doc: add systemd chapter #142282
doc: add systemd chapter #142282
Conversation
github-actions
bot
added
the
8.has: documentation
ofborg
bot
added
10.rebuild-darwin: 0
|
Note that there are already a couple chapters about systemd in the manual. So, you may want to merge or move them. |
|
Should not this rather go to NixOS manual? |
|
@happysalada thanks for starting this! Can you make the PR a draft until it is ready to merge? |
|
This should indeed go to nixos manual. |
doc/using/systemd.chapter.md
Outdated
|
|
||
| From the [project's webpage](https://systemd.io/) | ||
| ``` | ||
| systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. |
There was a problem hiding this comment.
I guess, quoting (i.e. > systemd is [...]) is more correct here semantically, right?
There was a problem hiding this comment.
oh instead of a triple backtick, sure, works for me.
doc/using/systemd.chapter.md
Outdated
| - Initialisation of state and dependents (e.g. database) | ||
| Talk about adding a systemd service to handle database initialisation | ||
| - Database management | ||
| Talk about connection via a unix socket for more performance and reduced secret management |
There was a problem hiding this comment.
Perhaps you should link these to the actual resource, correct?
There was a problem hiding this comment.
I was thinking about adding links to examples in nixpkgs. What do you mean by actual resource ? Perhaps the article that explains why that is ? I don't think I've ever seen it explained all together, more like pieces of the puzzles everywhere. Some place tells you about default authentication method on postgres, and then I've seen somewhere the fact that performances are actually improved with a unix socket. I can probably find 2 references for each of those phenomenon.
There was a problem hiding this comment.
What do you mean by actual resource
Anything where I can read up how to use the mentioned features :)
Also, while I appreciated the overall idea, a general suggestion: we shouldn't duplicate too much systemd docs here because we'll risk having outdated information here in that case, but for now this document seems quite OK (just thought I'd mention this) :)
There was a problem hiding this comment.
Agreed on this. I'm going to try to just describe how things should be used, without giving too much details. Please comment if you see things that you think can potentially rot. It's important to not have documentation that requires too much maintenance.
github-actions
bot
added
the
6.topic: nixos
|
I implemented changes in a separate commit, but it's just for people involved in the PR to track changes more easily. I've moved the systemd chapter under nixos/doc/manual/development and put the systemd chapter right after the module chapter. I've only populated 2 chapters and a half. The style is a little clumsy, I've tried to add the content I want to describe. Feel free to suggest better sentences, or just signal if you feel a section deserves more attention. I tried to add examples to each section, but all the example basically refer to the one module that I wrote. I'm sure there are better examples, feel free to suggest any if a better modules comes to mind. I've left the original section on systemd in the manual and added a little it. Basically the original section was describing how to do service management, so on the point of view of the cli. I added the |
ofborg
bot
added
10.rebuild-linux: 1-10
and removed
10.rebuild-linux: 0
| To pass secret data to a systemd service, systemd has the `LoadCredential` mechanism. | ||
| By passing a file path to systemd, it will make sure that the file is available to the process under a specific path. | ||
| The load credential attribute takes an id a colon and a file path | ||
| let's have a look at an [example](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/lemmy.nix#L182) |
There was a problem hiding this comment.
Maybe a permalink like this https://github.com/NixOS/nixpkgs/blob/3b0bff383f8e894b1ee7a30b62c8b727a68511df/nixos/modules/services/web-apps/lemmy.nix#L182 is better?
There was a problem hiding this comment.
Thinking about those, I thought it would be better to just include the code-snippet rather than a link.
My next iteration will just have the relevant snippets just copied.
There was a problem hiding this comment.
Let's at lest do a permalink for now so that the line doesn't get lost and we can do snippets later.
|
|
||
| Note that this requires your application to read secrets from a file. | ||
|
|
||
| If your service can only read secrets through environment variables, the best alternative is to ask the end user to pass an `environmentFile` containing the secrets. |
There was a problem hiding this comment.
Would be nice to document how that's done or link to an example
| To pass secret data to a systemd service, systemd has the `LoadCredential` mechanism. | ||
| By passing a file path to systemd, it will make sure that the file is available to the process under a specific path. | ||
| The load credential attribute takes an id a colon and a file path | ||
| let's have a look at an [example](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/lemmy.nix#L182) |
There was a problem hiding this comment.
