feat(system/limits): add reusable system limits module

- Created a `limits` module to centralize system limit configurations. - Replaced inlined user and systemd limits with the new module on aarch64 and x86_64 platforms. - Simplifies maintenance and ensures consistency across configurations.
2025-03-20 09:39:45 +01:00 · 2025-03-20 09:39:45 +01:00 · e68012ff09
parent 6f89baaf94
commit e68012ff09
3 changed files with 65 additions and 34 deletions
--- a/modules/nixos/system/limits/default.nix
+++ b/modules/nixos/system/limits/default.nix
@ -0,0 +1,46 @@
+{
+  options,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.metacfg;
+let
+  cfg = config.metacfg.system.limits;
+in
+{
+  options.metacfg.system.limits = with types; {
+    enable = mkBoolOpt false "Whether or not to enable system limits configuration.";
+    nofileLimit = mkOption {
+      type = types.int;
+      default = 32768;
+      description = "Maximum number of open file descriptors per process.";
+    };
+    memlockLimit = mkOption {
+      type = types.int;
+      default = 32768;
+      description = "Maximum locked-in-memory address space.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.user.extraConfig = "DefaultLimitNOFILE=${toString cfg.nofileLimit}";
+
+    security.pam.loginLimits = [
+      {
+        domain = "*";
+        item = "nofile";
+        type = "-";
+        value = toString cfg.nofileLimit;
+      }
+      {
+        domain = "*";
+        item = "memlock";
+        type = "-";
+        value = toString cfg.memlockLimit;
+      }
+    ];
+  };
+}
--- a/systems/aarch64-linux/m4nix/default.nix
+++ b/systems/aarch64-linux/m4nix/default.nix
@ -16,6 +16,15 @@ with lib.metacfg;
    nix.enable = true;
    podman.enable = true;
    secureboot.enable = false;
+
+    system = {
+      limits = {
+        enable = true;
+        nofileLimit = 32768;
+        memlockLimit = 32768;
+      };
+    };
+
    tools = {
      direnv.enable = true;
    };
@ -71,22 +80,5 @@ with lib.metacfg;
    allowReboot = false;
  };

-  systemd.user.extraConfig = "DefaultLimitNOFILE=32768";
-
-  security.pam.loginLimits = [
-    {
-      domain = "*";
-      item = "nofile";
-      type = "-";
-      value = "32768";
-    }
-    {
-      domain = "*";
-      item = "memlock";
-      type = "-";
-      value = "32768";
-    }
-  ];
-
  system.stateVersion = "23.11";
 }
--- a/systems/x86_64-linux/x1/default.nix
+++ b/systems/x86_64-linux/x1/default.nix
@ -21,6 +21,16 @@ with lib.metacfg;
    podman.enable = true;
    secureboot.enable = true;
    homeprinter.enable = true;
+
+    system = {
+      limits = {
+        enable = true;
+        nofileLimit = 32768;
+        memlockLimit = 32768;
+      };
+    };
+
+    # User configuration
    tools = {
      direnv.enable = true;
    };
@ -77,23 +87,6 @@ with lib.metacfg;

  services.trezord.enable = true;

-  systemd.user.extraConfig = "DefaultLimitNOFILE=32768";
-
-  security.pam.loginLimits = [
-    {
-      domain = "*";
-      item = "nofile";
-      type = "-";
-      value = "32768";
-    }
-    {
-      domain = "*";
-      item = "memlock";
-      type = "-";
-      value = "32768";
-    }
-  ];
-
  services.ollama = {
    enable = false;
    acceleration = "rocm";