feat(hosts,lib): adjust kernel sysctl for k8s/dae

2026-03-26 03:11:32 +01:00 · 2024-03-29 23:45:30 +08:00
parent 6ae98566ed
commit e85712ca53
3 changed files with 33 additions and 20 deletions
--- a/hosts/12kingdoms-suzu/networking.nix
+++ b/hosts/12kingdoms-suzu/networking.nix
@@ -5,14 +5,10 @@

  ipv4WithMask = "${ipv4}/24";
 in {
-  boot = {
-    kernel = {
-      sysctl = {
-        # forward network packets that are not destined for the interface on which they were received
-        "net.ipv4.conf.all.forwarding" = true;
-        "net.ipv6.conf.all.forwarding" = true;
-      };
-    };
+  boot.kernel.sysctl = {
+    # forward network packets that are not destined for the interface on which they were received
+    "net.ipv4.conf.all.forwarding" = true;
+    "net.ipv6.conf.all.forwarding" = true;
  };

  networking.useNetworkd = true;
--- a/hosts/12kingdoms-suzu/suzi/networking.nix
+++ b/hosts/12kingdoms-suzu/suzi/networking.nix
@@ -13,18 +13,14 @@
    end = "192.168.5.99";
  };
 in {
-  # https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md
-  boot = {
-    kernel = {
-      # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md
-      sysctl = {
-        # forward network packets that are not destined for the interface on which they were received
-        "net.ipv4.conf.all.forwarding" = true;
-        "net.ipv6.conf.all.forwarding" = true;
-        "net.ipv4.conf.br-lan.rp_filter" = 1;
-        "net.ipv4.conf.br-lan.send_redirects" = 0;
-      };
-    };
+  boot.kernel.sysctl = {
+    # https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md
+    # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md
+    # forward network packets that are not destined for the interface on which they were received
+    "net.ipv4.conf.all.forwarding" = true;
+    "net.ipv6.conf.all.forwarding" = true;
+    "net.ipv4.conf.br-lan.rp_filter" = 1;
+    "net.ipv4.conf.br-lan.send_redirects" = 0;
  };

  # Docker uses iptables internally to setup NAT for containers.
--- a/lib/genKubeVirtCoreModule.nix
+++ b/lib/genKubeVirtCoreModule.nix
@@ -23,6 +23,27 @@ in {
  boot.kernelModules = ["kvm-amd" "vfio-pci"];
  boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu

+  boot.kernel.sysctl = {
+    # --- filesystem --- #
+    # increase the limits to avoid running out of inotify watches
+    "fs.inotify.max_user_watches" = 524288;
+    "fs.inotify.max_user_instances" = 1024;
+
+    # --- network --- #
+    "net.bridge.bridge-nf-call-iptables" = 1;
+    "net.core.somaxconn" = 32768;
+    "net.ipv4.ip_forward" = 1;
+    "net.ipv4.conf.all.forwarding" = 1;
+    "net.ipv4.neigh.default.gc_thresh1" = 4096;
+    "net.ipv4.neigh.default.gc_thresh2" = 6144;
+    "net.ipv4.neigh.default.gc_thresh3" = 8192;
+    "net.ipv4.neigh.default.gc_interval" = 60;
+    "net.ipv4.neigh.default.gc_stale_time" = 120;
+
+    # --- memory --- #
+    "vm.swappiness" = 0; # don't swap unless absolutely necessary
+  };
+
  environment.systemPackages = with pkgs; [
    # Validate Hardware Virtualization Support via:
    #   virt-host-validate qemu