Let's at lest do a permalink for now so that the line doesn't get lost and we can do snippets later.
| ### Secret management {#sec-systemd-secrets} | ||
|
|
||
| To pass secret data to a systemd service, systemd has the `LoadCredential` mechanism. | ||
| By passing a file path to systemd, it will make sure that the file is available to the process under a specific path. |
There was a problem hiding this comment.
It is probably a good idea to explicitly highlight that any path in the Nix store is world-readable so in order for this secret to be secret it needs to be managed outside of NixOS.
|
Thanks a lot for commenting to both of you! I have this task for the holidays to finish this PR.
|
|
|
||
| Most databases have 2 modes of connection, over TCP or over Unix socket. Connecting over a unix socket can provide 2 advantages | ||
| - 30% performance improvement as packets don't need to be encoder over TCP | ||
| - The default authentication mode postgres on unix sockets is just with the user name. This will remove the need to manage the password secret |
There was a problem hiding this comment.
| - The default authentication mode postgres on unix sockets is just with the user name. This will remove the need to manage the password secret | |
| - The default authentication mode postgres on unix sockets relies on the client's uid provided by the kernel, rather than a password that you need to be care for. |
There was a problem hiding this comment.
Though it being based on uid, this may be tricky across uid namespaces and therefore containers. I vaguely recall a nixpkgs issue or stackoverflow question about this, but I couldn't find it.
| Systemd is a building block of most nixos modules. | ||
|
|
||
| From the [project's webpage](https://systemd.io/) | ||
| ``` |
There was a problem hiding this comment.
This isn't code but a quote. You should probably use > syntax instead.
|
A react emoji isn't enough -- thank you for this. this will be invaluable to have. |
There was a problem hiding this comment.
some style points that caused me to hesitate while reading
it may be a bit early to start nitpicking
please ignore all of this if it'll take away time from substantive work
(especially the spell checking, which is non-exhaustive)
i'd love to do a more in-depth pass when this is closer to completion (or after it's merged)
thanks for doing this, i look forward to having it in the manual
| [Systemd official website](https://systemd.io/) | ||
| [Wikipedia](https://en.wikipedia.org/wiki/Systemd) | ||
| [Archlinux Wiki](https://wiki.archlinux.org/title/Systemd) | ||
| [Systemd announcement from Lennart Poettering (one of the 2 original developpers of systemd)](http://0pointer.de/blog/projects/systemd.html) |
There was a problem hiding this comment.
| [Systemd announcement from Lennart Poettering (one of the 2 original developpers of systemd)](http://0pointer.de/blog/projects/systemd.html) | |
| [Systemd announcement from Lennart Poettering (one of the 2 original developers of systemd)](http://0pointer.de/blog/projects/systemd.html) |
| } | ||
| ``` | ||
|
|
||
| A file can be passed as well with `environmentFile`. If both are passed, `environmentFile` takes precedence over `environment` |
There was a problem hiding this comment.
| A file can be passed as well with `environmentFile`. If both are passed, `environmentFile` takes precedence over `environment` | |
| A file can be passed in with `environmentFile`. If both are used, `environmentFile` takes precedence over `environment` |
|
|
||
| To pass secret data to a systemd service, systemd has the `LoadCredential` mechanism. | ||
| By passing a file path to systemd, it will make sure that the file is available to the process under a specific path. | ||
| The load credential attribute takes an id a colon and a file path |
There was a problem hiding this comment.
| The load credential attribute takes an id a colon and a file path | |
| The load credential attribute takes an id, a colon and a file path |
| ``` | ||
| LoadCredential = "jwt_secret:${cfg.jwtSecretPath}"; | ||
| ``` | ||
| Inside your application, the jwt secret will be available under `$CREDENTIALS_DIRECTORY/jwt_secret` environment variable. |
There was a problem hiding this comment.
| Inside your application, the jwt secret will be available under `$CREDENTIALS_DIRECTORY/jwt_secret` environment variable. | |
| Inside your application, the jwt secret will be available under the `$CREDENTIALS_DIRECTORY/jwt_secret` environment variable. |
|
|
||
| Note that this requires your application to read secrets from a file. | ||
|
|
||
| If your service can only read secrets through environment variables, the best alternative is to ask the end user to pass an `environmentFile` containing the secrets. |
There was a problem hiding this comment.
| If your service can only read secrets through environment variables, the best alternative is to ask the end user to pass an `environmentFile` containing the secrets. | |
| If your service can only read secrets through environment variables, the best alternative is to ask the end user to pass in an `environmentFile` containing the secrets. |
| PartOf: | ||
| - use `partOf = [ "B" ];`, if service A needs to re-started when service B is. | ||
|
|
||
| Note that `wants,requires,bindsTo` are orthogonal to `after`. The most common occurence in nixpkgs is `requires` and `after`. |
There was a problem hiding this comment.
