Perfecting Arbitrary Systemd Services with NixOS

I’ve just discovered pkgs.fetchgit in nixos, which enables us elegantly deploy things straight out of git into systemd services.

Here is a simple python service i wrote to serve active dhcp leases as json:

  systemd.services.kea-lease-server = let
    src = pkgs.fetchgit {
      url = "https://github.com/nihr43/kea-lease-server.git";
      rev = "0962c18";
      sha256 = "129q7q1s4329ykk5mdc7zzd8p6d6d0kpx3wlfrv2x9g2smj7q007";
    };
  in {
    after = [ "kea-dhcp4-server.service" ];
    wants = [ "kea-dhcp4-server.service" ];
    wantedBy = [ "default.target" ];
    serviceConfig.Type = "simple";
    serviceConfig.WorkingDirectory = "${src}";
    environment = { NIX_PATH = "nixpkgs=${pkgs.path}"; };
    script = ''
      ${pkgs.nix}/bin/nix-shell --run 'python main.py --host 172.30.190.1'
    '';
  };

The key here is src = pkgs.fetchgit, and serviceConfig.WorkingDirectory = "${src}";. Notice my entrypoint is nix-shell, so dependencies will be sourced from default.nix in that project at runtime.

Why is this a big deal? Everything here is statically declared, everything is ephemeral. WorkingDirectory is just a path under /nix/store/ that will eventually be garbage collected when not referenced anymore.

Heres the generated unit file:

[Unit]
After=kea-dhcp4-server.service
Wants=kea-dhcp4-server.service

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/fiinrcd99rnhgq9jws1pc9dk3dwzgmfd-glibc-locales-2.40-66/lib/locale/locale-archive"
Environment="NIX_PATH=nixpkgs=/nix/store/4zqa9z2dw36j8h29pgvbppmxj4ag1hdh-nixos"
Environment="PATH=/nix/store/9m68vvhnsq5cpkskphgw84ikl9m6wjwp-coreutils-9.5/bin:/nix/store/vc2d1bfy1a5y1195nq7k6p0zcm6q89nx-findutils-4.10.0/bin:/nix/store/qjsj5vnbfpbg6r7jhd7znfgmcy0arn8n-gnugrep-3.11/bin:/nix/store/3ks7b6p43dpvnlnxgvlcy2jaf1np37p2-gnused-4.9/bin:/nix/store/w9qcpyhjrxsqrps91wkz8r4mqvg9zrxc-systemd-256.10/bin:/nix/store/9m68vvhnsq5cpkskphgw84ikl9m6wjwp-coreutils-9.5/sbin:/nix/store/vc2d1bfy1a5y1195nq7k6p0zcm6q89nx-findutils-4.10.0/sbin:/nix/store/qjsj5vnbfpbg6r7jhd7znfgmcy0arn8n-gnugrep-3.11/sbin:/nix/store/3ks7b6p43dpvnlnxgvlcy2jaf1np37p2-gnused-4.9/sbin:/nix/store/w9qcpyhjrxsqrps91wkz8r4mqvg9zrxc-systemd-256.10/sbin"
Environment="TZDIR=/nix/store/l6mypzy4rvkxd5kwzs18d88syirislib-tzdata-2024b/share/zoneinfo"
ExecStart=/nix/store/kr0k33vsshsrf0p0msb56vhmgyshkd32-unit-script-kea-lease-server-start/bin/kea-lease-server-start
Type=simple
WorkingDirectory=/nix/store/n1y0pd37vsyyrbjf85kgrnk7bis2wzl5-kea-lease-server-0962c18

[Install]
WantedBy=default.target

which is itself a link to an artifact in the nix store:

stat /etc/systemd/system/kea-lease-server.service
  File: /etc/systemd/system/kea-lease-server.service -> /nix/store/4r1bw3spxzzpg961k60s8ccj0nhvbbk6-unit-kea-lease-server.service/kea-lease-server.service
...

Heres the ephemeral working directory:

ls /nix/store/n1y0pd37vsyyrbjf85kgrnk7bis2wzl5-kea-lease-server-0962c18
default.nix  justfile  main.py

This is all (99%) of the packaging isolation of containers; with greater efficiency because we aren’t duplicating an entire filesystem.

We can of course achieve greater system and resource isolation with additional systemd features:

systemd.services.kea-lease-server = let
  src = pkgs.fetchgit {
    url = "https://github.com/nihr43/kea-lease-server.git";
    rev = "0962c18";
    sha256 = "129q7q1s4329ykk5mdc7zzd8p6d6d0kpx3wlfrv2x9g2smj7q007";
  };
in {
  after = [ "kea-dhcp4-server.service" ];
  wants = [ "kea-dhcp4-server.service" ];
  wantedBy = [ "default.target" ];
  serviceConfig = {
    Type = "simple";
    WorkingDirectory = "${src}";
    MemoryMax = "1G";
    CPUQuota = "200%";
    ProtectHome = true;
    PrivateDevices = true;
    PrivateTmp = true;
    PrivatePID = true;
  };
  environment = {
    NIX_PATH = "nixpkgs=${pkgs.path}";
  };
  script = ''
    ${pkgs.nix}/bin/nix-shell --run 'python main.py --host 172.30.190.1'
  '';
};

This example of course unfortunately is running as root for kea-specific reasons for which i’m still looking for a workaround.

Upgrading the package with nixa is as easy as this:

nix-shell --run 'python3 nixa'
10.0.0.0 is reachable
applying modules ['gateway.nix', 'grub_sda_common.nix'] to gateway: ['10.0.0.0']
10.0.0.0:
---

+++

@@ -55,8 +55,8 @@

   systemd.services = let
     src = pkgs.fetchgit {
       url = "https://github.com/nihr43/kea-lease-server.git";
-      rev = "0962c18";
-      sha256 = "129q7q1s4329ykk5mdc7zzd8p6d6d0kpx3wlfrv2x9g2smj7q007";
+      rev = "9fc481a";
+      sha256 = "0q803ryilgm6ryhz5jrz6g42mjkrk6n2pap6j4jlz4i48n36z7is";
     };
   in {
     kea-lease-server = {
rebuilding NixOS on 10.0.0.0

sha256 can be found with nix-prefetch-git --url ... --rev ....

Nathan Hensel

on caving, mountaineering, networking, computing, electronics

2025-03-28