nixos/systemd: convert extraConfig to rfc 42 (#426692)

2025-07-28 21:06:12 +01:00 · 2025-07-28 21:06:12 +01:00 · 1adf0f56ff
commit 1adf0f56ff
parent 4577cff3ec 6cd6573d41
8 changed files with 106 additions and 123 deletions
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@ -141,6 +141,13 @@

 - `libvirt` now supports using `nftables` backend.

+- `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively.
+  - `systemd.watchdog.runtimeTime` was renamed to `systemd.settings.Manager.RuntimeWatchdogSec`
+  - `systemd.watchdog.device` was renamed to `systemd.settings.Manager.WatchdogDevice`
+  - `systemd.watchdog.rebootTime` was renamed to `systemd.settings.Manager.RebootWatchdogSec`
+  - `systemd.watchdog.kexecTime` was renamed to `systemd.settings.Manager.KExecWatchdogSec`
+  - `systemd.enableCgroupAccounting` was removed. Cgroup accounting now needs to be disabled directly using `systemd.settings.Manager.*Accounting`.
+
 - `services.ntpd-rs` now performs configuration validation.

 - `services.postsrsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.postsrsd.configurePostfix](#opt-services.postsrsd.configurePostfix) option.
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -1663,7 +1663,7 @@ in
        must be that described in {manpage}`limits.conf(5)`.

        Note that these limits do not apply to systemd services,
-        whose limits can be changed via {option}`systemd.extraConfig`
+        whose limits can be changed via {option}`systemd.settings.Manager`
        instead.
      '';
    };
--- a/nixos/modules/services/monitoring/netdata.nix
+++ b/nixos/modules/services/monitoring/netdata.nix
@ -412,8 +412,6 @@ in
      });
    };

-    systemd.enableCgroupAccounting = true;
-
    security.wrappers = {
      "apps.plugin" = {
        source = "${cfg.package}/libexec/netdata/plugins.d/apps.plugin.org";
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@ -24,6 +24,7 @@ let
    mountToUnit
    automountToUnit
    sliceToUnit
+    attrsToSection
    ;

  upstreamSystemUnits = [
@ -405,20 +406,25 @@ in
      '';
    };

-    enableCgroupAccounting = mkOption {
-      default = true;
-      type = types.bool;
-      description = ''
-        Whether to enable cgroup accounting; see {manpage}`cgroups(7)`.
+    settings.Manager = mkOption {
+      default = { };
+      defaultText = lib.literalExpression ''
+        {
+          DefaultIOAccounting = true;
+          DefaultIPAccounting = true;
+        }
      '';
-    };
-
-    extraConfig = mkOption {
-      default = "";
-      type = types.lines;
-      example = "DefaultLimitCORE=infinity";
+      type = lib.types.submodule {
+        freeformType = types.attrsOf unitOption;
+      };
+      example = {
+        WatchdogDevice = "/dev/watchdog";
+        RuntimeWatchdogSec = "30s";
+        RebootWatchdogSec = "10min";
+        KExecWatchdogSec = "5min";
+      };
      description = ''
-        Extra config options for systemd. See {manpage}`systemd-system.conf(5)` man page
+        Options for the global systemd service manager. See {manpage}`systemd-system.conf(5)` man page
        for available options.
      '';
    };
@ -457,59 +463,6 @@ in
        by other NixOS modules.
      '';
    };
-
-    watchdog.device = mkOption {
-      type = types.nullOr types.path;
-      default = null;
-      example = "/dev/watchdog";
-      description = ''
-        The path to a hardware watchdog device which will be managed by systemd.
-        If not specified, systemd will default to `/dev/watchdog`.
-      '';
-    };
-
-    watchdog.runtimeTime = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      example = "30s";
-      description = ''
-        The amount of time which can elapse before a watchdog hardware device
-        will automatically reboot the system.
-
-        Valid time units include "ms", "s", "min", "h", "d", and "w";
-        see {manpage}`systemd.time(7)`.
-      '';
-    };
-
-    watchdog.rebootTime = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      example = "10m";
-      description = ''
-        The amount of time which can elapse after a reboot has been triggered
-        before a watchdog hardware device will automatically reboot the system.
-        If left `null`, systemd will use its default of 10 minutes;
-        see {manpage}`systemd-system.conf(5)`.
-
-        Valid time units include "ms", "s", "min", "h", "d", and "w";
-        see also {manpage}`systemd.time(7)`.
-      '';
-    };
-
-    watchdog.kexecTime = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      example = "10m";
-      description = ''
-        The amount of time which can elapse when `kexec` is being executed before
-        a watchdog hardware device will automatically reboot the system. This
-        option should only be enabled if `reloadTime` is also enabled;
-        see {manpage}`kexec(8)`.
-
-        Valid time units include "ms", "s", "min", "h", "d", and "w";
-        see also {manpage}`systemd.time(7)`.
-      '';
-    };
  };

