swann: reduce write activity on disk

This commit is contained in:
Luke Granger-Brown 2022-03-13 17:34:23 +00:00
parent edf6671aff
commit 615c30ed54


@ -5,12 +5,14 @@
{ depot, lib, pkgs, config, ... }: { depot, lib, pkgs, config, ... }:
let let
inherit (depot.ops) secrets; inherit (depot.ops) secrets;
inherit (lib) mkMerge mkForce;
in { in {
imports = [ imports = [
# We include this just so it sets some sysctls and firewall settings. # We include this just so it sets some sysctls and firewall settings.
../lib/bgp.nix ../lib/bgp.nix
]; ];
config = mkMerge [ {
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"sd_mod" "sd_mod"
"ahci" "ahci"
@ -66,10 +68,16 @@ in {
}; };
en-gnet = { en-gnet = {
useDHCP = true; useDHCP = true;
ipv4.addresses = [
{ address = "192.168.201.2"; prefixLength = 24; }
];
# Additional options configured in networkd. # Additional options configured in networkd.
}; };
en-ee = { en-ee = {
useDHCP = true; useDHCP = true;
ipv4.addresses = [
{ address = "192.168.200.2"; prefixLength = 24; }
];
# Additional options configured in networkd. # Additional options configured in networkd.
}; };
en-general = { en-general = {
@ -98,29 +106,6 @@ in {
interface = "en-general"; interface = "en-general";
}; };
}; };
localCommands = ''
ip -4 route flush table 151 >/dev/null 2>&1 || true
ip -4 route add 92.118.30.0/31 dev wg-tuvok-vm table 151
ip -4 route add default via 92.118.30.1 dev wg-tuvok-vm table 151
ip -6 route flush table 151 >/dev/null 2>&1 || true
ip -6 route add 2a09:a442::1:0/112 dev wg-tuvok-vm table 151
ip -6 route add default via 2a09:a442::1:2 dev wg-tuvok-vm table 151
ip -4 route flush table 152 >/dev/null 2>&1 || true
ip -4 route add 92.118.30.2/31 dev wg-tuvok-ee table 152
ip -4 route add default via 92.118.30.3 dev wg-tuvok-ee table 152
ip -6 route flush table 152 >/dev/null 2>&1 || true
ip -6 route add 2a09:a442::2:0/112 dev wg-tuvok-ee table 152
ip -6 route add default via 2a09:a442::2:2 dev wg-tuvok-ee table 152
ip -4 route flush table 153 >/dev/null 2>&1 || true
ip -4 route add 92.118.30.4/31 dev wg-tuvok-gnet table 153
ip -4 route add default via 92.118.30.5 dev wg-tuvok-gnet table 153
ip -6 route flush table 153 >/dev/null 2>&1 || true
ip -6 route add 2a09:a442::3:0/112 dev wg-tuvok-gnet table 153
ip -6 route add default via 2a09:a442::3:2 dev wg-tuvok-gnet table 153
'';
}; };
systemd.network = let systemd.network = let
hexToInt = h: (builtins.fromTOML "h = ${h}").h; hexToInt = h: (builtins.fromTOML "h = ${h}").h;
@ -222,26 +207,37 @@ in {
Table = table; Table = table;
}; };
}; };
in let
routeTables = {
bgp = 150;
wg-vm = 151;
wg-ee = 152;
wg-gnet = 153;
ee = 201;
vm = 202;
gnet = 203;
};
in { in {
enable = true; enable = true;
config.routeTables = routeTables;
networks."50-wg-tuvok-vm" = wireguardNetwork { networks."50-wg-tuvok-vm" = wireguardNetwork {
linkName = "wg-tuvok-vm"; linkName = "wg-tuvok-vm";
relativePriority = 2; relativePriority = 2;
rtID = 151; rtID = routeTables.wg-vm;
v4Linknet = "92.118.30.0"; v4Linknet = "92.118.30.0";
v6Linknet = "2a09:a442::1:1"; v6Linknet = "2a09:a442::1:1";
}; };
networks."50-wg-tuvok-ee" = wireguardNetwork { networks."50-wg-tuvok-ee" = wireguardNetwork {
linkName = "wg-tuvok-ee"; linkName = "wg-tuvok-ee";
relativePriority = 3; relativePriority = 3;
rtID = 152; rtID = routeTables.wg-ee;
v4Linknet = "92.118.30.2"; v4Linknet = "92.118.30.2";
v6Linknet = "2a09:a442::2:1"; v6Linknet = "2a09:a442::2:1";
}; };
networks."50-wg-tuvok-gnet" = wireguardNetwork { networks."50-wg-tuvok-gnet" = wireguardNetwork {
linkName = "wg-tuvok-gnet"; linkName = "wg-tuvok-gnet";
relativePriority = 1; relativePriority = 1;
rtID = 153; rtID = routeTables.wg-gnet;
v4Linknet = "92.118.30.4"; v4Linknet = "92.118.30.4";
v6Linknet = "2a09:a442::3:1"; v6Linknet = "2a09:a442::3:1";
}; };
@ -285,32 +281,32 @@ in {
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
Family = "both"; Family = "both";
Priority = 10080; Priority = 10080;
Table = 150; Table = routeTables.bgp;
}; };
} }
]; ];
}; };
networks."40-en-ee" = (physicalNetwork 201 "0xdead" [{ networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
# add-on.ee.co.uk goes via EE. # add-on.ee.co.uk goes via EE.
To = "82.192.97.153/32"; To = "82.192.97.153/32";
Table = 201; Table = routeTables.ee;
Priority = 10031; Priority = 10031;
}; };
} { } {
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
# as does anything from 192.168.200.0/24. # as does anything from 192.168.200.0/24.
From = "192.168.200.0/24"; From = "192.168.200.0/24";
Table = 201; Table = routeTables.ee;
Priority = 10031; Priority = 10031;
}; };
}]) // { }]) // {
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
}; };
networks."40-en-virginmedia" = (physicalNetwork 202 "0xbeef" []) // { networks."40-en-virginmedia" = (physicalNetwork routeTables.vm "0xbeef" []) // {
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
}; };
networks."40-en-gnet" = (physicalNetwork 203 "0xcafe" []); networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" []);
netdevs = let netdevs = let
wireguard = { name, listenPort, privateKey, endpoint, publicKey, fwmark }: { wireguard = { name, listenPort, privateKey, endpoint, publicKey, fwmark }: {
@ -416,8 +412,8 @@ in {
authoritative = true; authoritative = true;
extraConfig = '' extraConfig = ''
shared-network int { shared-network int {
default-lease-time 600; default-lease-time 3600;
max-lease-time 3600; max-lease-time 86400;
option interface-mtu 1420; # Wireguard option interface-mtu 1420; # Wireguard
subnet 192.168.1.0 netmask 255.255.255.0 { subnet 192.168.1.0 netmask 255.255.255.0 {
@ -816,4 +812,15 @@ in {
}; };
system.stateVersion = "21.03"; system.stateVersion = "21.03";
} {
# Minimize writes to storage.
boot.tmpOnTmpfs = true;
services.journald.extraConfig = ''
Storage=volatile
'';
systemd.services.tailscaled.environment.TS_LOGS_DIR = "/var/run/tailscale";
services.unifi.enable = mkForce false;
my.vault.enable = mkForce false;
} ];
} }
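Review bot: `Storage=volatile` in the journald block of the last hunk puts the journal in /run only, so after any reboot or crash this host has no log trail for incident reconstruction, and nothing in the commit ships the journal anywhere else. If a collector exists, pair the setting with `ForwardToSyslog=yes` (or `services.journald.forwardToSyslog = true;`) or a remote journal upload; if the loss is accepted, record it next to the existing comment, e.g. `# Minimize writes to storage. NOTE: journal is RAM-only and lost on reboot; nothing is shipped off-host.`. Since /tmp is now also in RAM via `boot.tmpOnTmpfs`, consider bounding the in-memory journal with `RuntimeMaxUse=` alongside `Storage=volatile`. The `TS_LOGS_DIR = "/var/run/tailscale"` line presumably relies on that directory being created by the tailscaled unit; worth confirming, since a missing directory would silently fall back to whatever tailscaled does without it. The `} ];` closes the `mkMerge [ {` list opened in the first hunk, so the enclosing expression spans the whole file.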