||
|
startLimitBurst = 3;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "vault";
|
User = "vault";
|
||||||
Group = "vault";
|
Group = "vault";
|
||||||
|
@ -145,8 +147,6 @@ in
|
||||||
KillSignal = "SIGINT";
|
KillSignal = "SIGINT";
|
||||||
TimeoutStopSec = "30s";
|
TimeoutStopSec = "30s";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
StartLimitInterval = "60s";
|
|
||||||
StartLimitBurst = 3;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;
|
unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;
|
||||||
|
|
|
@ -224,6 +224,8 @@ in
|
||||||
chmod -R u+w ${dataDir}/${wikiIdent}/underlay
|
chmod -R u+w ${dataDir}/${wikiIdent}/underlay
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
startLimitIntervalSec = 30;
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = user;
|
User = user;
|
||||||
Group = group;
|
Group = group;
|
||||||
|
@ -237,7 +239,6 @@ in
|
||||||
|
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "2s";
|
RestartSec = "2s";
|
||||||
StartLimitIntervalSec = "30s";
|
|
||||||
|
|
||||||
StateDirectory = "moin/${wikiIdent}";
|
StateDirectory = "moin/${wikiIdent}";
|
||||||
StateDirectoryMode = "0750";
|
StateDirectoryMode = "0750";
|
||||||
|
|
|
@ -101,6 +101,8 @@ in {
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wants = [ "network-online.target" ]; # systemd-networkd-wait-online.service
|
wants = [ "network-online.target" ]; # systemd-networkd-wait-online.service
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
startLimitIntervalSec = 14400;
|
||||||
|
startLimitBurst = 10;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${cfg.package}/bin/caddy run --config ${configJSON}";
|
ExecStart = "${cfg.package}/bin/caddy run --config ${configJSON}";
|
||||||
ExecReload = "${cfg.package}/bin/caddy reload --config ${configJSON}";
|
ExecReload = "${cfg.package}/bin/caddy reload --config ${configJSON}";
|
||||||
|
@ -108,8 +110,6 @@ in {
|
||||||
User = "caddy";
|
User = "caddy";
|
||||||
Group = "caddy";
|
Group = "caddy";
|
||||||
Restart = "on-abnormal";
|
Restart = "on-abnormal";
|
||||||
StartLimitIntervalSec = 14400;
|
|
||||||
StartLimitBurst = 10;
|
|
||||||
AmbientCapabilities = "cap_net_bind_service";
|
AmbientCapabilities = "cap_net_bind_service";
|
||||||
CapabilityBoundingSet = "cap_net_bind_service";
|
CapabilityBoundingSet = "cap_net_bind_service";
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
|
|
|
@ -693,6 +693,8 @@ in
|
||||||
${cfg.preStart}
|
${cfg.preStart}
|
||||||
${execCommand} -t
|
${execCommand} -t
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
startLimitIntervalSec = 60;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = execCommand;
|
ExecStart = execCommand;
|
||||||
ExecReload = [
|
ExecReload = [
|
||||||
|
@ -701,7 +703,6 @@ in
|
||||||
];
|
];
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
StartLimitInterval = "1min";
|
|
||||||
# User and group
|
# User and group
|
||||||
User = cfg.user;
|
User = cfg.user;
|
||||||
Group = cfg.group;
|
Group = cfg.group;
|
||||||
|
|
|
@ -136,6 +136,8 @@ in {
|
||||||
description = "Traefik web server";
|
description = "Traefik web server";
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
startLimitIntervalSec = 86400;
|
||||||
|
startLimitBurst = 5;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart =
|
ExecStart =
|
||||||
"${cfg.package}/bin/traefik --configfile=${staticConfigFile}";
|
"${cfg.package}/bin/traefik --configfile=${staticConfigFile}";
|
||||||
|
@ -143,8 +145,6 @@ in {
|
||||||
User = "traefik";
|
User = "traefik";
|
||||||
Group = cfg.group;
|
Group = cfg.group;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
StartLimitInterval = 86400;
|
|
||||||
StartLimitBurst = 5;
|
|
||||||
AmbientCapabilities = "cap_net_bind_service";
|
AmbientCapabilities = "cap_net_bind_service";
|
||||||
CapabilityBoundingSet = "cap_net_bind_service";
|
CapabilityBoundingSet = "cap_net_bind_service";
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
|
|
|
@ -678,14 +678,14 @@ in
|
||||||
|
|
||||||
script = "${cfg.displayManager.job.execCmd}";
|
script = "${cfg.displayManager.job.execCmd}";
|
||||||
|
|
||||||
|
# Stop restarting if the display manager stops (crashes) 2 times
|
||||||
|
# in one minute. Starting X typically takes 3-4s.
|
||||||
|
startLimitIntervalSec = 30;
|
||||||
|
startLimitBurst = 3;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = "200ms";
|
RestartSec = "200ms";
|
||||||
SyslogIdentifier = "display-manager";
|
SyslogIdentifier = "display-manager";
|
||||||
# Stop restarting if the display manager stops (crashes) 2 times
|
|
||||||
# in one minute. Starting X typically takes 3-4s.
|
|
||||||
StartLimitInterval = "30s";
|
|
||||||
StartLimitBurst = "3";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
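Review bot: The comment moved above `startLimitIntervalSec = 30;` and `startLimitBurst = 3;` still says the display manager stops restarting after crashing "2 times in one minute", which does not match either value. Since the lines are being touched anyway, I would bring the comment in line with the settings: `# Stop restarting once the display manager has been started more than` / `# 3 times within 30 seconds. Starting X typically takes 3-4s.` The service definition begins outside the hunk.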
@ -210,12 +210,21 @@ in rec {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
startLimitBurst = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
description = ''
|
||||||
|
Configure unit start rate limiting. Units which are started
|
||||||
|
more than startLimitBurst times within an interval time
|
||||||
|
interval are not permitted to start any more.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
startLimitIntervalSec = mkOption {
|
startLimitIntervalSec = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
description = ''
|
description = ''
|
||||||
Configure unit start rate limiting. Units which are started
|
Configure unit start rate limiting. Units which are started
|
||||||
more than burst times within an interval time interval are
|
more than startLimitBurst times within an interval time
|
||||||
not permitted to start any more.
|
interval are not permitted to start any more.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -245,8 +254,7 @@ in rec {
|
||||||
serviceConfig = mkOption {
|
serviceConfig = mkOption {
|
||||||
default = {};
|
default = {};
|
||||||
example =
|
example =
|
||||||
{ StartLimitInterval = 10;
|
{ RestartSec = 5;
|
||||||
RestartSec = 5;
|
|
||||||
};
|
};
|
||||||
type = types.addCheck (types.attrsOf unitOption) checkService;
|
type = types.addCheck (types.attrsOf unitOption) checkService;
|
||||||
description = ''
|
description = ''
|
||||||
|
|
|
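Review bot: The new `startLimitBurst` option and `startLimitIntervalSec` now carry the same description text. The generated option docs therefore do not say which value each one sets, that the interval is in seconds, or that zero disables the limit. I would give each its own description: the burst as the number of starts allowed per interval, the interval as the window length in seconds, and both noting that 0 turns rate limiting off. Both are declared with `type = types.int;`, which accepts negative numbers that are then rendered into the unit file as-is; `type = types.ints.unsigned;` would reject them at evaluation time.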
@ -243,6 +243,8 @@ let
|
||||||
OnFailure = toString config.onFailure; }
|
OnFailure = toString config.onFailure; }
|
||||||
// optionalAttrs (options.startLimitIntervalSec.isDefined) {
|
// optionalAttrs (options.startLimitIntervalSec.isDefined) {
|
||||||
StartLimitIntervalSec = toString config.startLimitIntervalSec;
|
StartLimitIntervalSec = toString config.startLimitIntervalSec;
|
||||||
|
} // optionalAttrs (options.startLimitBurst.isDefined) {
|
||||||
|
StartLimitBurst = toString config.startLimitBurst;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|