  ###### implementation
@ -638,32 +591,7 @@ in

        "systemd/system.conf".text = ''
          [Manager]
-          ManagerEnvironment=${
-            lib.concatStringsSep " " (
-              lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment
-            )
-          }
-          ${optionalString cfg.enableCgroupAccounting ''
-            DefaultCPUAccounting=yes
-            DefaultIOAccounting=yes
-            DefaultBlockIOAccounting=yes
-            DefaultIPAccounting=yes
-          ''}
-          DefaultLimitCORE=infinity
-          ${optionalString (cfg.watchdog.device != null) ''
-            WatchdogDevice=${cfg.watchdog.device}
-          ''}
-          ${optionalString (cfg.watchdog.runtimeTime != null) ''
-            RuntimeWatchdogSec=${cfg.watchdog.runtimeTime}
-          ''}
-          ${optionalString (cfg.watchdog.rebootTime != null) ''
-            RebootWatchdogSec=${cfg.watchdog.rebootTime}
-          ''}
-          ${optionalString (cfg.watchdog.kexecTime != null) ''
-            KExecWatchdogSec=${cfg.watchdog.kexecTime}
-          ''}
-
-          ${cfg.extraConfig}
+          ${attrsToSection cfg.settings.Manager}
        '';

        "systemd/sleep.conf".text = ''
@ -749,6 +677,13 @@ in
        config.boot.extraSystemdUnitPaths != [ ]
      ) "${builtins.concatStringsSep ":" config.boot.extraSystemdUnitPaths}:";
    };
+    systemd.settings.Manager = {
+      ManagerEnvironment = lib.concatStringsSep " " (
+        lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment
+      );
+      DefaultIOAccounting = lib.mkDefault true;
+      DefaultIPAccounting = lib.mkDefault true;
+    };

    system.requiredKernelConfig = map config.lib.kernelConfig.isEnabled [
      "DEVTMPFS"
@ -858,5 +793,26 @@ in
      To forcibly reenable cgroup v1 support, you can set boot.kernelParams = [ "systemd.unified_cgroup_hierarchy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ].
      NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own.
    '')
+    (mkRemovedOptionModule [ "systemd" "extraConfig" ] "Use systemd.settings.Manager instead.")
+    (lib.mkRenamedOptionModule
+      [ "systemd" "watchdog" "device" ]
+      [ "systemd" "settings" "Manager" "WatchdogDevice" ]
+    )
+    (lib.mkRenamedOptionModule
+      [ "systemd" "watchdog" "runtimeTime" ]
+      [ "systemd" "settings" "Manager" "RuntimeWatchdogSec" ]
+    )
+    (lib.mkRenamedOptionModule
+      [ "systemd" "watchdog" "rebootTime" ]
+      [ "systemd" "settings" "Manager" "RebootWatchdogSec" ]
+    )
+    (lib.mkRenamedOptionModule
+      [ "systemd" "watchdog" "kexecTime" ]
+      [ "systemd" "settings" "Manager" "KExecWatchdogSec" ]
+    )
+    (mkRemovedOptionModule [
+      "systemd"
+      "enableCgroupAccounting"
+    ] "To disable cgroup accounting, disable systemd.settings.Manager.*Accounting directly.")
  ];
 }
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@ -11,6 +11,7 @@ with lib;

 let
  inherit (utils) systemdUtils escapeSystemdPath;
+  inherit (systemdUtils.unitOptions) unitOption;
  inherit (systemdUtils.lib)
    generateUnits
    pathToUnit
@ -21,6 +22,7 @@ let
    timerToUnit
    mountToUnit
    automountToUnit
+    attrsToSection
    ;

  cfg = config.boot.initrd.systemd;
@ -139,6 +141,12 @@ in
      It only saved ~1MiB of initramfs size, but caused a few issues
      like unloadable kernel modules.
    '')
+    (lib.mkRemovedOptionModule [
+      "boot"
+      "initrd"
+      "systemd"
+      "extraConfig"
+    ] "Use boot.initrd.systemd.settings.Manager instead.")
  ];

  options.boot.initrd.systemd = {
@ -161,12 +169,24 @@ in
      '';
    };

