Set resource limits for user sessions.
This commit is contained in:
@@ -5,6 +5,7 @@
|
|||||||
# Note: unattended-encryption is NOT included by default - add it explicitly where needed
|
# Note: unattended-encryption is NOT included by default - add it explicitly where needed
|
||||||
imports = [
|
imports = [
|
||||||
./impermanence.nix
|
./impermanence.nix
|
||||||
|
./resource-limits.nix
|
||||||
./sshd.nix
|
./sshd.nix
|
||||||
./user-ppetru.nix
|
./user-ppetru.nix
|
||||||
./systemd-boot.nix
|
./systemd-boot.nix
|
||||||
|
|||||||
44
common/resource-limits.nix
Normal file
44
common/resource-limits.nix
Normal file
@@ -0,0 +1,44 @@
|
|||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
# Resource limits for user sessions to prevent system wedging
|
||||||
|
#
|
||||||
|
# Modern systemd/cgroups v2 approach to resource control (replaces ulimits).
|
||||||
|
# Limits apply to all user sessions (SSH, GUI, etc.) but NOT to system services.
|
||||||
|
#
|
||||||
|
# Rationale:
|
||||||
|
# - Prevents runaway user processes (nix builds, compiles, etc.) from consuming
|
||||||
|
# all resources and making the system unresponsive
|
||||||
|
# - System services (Nomad jobs, Consul, NFS, etc.) run outside user.slice and
|
||||||
|
# are unaffected by these limits
|
||||||
|
# - Ensures SSH access remains responsive even under heavy load
|
||||||
|
#
|
||||||
|
# CPU: Uses CPUWeight (not CPUQuota) so user sessions can use 100% when idle,
|
||||||
|
# but system services get priority (1.25x) during contention
|
||||||
|
# Memory: Soft limit at 90% (triggers pressure/reclaim), hard limit at 95%
|
||||||
|
# Gives 5% warning buffer before OOM kills
|
||||||
|
|
||||||
|
systemd.slices.user = {
|
||||||
|
sliceConfig = {
|
||||||
|
# CPU weight: 80 vs default 100 for system services
|
||||||
|
# When idle: user sessions use all available CPU
|
||||||
|
# Under contention: system services get 1.25x CPU share
|
||||||
|
CPUWeight = "80";
|
||||||
|
|
||||||
|
# Memory soft limit: triggers reclaim and memory pressure
|
||||||
|
# User will notice slowdown but processes keep running
|
||||||
|
MemoryHigh = "90%";
|
||||||
|
|
||||||
|
# Memory hard limit: OOM killer targets user.slice
|
||||||
|
# 5% buffer between MemoryHigh and MemoryMax provides warning
|
||||||
|
MemoryMax = "95%";
|
||||||
|
|
||||||
|
# Limit number of tasks (processes/threads)
|
||||||
|
# Prevents fork bombs while still allowing nix builds
|
||||||
|
TasksMax = "4096";
|
||||||
|
|
||||||
|
# Lower I/O priority slightly
|
||||||
|
# System services get preference during I/O contention
|
||||||
|
IOWeight = "90";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user