diff --git a/article.md b/article.md index b4db06f..bde1a42 100644 --- a/article.md +++ b/article.md 
@@ -12,14 +12,14 @@ What NixOS does - it generates systemd configuration files in accordance to NixO ## overview of systemd services integration within NixOS configuration -NixOS features lots of systemd services, which are ready to use (without even knowing what systemd is) just by setting appropriate options in `configuration.nix`. For example, write `services.netdata.enable = true;` to enable [Netdata](https://www.netdata.cloud/) monitoring service. Documentation for all related options can be found on the [website](https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.) or in `man configuration.nix` (also in `man home-configuration.nix` for [managing desktop](https://github.com/nix-community/home-manager) user services). Often many useful high-level tunables are available as `services..*` options. +NixOS features lots of systemd services, which are ready to use (without even knowing what systemd is) just by setting appropriate options in `configuration.nix`. For example, write `services.netdata.enable = true;` to enable [Netdata](https://www.netdata.cloud/) monitoring service. Documentation for all related options can be found on the [website](https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.) or in `man configuration.nix` _(also in `man home-configuration.nix` for [managing desktop](https://github.com/nix-community/home-manager) user services)_. Often many useful high-level tunables are available as `services..*` options. When services, provided by NixOS, are insufficient or additional tuning is demanded, `systemd.services..*` set of options comes into play. They allow to define custom systemd services or modify existing ones. 
Regardless of the origin of a systemd service (provided by NixOS or written by yourself), `systemd` native directives for sections such as `[Unit]` and `[Service]` can be specified accordingly in the following [nix attribute sets](https://nixos.org/manual/nix/stable/language/values.html#attribute-set): * `[Unix]`: `systemd.services..unitConfig = { SYSTEMD_DIRECTIVE = VALUE; ... }` * `[Service]`: `systemd.services..serviceConfig = { SYSTEMD_DIRECTIVE = VALUE; ... }` -String values must be enclosed in double quotes. Boolean values are written as `true` and `false`. This is just [Nix syntax](https://nixos.org/manual/nix/stable/language/index.html#overview). +String values must be enclosed in double quotes. Boolean values are written as `true` and `false`. This is just [Nix language syntax](https://nixos.org/manual/nix/stable/language/index.html#overview). `[Install]` section directives such as `Alias`, `WantedBy` and `RequiredBy` can be specified as [nix lists](https://learnxinyminutes.com/docs/nix/) in: 
@@ -180,15 +180,20 @@ _By specifying `1`, we're instructing `iptables` to insert the rule at the begin ## testing, monitoring, analyzing -### basic systemd commands for diagnostics +### some useful commands for diagnostics of systemd services -- `systemctl status`, `systemctl restart`, `systemctl cat`, `htop` tree - -`systemd-analyze`'s words "`SAFE`", "`EXPOSED`" and "`UNSAFE`" do not mean the factual situation, rather whether various systemd hardedning features are in use or not. - -To monitor systemd service output in real time, you can use `journalctl -u nginx -f` (by analogy with `tail -f`). - -In case you want to see logs only for previous boot, use `-1`, like here `journalctl -b-1 -u nginx`. +- `systemctl list-unit-files` - list of all units with their current status +- `systemctl start ` +- `systemctl restart ` +- `systemctl stop ` +- `systemctl status ` - unit state, started/stopped timestamps , running processes, etc +- `systemctl cat ` - contents of a systemd unit file, generated by NixOS +- `systemctl show ` - actual properties of a systemd unit in effect +- `journalctl -u -f` - to monitor systemd service output in real time (by analogy with `tail -f`) +- `journalctl -b-1 -u ` - in case you want to see logs only for previous boot +- `systemd-analyze security` - show security summary for all running services ("`SAFE`", "`EXPOSED`" and "`UNSAFE`" do not mean the factual situation, rather whether various systemd hardedning features are in use or not) +- `systemd-analyze security ` - show more detailed analysis for the specified service +- `htop` using tree view (`F5`) - to inspect the whole tree of processes/threads ### cgroups
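Review bot: In the hunk at -12,14, the unchanged bullet for `unitConfig` is labelled `[Unix]`, which is not a systemd section; the sentence just above it names `[Unit]` and `[Service]`, so the bullet should read `[Unit]`. This change already edits the lines on both sides of that bullet, so it is worth fixing in the same commit. The option paths in this hunk also read `services..*`, `systemd.services..*` and `systemd.services..unitConfig` with nothing between the two dots; if a service-name placeholder was meant there, write it in a form that survives rendering, otherwise readers cannot tell where their unit name goes.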
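Review bot: In the hunk at -180,15, the added entry "`systemctl list-unit-files` - list of all units with their current status" describes the wrong thing: `list-unit-files` lists installed unit files with their enablement state (enabled, disabled, static and so on), while the runtime state of loaded units comes from `systemctl list-units`. Either reword the description or list both commands. In the added `systemd-analyze security` entry, "hardedning" is carried over from the removed text and should be "hardening"; the caveat in that parenthetical (the rating reflects which hardening features are in use, not the factual situation) is the part readers most need, so consider keeping it as its own sentence under the list instead of inside a bullet. Smaller points: "timestamps ," has a stray space before the comma, and the `start`, `restart`, `stop`, `status`, `cat`, `show` and `journalctl -u` entries show no unit-name argument.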