diff --git a/hosts/skydick/default.nix b/hosts/skydick/default.nix
index 666b874..612b730 100644
--- a/hosts/skydick/default.nix
+++ b/hosts/skydick/default.nix
@@ -70,27 +70,34 @@
useDHCP = false;
useNetworkd = true;
- bonds.bond0 = {
- interfaces = [ "enp4s0f0np0" "enp4s0f1np1" ];
+
+ # bond40g: 2x40G ConnectX-3 (enp130s0 + enp130s0d1), LACP 802.3ad
+ # layer3+4 to cisco port-channel (Po?). Carries 10.0.1.1/16 since the
+ # switch side configured + cabled; cutover done 2026-05-15. bond40g now
+ # carries 10.0.1.1/16; the old bond0 (ConnectX-4 LX 25G) was removed.
+ bonds.bond40g = {
+ interfaces = [ "enp130s0" "enp130s0d1" ];
driverOptions = {
- mode = "active-backup";
- primary = "enp4s0f0np0";
+ mode = "802.3ad";
miimon = "100";
- fail_over_mac = "active";
+ xmit_hash_policy = "layer3+4";
+ lacp_rate = "fast";
};
};
- interfaces.bond0 = {
+
+ # bond40g carries the host IP (was on bond0 before 2026-05-15 cutover).
+ interfaces.bond40g = {
ipv4.addresses = [{ address = "10.0.1.1"; prefixLength = 16; }];
- mtu = 9200; # Jumbo (matches cisco Po4 9216 / gateway 9200 / door-pek 9200)
+ mtu = 9200;
};
defaultGateway = {
address = "10.0.0.1";
- interface = "bond0";
+ interface = "bond40g";
};
# Single primary so systemd-resolved doesn't load-balance us off to a
# resolver that has no analytics-blocking. Fallback handled below.
@@ -99,7 +106,7 @@
# Prefer IPv4 for outbound connections — IPv6 goes through wg-outbound
# on 10.0.0.1 which masquerades with ULA (not globally routable).
# `enableIPv6 = false` alone doesn't stop the kernel from processing
- # router advertisements on bond0 — the gateway's radvd was leaking
+ # router advertisements on bond40g — the gateway's radvd was leaking
# an IPv6 link-DNS (fd99:23eb:1682::1) into systemd-resolved, which
# then took precedence for AAAA queries and broke clean NXDOMAIN.
# Sysctl accept_ra=0 (in boot.kernel.sysctl) handles kernel-level RA
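Review bot: The new header comment on `bonds.bond40g` leaves the switch-side port-channel as `(Po?)` and repeats itself (`Carries 10.0.1.1/16 since …` and `bond40g now carries 10.0.1.1/16` say the same thing), while the `- mtu = 9200; # Jumbo (matches cisco Po4 9216 / gateway 9200 / door-pek 9200)` line was the only place the 9200-vs-9216 switch/gateway MTU coupling was recorded, so the new `+ mtu = 9200;` now carries no rationale. Because the host's only address now sits on an LACP bond that needs the switch's cooperation to come up at all (unlike the removed active-backup bond0), the port-channel number is exactly what an operator will need during an outage; fill it in from the switch config rather than leaving a placeholder, and do not assume the old comment's Po4 carries over, since that was for the removed ConnectX-4 ports. I would tighten the header to `# bond40g: 2x40G ConnectX-3 (enp130s0 + enp130s0d1), LACP 802.3ad, layer3+4 hash, to cisco Po<N>. Carries 10.0.1.1/16 since the 2026-05-15 cutover; the old bond0 (ConnectX-4 LX 25G) was removed.` and restore the MTU note as `mtu = 9200; # jumbo; must stay <= switch Po MTU (9216) and match gateway/peers (9200)`. A one-line caveat on `xmit_hash_policy = "layer3+4"` is also worth adding, since the kernel bonding docs describe that policy as not fully 802.3ad-conformant when a flow mixes fragmented and unfragmented packets, which matters for the high-throughput storage traffic the sysctl section of this file is tuned for.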
@@ -113,10 +120,10 @@
};
};
- # systemd-networkd: explicitly refuse RA on bond0. The kernel-level
+ # systemd-networkd: explicitly refuse RA on bond40g. The kernel-level
# sysctl above gates the kernel; this gates networkd's userspace
# processing, which is what was caching the link-DNS in resolved.
- systemd.network.networks."40-bond0".networkConfig.IPv6AcceptRA = false;
+ systemd.network.networks."40-bond40g".networkConfig.IPv6AcceptRA = false;
# DNS routed through the network's mosdns at 10.0.0.1 so this host inherits
# CN-aware split routing and analytics blocking. AliDNS is the first
@@ -126,7 +133,7 @@
fallbackDns = [ "223.5.5.5" "1.1.1.1" ];
};
- # Wait only for bond0, not individual member ports — a disconnected port
+ # Wait only for bond40g, not individual member ports — a disconnected port
# (cable maintenance) should not stall boot by 2 minutes.
systemd.network.wait-online.anyInterface = true;
@@ -173,10 +180,10 @@
boot.kernel.sysctl = {
# IPv6 RA suppression — see networking.enableIPv6 = false. Without
# these, the gateway's radvd kept seeding fd99:23eb:1682::1 as a
- # link-DNS on bond0, breaking clean NXDOMAIN for AAAA queries.
+ # link-DNS on bond40g (was bond0 pre-cutover), breaking clean NXDOMAIN for AAAA queries.
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
- "net.ipv6.conf.bond0.accept_ra" = 0;
+ "net.ipv6.conf.bond40g.accept_ra" = 0;
# Network buffers for high-throughput storage
"net.core.rmem_max" = 134217728;
@@ -354,7 +361,7 @@
enable = true;
influxUrl = "http://127.0.0.1:8086";
bucket = "skydick";
- netInterfaces = [ "bond0" ];
+ netInterfaces = [ "bond40g" ];
nodeExporter.enable = true;
};