Set resource limits for user sessions.
This commit is contained in:
@@ -5,6 +5,7 @@
|
||||
# Note: unattended-encryption is NOT included by default - add it explicitly where needed
|
||||
imports = [
|
||||
./impermanence.nix
|
||||
./resource-limits.nix
|
||||
./sshd.nix
|
||||
./user-ppetru.nix
|
||||
./systemd-boot.nix
|
||||
|
||||
44
common/resource-limits.nix
Normal file
44
common/resource-limits.nix
Normal file
@@ -0,0 +1,44 @@
|
||||
{ ... }:
|
||||
{
|
||||
# Resource limits for user sessions to prevent system wedging
|
||||
#
|
||||
# Modern systemd/cgroups v2 approach to resource control (replaces ulimits).
|
||||
# Limits apply to all user sessions (SSH, GUI, etc.) but NOT to system services.
|
||||
#
|
||||
# Rationale:
|
||||
# - Prevents runaway user processes (nix builds, compiles, etc.) from consuming
|
||||
# all resources and making the system unresponsive
|
||||
# - System services (Nomad jobs, Consul, NFS, etc.) run outside user.slice and
|
||||
# are unaffected by these limits
|
||||
# - Ensures SSH access remains responsive even under heavy load
|
||||
#
|
||||
# CPU: Uses CPUWeight (not CPUQuota) so user sessions can use 100% when idle,
|
||||
# but system services get priority (1.25x) during contention
|
||||
# Memory: Soft limit at 90% (triggers pressure/reclaim), hard limit at 95%
|
||||
# Gives 5% warning buffer before OOM kills
|
||||
|
||||
systemd.slices.user = {
|
||||
sliceConfig = {
|
||||
# CPU weight: 80 vs default 100 for system services
|
||||
# When idle: user sessions use all available CPU
|
||||
# Under contention: system services get 1.25x CPU share
|
||||
CPUWeight = "80";
|
||||
|
||||
# Memory soft limit: triggers reclaim and memory pressure
|
||||
# User will notice slowdown but processes keep running
|
||||
MemoryHigh = "90%";
|
||||
|
||||
# Memory hard limit: OOM killer targets user.slice
|
||||
# 5% buffer between MemoryHigh and MemoryMax provides warning
|
||||
MemoryMax = "95%";
|
||||
|
||||
# Limit number of tasks (processes/threads)
|
||||
# Prevents fork bombs while still allowing nix builds
|
||||
TasksMax = "4096";
|
||||
|
||||
# Lower I/O priority slightly
|
||||
# System services get preference during I/O contention
|
||||
IOWeight = "90";
|
||||
};
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user