Fix conntrack issues in microvm

due to bad scaling with lower RAM

hosts/hedgedoc/default.nix

@@ -5,12 +5,6 @@
 
   microvm.mem = 1024;
 
-  boot.kernel.sysctl = {
-    # table overflow causing packets from nginx to hedgedoc to drop
-    # nf_conntrack: nf_conntrack: table full, dropping packet
-    "net.netfilter.nf_conntrack_max" = "65536";
-  };
-
   networking.hostName = "hedgedoc";
 
   services = {

modules/microvm.nix

@@ -72,11 +72,18 @@ in
     # autoupdates do not make sense inside MicroVMs with read-only /nix/store
     c3d2.autoUpdate = false;
 
-    boot.kernelParams = [
+    boot = {
-      "preempt=none"
+      kernel.sysctl = lib.optionalAttrs (config.microvm.mem <= 1024) {
-      # No server/router runs any untrusted user code
+        # table overflow causing packets from nginx to the service to drop
-      "mitigations=off"
+        # nf_conntrack: nf_conntrack: table full, dropping packet
-    ];
+        "net.netfilter.nf_conntrack_max" = "65536";
+      };
+      kernelParams = [
+        "preempt=none"
+        # No server/router runs any untrusted user code
+        "mitigations=off"
+      ];
+    };
 
     hardware.enableRedistributableFirmware = false;
 
@@ -114,7 +121,10 @@ in
         }) config.c3d2.deployment.mounts;
     };
 
-    networking = lib.mkIf config.c3d2.deployment.autoNetSetup {
+    networking = {
+      # required that sysctl contains net.netfilter.nf_conntrack_max on boot
+      firewall.autoLoadConntrackHelpers = true;
+    } // lib.optionalAttrs config.c3d2.deployment.autoNetSetup {
       useDHCP = false;
       dhcpcd.enable = false;
       useNetworkd = true;