This commit is contained in:
Daniel Langbein 2023-11-22 15:14:29 +01:00
parent 29ba2548d9
commit 40c2c8a8b0
Signed by: langfingaz
GPG Key ID: 6C47C753F0823002
2 changed files with 30 additions and 4 deletions


@ -31,11 +31,11 @@ See also:
* [Add NUR with niv](#add-nur-with-niv)
* [Colmena: Deployment and secret management](#colmena-deployment-and-secret-management)
* [BTRFS swap file](#btrfs-swap-file)
* [BTRFS CoW](#btrfs-cow)
* [LUKS Parameters](#luks-parameters)
* [Automount encrypted drive](#automount-encrypted-drive)
* [Failed services](#failed-services)
* [Garbage collection](#garbage-collection)
* [References](#references)
<!-- TOC -->
## NixOS installation
@ -354,9 +354,32 @@ Summary:
* Regenerate hardware-configuration: `sudo nixos-generate-config --dir hosts/$(hostname)`
* Add `swapDevices = [ { device = "/swap/swapfile"; } ];` to hardware configuration and run `nixos-rebuild switch` (see above).
## BTRFS CoW
* https://wiki.archlinux.org/title/btrfs#Disabling_CoW
The Arch wiki has the following warning about disabling CoW:
> Disabling CoW in Btrfs also disables checksums. Btrfs will not be able to detect corrupted nodatacow files. When combined with RAID 1, power outages or other sources of corruption can cause the data to become out of sync.
Thus, we e.g. don't disable CoW for increased DB performance.
When systemd initially creates its journal file, it warns us about enabled CoW:
> Creating journal file /var/log/journal/.../system.journal on a btrfs file system, and copy-on-write is enabled. This is likely to slow down journal access substantially, please consider turning off the copy-on-write file attribute on the journal directory, using chattr +C.
As corruption of log files is not dramatic, we disable CoW for `/var/log` with
```shell
sudo chattr +C /var/log
```
Note from Arch wiki:
> If the 'C' flag is set on a directory, it will have no effect on the directory, but new files created in that directory will have the No_COW attribute.
## LUKS Parameters
**Warning**: NixOS has a hardcoded timeout of 10 seconds when opening encrypted drives during boot. Please choose `--iter-time` <= `5000`.
**Warning**: NixOS has a hardcoded timeout of 10 seconds when opening encrypted drives during boot. Please choose `--iter-time` <= `7500`.
* https://github.com/NixOS/nixpkgs/blob/ed2ccd4d1748e52d5d28c440d5be4b25a4f21c08/nixos/modules/system/boot/luksroot.nix#L498
* https://github.com/NixOS/nixpkgs/blob/ed2ccd4d1748e52d5d28c440d5be4b25a4f21c08/nixos/modules/system/boot/luksroot.nix#L30
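Review bot: the `--iter-time` bound moves from `5000` to `7500` in the LUKS Parameters warning, but the hunk gives no justification while still citing the same hardcoded 10-second boot timeout; state why 7500 ms leaves enough margin (for example a measured unlock time on the slowest host) or keep the more conservative value. In the BTRFS CoW section, the Arch note quoted at the end says the `C` flag on a directory only affects files created afterwards, so `sudo chattr +C /var/log` does not change an already existing `system.journal` and the journald warning will keep appearing until that file is recreated; the text should say so. The earlier Arch quote also states that disabling CoW disables checksums, so the sentence "As corruption of log files is not dramatic" should acknowledge that corrupted files under `/var/log` will no longer be detected by btrfs at all.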
@ -364,7 +387,6 @@ Summary:
## Automount encrypted drive
~~* Generate and add keyfile to LUKS device~~
* Use the same password for all attached LUKS devices to be only prompted once while booting
* Discussion: https://discourse.nixos.org/t/how-to-unlock-some-luks-devices-with-a-keyfile-on-a-first-luks-device/18949/11
* Related NixOS config option: https://github.com/NixOS/nixpkgs/blob/ed2ccd4d1748e52d5d28c440d5be4b25a4f21c08/nixos/modules/system/boot/luksroot.nix#L570-L584
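Review bot: the keyfile step at `~~* Generate and add keyfile to LUKS device~~` is struck through rather than removed, and no reason is given for abandoning it; either delete the line or add a short note next to the discourse link explaining why a shared password is preferred, since "Use the same password for all attached LUKS devices" replaces a per-device secret with a single passphrase and readers should see that this is deliberate.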


@ -31,6 +31,10 @@
# journalctl -b -p5 -o json-pretty
# Then press "/", enter a pattern and press "Enter".
# TODO: Wait until issue is resolved
# https://github.com/NixOS/nixpkgs/issues/267857
# /etc/tmpfiles.d/tmp.conf:11: Duplicate line for path "/tmp", ignoring.
assertions = [{
assertion = config.services.opensmtpd.enable;
message = "journalwatch requires a configured sendmail MTA, see sendmail-mta.nix.";
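Review bot: the comment `# TODO: Wait until issue is resolved` followed by the link to nixpkgs issue 267857 and the quoted message `/etc/tmpfiles.d/tmp.conf:11: Duplicate line for path "/tmp", ignoring.` does not say which setting depends on that issue or what should be changed once it is fixed, and it sits directly above the unrelated `assertions` block; move the TODO next to the setting it refers to and name the follow-up action so it can be resolved without rediscovering the context.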
@ -38,7 +42,7 @@
services.journalwatch = {
enable = true;
# TODO: Same as configured by sendmail MTA.
# Same as configured by sendmail MTA.
mailFrom = "langbein@mail.de";
mailTo = "daniel+journalwatch@systemli.org";
#interval = "hourly";
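Review bot: changing `# TODO: Same as configured by sendmail MTA.` to a plain comment leaves `mailFrom = "langbein@mail.de";` as a literal that must be kept in sync with the MTA configuration by hand; either reference the value set in sendmail-mta.nix instead of duplicating the address, or keep the TODO until that is done. The commented-out `#interval = "hourly";` line should also either be removed or carry a comment saying why the default interval is kept.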