swann: reduce write activity on disk
This commit is contained in:
parent
edf6671aff
commit
615c30ed54
1 changed files with 775 additions and 768 deletions
@ -5,12 +5,14 @@
{ depot, lib, pkgs, config, ... }:
|
{ depot, lib, pkgs, config, ... }:
|
||||||
let
|
let
|
||||||
inherit (depot.ops) secrets;
|
inherit (depot.ops) secrets;
|
||||||
|
inherit (lib) mkMerge mkForce;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
# We include this just so it sets some sysctls and firewall settings.
|
# We include this just so it sets some sysctls and firewall settings.
|
||||||
../lib/bgp.nix
|
../lib/bgp.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
config = mkMerge [ {
|
||||||
boot.initrd.availableKernelModules = [
|
boot.initrd.availableKernelModules = [
|
||||||
"sd_mod"
|
"sd_mod"
|
||||||
"ahci"
|
"ahci"
|
||||||
|
@ -66,10 +68,16 @@ in {
|
||||||
};
|
};
|
||||||
en-gnet = {
|
en-gnet = {
|
||||||
useDHCP = true;
|
useDHCP = true;
|
||||||
|
ipv4.addresses = [
|
||||||
|
{ address = "192.168.201.2"; prefixLength = 24; }
|
||||||
|
];
|
||||||
# Additional options configured in networkd.
|
# Additional options configured in networkd.
|
||||||
};
|
};
|
||||||
en-ee = {
|
en-ee = {
|
||||||
useDHCP = true;
|
useDHCP = true;
|
||||||
|
ipv4.addresses = [
|
||||||
|
{ address = "192.168.200.2"; prefixLength = 24; }
|
||||||
|
];
|
||||||
# Additional options configured in networkd.
|
# Additional options configured in networkd.
|
||||||
};
|
};
|
||||||
en-general = {
|
en-general = {
|
||||||
|
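Review bot: The added `ipv4.addresses` entries sit directly under `useDHCP = true` with no comment, so a reader cannot tell whether the static 192.168.201.2 / 192.168.200.2 addresses are meant to coexist with the DHCP lease or are a leftover from a previous scheme. Presumably the fixed address keeps the uplink's private 192.168.20x.0/24 subnet reachable (the `From = "192.168.200.0/24"` policy rule further down the file sends that range via the `ee` table) while the public lease still arrives over DHCP; that intent belongs in the file. Suggested comment above each `ipv4.addresses = [`: `# Fixed address on the uplink's private /24 in addition to the DHCP lease, so the gateway stays reachable regardless of lease state — confirm.` The `en-general` block that follows is cut off by the hunk.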
@ -98,29 +106,6 @@ in {
|
||||||
interface = "en-general";
|
interface = "en-general";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
localCommands = ''
|
|
||||||
ip -4 route flush table 151 >/dev/null 2>&1 || true
|
|
||||||
ip -4 route add 92.118.30.0/31 dev wg-tuvok-vm table 151
|
|
||||||
ip -4 route add default via 92.118.30.1 dev wg-tuvok-vm table 151
|
|
||||||
ip -6 route flush table 151 >/dev/null 2>&1 || true
|
|
||||||
ip -6 route add 2a09:a442::1:0/112 dev wg-tuvok-vm table 151
|
|
||||||
ip -6 route add default via 2a09:a442::1:2 dev wg-tuvok-vm table 151
|
|
||||||
|
|
||||||
ip -4 route flush table 152 >/dev/null 2>&1 || true
|
|
||||||
ip -4 route add 92.118.30.2/31 dev wg-tuvok-ee table 152
|
|
||||||
ip -4 route add default via 92.118.30.3 dev wg-tuvok-ee table 152
|
|
||||||
ip -6 route flush table 152 >/dev/null 2>&1 || true
|
|
||||||
ip -6 route add 2a09:a442::2:0/112 dev wg-tuvok-ee table 152
|
|
||||||
ip -6 route add default via 2a09:a442::2:2 dev wg-tuvok-ee table 152
|
|
||||||
|
|
||||||
ip -4 route flush table 153 >/dev/null 2>&1 || true
|
|
||||||
ip -4 route add 92.118.30.4/31 dev wg-tuvok-gnet table 153
|
|
||||||
ip -4 route add default via 92.118.30.5 dev wg-tuvok-gnet table 153
|
|
||||||
ip -6 route flush table 153 >/dev/null 2>&1 || true
|
|
||||||
ip -6 route add 2a09:a442::3:0/112 dev wg-tuvok-gnet table 153
|
|
||||||
ip -6 route add default via 2a09:a442::3:2 dev wg-tuvok-gnet table 153
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
systemd.network = let
|
systemd.network = let
|
||||||
hexToInt = h: (builtins.fromTOML "h = ${h}").h;
|
hexToInt = h: (builtins.fromTOML "h = ${h}").h;
|
||||||
|
@ -222,26 +207,37 @@ in {
|
||||||
Table = table;
|
Table = table;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
in let
|
||||||
|
routeTables = {
|
||||||
|
bgp = 150;
|
||||||
|
wg-vm = 151;
|
||||||
|
wg-ee = 152;
|
||||||
|
wg-gnet = 153;
|
||||||
|
ee = 201;
|
||||||
|
vm = 202;
|
||||||
|
gnet = 203;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
config.routeTables = routeTables;
|
||||||
networks."50-wg-tuvok-vm" = wireguardNetwork {
|
networks."50-wg-tuvok-vm" = wireguardNetwork {
|
||||||
linkName = "wg-tuvok-vm";
|
linkName = "wg-tuvok-vm";
|
||||||
relativePriority = 2;
|
relativePriority = 2;
|
||||||
rtID = 151;
|
rtID = routeTables.wg-vm;
|
||||||
v4Linknet = "92.118.30.0";
|
v4Linknet = "92.118.30.0";
|
||||||
v6Linknet = "2a09:a442::1:1";
|
v6Linknet = "2a09:a442::1:1";
|
||||||
};
|
};
|
||||||
networks."50-wg-tuvok-ee" = wireguardNetwork {
|
networks."50-wg-tuvok-ee" = wireguardNetwork {
|
||||||
linkName = "wg-tuvok-ee";
|
linkName = "wg-tuvok-ee";
|
||||||
relativePriority = 3;
|
relativePriority = 3;
|
||||||
rtID = 152;
|
rtID = routeTables.wg-ee;
|
||||||
v4Linknet = "92.118.30.2";
|
v4Linknet = "92.118.30.2";
|
||||||
v6Linknet = "2a09:a442::2:1";
|
v6Linknet = "2a09:a442::2:1";
|
||||||
};
|
};
|
||||||
networks."50-wg-tuvok-gnet" = wireguardNetwork {
|
networks."50-wg-tuvok-gnet" = wireguardNetwork {
|
||||||
linkName = "wg-tuvok-gnet";
|
linkName = "wg-tuvok-gnet";
|
||||||
relativePriority = 1;
|
relativePriority = 1;
|
||||||
rtID = 153;
|
rtID = routeTables.wg-gnet;
|
||||||
v4Linknet = "92.118.30.4";
|
v4Linknet = "92.118.30.4";
|
||||||
v6Linknet = "2a09:a442::3:1";
|
v6Linknet = "2a09:a442::3:1";
|
||||||
};
|
};
|
||||||
|
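Review bot: `routeTables` names the IDs but says nothing about what the two ranges (150–153, 201–203) mean or what they must stay clear of, so a reader cannot tell whether `bgp = 150` is chosen here or has to match the daemon configured by the imported `../lib/bgp.nix`. Suggested comment above `routeTables = {`: `# Policy-routing table IDs. 15x: egress over the wg-tuvok-* tunnels plus the BGP table; 20x: direct egress per physical uplink. Must not collide with kernel tables 253–255 (default/main/local) or with the table bgp.nix programs — confirm.` Since `config.routeTables = routeTables;` now registers the names with networkd, the `Table =` fields could use the names rather than the numbers so `ip rule` and `ip route show table <name>` output is self-describing, if the NixOS option type accepts strings there. The enclosing `systemd.network = let … in` expression starts before this hunk.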
@ -285,32 +281,32 @@ in {
|
||||||
routingPolicyRuleConfig = {
|
routingPolicyRuleConfig = {
|
||||||
Family = "both";
|
Family = "both";
|
||||||
Priority = 10080;
|
Priority = 10080;
|
||||||
Table = 150;
|
Table = routeTables.bgp;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
networks."40-en-ee" = (physicalNetwork 201 "0xdead" [{
|
networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{
|
||||||
routingPolicyRuleConfig = {
|
routingPolicyRuleConfig = {
|
||||||
# add-on.ee.co.uk goes via EE.
|
# add-on.ee.co.uk goes via EE.
|
||||||
To = "82.192.97.153/32";
|
To = "82.192.97.153/32";
|
||||||
Table = 201;
|
Table = routeTables.ee;
|
||||||
Priority = 10031;
|
Priority = 10031;
|
||||||
};
|
};
|
||||||
} {
|
} {
|
||||||
routingPolicyRuleConfig = {
|
routingPolicyRuleConfig = {
|
||||||
# as does anything from 192.168.200.0/24.
|
# as does anything from 192.168.200.0/24.
|
||||||
From = "192.168.200.0/24";
|
From = "192.168.200.0/24";
|
||||||
Table = 201;
|
Table = routeTables.ee;
|
||||||
Priority = 10031;
|
Priority = 10031;
|
||||||
};
|
};
|
||||||
}]) // {
|
}]) // {
|
||||||
linkConfig.RequiredForOnline = "no";
|
linkConfig.RequiredForOnline = "no";
|
||||||
};
|
};
|
||||||
networks."40-en-virginmedia" = (physicalNetwork 202 "0xbeef" []) // {
|
networks."40-en-virginmedia" = (physicalNetwork routeTables.vm "0xbeef" []) // {
|
||||||
linkConfig.RequiredForOnline = "no";
|
linkConfig.RequiredForOnline = "no";
|
||||||
};
|
};
|
||||||
networks."40-en-gnet" = (physicalNetwork 203 "0xcafe" []);
|
networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" []);
|
||||||
|
|
||||||
netdevs = let
|
netdevs = let
|
||||||
wireguard = { name, listenPort, privateKey, endpoint, publicKey, fwmark }: {
|
wireguard = { name, listenPort, privateKey, endpoint, publicKey, fwmark }: {
|
||||||
|
@ -416,8 +412,8 @@ in {
|
||||||
authoritative = true;
|
authoritative = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
shared-network int {
|
shared-network int {
|
||||||
default-lease-time 600;
|
default-lease-time 3600;
|
||||||
max-lease-time 3600;
|
max-lease-time 86400;
|
||||||
option interface-mtu 1420; # Wireguard
|
option interface-mtu 1420; # Wireguard
|
||||||
|
|
||||||
subnet 192.168.1.0 netmask 255.255.255.0 {
|
subnet 192.168.1.0 netmask 255.255.255.0 {
|
||||||
|
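Review bot: The lease-time increase is the one part of this commit that changes client-visible behaviour and it is unexplained in place; with `max-lease-time 86400` a client that asks for the maximum holds its address for a day after it leaves, so the pools in this shared-network need headroom for that churn. Suggested comment above `default-lease-time 3600;`: `# Longer leases: dhcpd appends to dhcpd.leases on every renewal, so fewer renewals means fewer disk writes (see the 'Minimize writes' block). Size pools for day-long stale leases.` Note that the leases database itself still lives on persistent storage unless dhcpd's state directory is moved, so this reduces rather than removes the writes. The dhcpd `extraConfig` continues outside the hunk.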
@ -816,4 +812,15 @@ in {
};
};
system.stateVersion = "21.03";
system.stateVersion = "21.03";
} {
# Minimize writes to storage.
boot.tmpOnTmpfs = true;
services.journald.extraConfig = ''
Storage=volatile
'';
systemd.services.tailscaled.environment.TS_LOGS_DIR = "/var/run/tailscale";
services.unifi.enable = mkForce false;
my.vault.enable = mkForce false;
} ];
}
}
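Review bot: `Storage=volatile` discards the journal on every reboot or crash and nothing in this block forwards it anywhere, so on a host that terminates WireGuard peers, speaks BGP and hands out DHCP leases the only local record of who connected when disappears exactly when an incident or an unexpected reboot makes it matter. If no collector exists, at least record the trade-off next to the setting: `# Journal lives in /run only: nothing survives a reboot. Forward to a remote journal/syslog if an audit trail is needed.` `TS_LOGS_DIR` uses `/var/run/tailscale`; `/var/run` is a compatibility symlink to `/run`, so `/run/tailscale` is the canonical path, and the directory has to exist before tailscaled starts (confirm the unit's RuntimeDirectory provides it). The two `mkForce false` lines silently override whatever enables UniFi and Vault elsewhere in the tree; a one-line comment stating why each is off on this host would stop the next maintainer from re-enabling them or hunting for the override.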