commit e371299aac27cc903bbb981b27851dc806ef304c parent 173690f36831772c0ce06c58d84bba46d9b9e36e Author: Vincent Demeester <vincent@sbr.pm> Date: Tue, 22 Feb 2022 18:05:59 +0100 systems/modules: fix buildkitd socket rights Signed-off-by: Vincent Demeester <vincent@sbr.pm> Diffstat:
M | systems/modules/virtualisation/buildkit.nix | | | 33 | +++++++++++++-------------------- |
1 file changed, 13 insertions(+), 20 deletions(-)
diff --git a/systems/modules/virtualisation/buildkit.nix b/systems/modules/virtualisation/buildkit.nix @@ -44,32 +44,25 @@ in users.groups.buildkit.gid = 350; environment.systemPackages = [ cfg.package ]; systemd.packages = [ cfg.package ]; - systemd.services.buildkitd = { after = [ "network.target" "containerd.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = [ - "" - '' - ${cfg.package}/bin/buildkitd \ - ${cfg.extraOptions} - '' - ]; - }; - path = [ cfg.package ] ++ cfg.packages; - }; - + ExecStart = ''${cfg.package}/bin/buildkitd --addr=unix:///run/buildkit/buildkitd.sock --group=buildkit ${cfg.extraOptions}''; + Delegate = "yes"; + KillMode = "process"; + Type = "notify"; + Restart = "always"; + RestartSec = "10"; - systemd.sockets.buildkitd = { - description = "Buildkitd Socket for the API"; - wantedBy = [ "sockets.target" ]; - socketConfig = { - ListenStream = "/run/buildkitd/buildkitd.sock"; - SocketMode = "0660"; - SocketUser = "root"; - SocketGroup = "buildkit"; + # "limits" defined below are adopted from upstream: https://github.com/containerd/containerd/blob/master/containerd.service + LimitNPROC = "infinity"; + LimitCORE = "infinity"; + LimitNOFILE = "infinity"; + TasksMax = "infinity"; + OOMScoreAdjust = "-999"; }; + path = [ cfg.package ] ++ cfg.packages; }; };
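Review bot: The new `ExecStart` line is now the only place that defines who may reach the buildkitd API socket, and nothing in the unit records that policy. The removed `systemd.sockets.buildkitd` block spelled out `SocketMode = "0660"`, `SocketUser = "root"` and `SocketGroup = "buildkit"`, whereas the mode of the socket and of `/run/buildkit` now depends on what buildkitd itself does for `--group=buildkit`. No `User=` is set in the visible `serviceConfig`, so the daemon presumably runs as root; a comment above `ExecStart` such as `# socket is created by buildkitd, not systemd; members of "buildkit" can drive this root daemon, so treat the group as root-equivalent` would make that explicit. Because `${cfg.extraOptions}` is appended after `--addr` and `--group`, a value set there can presumably add another listener or replace the group, which is worth stating in the option's description. The option declarations sit outside this hunk, so this may already be documented there.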