swann: reduce write activity on disk
parent
edf6671aff
commit
615c30ed54
1 changed files with 775 additions and 768 deletions
|
@ -5,12 +5,14 @@
|
|||
{ depot, lib, pkgs, config, ... }:
|
||||
let
|
||||
inherit (depot.ops) secrets;
|
||||
inherit (lib) mkMerge mkForce;
|
||||
in {
|
||||
imports = [
|
||||
# We include this just so it sets some sysctls and firewall settings.
|
||||
../lib/bgp.nix
|
||||
];
|
||||
|
||||
config = mkMerge [ {
|
||||
boot.initrd.availableKernelModules = [
|
||||
"sd_mod"
|
||||
"ahci"
|
||||
|
@ -66,10 +68,16 @@ in {
|
|||
};
|
||||
en-gnet = {
|
||||
useDHCP = true;
|
||||
ipv4.addresses = [
|
||||
{ address = "192.168.201.2"; prefixLength = 24; }
|
||||
];
|
||||
# Additional options configured in networkd.
|
||||
};
|
||||
en-ee = {
|
||||
useDHCP = true;
|
||||
ipv4.addresses = [
|
||||
{ address = "192.168.200.2"; prefixLength = 24; }
|
||||
];
|
||||
# Additional options configured in networkd.
|
||||
};
|
||||
en-general = {
|
||||
|
@ -98,29 +106,6 @@ in {
|
|||
interface = "en-general";
|
||||
};
|
||||
};
|
||||
|
||||
localCommands = ''
|
||||
ip -4 route flush table 151 >/dev/null 2>&1 || true
|
||||
ip -4 route add 92.118.30.0/31 dev wg-tuvok-vm table 151
|
||||
ip -4 route add default via 92.118.30.1 dev wg-tuvok-vm table 151
|
||||
ip -6 route flush table 151 >/dev/null 2>&1 || true
|
||||
ip -6 route add 2a09:a442::1:0/112 dev wg-tuvok-vm table 151
|
||||
ip -6 route add default via 2a09:a442::1:2 dev wg-tuvok-vm table 151
|
||||
|
||||
ip -4 route flush table 152 >/dev/null 2>&1 || true
|
||||
ip -4 route add 92.118.30.2/31 dev wg-tuvok-ee table 152
|
||||
ip -4 route add default via 92.118.30.3 dev wg-tuvok-ee table 152
|
||||
ip -6 route flush table 152 >/dev/null 2>&1 || true
|
||||
ip -6 route add 2a09:a442::2:0/112 dev wg-tuvok-ee table 152
|
||||
ip -6 route add default via 2a09:a442::2:2 dev wg-tuvok-ee table 152
|
||||
|
||||
ip -4 route flush table 153 >/dev/null 2>&1 || true
|
||||
ip -4 route add 92.118.30.4/31 dev wg-tuvok-gnet table 153
|
||||
ip -4 route add default via 92.118.30.5 dev wg-tuvok-gnet table 153
|
||||
ip -6 route flush table 153 >/dev/null 2>&1 || true
|
||||
ip -6 route add 2a09:a442::3:0/112 dev wg-tuvok-gnet table 153
|
||||
ip -6 route add default via 2a09:a442::3:2 dev wg-tuvok-gnet table 153
|
||||
'';
|
||||
};
|
||||
systemd.network = let
|
||||
hexToInt = h: (builtins.fromTOML "h = ${h}").h;
|
||||
|
@ -222,26 +207,37 @@ in {
|
|||
Table = table;
|
||||
};
|
||||
};
|
||||
in let
|
||||
routeTables = {
|
||||
bgp = 150;
|
||||
wg-vm = 151;
|
||||
wg-ee = 152;
|
||||
wg-gnet = 153;
|
||||
ee = 201;
|
||||
vm = 202;
|
||||
gnet = 203;
|
||||
};
|
||||
in {
|
||||
enable = true;
|
||||
config.routeTables = routeTables;
|
||||
networks."50-wg-tuvok-vm" = wireguardNetwork {
