# This is a "service unit file" for the systemd init system to launch
# 'guix-daemon'.  Drop it in /etc/systemd/system or similar to have
# 'guix-daemon' automatically started.
#
# Tokens of the form @name@ (e.g. @localstatedir@, @storedir@) are
# placeholders that are filled in when this template is instantiated
# (hence the '.in' suffix); the unfilled file is not valid for systemd.
# Comments must stay on their own line: systemd does not strip trailing
# '#' or ';' text from a value.

[Unit]
Description=Build daemon for GNU Guix

# Start before 'gnu-store.mount' to get a writable view of the store.
Before=gnu-store.mount

[Service]
# The daemon binary comes from root's current Guix profile, so upgrading
# that profile changes what is executed here.  '--discover=no' turns off
# automatic discovery of substitute servers on the local network, so only
# the configured '--substitute-urls' list is used.  NOTE(review): recall
# that substitutes from those servers are only accepted if their signing
# keys are authorized on this machine; the URL list alone does not grant
# trust.
ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix-daemon \
    --discover=no \
    --substitute-urls='@GUIX_SUBSTITUTE_URLS@'
# Each quoted item is one VAR=value assignment (systemd Environment=
# syntax).  GUIX_LOCPATH points at the locale data of root's profile so
# that the UTF-8 locale named by LC_ALL can be loaded.
Environment='GUIX_STATE_DIRECTORY=@localstatedir@/guix' 'GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8

# Stop the gnu-store.mount so that the daemon can capture the store as
# read-write in its private mount namespace.
# See <https://codeberg.org/guix/guix/issues/4744>.
#
# Command prefixes: '-' ignores a non-zero exit status; '+' runs the
# command with full privileges, i.e. outside the User=, capability and
# mount-namespace restrictions below, which is needed to drive systemctl.
# Only these two helper commands are privileged; the daemon itself is not.
# '--no-block' returns as soon as the start job is queued instead of
# waiting for the mount to complete.
ExecStartPre=-+systemctl stop gnu-store.mount
ExecStartPost=-+systemctl start gnu-store.mount --no-block

# Run under a dedicated unprivileged user account.
User=guix-daemon

# Bind-mount the store read-write in a private namespace, to counter the
# effect of 'gnu-store.mount'.
PrivateMounts=true
BindPaths=@storedir@
# Disable host file system mount propagation to keep service view of the
# store read-write after 'gnu-store.mount' makes it read-only system-wide.
MountFlags=private
# Mitigate race condition between guix-daemon and 'gnu-store.mount'.
# Dependent units will only start after daemon binary is started AND THUS
# the mount point is acquired in a private namespace.
# (Type=exec considers the unit started once exec() of the daemon binary
# has succeeded, not merely after fork(), which is what makes the ordering
# above reliable.)
Type=exec

# Provide the CAP_CHOWN capability so that guix-daemon can create and chown
# /var/guix/profiles/per-user/$USER and also chown failed build directories
# when using '--keep-failed'.  Note that guix-daemon explicitly drops ambient
# capabilities before executing build processes so they don't inherit them.
# NOTE(review): because the service runs as the unprivileged User= above,
# the ambient set is expected to be the only capability the daemon holds;
# no CapabilityBoundingSet= is configured here, so the default bounding
# set applies -- confirm if tightening is wanted.
AmbientCapabilities=CAP_CHOWN

# Daemon diagnostics and build output go to the journal (journalctl -u).
StandardOutput=journal
StandardError=journal

# Work around a nasty systemd ‘feature’ that kills the entire process tree
# (including the daemon!) if any child, such as cc1plus, runs out of memory.
# With 'continue' only the OOM-killed child dies; the unit stays running.
OOMPolicy=continue

# Despite the name, this is rate-limited: a broken daemon will eventually fail.
# The limit is governed by StartLimitIntervalSec=/StartLimitBurst= in
# [Unit]; none are set here, so the systemd defaults apply.
Restart=always

# See <https://lists.gnu.org/archive/html/guix-devel/2016-04/msg00608.html>.
# Some package builds (for example, go@1.8.1) may require even more than
# 1024 tasks.
# This caps the number of tasks (processes and threads) in the service's
# cgroup, which includes every build process the daemon spawns; keep it a
# finite value rather than 'infinity' so a runaway build cannot exhaust the
# host's process table.
TasksMax=8192

[Install]
# 'systemctl enable' hooks the unit into the normal multi-user boot target.
WantedBy=multi-user.target