public-access-proxy: bump nfconntrack table size, loda module even earlier
This commit is contained in:
parent
5560deef4c
commit
626f7a1d38
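--- a/path-not-on-page-1
+++ b/path-not-on-page-1
@@ -6,6 +6,12 @@
 ./stats.nix
 ];
 
+boot.kernel.sysctl = {
+# table overflow causing packets from nginx to the service to drop
+# nf_conntrack: nf_conntrack: table full, dropping packet
+"net.netfilter.nf_conntrack_max" = toString (4096*32);
+};
+
 c3d2.deployment.server = "server10";
 
 networking.hostName = "public-access-proxy";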
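Review bot: The per-host override `"net.netfilter.nf_conntrack_max" = toString (4096*32);` records the symptom but not why 131072 was chosen or what else changes with it: nf_conntrack_max only raises the entry ceiling, while the hash table size (`net.netfilter.nf_conntrack_buckets`) and the per-state timeouts (for example `net.netfilter.nf_conntrack_tcp_timeout_established`) bound lookup cost and how long each entry is held, so a bigger table alone lets a burst of connections pin more kernel memory (on the order of a few hundred bytes per entry) for longer. I would extend the comment to something like `# 131072 entries, sized for the expected number of concurrent nginx->service connections; revisit buckets/timeouts if "table full" recurs` so the next reader can reason about it rather than just raising it again. The host's attribute set that these lines sit in starts before the hunk.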
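--- a/path-not-on-page-2
+++ b/path-not-on-page-2
@@ -9,6 +9,10 @@
 
 boot = {
 loader.grub.enable = false;
+initrd.kernelModules = [
+# required for net.netfilter.nf_conntrack_max appearing in sysfs early at boot
+"nf_conntrack"
+];
 kernel.sysctl =
 let
 mem = if (config?microvm) then config.microvm.mem else config.deployment.mem;
@@ -16,12 +20,8 @@
 lib.optionalAttrs (mem <= 2*1024) {
 # table overflow causing packets from nginx to the service to drop
 # nf_conntrack: nf_conntrack: table full, dropping packet
-"net.netfilter.nf_conntrack_max" = "65536";
+"net.netfilter.nf_conntrack_max" = lib.mkDefault "65536";
 };
-kernelModules = [
-# required for net.netfilter.nf_conntrack_max appearing in sysfs early at boot
-"nf_conntrack"
-];
 kernelParams = [
 "preempt=none"
 # No server/router runs any untrusted user code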
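Review bot: The `lib.mkDefault "65536"` on the new side is what lets a host file override this value without a conflicting-definition error, but the comment above it still describes only the symptom; a one-line addition such as `# mkDefault so busier hosts (e.g. public-access-proxy) can raise this` would make the intent visible to whoever next edits the shared value. The comment carried over to the moved `initrd.kernelModules` entry says the key appears "in sysfs", but sysctl keys live under /proc/sys, not sysfs; `# load in the initrd so /proc/sys/net/netfilter/nf_conntrack_max exists before sysctls are applied` is more accurate. Whether loading the module in the initrd actually guarantees it is present before the sysctl is written depends on the stage-1 setup, which is not visible here. The `let … in` expression holding both hunks begins before the first hunk and continues past the second.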