harald/nixcfg
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

feat(system/limits): add reusable system limits module

Browse source 
- Created a `limits` module to centralize system limit configurations.
- Replaced inlined user and systemd limits with the new module on aarch64 and x86_64 platforms.
- Simplifies maintenance and ensures consistency across configurations.
This commit is contained in:
Harald Hoyer 2025-03-20 09:39:45 +01:00
parent 6f89baaf94
commit e68012ff09
3 changed files with 65 additions and 34 deletions
modules/nixos/system/limits
default.nix
systems
aarch64-linux/m4nix
default.nix
x86_64-linux/x1
default.nix

46
modules/nixos/system/limits/default.nix Normal file
View file

@ -0,0 +1,46 @@
{
options,
config,
lib,
pkgs,
...
}:
with lib;
with lib.metacfg;
let
cfg = config.metacfg.system.limits;
in
{
options.metacfg.system.limits = with types; {
enable = mkBoolOpt false "Whether or not to enable system limits configuration.";
nofileLimit = mkOption {
type = types.int;
default = 32768;
description = "Maximum number of open file descriptors per process.";
};
memlockLimit = mkOption {
type = types.int;
default = 32768;
description = "Maximum locked-in-memory address space.";
};
};
config = mkIf cfg.enable {
systemd.user.extraConfig = "DefaultLimitNOFILE=${toString cfg.nofileLimit}";
security.pam.loginLimits = [
{
domain = "*";
item = "nofile";
type = "-";
value = toString cfg.nofileLimit;
}
{
domain = "*";
item = "memlock";
type = "-";
value = toString cfg.memlockLimit;
}
];
};
}

26
systems/aarch64-linux/m4nix/default.nix
View file

@ -16,6 +16,15 @@ with lib.metacfg;
nix.enable = true; nix.enable = true;
podman.enable = true; podman.enable = true;
secureboot.enable = false; secureboot.enable = false;
system = {
limits = {
enable = true;
nofileLimit = 32768;
memlockLimit = 32768;
};
};
tools = { tools = {
direnv.enable = true; direnv.enable = true;
}; };
@ -71,22 +80,5 @@ with lib.metacfg;
allowReboot = false; allowReboot = false;
}; };
systemd.user.extraConfig = "DefaultLimitNOFILE=32768";
security.pam.loginLimits = [
{
domain = "*";
item = "nofile";
type = "-";
value = "32768";
}
{
domain = "*";
item = "memlock";
type = "-";
value = "32768";
}
];
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }

27
systems/x86_64-linux/x1/default.nix
View file

@ -21,6 +21,16 @@ with lib.metacfg;
podman.enable = true; podman.enable = true;
secureboot.enable = true; secureboot.enable = true;
homeprinter.enable = true; homeprinter.enable = true;
system = {
limits = {
enable = true;
nofileLimit = 32768;
memlockLimit = 32768;
};
};
# User configuration
tools = { tools = {
direnv.enable = true; direnv.enable = true;
}; };
@ -77,23 +87,6 @@ with lib.metacfg;
services.trezord.enable = true; services.trezord.enable = true;
systemd.user.extraConfig = "DefaultLimitNOFILE=32768";
security.pam.loginLimits = [
{
domain = "*";
item = "nofile";
type = "-";
value = "32768";
}
{
domain = "*";
item = "memlock";
type = "-";
value = "32768";
}
];
services.ollama = { services.ollama = {
enable = false; enable = false;
acceleration = "rocm"; acceleration = "rocm";