nixos/systemd-oomd: Add a new module + test

          Add udev rules for the Teensy family of microcontrollers.

        </para>

      </listitem>

      <listitem>

        <para>

          systemd-oomd is enabled by default. Depending on which systemd

          units have <literal>ManagedOOMSwap=kill</literal> or

          <literal>ManagedOOMMemoryPressure=kill</literal>, systemd-oomd

          will SIGKILL all the processes under the appropriate

          descendant cgroups when the configured limits are exceeded.

          NixOS does currently not configure cgroups with oomd by

          default, this can be enabled using

          <link xlink:href="options.html#opt-systemd.oomd.enableRootSlice">systemd.oomd.enableRootSlice</link>,

          <link xlink:href="options.html#opt-systemd.oomd.enableSystemSlice">systemd.oomd.enableSystemSlice</link>,

          and

          <link xlink:href="options.html#opt-systemd.oomd.enableUserServices">systemd.oomd.enableUserServices</link>.

        </para>

      </listitem>

      <listitem>

        <para>

          The <literal>pass-secret-service</literal> package now

- Add udev rules for the Teensy family of microcontrollers.

- systemd-oomd is enabled by default. Depending on which systemd units have

  `ManagedOOMSwap=kill` or `ManagedOOMMemoryPressure=kill`, systemd-oomd will

  SIGKILL all the processes under the appropriate descendant cgroups when the

  configured limits are exceeded. NixOS does currently not configure cgroups

  with oomd by default, this can be enabled using

  [systemd.oomd.enableRootSlice](options.html#opt-systemd.oomd.enableRootSlice),

  [systemd.oomd.enableSystemSlice](options.html#opt-systemd.oomd.enableSystemSlice),

  and [systemd.oomd.enableUserServices](options.html#opt-systemd.oomd.enableUserServices).

- The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API.

- There is a new module for AMD SEV CPU functionality, which grants access to the hardware.

  ./system/boot/systemd/journald.nix

  ./system/boot/systemd/logind.nix

  ./system/boot/systemd/nspawn.nix

  ./system/boot/systemd/oomd.nix

  ./system/boot/systemd/shutdown.nix

  ./system/boot/systemd/tmpfiles.nix

  ./system/boot/systemd/user.nix

{ config, lib, ... }: let

  cfg = config.systemd.oomd;

in {

  options.systemd.oomd = {

    enable = lib.mkEnableOption "the systemd-oomd OOM killer" // { default = true; };

    # Fedora enables the first and third option by default. See the 10-oomd-* files here:

    # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac351025597

    enableRootSlice = lib.mkEnableOption "oomd on the root slice (-.slice)";

    enableSystemSlice = lib.mkEnableOption "oomd on the system slice (system.slice)";

    enableUserServices = lib.mkEnableOption "oomd on all user services (user@.service)";

    extraConfig = lib.mkOption {

      type = with lib.types; attrsOf (oneOf [ str int bool ]);

      default = {};

      example = lib.literalExpression ''{ DefaultMemoryPressureDurationSec = "20s"; }'';

      description = ''

        Extra config options for systemd-oomd. See man oomd.conf

        for available options.

      '';

    };

  };

  config = lib.mkIf cfg.enable {

    systemd.additionalUpstreamSystemUnits = [

      "systemd-oomd.service"

      "systemd-oomd.socket"

    ];

    systemd.services.systemd-oomd.wantedBy = [ "multi-user.target" ];

    environment.etc."systemd/oomd.conf".text = lib.generators.toINI {} {

      OOM = cfg.extraConfig;

    };

    systemd.oomd.extraConfig.DefaultMemoryPressureDurationSec = lib.mkDefault "20s"; # Fedora default

    users.users.systemd-oom = {

      description = "systemd-oomd service user";

      group = "systemd-oom";

      isSystemUser = true;

    };

    users.groups.systemd-oom = { };

    systemd.slices."-".sliceConfig = lib.mkIf cfg.enableRootSlice {

      ManagedOOMSwap = "kill";

    };

    systemd.slices."system".sliceConfig = lib.mkIf cfg.enableSystemSlice {

      ManagedOOMSwap = "kill";

    };

    systemd.services."user@".serviceConfig = lib.mkIf cfg.enableUserServices {

      ManagedOOMMemoryPressure = "kill";

      ManagedOOMMemoryPressureLimit = "50%";

    };

  };

}

  systemd-networkd-ipv6-prefix-delegation = handleTest ./systemd-networkd-ipv6-prefix-delegation.nix {};

  systemd-networkd-vrf = handleTest ./systemd-networkd-vrf.nix {};

  systemd-nspawn = handleTest ./systemd-nspawn.nix {};

  systemd-oomd = handleTest ./systemd-oomd.nix {};

  systemd-shutdown = handleTest ./systemd-shutdown.nix {};

  systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};

  systemd-misc = handleTest ./systemd-misc.nix {};