nixos/estuary: Implement bandwidth limiting

2022-07-10 19:12:16 +01:00 · 2022-07-10 19:12:16 +01:00 · e240b9a54e
commit e240b9a54e
parent ee7b79c686
1 changed files with 57 additions and 0 deletions
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@ -80,6 +80,7 @@
                  waitOnline = "systemd-networkd-wait-online@wan.service";
                in
                {
                  description = "Frequent ICMP6 neighbour solicitations";
                  enable = true;
                  requires = [ waitOnline ];
                  after = [ waitOnline ];
@ -91,6 +92,29 @@
                  '';
                  wantedBy = [ "multi-user.target" ];
                };
                # systemd-networkd doesn't support tc filtering
                wan-filter-to-ifb =
                let
                  waitOnline = [
                    "systemd-networkd-wait-online@wan.service"
                    "systemd-networkd-wait-online@ifb-wan.service"
                  ];
                in
                {
                  description = "Install tc filter to pass WAN traffic to IFB";
                  enable = true;
                  bindsTo = waitOnline;
                  after = waitOnline;
                  serviceConfig = {
                    Type = "oneshot";
                    RemainAfterExit = true;
                  };
                  script = ''
                    ${pkgs.iproute2}/bin/tc filter add dev wan parent ffff: u32 match u32 0 0 action mirred egress redirect dev ifb-wan
                  '';
                  wantedBy = [ "multi-user.target" ];
                };
              };
            };
@ -111,6 +135,13 @@
                };
              };
              netdevs = {
                "25-ifb-wan".netdevConfig = {
                  Name = "ifb-wan";
                  Kind = "ifb";
                };
              };
              networks = {
                "80-wan" = {
                  matchConfig.Name = "wan";
@ -129,7 +160,33 @@
                    LinkLocalAddressing = "no";
                    IPv6AcceptRA = false;
                  };
                  extraConfig = ''
                    [QDisc]
                    Parent=ingress
                    Handle=ffff
                    # Outbound traffic limiting
                    [TokenBucketFilter]
                    Parent=root
                    LatencySec=0.3
                    BurstBytes=512K
                    # *bits
                    Rate=245M
                  '';
                };
                "80-ifb-wan" = {
                  matchConfig.Name = "ifb-wan";
                  extraConfig = ''
                    # Inbound traffic limiting
                    [TokenBucketFilter]
                    Parent=root
                    LatencySec=0.3
                    BurstBytes=512K
                    # *bits
                    Rate=245M
                  '';
                };
                "80-base" = mkMerge [
                  (networkdAssignment "base" assignments.base)
                  {