Fix conntrack issues in microvm

due to bad scaling with lower RAM
2023-01-05 22:13:59 +01:00 · 2023-01-05 22:13:59 +01:00 · ca6fe29106
parent fc105bb0d9
commit ca6fe29106
2 changed files with 16 additions and 12 deletions
--- a/hosts/hedgedoc/default.nix
+++ b/hosts/hedgedoc/default.nix
@ -5,12 +5,6 @@

  microvm.mem = 1024;

-  boot.kernel.sysctl = {
-    # table overflow causing packets from nginx to hedgedoc to drop
-    # nf_conntrack: nf_conntrack: table full, dropping packet
-    "net.netfilter.nf_conntrack_max" = "65536";
-  };
-
  networking.hostName = "hedgedoc";

  services = {
--- a/modules/microvm.nix
+++ b/modules/microvm.nix
@ -72,11 +72,18 @@ in
    # autoupdates do not make sense inside MicroVMs with read-only /nix/store
    c3d2.autoUpdate = false;

-    boot.kernelParams = [
-      "preempt=none"
-      # No server/router runs any untrusted user code
-      "mitigations=off"
-    ];
+    boot = {
+      kernel.sysctl = lib.optionalAttrs (config.microvm.mem <= 1024) {
+        # table overflow causing packets from nginx to the service to drop
+        # nf_conntrack: nf_conntrack: table full, dropping packet
+        "net.netfilter.nf_conntrack_max" = "65536";
+      };
+      kernelParams = [
+        "preempt=none"
+        # No server/router runs any untrusted user code
+        "mitigations=off"
+      ];
+    };

    hardware.enableRedistributableFirmware = false;

@ -114,7 +121,10 @@ in
        }) config.c3d2.deployment.mounts;
    };

-    networking = lib.mkIf config.c3d2.deployment.autoNetSetup {
+    networking = {
+      # required that sysctl contains net.netfilter.nf_conntrack_max on boot
+      firewall.autoLoadConntrackHelpers = true;
+    } // lib.optionalAttrs config.c3d2.deployment.autoNetSetup {
      useDHCP = false;
      dhcpcd.enable = false;
      useNetworkd = true;