diff --git a/flake.lock b/flake.lock
index 7bfa6181..085df210 100644
--- a/flake.lock
+++ b/flake.lock
@@ -288,11 +288,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1743765170,
- "narHash": "sha256-aelxLnG4G8nMwpM3J8uK5qzieZ78WgYXQE++ADNso18=",
+ "lastModified": 1743950177,
+ "narHash": "sha256-80Y0ElVnd42MdVAM2jyKe5Cg4Jnh8YOxm+5ZyiXrsrc=",
 "owner": "NuschtOS",
 "repo": "nuschtpkgs",
- "rev": "a61900ad3724a9854282dbebae54902f8ad44136",
+ "rev": "0ba4ea69e30366047db2307d324cbab50efffd09",
 "type": "github"
 },
 "original": {
@@ -417,11 +417,11 @@
 ]
 },
 "locked": {
- "lastModified": 1743756170,
- "narHash": "sha256-2b11EYa08oqDmF3zEBLkG1AoNn9rB1k39ew/T/mSvbU=",
+ "lastModified": 1743910657,
+ "narHash": "sha256-zr2jmWeWyhCD8WmO2aWov2g0WPPuZfcJDKzMJZYGq3Y=",
 "owner": "mic92",
 "repo": "sops-nix",
- "rev": "cff8437c5fe8c68fc3a840a21bf1f4dc801da40d",
+ "rev": "523f58a4faff6c67f5f685bed33a7721e984c304",
 "type": "github"
 },
 "original": {
diff --git a/hosts/ixp-as11201/configuration.nix b/hosts/ixp-as11201/configuration.nix
index 19cdf5e0..25cef425 100755
--- a/hosts/ixp-as11201/configuration.nix
+++ b/hosts/ixp-as11201/configuration.nix
@@ -1,3 +1,5 @@
+{ config, ... }:
+
 {
 dd-ix = {
 useFpx = true;
@@ -19,38 +21,8 @@
 }];
 networking.ifstate.settings.namespaces.ixp-peering = {
- options.sysctl =
- let
- options = {
- ipv6 = {
- # this machine should not participate in SLAAC
- accept_ra = 0;
- autoconf = 0;
- # no redirects nor evil RH0
- accept_redirects = 0;
- accept_source_route = 0;
- # no forwarding
- forwarding = 0;
- };
- ipv4 = {
- # no redirects nor source route
- accept_redirects = 0;
- send_redirects = 0;
- accept_source_route = 0;
- # handle arp requests strict
- arp_ignore = 1;
- arp_notify = 1;
- # do strict rp filtering
- rp_filter = 1;
- # no forwarding
- forwarding = 0;
- };
- };
- in
- {
- all = options;
- default = options;
- };
+ # copy sysctl from default netns
+ options.sysctl = config.networking.ifstate.settings.options.sysctl;
 interfaces = [
 {
 name = "any112";
diff --git a/modules/dd-ix/default.nix b/modules/dd-ix/default.nix
index fd95a00a..970f78d6 100644
--- a/modules/dd-ix/default.nix
+++ b/modules/dd-ix/default.nix
@@ -12,5 +12,6 @@
 ./mariadb.nix
 ./monitoring.nix
 ./redis.nix
+ ./sysctl.nix
 ];
 }
diff --git a/modules/dd-ix/sysctl.nix b/modules/dd-ix/sysctl.nix
new file mode 100644
index 00000000..9ea77341
--- /dev/null
+++ b/modules/dd-ix/sysctl.nix
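Review bot: The value copied into `ixp-peering` is the whole `options.sysctl` set, which in this same commit also contains the `net.core` block (`default_qdisc`, `netdev_budget`, `netdev_budget_usecs`, `dev_weight`, `netdev_max_backlog`) next to `all`/`default`; as far as I know those keys exist only in the initial network namespace (the per-netns `net.core` table is a small subset), so ifstate will either fail to apply them inside the namespace or skip them silently, depending on how it reports sysctl errors. If the intent is the per-interface hardening only, copy just that part: `options.sysctl = { inherit (config.networking.ifstate.settings.options.sysctl) all default; };`. The previous inline block and the shared one agree on the security-relevant values (`accept_ra = 0`, `accept_redirects = 0`, `accept_source_route = 0`, `forwarding = 0`, `rp_filter = 1`), so there is no hardening regression from the refactor itself. The `networking.ifstate.settings.namespaces.ixp-peering` attribute set continues past the end of the hunk.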
@@ -0,0 +1,46 @@
+{
+ networking.ifstate.settings.options.sysctl =
+ let
+ options = {
+ ipv6 = {
+ # this machine should not participate in SLAAC
+ autoconf = 0;
+ # nor accept router advertisements
+ accept_ra = 0;
+ # no redirects nor evil RH0
+ accept_redirects = 0;
+ accept_source_route = 0;
+ # no forwarding
+ forwarding = 0;
+ # unsolicited neighbour advertisements
+ ndisc_notify = 1;
+ };
+ ipv4 = {
+ # no redirects
+ accept_redirects = 0;
+ send_redirects = 0;
+ accept_source_route = 0;
+ # handle arp requests strict
+ arp_ignore = 1;
+ arp_notify = 1;
+ # do strict rp filtering
+ rp_filter = 1;
+ # no forwarding
+ forwarding = 0;
+ };
+ };
+ in
+ {
+ all = options;
+ default = options;
+ net.core = {
+ # Bufferbloat: fair queuing controlled delay
+ default_qdisc = "cake";
+ # tune SoftIRQ packet handling (5x)
+ netdev_budget_usecs = 10000;
+ netdev_budget = 1500;
+ dev_weight = 320;
+ netdev_max_backlog = 5000;
+ };
+ };
+}
diff --git a/modules/management/nextcloud.nix b/modules/management/nextcloud.nix
index 1b806fd5..64a5e0e2 100644
--- a/modules/management/nextcloud.nix
+++ b/modules/management/nextcloud.nix
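Review bot: Writing the same set to both `all` and `default` is the usual shape, but as far as I know the kernel consults only the per-interface value for most `net.ipv6.conf.*` keys used here (`accept_ra`, `autoconf`, `accept_redirects`, `accept_source_route`), and `all` does not propagate to interfaces that already exist — only `forwarding` and a handful of others are special-cased. Whether the IPv6 hardening actually lands therefore depends on ifstate writing `default` before it creates the interfaces, or on per-interface sysctl entries; I would record that above `all = options;` with `# NOTE: for most ipv6 keys 'all' is not consulted; 'default' only affects interfaces created afterwards, so ifstate ordering matters` and verify `/proc/sys/net/ipv6/conf/<if>/accept_ra` after deploy. The comment `# no redirects` on the ipv4 block dropped the "nor source route" that the old inline version carried while `accept_source_route = 0` is still set; `# no redirects nor source route` keeps the comment accurate. The `net.core` tuning block is not hardening and is host-global, so it may be worth keeping it outside the `all`/`default` set that other modules are expected to mirror.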
@@ -3,27 +3,30 @@ let
 domain = "cloud.${config.dd-ix.domain}";
 in
 {
- sops.secrets."cloud_admin_pw" = {
- sopsFile = self + "/secrets/management/cloud.yaml";
- owner = config.systemd.services.nextcloud-setup.serviceConfig.User;
- };
+ sops.secrets = {
+ "cloud_admin_pw" = {
+ sopsFile = self + "/secrets/management/cloud.yaml";
+ owner = config.systemd.services.nextcloud-setup.serviceConfig.User;
+ };
- sops.secrets."cloud_db_pw" = {
- sopsFile = self + "/secrets/management/cloud.yaml";
- owner = config.systemd.services.nextcloud-setup.serviceConfig.User;
- };
+ "cloud_db_pw" = {
+ sopsFile = self + "/secrets/management/cloud.yaml";
+ owner = config.systemd.services.nextcloud-setup.serviceConfig.User;
+ };
- sops.secrets."office_env" = {
- sopsFile = self + "/secrets/management/cloud.yaml";
- owner = "root";
+ "office_env" = {
+ sopsFile = self + "/secrets/management/cloud.yaml";
+ owner = "root";
+ };
 };
- systemd.services.nextcloud-setup.after = [ "network.target" ];
+ systemd.services.nextcloud-setup = {
+ after = [ "network-online.target" ];
+ requires = [ "network-online.target" ];
+ };
 services = {
- postgresql = {
- enable = lib.mkForce false;
- };
+ postgresql.enable = lib.mkForce false;
 nextcloud = {
 enable = true;
 hostName = domain;
@@ -100,10 +103,10 @@ in
 image = "onlyoffice/documentserver:8.3.0.1";
 imageFile = pkgs.dockerTools.pullImage {
 imageName = "onlyoffice/documentserver";
- imageDigest = "sha256:7bf6a672e1743d62002aa518ea880f486f642c238ee93aa6d572f899a05da486";
- sha256 = "1f26jhczd9p0g17y7r4fl1pnhsj9bisfaggcm2pyfjnqlcyzgdgl";
+ imageDigest = "sha256:9c76330ee4be00623e204c5305b20f8868c37e0e90c88e351c27feb148aada80";
+ sha256 = "0kxx21ax4y8j5jlhfi6qfrv2iahnsfxc0pzspbp483l4x45fi2vg";
 finalImageName = "onlyoffice/documentserver";
- finalImageTag = "8.3.0.1";
+ finalImageTag = "8.3.2.1";
 };
 environmentFiles = [ config.sops.secrets."office_env".path ];
 extraOptions = [ "--network=host" ];
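Review bot: In the second hunk `finalImageTag` is bumped to `8.3.2.1` but the context line `image = "onlyoffice/documentserver:8.3.0.1";` still names the old tag, so the image loaded from the digest-pinned `imageFile` is tagged `onlyoffice/documentserver:8.3.2.1` while the container is started as `...:8.3.0.1`; with the NixOS oci-containers module that name will not match the loaded image and the runtime is likely to pull `8.3.0.1` from the registry by mutable tag, which silently bypasses the `imageDigest`/`sha256` pin and leaves the container on the old release. Change it to `image = "onlyoffice/documentserver:8.3.2.1";` and consider deriving both from one `version` binding so they cannot drift again. Less important, but in the first hunk `requires = [ "network-online.target" ]` is stronger than the `wants` systemd recommends for that target, and with ifstate-managed networking it is worth confirming that some wait-online unit actually delays `network-online.target`, otherwise the ordering buys nothing. The `services.nextcloud` and the container attribute sets both continue outside the hunks.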