From 289ed2fb27f74da9034b1e0f0f19b0d3a6a1355d Mon Sep 17 00:00:00 2001
From: chn
Date: Sat, 2 Sep 2023 21:39:01 +0800
Subject: [PATCH] =?UTF-8?q?=E6=95=B4=E7=90=86=20systemd.security?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 modules/system/default.nix | 45 +++++++++++++------------------------
 modules/system/systemd.nix | 19 ++++++++++++++++
 2 files changed, 34 insertions(+), 30 deletions(-)
 create mode 100644 modules/system/systemd.nix
diff --git a/modules/system/default.nix b/modules/system/default.nix
index eb354d00..686b50b6 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -11,6 +11,7 @@ inputs:
 ./gui.nix
 ./nixpkgs.nix
 ./networking.nix
+ ./systemd.nix
 ];
 config =
 let
@@ -30,7 +31,6 @@ inputs:
 ACTION=="add|change", KERNEL=="nvme[0-9]n[0-9]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="bfq"
 '';
 dbus.implementation = "broker";
- journald.extraConfig = "MaxRetentionSec=7d";
 };
 time.timeZone = "Asia/Shanghai";
 boot =
@@ -47,36 +47,21 @@ inputs:
 consoleLogLevel = 7;
 };
 hardware.enableAllFirmware = true;
- systemd =
+ environment.sessionVariables = rec
 {
- extraConfig =
- ''
- DefaultTimeoutStopSec=10s
- DefaultLimitNOFILE=1048576:1048576
- '';
- user.extraConfig = "DefaultTimeoutStopSec=10s";
- services.systemd-tmpfiles-setup = { environment = { SYSTEMD_TMPFILES_FORCE_SUBVOL = "0"; }; };
- timers.systemd-tmpfiles-clean.enable = false;
- coredump.enable = false;
- };
- environment =
- {
- sessionVariables = rec
- {
- XDG_CACHE_HOME = "$HOME/.cache";
- XDG_CONFIG_HOME = "$HOME/.config";
- XDG_DATA_HOME = "$HOME/.local/share";
- XDG_STATE_HOME = "$HOME/.local/state";
- # ANDROID_HOME = "${XDG_DATA_HOME}/android";
- HISTFILE= "${XDG_STATE_HOME}/bash/history";
- CUDA_CACHE_PATH = "${XDG_CACHE_HOME}/nv";
- DOCKER_CONFIG = "${XDG_CONFIG_HOME}/docker";
- GNUPGHOME = "${XDG_DATA_HOME}/gnupg";
- GTK2_RC_FILES = "${XDG_CONFIG_HOME}/gtk-2.0/gtkrc";
- XCOMPOSECACHE = "${XDG_CACHE_HOME}/X11/xcompose";
- MATHEMATICA_USERBASE = "${XDG_CONFIG_HOME}/mathematica";
- _JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java";
- };
+ XDG_CACHE_HOME = "$HOME/.cache";
+ XDG_CONFIG_HOME = "$HOME/.config";
+ XDG_DATA_HOME = "$HOME/.local/share";
+ XDG_STATE_HOME = "$HOME/.local/state";
+ # ANDROID_HOME = "${XDG_DATA_HOME}/android";
+ HISTFILE= "${XDG_STATE_HOME}/bash/history";
+ CUDA_CACHE_PATH = "${XDG_CACHE_HOME}/nv";
+ DOCKER_CONFIG = "${XDG_CONFIG_HOME}/docker";
+ GNUPGHOME = "${XDG_DATA_HOME}/gnupg";
+ GTK2_RC_FILES = "${XDG_CONFIG_HOME}/gtk-2.0/gtkrc";
+ XCOMPOSECACHE = "${XDG_CACHE_HOME}/X11/xcompose";
+ MATHEMATICA_USERBASE = "${XDG_CONFIG_HOME}/mathematica";
+ _JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java";
 };
 i18n =
 {
diff --git a/modules/system/systemd.nix b/modules/system/systemd.nix
new file mode 100644
index 00000000..daf4cd59
--- /dev/null
+++ b/modules/system/systemd.nix
@@ -0,0 +1,19 @@
+inputs: { config =
+{
+ # only preserve the last 7 days of logs
+ services.journald.extraConfig = "MaxRetentionSec=7d";
+ systemd =
+ {
+ extraConfig =
+ ''
+ DefaultTimeoutStopSec=10s
+ DefaultLimitNOFILE=1048576:1048576
+ '';
+ user.extraConfig = "DefaultTimeoutStopSec=10s";
+ # do not create /var/lib/machines and /var/lib/portables as subvolumes
+ services.systemd-tmpfiles-setup.environment.SYSTEMD_TMPFILES_FORCE_SUBVOL = "0";
+ # do not clean /tmp
+ timers.systemd-tmpfiles-clean.enable = false;
+ coredump.enable = false;
+ };
+};}
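Review bot: `coredump.enable = false;` is the only setting in the new module that carries no comment, although every neighbouring line explains its intent and this one is a real trade-off: no process memory (which can include credentials) is persisted to disk, but post-mortem crash data is lost, so a line such as `# do not persist core dumps: they capture process memory (possibly secrets); the cost is losing post-mortem crash data` would record the reasoning. The comment above `timers.systemd-tmpfiles-clean.enable = false;` understates the effect, because that timer runs `systemd-tmpfiles --clean`, which applies every tmpfiles.d entry with an age field rather than only the /tmp rule; `# disable periodic systemd-tmpfiles --clean (affects every tmpfiles.d age rule, not only /tmp)` would be more accurate. As a point of style, `inputs: { config =` followed by `{` on the next line and the closing `};}` break the one-brace-per-line layout used in the rest of this file and in default.nix.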