Slides for my talk "Yes, even you can harden your systemd services!" are up now on my homepage: https://axiomatization.space/slides/39c3-systemd-hardening.pdf

Thanks again to my wonderful audience!

#39C3 #NixOS #systemd

There are two things I really only started appreciating enough since I found NixOS (or it found me, or whatever).

One of them is the Linux kernel itself, and the other is systemd.

When I think about the operating system on my computer, the first image that comes to mind is the kernel and/or systemd, depending on what the last thing I just got done working on was. This is not, in fact, because I have a high number of hours under my belt with respect to either of those things; as compared to a lot of people, I really don't. It is, instead, the way that both of those things integrate seamlessly into the rest of the config, which is to say the exact same file that's been there since day 1, that declares the rest of the operating system as well. Having the entire setup declared like this actually, properly makes both the kernel and systemd subjectively FEEL like they are crucial pieces of the operating system. They are objectively that, whether they feel that way or not, of course. So the feeling is more accurate, in other words. It takes most of the mental overhead away, too, at least for me. You are at this point, quite literally, making low level changes at a high level of abstraction. There's nothing that feels like it's in your way. It feels like you have total control over the software that runs on your hardware, and at that, at a level far deeper than anything other than NixOS ever would, or ever could present in such a tangible way. It feels that way because that's what it is.

This is why I not only don't say I use Linux without putting GNU in front of it, but also why I don't call it at all, that even with GNU in front of it: I never have felt directly connected to the GNU core utils, and I still don't. I also know that that feeling would be lost if, hypothetically of course, I were to ditch NixOS in favor of anything else—be that Windows, Mac OS, or any other Linux distribution I've ever heard of while we're at it. I have almost no time on any BSD, but I don't count that anyway, because it's a completely different kernel and it also lacks systemd, and if we're going all the way back then it predates anything else I can honestly, technically say I've "used."

I literally just tell people the meme that's directly copied from the other meme: I use NixOS, btw.

It's its own thing entirely, by design.

#Linux #LinuxKernel #systemd #NixOS #Random

#livekit installation for #Matrix #Web-RTC in native rootless pods via #Quadlet.

I have to admit, to my shame, that I relied heavily on AI for the #systemd integration. I'm not sure I could have managed it on my own.

That has to get easier!

Now only the connection to the reverse proxy is missing, then A/V calls should also work with #ElementX.

#Podman

A #nixos #flake #part that lets a #grafana #dashboard be auto-added to any flake. Shows #psi #pressure #cgroups & #systemd processes.

https://codeberg.org/adingbatponder/reticulum_nixos_flake/src/branch/main/features/monitoring

(Handles existing #grafana installs: adds another #dashboard. Import tested on a few machines. Feedback or issue reports welcome.)

@arianvp @mdione @EduNET_LK @bustikiller

TIL: Restarting systemd services on sustained CPU abuse

I kept finding avahi-daemon pegging the CPU in some of my LXC containers, and I wanted a service policy that behaves like a human would: limit it to 10%, restart immediately if peg(...)

#avahi #cpu #limiting #linux #lxc #monitoring #performance #systemd #watchdog

https://taoofmac.com/space/til/2025/12/28/1400
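A systemd drop-in applying the 10% CPU cap the post talks about, as an added example rather than the linked TIL's own configuration (which is truncated above); only the service name avahi-daemon comes from the post, everything else is an assumption:

```ini
# /etc/systemd/system/avahi-daemon.service.d/cpu-limit.conf
# Added example, not the linked post's config. Apply with:
#   systemctl daemon-reload && systemctl restart avahi-daemon
# Verify the cap is in effect:
#   systemctl show avahi-daemon -p CPUQuotaPerSecUSec   (expect 100ms)
#   systemd-cgtop                                       (live per-unit CPU)

[Unit]
# Rate-limit restarts so a persistently broken daemon cannot flap forever:
# at most 5 starts within 10 minutes, then the unit is marked failed.
StartLimitIntervalSec=600
StartLimitBurst=5

[Service]
# Hard ceiling through the cgroup cpu controller: 10% of one CPU.
# This only throttles the cgroup; it never kills the process, so a
# runaway loop stays alive but can no longer starve the host.
CPUQuota=10%
# Come back immediately whenever the daemon dies or is killed, e.g. by
# an external check that decides the pegging has gone on too long
# (that detection is not part of this drop-in).
Restart=always
RestartSec=0
```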

@sb I remember how complicated it was to create a service using #SysV #initscript and how it's not compatible between distros (the initscript template on Debian is different from Red Hat's template).

Love #systemd because the systemd unit file resolves that problem for me. Systemd unit files are easier to write and read. And they're universal across distros.

But make sure first, because the consequence of changing the #systemd #journald storage configuration to volatile is that logs will not be available after a reboot when a crash occurs.

Adjust it to your own needs.

In my experience running many #VM or #container (nested in a VM or directly on bare metal) on a single bare-metal host, the bottleneck is usually not processor capacity.

It might be RAM capacity, but RAM is easy to add (even though RAM prices are crazy right now).

But often the bottleneck is the #iorate, especially if the storage is backed by #hdd.

One trick to reduce the I/O rate is to change the #systemd #journald storage configuration to "volatile".
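The journald setting from these two posts, as an added example (not the poster's own config), with the default beside the volatile variant, the caveat about crash logs, and a milder option; the file path, size cap and interval values are assumptions:

```ini
# /etc/systemd/journald.conf.d/io.conf
# Added example, not from the post. Apply with:
#   systemctl restart systemd-journald
# Check what is actually stored and where:
#   journalctl --disk-usage ; ls /run/log/journal /var/log/journal

[Journal]
# Default. auto = persistent under /var/log/journal if that directory
# exists, otherwise volatile under /run/log/journal (tmpfs).
#Storage=auto

# The post's trick: keep the journal only in RAM. Journal writes to the
# HDD drop to zero, but nothing survives a reboot, so after a crash
# there is no journal left to read with `journalctl -b -1`.
Storage=volatile
# Bound the tmpfs footprint so a chatty guest cannot eat host RAM
# (the default is 15% of the size of /run).
RuntimeMaxUse=64M

# Milder alternative if you need logs after a crash: stay persistent and
# fsync less often. CRIT/ALERT/EMERG messages are still synced at once,
# so the last lines before a kernel panic are usually kept.
#Storage=persistent
#SyncIntervalSec=15min
```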

Why do so many people who refuse to learn #systemd somehow feel smarter than people who do learn it?

Make it make sense.

#Linux

I have made peace with #systemd. It may even be good.

It has embraced and extended Linux's UNIX origins.

The extinguish phase is gonna be wild.