implement traffic control, remove adguard, misc tailscale stuff

2025-02-24 13:23:38 -05:00 · 2025-02-24 13:23:38 -05:00 · 131b4b2614
commit 131b4b2614
parent a82a616f11
5 changed files with 39 additions and 5 deletions
--- a/home/yt/ytnix.nix
+++ b/home/yt/ytnix.nix
@ -144,6 +144,9 @@
    telegram-desktop
    jadx
    gradle
+    localsend
+    scrcpy
+    syncthing
  ];

  programs.waybar.enable = true;
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@ -1,5 +1,6 @@
 {
  pkgs,
+  lib,
  ...
 }:
 {
@ -10,7 +11,6 @@
    ./backup.nix
    ./rclone.nix
    ./postgres.nix
-    ./adguard.nix
    ./hedgedoc.nix
    ./miniflux.nix
    ./redlib.nix
@ -92,9 +92,28 @@
      53
      853
    ];
-    extraCommands = ''
+    extraCommands =
+      let
+        ethtool = lib.getExe pkgs.ethtool;
+        tc = lib.getExe' pkgs.iproute2 "tc";
+      in ''
+      # disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites)
+      ${ethtool} -K ens18 tso off
+
+      # clear existing rules
+      ${tc} qdisc del dev ens18 root || true
+
+      # create HTB hierarchy
+      ${tc} qdisc add dev ens18 root handle 1: htb default 20
+      ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
+      ${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 40% ceil 100%
+      ${tc} class add dev ens18 parent 1:1 classid 1:20 htb rate 60% ceil 100%
+
+      # mark traffic
      iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1
-      iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tor.service" -j MARK --set-mark 2
+
+      # route marked packets
+      ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
    '';
  };
  networking.interfaces.ens18 = {
--- a/hosts/chunk/tailscale.nix
+++ b/hosts/chunk/tailscale.nix
@ -7,6 +7,9 @@
      "--advertise-exit-node"
      "--accept-dns=false"
    ];
+    extraDaemonFlags = [
+      "--no-logs-no-support"
+    ];
    useRoutingFeatures = "server";
    openFirewall = true;
  };
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
@ -91,7 +91,10 @@
    resolvconf.enable = true;
    firewall = {
      enable = true;
-      allowedTCPPorts = [ 8080 ]; # for mitmproxy
+      allowedTCPPorts = [
+        8080  # mitmproxy
+        22000 # syncthing
+      ];
    };
  };
  programs.nm-applet.enable = true;
@ -223,6 +226,7 @@
      "/home/yt/.local/share/Steam"
      "**/.wine"
      "/home/yt/Games"
+      "/home/yt/Videos"
    ];
    repo = "yt";
    passFile = config.sops.secrets."borg/rsyncnet".path;
--- a/hosts/ytnix/tailscale.nix
+++ b/hosts/ytnix/tailscale.nix
@ -6,8 +6,13 @@
    openFirewall = true;
    useRoutingFeatures = "client";
    extraUpFlags = [
-      "--exit-node=100.122.132.30"
+      "--exit-node=chunk"
      "--accept-dns=false"
+      "--operator=yt"
+      "--exit-node-allow-lan-access"
+    ];
+    extraDaemonFlags = [
+      "--no-logs-no-support"
    ];
  };
 }