整理 systemd.security

2024-10-23 07:08:45 +08:00 · 2023-09-02 21:39:01 +08:00 · 2023-09-02 21:39:01 +08:00 · 289ed2fb27
commit 289ed2fb27
parent 438d1181ff
2 changed files with 34 additions and 30 deletions
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@ -11,6 +11,7 @@ inputs:
    ./gui.nix
    ./nixpkgs.nix
    ./networking.nix
+    ./systemd.nix
  ];
  config =
    let
@ -30,7 +31,6 @@ inputs:
              ACTION=="add|change", KERNEL=="nvme[0-9]n[0-9]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="bfq"
            '';
            dbus.implementation = "broker";
-            journald.extraConfig = "MaxRetentionSec=7d";
          };
          time.timeZone = "Asia/Shanghai";
          boot =
@ -47,21 +47,7 @@ inputs:
            consoleLogLevel = 7;
          };
          hardware.enableAllFirmware = true;
-          systemd =
-          {
-            extraConfig =
-            ''
-              DefaultTimeoutStopSec=10s
-              DefaultLimitNOFILE=1048576:1048576
-            '';
-            user.extraConfig = "DefaultTimeoutStopSec=10s";
-            services.systemd-tmpfiles-setup = { environment = { SYSTEMD_TMPFILES_FORCE_SUBVOL = "0"; }; };
-            timers.systemd-tmpfiles-clean.enable = false;
-            coredump.enable = false;
-          };
-          environment =
-          {
-            sessionVariables = rec
+          environment.sessionVariables = rec
          {
            XDG_CACHE_HOME = "$HOME/.cache";
            XDG_CONFIG_HOME = "$HOME/.config";
@ -77,7 +63,6 @@ inputs:
            MATHEMATICA_USERBASE = "${XDG_CONFIG_HOME}/mathematica";
            _JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java";
          };
-          };
          i18n =
          {
            defaultLocale = "C.UTF-8";
--- a/modules/system/systemd.nix
+++ b/modules/system/systemd.nix
@ -0,0 +1,19 @@
+inputs: { config =
+{
+  # only preserve the last 7 days of logs
+  services.journald.extraConfig = "MaxRetentionSec=7d";
+  systemd =
+  {
+    extraConfig =
+    ''
+      DefaultTimeoutStopSec=10s
+      DefaultLimitNOFILE=1048576:1048576
+    '';
+    user.extraConfig = "DefaultTimeoutStopSec=10s";
+    # do not create /var/lib/machines and /var/lib/portables as subvolumes
+    services.systemd-tmpfiles-setup.environment.SYSTEMD_TMPFILES_FORCE_SUBVOL = "0";
+    # do not clean /tmp
+    timers.systemd-tmpfiles-clean.enable = false;
+    coredump.enable = false;
+  };
+};}