From ebaf7a33ecd7f43988fc5be1b1ecc6d72da2cb6b Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 19 Jul 2025 16:04:38 +0200 Subject: [PATCH 01/21] nixos/systemd: add settings.Manager option --- nixos/modules/system/boot/systemd.nix | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 536174daa08d..74badf346922 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -24,6 +24,7 @@ let mountToUnit automountToUnit sliceToUnit + attrsToSection ; upstreamSystemUnits = [ @@ -423,6 +424,29 @@ in ''; }; + settings.Manager = mkOption { + default = { }; + defaultText = lib.literalExpression '' + { + DefaultIOAccounting = true; + DefaultIPAccounting = true; + } + ''; + type = lib.types.submodule { + freeformType = types.attrsOf unitOption; + }; + example = { + WatchdogDevice = "/dev/watchdog"; + RuntimeWatchdogSec = "30s"; + RebootWatchdogSec = "10min"; + KExecWatchdogSec = "5min"; + }; + description = '' + Options for the global systemd service manager. See {manpage}`systemd-system.conf(5)` man page + for available options. + ''; + }; + sleep.extraConfig = mkOption { default = ""; type = types.lines; @@ -664,6 +688,7 @@ in ''} ${cfg.extraConfig} + ${attrsToSection cfg.settings.Manager} ''; "systemd/sleep.conf".text = '' From f0b71eebdc0b099904f046e30be33eab93e292ab Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Mon, 28 Jul 2025 11:05:34 +0200 Subject: [PATCH 02/21] nixos/systemd: add boot.initrd.systemd.settings.Manager option --- nixos/modules/system/boot/systemd/initrd.nix | 30 ++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index b76682e4d6f0..49ee4edec2f2 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix 
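Review bot: The `defaultText` of the new `settings.Manager` option promises `DefaultIOAccounting = true; DefaultIPAccounting = true;`, but at this commit nothing defines those keys: `default = { }` and the accounting lines are still produced by the `optionalString cfg.enableCgroupAccounting` block sitting above the new `${attrsToSection cfg.settings.Manager}` line in the system.conf hunk. The text only becomes accurate once PATCH 20 (L20) defines them with `lib.mkDefault`, so either move that `defaultText` to PATCH 20 or drop it here so the rendered manual matches what is evaluated at every commit of the series. Minor style point in the same hunk: `lib.types.submodule { freeformType = types.attrsOf unitOption; }` mixes the `lib.types` prefix with the bare `types` alias the rest of the option uses.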
@@ -11,6 +11,7 @@ with lib; let inherit (utils) systemdUtils escapeSystemdPath; + inherit (systemdUtils.unitOptions) unitOption; inherit (systemdUtils.lib) generateUnits pathToUnit @@ -21,6 +22,7 @@ let timerToUnit mountToUnit automountToUnit + attrsToSection ; cfg = config.boot.initrd.systemd; @@ -171,6 +173,28 @@ in ''; }; + settings.Manager = mkOption { + default = { }; + defaultText = lib.literalExpression '' + { + DefaultEnvironment = "PATH=/bin:/sbin"; + } + ''; + type = lib.types.submodule { + freeformType = types.attrsOf unitOption; + }; + example = { + WatchdogDevice = "/dev/watchdog"; + RuntimeWatchdogSec = "30s"; + RebootWatchdogSec = "10min"; + KExecWatchdogSec = "5min"; + }; + description = '' + Options for the global systemd service manager used in initrd. See {manpage}`systemd-system.conf(5)` man page + for available options. + ''; + }; + managerEnvironment = mkOption { type = with types; @@ -182,6 +206,11 @@ in ]) ); default = { }; + defaultText = '' + { + PATH = "/bin:/sbin"; + } + ''; example = { SYSTEMD_LOG_LEVEL = "debug"; }; @@ -460,6 +489,7 @@ in [Manager] DefaultEnvironment=PATH=/bin:/sbin ${cfg.extraConfig} + ${attrsToSection cfg.settings.Manager} ManagerEnvironment=${ lib.concatStringsSep " " ( lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment From 222ee8fabfad815e6c988882defe282d1e79dc1a Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 19 Jul 2025 16:30:08 +0200 Subject: [PATCH 03/21] nixos/testing: migrate to systemd.settings.Manager --- nixos/modules/testing/test-instrumentation.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix index 80852be51f1d..89d3b9d5277c 100644 --- a/nixos/modules/testing/test-instrumentation.nix +++ b/nixos/modules/testing/test-instrumentation.nix 
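Review bot: In the `managerEnvironment` hunk the added `defaultText` is a bare string, whereas the `settings.Manager` option added just above wraps the same kind of value in `lib.literalExpression`; as far as I can tell from how the options documentation renders non-`literalExpression` defaults, a plain string is printed as a quoted Nix string literal rather than as the attribute set it describes. Use `defaultText = lib.literalExpression '' { PATH = "/bin:/sbin"; } '';` (multi-line as in the option above). The `settings.Manager` description could also state that the initrd module itself defines `DefaultEnvironment` in this section, so a user definition of that key merges with NixOS' own rather than replacing it.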
@@ -115,7 +115,7 @@ in MaxLevelConsole=debug ''; - extraConfig = config.systemd.extraConfig; + settings.Manager = config.systemd.settings.Manager; } (lib.mkIf cfg.initrdBackdoor { @@ -210,13 +210,13 @@ in MaxLevelConsole=debug ''; - systemd.extraConfig = '' + systemd.settings.Manager = { # Don't clobber the console with duplicate systemd messages. - ShowStatus=no + ShowStatus = false; # Allow very slow start - DefaultTimeoutStartSec=300 - DefaultDeviceTimeoutSec=300 - ''; + DefaultTimeoutStartSec = 300; + DefaultDeviceTimeoutSec = 300; + }; systemd.user.extraConfig = '' # Allow very slow start DefaultTimeoutStartSec=300 From 5077e5f1e88eddb87596a60a7e99575c6645d021 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 19 Jul 2025 16:30:43 +0200 Subject: [PATCH 04/21] nixos/tests/systemd: migrate to systemd.settings.Manager --- nixos/tests/systemd.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index f2ea77f2ed48..a39d9d9545a1 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix @@ -27,7 +27,9 @@ }; }; - systemd.extraConfig = "DefaultEnvironment=\"XXX_SYSTEM=foo\""; + systemd.settings.Manager = { + DefaultEnvironment = "XXX_SYSTEM=foo"; + }; systemd.user.extraConfig = "DefaultEnvironment=\"XXX_USER=bar\""; services.journald.extraConfig = "Storage=volatile"; test-support.displayManager.auto.user = "alice"; From 9142cadd5e46c9449f6e0e456625bf977fcfb2f5 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 19 Jul 2025 17:05:12 +0200 Subject: [PATCH 05/21] nixos/pam: point to systemd.settings.Manager --- nixos/modules/security/pam.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 3eba6d4b519e..53e67873d200 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix 
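Review bot: `settings.Manager = config.systemd.settings.Manager;`, inside what appears to be the `boot.initrd.systemd` block, copies the whole stage-2 `[Manager]` section into the initrd, where the removed line copied only `extraConfig`. Once PATCH 09 (L6) defines `boot.initrd.systemd.settings.Manager.ManagerEnvironment` and `DefaultEnvironment` and PATCH 11 (L9) defines the stage-2 `ManagerEnvironment`, both sides define the same keys with different strings at normal priority, which with `unitOption`'s equality merge should fail evaluation; and even where it merges, the stage-2 `PATH` of store paths would become the environment of initrd PID 1. Copy only the keys the instrumentation sets in the second hunk, e.g. `settings.Manager = { inherit (config.systemd.settings.Manager) ShowStatus DefaultTimeoutStartSec DefaultDeviceTimeoutSec; };`.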
@@ -1663,7 +1663,7 @@ in must be that described in {manpage}`limits.conf(5)`. Note that these limits do not apply to systemd services, - whose limits can be changed via {option}`systemd.extraConfig` + whose limits can be changed via {option}`systemd.settings.Manager` instead. ''; }; From a48bc46a3eb284a94b2c1074ff11d91962d55c3b Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 19 Jul 2025 17:13:56 +0200 Subject: [PATCH 06/21] nixos/tests/switchTest: migrate to systemd.settings.Manager --- nixos/tests/switch-test.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index 18defdfc9d76..545cbe25f167 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix @@ -68,9 +68,9 @@ in echo "systemd 0" > $out/init-interface-version ''; - modifiedSystemConf.configuration.systemd.extraConfig = '' - # Hello world! - ''; + modifiedSystemConf.configuration.systemd.settings.Manager = { + DefaultEnvironment = "XXX_SYSTEM=foo"; + }; addedMount.configuration.virtualisation.fileSystems."/test" = { device = "tmpfs"; From 1a846a2fffb0041b978db145c3ec08f3982ae028 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 19 Jul 2025 17:15:08 +0200 Subject: [PATCH 07/21] nixos/systemd: remove systemd.extraConfig --- nixos/modules/system/boot/systemd.nix | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 74badf346922..fbdf963ead18 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -414,16 +414,6 @@ in ''; }; - extraConfig = mkOption { - default = ""; - type = types.lines; - example = "DefaultLimitCORE=infinity"; - description = '' - Extra config options for systemd. See {manpage}`systemd-system.conf(5)` man page - for available options. - ''; - }; - settings.Manager = mkOption { default = { }; defaultText = lib.literalExpression '' 
@@ -687,7 +677,6 @@ in KExecWatchdogSec=${cfg.watchdog.kexecTime} ''} - ${cfg.extraConfig} ${attrsToSection cfg.settings.Manager} ''; @@ -883,5 +872,6 @@ in To forcibly reenable cgroup v1 support, you can set boot.kernelParams = [ "systemd.unified_cgroup_hierarchy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]. NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own. '') + (mkRemovedOptionModule [ "systemd" "extraConfig" ] "Use systemd.settings.Manager instead.") ]; } From 071ce0b44a70fdaab1b28bed8e06f44d3dc1430b Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Mon, 28 Jul 2025 11:06:32 +0200 Subject: [PATCH 08/21] nixos/systemd: remove boot.initrd.systemd.extraConfig --- nixos/modules/system/boot/systemd/initrd.nix | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 49ee4edec2f2..905232b66864 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -141,6 +141,12 @@ in It only saved ~1MiB of initramfs size, but caused a few issues like unloadable kernel modules. '') + (lib.mkRemovedOptionModule [ + "boot" + "initrd" + "systemd" + "extraConfig" + ] "Use boot.initrd.systemd.settings.Manager instead.") ]; options.boot.initrd.systemd = { @@ -163,16 +169,6 @@ in ''; }; - extraConfig = mkOption { - default = ""; - type = types.lines; - example = "DefaultLimitCORE=infinity"; - description = '' - Extra config options for systemd. See {manpage}`systemd-system.conf(5)` man page - for available options. - ''; - }; - settings.Manager = mkOption { default = { }; defaultText = lib.literalExpression '' @@ -488,7 +484,6 @@ in "/etc/systemd/system.conf".text = '' [Manager] DefaultEnvironment=PATH=/bin:/sbin - ${cfg.extraConfig} ${attrsToSection cfg.settings.Manager} ManagerEnvironment=${ lib.concatStringsSep " " ( 
From 5bc2d42ba9c84e805bcd388d9973f9f69da54925 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Mon, 28 Jul 2025 11:07:13 +0200 Subject: [PATCH 09/21] nixos/systemd: make boot.initrd.systemd.managerEnvironment affect boot.initrd.systemd.settings.Manager --- nixos/modules/system/boot/systemd/initrd.nix | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 905232b66864..c2b1b1ab005c 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -475,6 +475,10 @@ in }; managerEnvironment.PATH = "/bin:/sbin"; + settings.Manager.ManagerEnvironment = lib.concatStringsSep " " ( + lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment + ); + settings.Manager.DefaultEnvironment = "PATH=/bin:/sbin"; contents = { "/tmp/.keep".text = "systemd requires the /tmp mount point in the initrd cpio archive"; @@ -483,13 +487,7 @@ in "/etc/systemd/system.conf".text = '' [Manager] - DefaultEnvironment=PATH=/bin:/sbin ${attrsToSection cfg.settings.Manager} - ManagerEnvironment=${ - lib.concatStringsSep " " ( - lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment - ) - } ''; "/lib".source = "${config.system.build.modulesClosure}/lib"; From 897933fc9eacb221f3b0ec0f469ab199b4bb9d1d Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 20 Jul 2025 11:05:51 +0200 Subject: [PATCH 10/21] nixos/systemd: move systemd.managerEnvironment to systemd.settings.Manager.ManagerEnvironment --- nixos/modules/system/boot/systemd.nix | 54 ++++++++++++++------------- 1 file changed, 28 insertions(+), 26 deletions(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index fbdf963ead18..e8d4edc44397 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix 
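Review bot: `settings.Manager.DefaultEnvironment = "PATH=/bin:/sbin";` in the first hunk is a normal-priority definition, so any user definition of `boot.initrd.systemd.settings.Manager.DefaultEnvironment` — which the option's `defaultText` presents as merely a default — produces a conflicting-definitions error instead of an override, whereas an extra `DefaultEnvironment=` line in the removed `extraConfig` was accepted. Change it to `settings.Manager.DefaultEnvironment = lib.mkDefault "PATH=/bin:/sbin";`. `ManagerEnvironment` should stay at normal priority since it carries the initrd `PATH`, but the line deserves a why-comment such as `# Rendered from boot.initrd.systemd.managerEnvironment; define that option, not this key.` so readers know which knob is supported.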
@@ -386,26 +386,6 @@ in ''; }; - managerEnvironment = mkOption { - type = - with types; - attrsOf ( - nullOr (oneOf [ - str - path - package - ]) - ); - default = { }; - example = { - SYSTEMD_LOG_LEVEL = "debug"; - }; - description = '' - Environment variables of PID 1. These variables are - *not* passed to started units. - ''; - }; - enableCgroupAccounting = mkOption { default = true; type = types.bool; @@ -424,6 +404,29 @@ in ''; type = lib.types.submodule { freeformType = types.attrsOf unitOption; + options = { + ManagerEnvironment = mkOption { + type = + with types; + attrsOf ( + nullOr (oneOf [ + str + path + package + ]) + ); + default = { }; + example = { + SYSTEMD_LOG_LEVEL = "debug"; + }; + description = '' + Environment variables of PID 1. These variables are + *not* passed to started units. + ''; + apply = + env: lib.concatStringsSep " " (lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") env); + }; + }; }; example = { WatchdogDevice = "/dev/watchdog"; @@ -652,11 +655,6 @@ in "systemd/system.conf".text = '' [Manager] - ManagerEnvironment=${ - lib.concatStringsSep " " ( - lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment - ) - } ${optionalString cfg.enableCgroupAccounting '' DefaultCPUAccounting=yes DefaultIOAccounting=yes @@ -747,7 +745,7 @@ in // listToAttrs (map (withName automountToUnit) cfg.automounts); # Environment of PID 1 - systemd.managerEnvironment = { + systemd.settings.Manager.ManagerEnvironment = { # Doesn't contain systemd itself - everything works so it seems to use the compiled-in value for its tools # util-linux is needed for the main fsck utility wrapping the fs-specific ones PATH = lib.makeBinPath ( 
@@ -873,5 +871,9 @@ in NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own. '') (mkRemovedOptionModule [ "systemd" "extraConfig" ] "Use systemd.settings.Manager instead.") + (lib.mkRenamedOptionModule + [ "systemd" "managerEnvironment" ] + [ "systemd" "settings.Manager" "ManagerEnvironment" ] + ) ]; } From 4d3ab0e8d39d50cdf1472fa33834e1947b139fc8 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 20 Jul 2025 16:56:38 +0200 Subject: [PATCH 11/21] nixos/systemd: make systemd.managerEnvironment affect systemd.settings.Manager --- nixos/modules/system/boot/systemd.nix | 52 +++++++++++++-------------- 1 file changed, 24 insertions(+), 28 deletions(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index e8d4edc44397..a27a86bf834e 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -386,6 +386,26 @@ in ''; }; + managerEnvironment = mkOption { + type = + with types; + attrsOf ( + nullOr (oneOf [ + str + path + package + ]) + ); + default = { }; + example = { + SYSTEMD_LOG_LEVEL = "debug"; + }; + description = '' + Environment variables of PID 1. These variables are + *not* passed to started units. + ''; + }; + enableCgroupAccounting = mkOption { default = true; type = types.bool; @@ -404,29 +424,6 @@ in ''; type = lib.types.submodule { freeformType = types.attrsOf unitOption; - options = { - ManagerEnvironment = mkOption { - type = - with types; - attrsOf ( - nullOr (oneOf [ - str - path - package - ]) - ); - default = { }; - example = { - SYSTEMD_LOG_LEVEL = "debug"; - }; - description = '' - Environment variables of PID 1. These variables are - *not* passed to started units. - ''; - apply = - env: lib.concatStringsSep " " (lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") env); - }; - }; }; example = { WatchdogDevice = "/dev/watchdog"; 
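Review bot: The rename target `[ "systemd" "settings.Manager" "ManagerEnvironment" ]` has `settings.Manager` as a single path segment, so the alias points at an attribute `systemd."settings.Manager"` that no module declares; any configuration that still sets `systemd.managerEnvironment` would fail to evaluate at this commit. PATCH 11 (L9) removes this rename again together with the rest of PATCH 10, so the practical fix is to squash the two so the broken intermediate state never appears in history. If a rename is kept for some reason, the path must be `[ "systemd" "settings" "Manager" "ManagerEnvironment" ]`, as the watchdog renames in PATCH 12 spell it.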
@@ -745,7 +742,7 @@ in // listToAttrs (map (withName automountToUnit) cfg.automounts); # Environment of PID 1 - systemd.settings.Manager.ManagerEnvironment = { + systemd.managerEnvironment = { # Doesn't contain systemd itself - everything works so it seems to use the compiled-in value for its tools # util-linux is needed for the main fsck utility wrapping the fs-specific ones PATH = lib.makeBinPath ( @@ -761,6 +758,9 @@ in config.boot.extraSystemdUnitPaths != [ ] ) "${builtins.concatStringsSep ":" config.boot.extraSystemdUnitPaths}:"; }; + systemd.settings.Manager.ManagerEnvironment = lib.concatStringsSep " " ( + lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment + ); system.requiredKernelConfig = map config.lib.kernelConfig.isEnabled [ "DEVTMPFS" @@ -871,9 +871,5 @@ in NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own. '') (mkRemovedOptionModule [ "systemd" "extraConfig" ] "Use systemd.settings.Manager instead.") - (lib.mkRenamedOptionModule - [ "systemd" "managerEnvironment" ] - [ "systemd" "settings.Manager" "ManagerEnvironment" ] - ) ]; } From 493f1339b026de47fdaca57f37d881530795935d Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 20 Jul 2025 16:57:49 +0200 Subject: [PATCH 12/21] nixos/systemd: move systemd.watchdog.* to systemd.settings.Manager --- nixos/modules/system/boot/systemd.nix | 136 +++++++++++++------------- nixos/tests/systemd.nix | 11 +-- 2 files changed, 74 insertions(+), 73 deletions(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index a27a86bf834e..b5e22b07dce6 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix 
@@ -424,6 +424,60 @@ in ''; type = lib.types.submodule { freeformType = types.attrsOf unitOption; + options = { + WatchdogDevice = mkOption { + type = types.nullOr types.path; + default = null; + example = "/dev/watchdog"; + description = '' + The path to a hardware watchdog device which will be managed by systemd. + If not specified, systemd will default to `/dev/watchdog`. + ''; + }; + + RuntimeWatchdogSec = mkOption { + type = types.nullOr types.str; + default = null; + example = "30s"; + description = '' + The amount of time which can elapse before a watchdog hardware device + will automatically reboot the system. + + Valid time units include "ms", "s", "min", "h", "d", and "w"; + see {manpage}`systemd.time(7)`. + ''; + }; + + RebootWatchdogSec = mkOption { + type = types.nullOr types.str; + default = null; + example = "10m"; + description = '' + The amount of time which can elapse after a reboot has been triggered + before a watchdog hardware device will automatically reboot the system. + If left `null`, systemd will use its default of 10 minutes; + see {manpage}`systemd-system.conf(5)`. + + Valid time units include "ms", "s", "min", "h", "d", and "w"; + see also {manpage}`systemd.time(7)`. + ''; + }; + + KExecWatchdogSec = mkOption { + type = types.nullOr types.str; + default = null; + example = "10m"; + description = '' + The amount of time which can elapse when `kexec` is being executed before + a watchdog hardware device will automatically reboot the system. This + option should only be enabled if `reloadTime` is also enabled; + see {manpage}`kexec(8)`. + + Valid time units include "ms", "s", "min", "h", "d", and "w"; + see also {manpage}`systemd.time(7)`. + ''; + }; + }; }; example = { WatchdogDevice = "/dev/watchdog"; 
@@ -471,59 +525,6 @@ in by other NixOS modules. ''; }; - - watchdog.device = mkOption { - type = types.nullOr types.path; - default = null; - example = "/dev/watchdog"; - description = '' - The path to a hardware watchdog device which will be managed by systemd. - If not specified, systemd will default to `/dev/watchdog`. - ''; - }; - - watchdog.runtimeTime = mkOption { - type = types.nullOr types.str; - default = null; - example = "30s"; - description = '' - The amount of time which can elapse before a watchdog hardware device - will automatically reboot the system. - - Valid time units include "ms", "s", "min", "h", "d", and "w"; - see {manpage}`systemd.time(7)`. - ''; - }; - - watchdog.rebootTime = mkOption { - type = types.nullOr types.str; - default = null; - example = "10m"; - description = '' - The amount of time which can elapse after a reboot has been triggered - before a watchdog hardware device will automatically reboot the system. - If left `null`, systemd will use its default of 10 minutes; - see {manpage}`systemd-system.conf(5)`. - - Valid time units include "ms", "s", "min", "h", "d", and "w"; - see also {manpage}`systemd.time(7)`. - ''; - }; - - watchdog.kexecTime = mkOption { - type = types.nullOr types.str; - default = null; - example = "10m"; - description = '' - The amount of time which can elapse when `kexec` is being executed before - a watchdog hardware device will automatically reboot the system. This - option should only be enabled if `reloadTime` is also enabled; - see {manpage}`kexec(8)`. - - Valid time units include "ms", "s", "min", "h", "d", and "w"; - see also {manpage}`systemd.time(7)`. - ''; - }; }; ###### implementation 
@@ -659,19 +660,6 @@ in DefaultIPAccounting=yes ''} DefaultLimitCORE=infinity - ${optionalString (cfg.watchdog.device != null) '' - WatchdogDevice=${cfg.watchdog.device} - ''} - ${optionalString (cfg.watchdog.runtimeTime != null) '' - RuntimeWatchdogSec=${cfg.watchdog.runtimeTime} - ''} - ${optionalString (cfg.watchdog.rebootTime != null) '' - RebootWatchdogSec=${cfg.watchdog.rebootTime} - ''} - ${optionalString (cfg.watchdog.kexecTime != null) '' - KExecWatchdogSec=${cfg.watchdog.kexecTime} - ''} - ${attrsToSection cfg.settings.Manager} ''; @@ -871,5 +859,21 @@ in NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own. '') (mkRemovedOptionModule [ "systemd" "extraConfig" ] "Use systemd.settings.Manager instead.") + (lib.mkRenamedOptionModule + [ "systemd" "watchdog" "device" ] + [ "systemd" "settings" "Manager" "WatchdogDevice" ] + ) + (lib.mkRenamedOptionModule + [ "systemd" "watchdog" "runtimeTime" ] + [ "systemd" "settings" "Manager" "RuntimeWatchdogSec" ] + ) + (lib.mkRenamedOptionModule + [ "systemd" "watchdog" "rebootTime" ] + [ "systemd" "settings" "Manager" "RebootWatchdogSec" ] + ) + (lib.mkRenamedOptionModule + [ "systemd" "watchdog" "kexecTime" ] + [ "systemd" "settings" "Manager" "KExecWatchdogSec" ] + ) ]; } diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index a39d9d9545a1..1209a90cbc43 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix @@ -29,6 +29,10 @@ systemd.settings.Manager = { DefaultEnvironment = "XXX_SYSTEM=foo"; + WatchdogDevice = "/dev/watchdog"; + RuntimeWatchdogSec = "30s"; + RebootWatchdogSec = "10min"; + KExecWatchdogSec = "5min"; }; systemd.user.extraConfig = "DefaultEnvironment=\"XXX_USER=bar\""; services.journald.extraConfig = "Storage=volatile"; 
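Review bot: The four `mkRenamedOptionModule` entries forward whatever value `systemd.watchdog.*` held, and those options were typed `nullOr`, so an explicit `systemd.watchdog.device = null` — previously a no-op thanks to the `optionalString (… != null)` guards the first hunk removes — now lands as a null definition of a freeform `unitOption` key. If `unitOption`'s merge discards null definitions as it does for unit settings, a key whose only definitions are null has nothing left to merge, and a null placed alongside a non-null value is silently ignored; both differ from the old behaviour and neither is covered by the test hunk, which only sets non-null values. Either add a test that sets one of the old options to `null`, or express the migration so nulls are dropped, along the lines of `(lib.mkChangedOptionModule [ "systemd" "watchdog" "device" ] [ "systemd" "settings" "Manager" "WatchdogDevice" ] (config: lib.mkIf (config.systemd.watchdog.device != null) config.systemd.watchdog.device))` for each of the four.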
@@ -88,13 +92,6 @@ ''; }; - systemd.watchdog = { - device = "/dev/watchdog"; - runtimeTime = "30s"; - rebootTime = "10min"; - kexecTime = "5min"; - }; - environment.etc."systemd/system-preset/10-testservice.preset".text = '' disable ${config.systemd.services.testservice1.name} ''; From 62acc59148037c85c71c5e9819e696c8c20c30e3 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 20 Jul 2025 17:21:21 +0200 Subject: [PATCH 13/21] nixos/systemd: move systemd.watchdog.* to systemd.settings.Manager --- nixos/modules/system/boot/systemd.nix | 54 --------------------------- 1 file changed, 54 deletions(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index b5e22b07dce6..dc8072521715 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix 
@@ -424,60 +424,6 @@ in ''; type = lib.types.submodule { freeformType = types.attrsOf unitOption; - options = { - WatchdogDevice = mkOption { - type = types.nullOr types.path; - default = null; - example = "/dev/watchdog"; - description = '' - The path to a hardware watchdog device which will be managed by systemd. - If not specified, systemd will default to `/dev/watchdog`. - ''; - }; - - RuntimeWatchdogSec = mkOption { - type = types.nullOr types.str; - default = null; - example = "30s"; - description = '' - The amount of time which can elapse before a watchdog hardware device - will automatically reboot the system. - - Valid time units include "ms", "s", "min", "h", "d", and "w"; - see {manpage}`systemd.time(7)`. - ''; - }; - - RebootWatchdogSec = mkOption { - type = types.nullOr types.str; - default = null; - example = "10m"; - description = '' - The amount of time which can elapse after a reboot has been triggered - before a watchdog hardware device will automatically reboot the system. - If left `null`, systemd will use its default of 10 minutes; - see {manpage}`systemd-system.conf(5)`. - - Valid time units include "ms", "s", "min", "h", "d", and "w"; - see also {manpage}`systemd.time(7)`. - ''; - }; - - KExecWatchdogSec = mkOption { - type = types.nullOr types.str; - default = null; - example = "10m"; - description = '' - The amount of time which can elapse when `kexec` is being executed before - a watchdog hardware device will automatically reboot the system. This - option should only be enabled if `reloadTime` is also enabled; - see {manpage}`kexec(8)`. - - Valid time units include "ms", "s", "min", "h", "d", and "w"; - see also {manpage}`systemd.time(7)`. - ''; - }; - }; }; example = { WatchdogDevice = "/dev/watchdog"; From 69e833f187993396b1bcaf0fc8792497fe95c9d6 Mon Sep 17 00:00:00 2001 
From: Grimmauld Date: Sun, 20 Jul 2025 17:22:20 +0200 Subject: [PATCH 14/21] nixos/systemd: set DefaultLimitCORE in systemd.settings.Manager explicitly --- nixos/modules/system/boot/systemd.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index dc8072521715..9f7a5b57916a 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -424,6 +424,15 @@ in ''; type = lib.types.submodule { freeformType = types.attrsOf unitOption; + options = { + DefaultLimitCORE = mkOption { + type = types.nullOr types.str; + default = "infinity"; + description = '' + Default for the maximum size of core files created by services. + ''; + }; + }; }; example = { WatchdogDevice = "/dev/watchdog"; @@ -605,7 +614,6 @@ in DefaultBlockIOAccounting=yes DefaultIPAccounting=yes ''} - DefaultLimitCORE=infinity ${attrsToSection cfg.settings.Manager} ''; From 9c429f004d100ff895b9b08432bdab38b5a73fb6 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 20 Jul 2025 17:23:04 +0200 Subject: [PATCH 15/21] nixos/systemd: remove obsolete definition for DefaultLimitCORE The limit was introduced in 2016 in 840f3230a202e40a4107c4ce0ccb910be69c2792, and broken iin 2019 in bafc25691596caf2f6e034cbe5933fdd90a92b6a. Since then, it is the exact same as systemd itself sets as default. --- nixos/modules/system/boot/systemd.nix | 9 --------- 1 file changed, 9 deletions(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 9f7a5b57916a..0da75aa40b03 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix 
@@ -424,15 +424,6 @@ in ''; type = lib.types.submodule { freeformType = types.attrsOf unitOption; - options = { - DefaultLimitCORE = mkOption { - type = types.nullOr types.str; - default = "infinity"; - description = '' - Default for the maximum size of core files created by services. - ''; - }; - }; }; example = { WatchdogDevice = "/dev/watchdog"; From 265152f770a8ccd503bd93f5638d0c68aff82536 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 20 Jul 2025 17:23:50 +0200 Subject: [PATCH 16/21] nixos/systemd: explicitly set systemd.settings.Manager.Default*Accounting --- nixos/modules/system/boot/systemd.nix | 38 ++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 0da75aa40b03..c5317b1c40af 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix 
@@ -424,6 +424,38 @@ in ''; type = lib.types.submodule { freeformType = types.attrsOf unitOption; + options = { + DefaultCPUAccounting = mkOption { + type = types.bool; + default = cfg.enableCgroupAccounting; + defaultText = lib.literalExpression "config.systemd.enableCgroupAccounting"; + description = "Turn on CPU usage accounting"; + }; + + DefaultIOAccounting = mkOption { + type = types.bool; + default = cfg.enableCgroupAccounting; + defaultText = lib.literalExpression "config.systemd.enableCgroupAccounting"; + description = "Turn on Block I/O accounting."; + }; + + DefaultBlockIOAccounting = mkOption { + type = types.bool; + default = cfg.enableCgroupAccounting; + defaultText = lib.literalExpression "config.systemd.enableCgroupAccounting"; + description = "(Deprecated since systemd 252)."; + }; + + DefaultIPAccounting = mkOption { + type = types.bool; + default = cfg.enableCgroupAccounting; + defaultText = lib.literalExpression "config.systemd.enableCgroupAccounting"; + description = '' + If true, turns on IPv4 and IPv6 network traffic accounting for packets sent or received by the unit. When + this option is turned on, all IPv4 and IPv6 sockets created by any process are accounted for. + ''; + }; + }; }; example = { WatchdogDevice = "/dev/watchdog"; @@ -599,12 +631,6 @@ in "systemd/system.conf".text = '' [Manager] - ${optionalString cfg.enableCgroupAccounting '' - DefaultCPUAccounting=yes - DefaultIOAccounting=yes - DefaultBlockIOAccounting=yes - DefaultIPAccounting=yes - ''} ${attrsToSection cfg.settings.Manager} ''; From f47b100763688781069914595aaf9261d426672a Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 20 Jul 2025 15:13:26 +0200 Subject: [PATCH 17/21] nixos/systemd: remove obsolete DefaultBlockIOAccounting option This option is now being ignored by systemd, so we do not need to explicitly define it. --- nixos/modules/system/boot/systemd.nix | 7 ------- 1 file changed, 7 deletions(-) 
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index c5317b1c40af..c1eb904134cf 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -439,13 +439,6 @@ in description = "Turn on Block I/O accounting."; }; - DefaultBlockIOAccounting = mkOption { - type = types.bool; - default = cfg.enableCgroupAccounting; - defaultText = lib.literalExpression "config.systemd.enableCgroupAccounting"; - description = "(Deprecated since systemd 252)."; - }; - DefaultIPAccounting = mkOption { type = types.bool; default = cfg.enableCgroupAccounting; From 231c14276631a2f9530c9af93f27616abd3bfb69 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 20 Jul 2025 17:24:22 +0200 Subject: [PATCH 18/21] nixos/systemd: remove obsolete DefaultCPUAccounting option This option is made uncondiotional in systemd 258 [1]. Earlier, it defaulted to true on kernels newer than 4.15, which applies to all supported nixos kernels. This means removing the option does not change behavior. [1] https://github.com/systemd/systemd/commit/29da53dde32a0097134f6c3ba5fb5220dd6e5423 --- nixos/modules/system/boot/systemd.nix | 7 ------- 1 file changed, 7 deletions(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index c1eb904134cf..c158f1bab429 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -425,13 +425,6 @@ in type = lib.types.submodule { freeformType = types.attrsOf unitOption; options = { - DefaultCPUAccounting = mkOption { - type = types.bool; - default = cfg.enableCgroupAccounting; - defaultText = lib.literalExpression "config.systemd.enableCgroupAccounting"; - description = "Turn on CPU usage accounting"; - }; - DefaultIOAccounting = mkOption { type = types.bool; default = cfg.enableCgroupAccounting; From 84cbe9dce4bab8d3172fef22c496cfd9d6aa5815 Mon Sep 17 00:00:00 2001 
From: Grimmauld Date: Mon, 28 Jul 2025 11:09:49 +0200 Subject: [PATCH 19/21] nixos/netdata: remove cgroup accounting enable cgroup accounting is enabled by default, and the option is scheduled for removal. --- nixos/modules/services/monitoring/netdata.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index b7c8f4b42ba9..24abc3d9ac12 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -412,8 +412,6 @@ in }); }; - systemd.enableCgroupAccounting = true; - security.wrappers = { "apps.plugin" = { source = "${cfg.package}/libexec/netdata/plugins.d/apps.plugin.org"; From fad6dbb9e67642a8daec2cfb9533dc899ec6531a Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 20 Jul 2025 18:08:51 +0200 Subject: [PATCH 20/21] nixos/systemd: remove enableCgroupAccounting option --- nixos/modules/system/boot/systemd.nix | 40 ++++++++------------------- 1 file changed, 11 insertions(+), 29 deletions(-) diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index c158f1bab429..f543142a60ec 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -406,14 +406,6 @@ in ''; }; - enableCgroupAccounting = mkOption { - default = true; - type = types.bool; - description = '' - Whether to enable cgroup accounting; see {manpage}`cgroups(7)`. - ''; - }; - settings.Manager = mkOption { default = { }; defaultText = lib.literalExpression '' 
@@ -424,24 +416,6 @@ in
 '';
 type = lib.types.submodule {
 freeformType = types.attrsOf unitOption;
- options = {
- DefaultIOAccounting = mkOption {
- type = types.bool;
- default = cfg.enableCgroupAccounting;
- defaultText = lib.literalExpression "config.systemd.enableCgroupAccounting";
- description = "Turn on Block I/O accounting.";
- };
-
- DefaultIPAccounting = mkOption {
- type = types.bool;
- default = cfg.enableCgroupAccounting;
- defaultText = lib.literalExpression "config.systemd.enableCgroupAccounting";
- description = ''
- If true, turns on IPv4 and IPv6 network traffic accounting for packets sent or received by the unit. When
- this option is turned on, all IPv4 and IPv6 sockets created by any process are accounted for.
- '';
- };
- };
 };
 example = {
 WatchdogDevice = "/dev/watchdog";
@@ -703,9 +677,13 @@ in
 config.boot.extraSystemdUnitPaths != [ ]
 ) "${builtins.concatStringsSep ":" config.boot.extraSystemdUnitPaths}:";
 };
- systemd.settings.Manager.ManagerEnvironment = lib.concatStringsSep " " (
- lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment
- );
+ systemd.settings.Manager = {
+ ManagerEnvironment = lib.concatStringsSep " " (
+ lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment
+ );
+ DefaultIOAccounting = lib.mkDefault true;
+ DefaultIPAccounting = lib.mkDefault true;
+ };

 system.requiredKernelConfig = map config.lib.kernelConfig.isEnabled [
 "DEVTMPFS"
@@ -832,5 +810,9 @@ in
 [ "systemd" "watchdog" "kexecTime" ]
 [ "systemd" "settings" "Manager" "KExecWatchdogSec" ]
 )
+ (mkRemovedOptionModule [
+ "systemd"
+ "enableCgroupAccounting"
+ ] "To disable cgroup accounting, disable systemd.settings.Manager.*Accounting directly.")
 ];
 }

From 6cd6573d41643a989a7e3f11fc3b4d2fd5484720 Mon Sep 17 00:00:00 2001
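Review bot: `DefaultIOAccounting` and `DefaultIPAccounting` become soft defaults here (`lib.mkDefault true`) at the same moment PATCH 19/21 drops netdata's `systemd.enableCgroupAccounting = true;` without a replacement, so nothing in the tree asserts accounting any more and a user's `systemd.settings.Manager.DefaultIOAccounting = false;` is honoured silently; if netdata's cgroup collection relies on that accounting (it set the option for a reason), its per-unit metrics degrade with no evaluation-time signal. If that dependency is real, put `systemd.settings.Manager = { DefaultIOAccounting = true; DefaultIPAccounting = true; };` in netdata.nix in place of the removed line, so an opposing definition should surface as a conflicting definition rather than be applied. With the typed options removed in the hunk above, the rationale for these two keys now lives only in the option's `defaultText`; a why-comment at the assignment, e.g. `# Keep per-unit IO/IP accounting on by default so unit-level resource and traffic usage stays observable; override with = false.`, would preserve it. The enclosing `config` attrset starts and ends outside the hunk.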
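Review bot: The removal message added at the end of this hunk points users at `systemd.settings.Manager.*Accounting`, a glob rather than an option path, while the previous hunk sets exactly two keys; naming them makes the evaluation error actionable: `] "To disable cgroup accounting, set systemd.settings.Manager.DefaultIOAccounting and/or systemd.settings.Manager.DefaultIPAccounting to false.")`. The release note in PATCH 21/21 repeats the same glob and would benefit from the same wording. Since the PATCH 18/21 message states that CPU accounting is unconditional in systemd 258, "disable cgroup accounting" also promises more than the remaining knobs can deliver; "disable IO/IP accounting" is the accurate phrasing. The enclosing list starts outside the hunk.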
From: Grimmauld
Date: Mon, 21 Jul 2025 08:51:59 +0200
Subject: [PATCH 21/21] nixos/doc/rl-2511: document rfc42 conversion for systemd.extraConfig

---
 nixos/doc/manual/release-notes/rl-2511.section.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md
index b03412275d90..ee3df919cf4c 100644
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -141,6 +141,13 @@
 - `libvirt` now supports using `nftables` backend.
+- `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively. - `systemd.watchdog.runtimeTime` was renamed to `systemd.settings.Manager.RuntimeWatchdogSec` - `systemd.watchdog.device` was renamed to `systemd.settings.Manager.WatchdogDevice` - `systemd.watchdog.rebootTime` was renamed to `systemd.settings.Manager.RebootWatchdogSec` - `systemd.watchdog.kexecTime` was renamed to `systemd.settings.Manager.KExecWatchdogSec` - `systemd.enableCgroupAccounting` was removed. Cgroup accounting now needs to be disabled directly using `systemd.settings.Manager.*Accounting`.
+
 - `services.ntpd-rs` now performs configuration validation.
 - `services.postsrsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.postsrsd.configurePostfix](#opt-services.postsrsd.configurePostfix) option.