"and" makes it sound (to me) like the 2 most common occurrences are being listed
| Note that `wants,requires,bindsTo` are orthogonal to `after`. The most common occurence in nixpkgs is `requires` and `after`. | |
| Note that `wants,requires,bindsTo` are orthogonal to `after`. The most common occurrence in nixpkgs is `requires` with `after`. |
| ### Examples {#sec-systemd-handling-dependencies-examples} | ||
|
|
||
| - Web-app dependency on a database. If the web-app cannot start without the database, use `requires` and `after`. If you would rather have it operate even without a database use `wants` and `after`. [example in nixpkgs](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/lemmy.nix#L169) | ||
| - Database migration and setup script for a web-app. It is common to make a service for database setup and migration. This service should be `partOf` the webapp service as everytime the webapp is restarted, this service should be restarted as well. |
There was a problem hiding this comment.
| - Database migration and setup script for a web-app. It is common to make a service for database setup and migration. This service should be `partOf` the webapp service as everytime the webapp is restarted, this service should be restarted as well. | |
| - Database migration and setup script for a web-app. It is common to make a service for database setup and migration. This service should be `partOf` the web-app service as every time the web-app restarts, this service should be restarted as well. |
| - Web-app dependency on a database. If the web-app cannot start without the database, use `requires` and `after`. If you would rather have it operate even without a database use `wants` and `after`. [example in nixpkgs](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/lemmy.nix#L169) | ||
| - Database migration and setup script for a web-app. It is common to make a service for database setup and migration. This service should be `partOf` the webapp service as everytime the webapp is restarted, this service should be restarted as well. | ||
| [example in nixpkgs](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/lemmy.nix#L214) | ||
| - A web-app has two separate services, a UI and a server. The ui `requires` `after` the server. [example in nixpkgs](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/lemmy.nix#L205) |
There was a problem hiding this comment.
this is hard to parse as a sentence, also hard to keep it short :)
| - A web-app has two separate services, a UI and a server. The ui `requires` `after` the server. [example in nixpkgs](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/lemmy.nix#L205) | |
| - A web-app with two separate services, a UI and a server. The UI `requires` the server and starts `after` it. [example in nixpkgs](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/lemmy.nix#L205) |
| - 30% performance improvement as packets don't need to be encoder over TCP | ||
| - The default authentication mode postgres on unix sockets is just with the user name. This will remove the need to manage the password secret | ||
|
|
||
| Therefore the default for database connection for services is recommended to be with a unix socket. For postgres for example, the `host` needs to start with a `/`. |
There was a problem hiding this comment.
| Therefore the default for database connection for services is recommended to be with a unix socket. For postgres for example, the `host` needs to start with a `/`. | |
| Therefore the recommended default for database connections for services is a unix socket. With postgres for example, `host` needs to start with a `/`. |
| The initialisation service should be run by the database superuser so as not to require sudo. | ||
| Typically it will involve creating the database and the user. | ||
| There will be a step to see if the database is already created. | ||
| That check is best implemented by going throug the created tables and exiting if the table already exists. |
There was a problem hiding this comment.
| That check is best implemented by going throug the created tables and exiting if the table already exists. | |
| That check is best implemented by going through the created tables and exiting if the table already exists. |
stale
bot
added
the
2.status: stale
|
Any reason this hasn't been merged? |
stale
bot
removed
the
2.status: stale
|
This was too early in the process its just incomplete. If anyone ever wants to take it up, they are more than welcome to take any part they want |
wegank
added
the
12.approvals: 1
wegank
added
2.status: stale
stale
bot
removed
the
2.status: stale
wegank
added
the
2.status: stale
|
FYI I'm working on #328472 and will pick this PR up afterwards if no one beats me to it, at least for the credentials part. |
stale
bot
removed
the
2.status: stale
wegank
added
the
2.status: stale
Motivation for this change
Systemd has many features, some useful to create modules, but most features are hard to discover and use if you don't already know about them. This is an attempt at covering the basics that are useful in nixpkgs
see #102397 for more details.
Please note that this is still an overview, I would like feedback on
I will populate each sections shortly, ideally there is consensus on the sections and their order before that.
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)