From ca6fe2910662946c047d57ea7ebc38ea8a9d1a94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Thu, 5 Jan 2023 22:13:59 +0100
Subject: [PATCH] Fix conntrack issues in microvm due to bad scaling with lower RAM

---
 hosts/hedgedoc/default.nix | 6 ------
 modules/microvm.nix | 22 ++++++++++++++++------
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/hosts/hedgedoc/default.nix b/hosts/hedgedoc/default.nix
index e90b9a17..6805bf75 100644
--- a/hosts/hedgedoc/default.nix
+++ b/hosts/hedgedoc/default.nix
@@ -5,12 +5,6 @@
   microvm.mem = 1024;
-  boot.kernel.sysctl = {
-    # table overflow causing packets from nginx to hedgedoc to drop
-    # nf_conntrack: nf_conntrack: table full, dropping packet
-    "net.netfilter.nf_conntrack_max" = "65536";
-  };
-
   networking.hostName = "hedgedoc";
   services = {
diff --git a/modules/microvm.nix b/modules/microvm.nix
index d46d0443..a48dd3e7 100644
--- a/modules/microvm.nix
+++ b/modules/microvm.nix
@@ -72,11 +72,18 @@ in
   # autoupdates do not make sense inside MicroVMs with read-only /nix/store
   c3d2.autoUpdate = false;
-  boot.kernelParams = [
-    "preempt=none"
-    # No server/router runs any untrusted user code
-    "mitigations=off"
-  ];
+  boot = {
+    kernel.sysctl = lib.optionalAttrs (config.microvm.mem <= 1024) {
+      # table overflow causing packets from nginx to the service to drop
+      # nf_conntrack: nf_conntrack: table full, dropping packet
+      "net.netfilter.nf_conntrack_max" = "65536";
+    };
+    kernelParams = [
+      "preempt=none"
+      # No server/router runs any untrusted user code
+      "mitigations=off"
+    ];
+  };
   hardware.enableRedistributableFirmware = false;
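Review bot: The `net.netfilter.nf_conntrack_max` key added under `kernel.sysctl` only exists once the nf_conntrack module is loaded, and the commit arranges that in the second hunk via `networking.firewall.autoLoadConntrackHelpers = true`, which as far as I recall also switches on automatic conntrack-helper assignment (NixOS drops its `nf_conntrack_helper=0` modprobe option when it is set) — a wider exposure than the fix needs, since helpers parse connection payloads to open related ports, and I believe newer NixOS releases have removed that option altogether. Loading the module explicitly is sufficient and leaves the helper default alone: add `kernelModules = [ "nf_conntrack" ];` inside the new `boot = { ... }` set and drop the firewall option from the second hunk. Separately, `lib.optionalAttrs (config.microvm.mem <= 1024)` is a hard step at exactly 1024 while the kernel derives its default table size from RAM, so the threshold deserves a comment such as `# at <= 1 GiB the RAM-derived conntrack default is too small for proxied traffic; revisit if mem changes`, and `lib.mkIf` would keep the condition lazy within the module system rather than forcing `config.microvm.mem` at attrset construction. The enclosing module attrset starts and ends outside the hunk.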
@@ -114,7 +121,10 @@ in
       }) config.c3d2.deployment.mounts;
     };
-  networking = lib.mkIf config.c3d2.deployment.autoNetSetup {
+  networking = {
+    # required that sysctl contains net.netfilter.nf_conntrack_max on boot
+    firewall.autoLoadConntrackHelpers = true;
+  } // lib.optionalAttrs config.c3d2.deployment.autoNetSetup {
     useDHCP = false;
     dhcpcd.enable = false;
     useNetworkd = true;