-    extraConfig = mkOption {
-      default = "";
-      type = types.lines;
-      example = "DefaultLimitCORE=infinity";
+    settings.Manager = mkOption {
+      default = { };
+      defaultText = lib.literalExpression ''
+        {
+          DefaultEnvironment = "PATH=/bin:/sbin";
+        }
+      '';
+      type = lib.types.submodule {
+        freeformType = types.attrsOf unitOption;
+      };
+      example = {
+        WatchdogDevice = "/dev/watchdog";
+        RuntimeWatchdogSec = "30s";
+        RebootWatchdogSec = "10min";
+        KExecWatchdogSec = "5min";
+      };
      description = ''
-        Extra config options for systemd. See {manpage}`systemd-system.conf(5)` man page
+        Options for the global systemd service manager used in initrd. See {manpage}`systemd-system.conf(5)` man page
        for available options.
      '';
    };
@ -182,6 +202,11 @@ in
          ])
        );
      default = { };
+      defaultText = ''
+        {
+          PATH = "/bin:/sbin";
+        }
+      '';
      example = {
        SYSTEMD_LOG_LEVEL = "debug";
      };
@ -450,6 +475,10 @@ in
      };

      managerEnvironment.PATH = "/bin:/sbin";
+      settings.Manager.ManagerEnvironment = lib.concatStringsSep " " (
+        lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment
+      );
+      settings.Manager.DefaultEnvironment = "PATH=/bin:/sbin";

      contents = {
        "/tmp/.keep".text = "systemd requires the /tmp mount point in the initrd cpio archive";
@ -458,13 +487,7 @@ in

        "/etc/systemd/system.conf".text = ''
          [Manager]
-          DefaultEnvironment=PATH=/bin:/sbin
-          ${cfg.extraConfig}
-          ManagerEnvironment=${
-            lib.concatStringsSep " " (
-              lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment
-            )
-          }
+          ${attrsToSection cfg.settings.Manager}
        '';

        "/lib".source = "${config.system.build.modulesClosure}/lib";
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@ -115,7 +115,7 @@ in
          MaxLevelConsole=debug
        '';

-        extraConfig = config.systemd.extraConfig;
+        settings.Manager = config.systemd.settings.Manager;
      }

      (lib.mkIf cfg.initrdBackdoor {
@ -210,13 +210,13 @@ in
      MaxLevelConsole=debug
    '';

-    systemd.extraConfig = ''
+    systemd.settings.Manager = {
      # Don't clobber the console with duplicate systemd messages.
-      ShowStatus=no
+      ShowStatus = false;
      # Allow very slow start
-      DefaultTimeoutStartSec=300
-      DefaultDeviceTimeoutSec=300
-    '';
+      DefaultTimeoutStartSec = 300;
+      DefaultDeviceTimeoutSec = 300;
+    };
    systemd.user.extraConfig = ''
      # Allow very slow start
      DefaultTimeoutStartSec=300
--- a/nixos/tests/switch-test.nix
+++ b/nixos/tests/switch-test.nix
@ -68,9 +68,9 @@ in
            echo "systemd 0" > $out/init-interface-version
          '';

-          modifiedSystemConf.configuration.systemd.extraConfig = ''
-            # Hello world!
-          '';
+          modifiedSystemConf.configuration.systemd.settings.Manager = {
+            DefaultEnvironment = "XXX_SYSTEM=foo";
+          };

          addedMount.configuration.virtualisation.fileSystems."/test" = {
            device = "tmpfs";
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@ -27,7 +27,13 @@
        };
      };

-      systemd.extraConfig = "DefaultEnvironment=\"XXX_SYSTEM=foo\"";
+      systemd.settings.Manager = {
+        DefaultEnvironment = "XXX_SYSTEM=foo";
+        WatchdogDevice = "/dev/watchdog";
+        RuntimeWatchdogSec = "30s";
+        RebootWatchdogSec = "10min";
+        KExecWatchdogSec = "5min";
+      };
      systemd.user.extraConfig = "DefaultEnvironment=\"XXX_USER=bar\"";
      services.journald.extraConfig = "Storage=volatile";
      test-support.displayManager.auto.user = "alice";
@ -86,13 +92,6 @@
        '';
      };

-      systemd.watchdog = {
-        device = "/dev/watchdog";
-        runtimeTime = "30s";
-        rebootTime = "10min";
-        kexecTime = "5min";
-      };
-
      environment.etc."systemd/system-preset/10-testservice.preset".text = ''
        disable ${config.systemd.services.testservice1.name}
      '';