|
||||
linkName = "wg-tuvok-vm";
|
||||
relativePriority = 2;
|
||||
rtID = 151;
|
||||
rtID = routeTables.wg-vm;
|
||||
v4Linknet = "92.118.30.0";
|
||||
v6Linknet = "2a09:a442::1:1";
|
||||
};
|
||||
networks."50-wg-tuvok-ee" = wireguardNetwork {
|
||||
linkName = "wg-tuvok-ee";
|
||||
relativePriority = 3;
|
||||
rtID = 152;
|
||||
rtID = routeTables.wg-ee;
|
||||
v4Linknet = "92.118.30.2";
|
||||
v6Linknet = "2a09:a442::2:1";
|
||||
};
|
||||
networks."50-wg-tuvok-gnet" = wireguardNetwork {
|
||||
linkName = "wg-tuvok-gnet";
|
||||
relativePriority = 1;
|
||||
rtID = 153;
|
||||
rtID = routeTables.wg-gnet;
|
||||
v4Linknet = "92.118.30.4";
|
||||
v6Linknet = "2a09:a442::3:1";
|
||||
};
|
||||
|
@ -285,32 +281,32 @@ in {
|
|||
routingPolicyRuleConfig = {
|
||||
Family = "both";
|
||||
Priority = 10080;
|
||||
Table = 150;
|
||||
Table = routeTables.bgp;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
networks."40-en-ee" = (physicalNetwork 201 "0xdead" [{
|
||||
networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{
|
||||
routingPolicyRuleConfig = {
|
||||
# add-on.ee.co.uk goes via EE.
|
||||
To = "82.192.97.153/32";
|
||||
Table = 201;
|
||||
Table = routeTables.ee;
|
||||
Priority = 10031;
|
||||
};
|
||||
} {
|
||||
routingPolicyRuleConfig = {
|
||||
# as does anything from 192.168.200.0/24.
|
||||
From = "192.168.200.0/24";
|
||||
Table = 201;
|
||||
Table = routeTables.ee;
|
||||
Priority = 10031;
|
||||
};
|
||||
}]) // {
|
||||
linkConfig.RequiredForOnline = "no";
|
||||
};
|
||||
networks."40-en-virginmedia" = (physicalNetwork 202 "0xbeef" []) // {
|
||||
networks."40-en-virginmedia" = (physicalNetwork routeTables.vm "0xbeef" []) // {
|
||||
linkConfig.RequiredForOnline = "no";
|
||||
};
|
||||
networks."40-en-gnet" = (physicalNetwork 203 "0xcafe" []);
|
||||
networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" []);
|
||||
|
||||
netdevs = let
|
||||
wireguard = { name, listenPort, privateKey, endpoint, publicKey, fwmark }: {
|
||||
|
@ -416,8 +412,8 @@ in {
|
|||
authoritative = true;
|
||||
extraConfig = ''
|
||||
shared-network int {
|
||||
default-lease-time 600;
|
||||
max-lease-time 3600;
|
||||
default-lease-time 3600;
|
||||
max-lease-time 86400;
|
||||
option interface-mtu 1420; # Wireguard
|
||||
|
||||
subnet 192.168.1.0 netmask 255.255.255.0 {
|
||||
|
@ -816,4 +812,15 @@ in {
|
|||
};
|
||||
|
||||
system.stateVersion = "21.03";
|
||||
} {
|
||||
# Minimize writes to storage.
|
||||
boot.tmpOnTmpfs = true;
|
||||
services.journald.extraConfig = ''
|
||||
Storage=volatile
|
||||
'';
|
||||
systemd.services.tailscaled.environment.TS_LOGS_DIR = "/var/run/tailscale";
|
||||
|
||||
services.unifi.enable = mkForce false;
|
||||
my.vault.enable = mkForce false;
|
||||
} ];
|
||||
}
|
||||
|
|