swann: reduce write activity on disk

This commit is contained in:
Luke Granger-Brown 2022-03-13 17:34:23 +00:00
parent edf6671aff
commit 615c30ed54


@ -5,12 +5,14 @@
{ depot, lib, pkgs, config, ... }:
let
inherit (depot.ops) secrets;
inherit (lib) mkMerge mkForce;
in {
imports = [
# We include this just so it sets some sysctls and firewall settings.
../lib/bgp.nix
];
config = mkMerge [ {
boot.initrd.availableKernelModules = [
"sd_mod"
"ahci"
@ -66,10 +68,16 @@ in {
};
en-gnet = {
useDHCP = true;
ipv4.addresses = [
{ address = "192.168.201.2"; prefixLength = 24; }
];
# Additional options configured in networkd.
};
en-ee = {
useDHCP = true;
ipv4.addresses = [
{ address = "192.168.200.2"; prefixLength = 24; }
];
# Additional options configured in networkd.
};
en-general = {
@ -98,29 +106,6 @@ in {
interface = "en-general";
};
};
localCommands = ''
ip -4 route flush table 151 >/dev/null 2>&1 || true
ip -4 route add 92.118.30.0/31 dev wg-tuvok-vm table 151
ip -4 route add default via 92.118.30.1 dev wg-tuvok-vm table 151
ip -6 route flush table 151 >/dev/null 2>&1 || true
ip -6 route add 2a09:a442::1:0/112 dev wg-tuvok-vm table 151
ip -6 route add default via 2a09:a442::1:2 dev wg-tuvok-vm table 151
ip -4 route flush table 152 >/dev/null 2>&1 || true
ip -4 route add 92.118.30.2/31 dev wg-tuvok-ee table 152
ip -4 route add default via 92.118.30.3 dev wg-tuvok-ee table 152
ip -6 route flush table 152 >/dev/null 2>&1 || true
ip -6 route add 2a09:a442::2:0/112 dev wg-tuvok-ee table 152
ip -6 route add default via 2a09:a442::2:2 dev wg-tuvok-ee table 152
ip -4 route flush table 153 >/dev/null 2>&1 || true
ip -4 route add 92.118.30.4/31 dev wg-tuvok-gnet table 153
ip -4 route add default via 92.118.30.5 dev wg-tuvok-gnet table 153
ip -6 route flush table 153 >/dev/null 2>&1 || true
ip -6 route add 2a09:a442::3:0/112 dev wg-tuvok-gnet table 153
ip -6 route add default via 2a09:a442::3:2 dev wg-tuvok-gnet table 153
'';
};
systemd.network = let
hexToInt = h: (builtins.fromTOML "h = ${h}").h;
@ -222,26 +207,37 @@ in {
Table = table;
};
};
in let
routeTables = {
bgp = 150;
wg-vm = 151;
wg-ee = 152;
wg-gnet = 153;
ee = 201;
vm = 202;
gnet = 203;
};
in {
enable = true;
config.routeTables = routeTables;
networks."50-wg-tuvok-vm" = wireguardNetwork {
linkName = "wg-tuvok-vm";
relativePriority = 2;
rtID = 151;
rtID = routeTables.wg-vm;
v4Linknet = "92.118.30.0";
v6Linknet = "2a09:a442::1:1";
};
networks."50-wg-tuvok-ee" = wireguardNetwork {
linkName = "wg-tuvok-ee";
relativePriority = 3;
rtID = 152;
rtID = routeTables.wg-ee;
v4Linknet = "92.118.30.2";
v6Linknet = "2a09:a442::2:1";
};
networks."50-wg-tuvok-gnet" = wireguardNetwork {
linkName = "wg-tuvok-gnet";
relativePriority = 1;
rtID = 153;
rtID = routeTables.wg-gnet;
v4Linknet = "92.118.30.4";
v6Linknet = "2a09:a442::3:1";
};
@ -285,32 +281,32 @@ in {
routingPolicyRuleConfig = {
Family = "both";
Priority = 10080;
Table = 150;
Table = routeTables.bgp;
};
}
];
};
networks."40-en-ee" = (physicalNetwork 201 "0xdead" [{
networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{
routingPolicyRuleConfig = {
# add-on.ee.co.uk goes via EE.
To = "82.192.97.153/32";
Table = 201;
Table = routeTables.ee;
Priority = 10031;
};
} {
routingPolicyRuleConfig = {
# as does anything from 192.168.200.0/24.
From = "192.168.200.0/24";
Table = 201;
Table = routeTables.ee;
Priority = 10031;
};
}]) // {
linkConfig.RequiredForOnline = "no";
};
networks."40-en-virginmedia" = (physicalNetwork 202 "0xbeef" []) // {
networks."40-en-virginmedia" = (physicalNetwork routeTables.vm "0xbeef" []) // {
linkConfig.RequiredForOnline = "no";
};
networks."40-en-gnet" = (physicalNetwork 203 "0xcafe" []);
networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" []);
netdevs = let
wireguard = { name, listenPort, privateKey, endpoint, publicKey, fwmark }: {
@ -416,8 +412,8 @@ in {
authoritative = true;
extraConfig = ''
shared-network int {
default-lease-time 600;
max-lease-time 3600;
default-lease-time 3600;
max-lease-time 86400;
option interface-mtu 1420; # Wireguard
subnet 192.168.1.0 netmask 255.255.255.0 {
@ -816,4 +812,15 @@ in {
};
system.stateVersion = "21.03";
} {
# Minimize writes to storage.
boot.tmpOnTmpfs = true;
services.journald.extraConfig = ''
Storage=volatile
'';
systemd.services.tailscaled.environment.TS_LOGS_DIR = "/var/run/tailscale";
services.unifi.enable = mkForce false;
my.vault.enable = mkForce false;
} ];
}
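Review bot: `Storage=volatile` in the added `services.journald.extraConfig` means this host's only local log store is discarded on every reboot or power loss, and nothing in the hunk forwards the journal anywhere, so an after-the-fact investigation of this router (the box terminating the wireguard and BGP links configured above) would start from an empty journal. If the journal is already shipped to a remote collector, say so next to the setting; otherwise consider adding `ForwardToSyslog=yes` together with a remote syslog destination, so that reducing disk writes does not also remove the audit trail. The two `mkForce false` lines disable the unifi controller and the `my.vault` module without saying whether those services now run elsewhere or are dropped for good; a comment such as `# unifi and vault keep write-heavy state on disk; disabled on this host (relocated or retired — confirm)` would spare the next reader a search through the history. The enclosing `config = mkMerge [ ... ]` list opens outside this hunk.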