From 630c953f2fdf1b1e7c2fe2e1d9532af58438a336 Mon Sep 17 00:00:00 2001
From: uku
Date: Sat, 17 Aug 2024 19:00:00 +0200
Subject: [PATCH] feat: various improvements
* use tcp bbr for faster internet
* use switch-to-configuration-ng (blazing fast)
* restrict openssh kex algos
* configure watchdog and disable suspend on servers
---
 configs/common.nix | 18 ++++++++++++++++++
 configs/server.nix | 31 ++++++++++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/configs/common.nix b/configs/common.nix
index b8120f1..31be0ba 100644
--- a/configs/common.nix
+++ b/configs/common.nix
@@ -37,6 +37,12 @@ in {
 kernelPackages = pkgs.linuxPackages; # use lts
 kernelParams = ["quiet" "loglevel=3"];
+ # faster tcp !!!
+ kernel.sysctl = {
+ "net.core.default_qdisc" = "fq";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
+
 tmp.cleanOnBoot = true;
 };
@@ -135,6 +141,13 @@ in {
 security = {
 rtkit.enable = true;
 polkit.enable = true;
+
+ sudo = {
+ execWheelOnly = true;
+ extraConfig = ''
+ Defaults lecture = never
+ '';
+ };
 };
 services = {
@@ -157,6 +170,11 @@ in {
 };
 };
+ system.switch = {
+ enable = false;
+ enableNg = true;
+ };
+
 systemd.services.NetworkManager-wait-online.enable = lib.mkForce false;
 time.timeZone = "Europe/Paris";
diff --git a/configs/server.nix b/configs/server.nix
index 595b57a..f254b6d 100644
--- a/configs/server.nix
+++ b/configs/server.nix
@@ -30,6 +30,16 @@ in {
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
 X11Forwarding = false;
+ UseDns = false;
+
+ # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ "sntrup761x25519-sha512@openssh.com"
+ ];
 };
 };
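Review bot: The `"net.ipv4.tcp_congestion_control" = "bbr"` sysctl in the first common.nix hunk only takes effect if `tcp_bbr` is available when systemd-sysctl writes it; as far as I know the kernel tries to autoload the module for a privileged writer, but on a kernel that ships BBR as a module the dependency is invisible here, and adding `kernelModules = ["tcp_bbr"];` next to `kernelParams` makes it explicit. The comment `# faster tcp !!!` says nothing about what the two keys do or why they are paired; `# BBR congestion control, paired with the fq qdisc it is designed to run on` would. This hunk sits inside an attribute set whose opening and closing are outside the hunk, presumably `boot = { ... }` given `kernelPackages`/`kernelParams`/`tmp.cleanOnBoot`.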
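Review bot: In the third common.nix hunk the new `system.switch` block pairs `enable = false` with `enableNg = true` without a comment, so a reader can easily take `enable = false` to mean that switching configurations is turned off. Suggest a comment above the block such as `# Use switch-to-configuration-ng (the Rust rewrite) instead of the Perl switch-to-configuration; presumably the two options are mutually exclusive, hence enable = false — confirm against the NixOS module`. The commit message's "blazing fast" is the only rationale on record; it belongs in the file next to the option. The surrounding attribute set opens and closes outside the hunk.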
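Review bot: The explicit `KexAlgorithms` list in the server.nix hunk replaces NixOS's own hardened default for `services.openssh.settings.KexAlgorithms`, which as far as I recall already contains the curve25519 and sntrup761 entries plus `diffie-hellman-group-exchange-sha256`; this list drops group-exchange and adds group16/group18, but the comment only cites ssh-audit, so the deviation and its reason are invisible to the next reader. Please extend the comment, e.g. `# Replaces the NixOS default list: drops diffie-hellman-group-exchange-sha256, adds diffie-hellman-group16/18-sha512 (per ssh-audit); verify no client depends on group-exchange`. ssh-audit's recommendations also cover `Ciphers`, `Macs` and `HostKeyAlgorithms`; if those are deliberately left at the NixOS defaults, a sentence saying so would stop anyone assuming the KEX list is the whole hardening. The enclosing `settings = { ... }` block opens outside the hunk.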
@@ -62,5 +72,24 @@ in {
 };
 };
- systemd.services.vmagent.serviceConfig.EnvironmentFile = secrets.get "vmAuthToken";
+ systemd = {
+ services.vmagent.serviceConfig.EnvironmentFile = secrets.get "vmAuthToken";
+
+ # For more detail, see:
+ # https://0pointer.de/blog/projects/watchdog.html
+ watchdog = {
+ # systemd will send a signal to the hardware watchdog at half the interval defined here, so every 10s.
+ # If the hardware watchdog does not get a signal for 20s, it will forcefully reboot the system.
+ runtimeTime = "20s";
+ # Forcefully reboot if the final stage of the reboot hangs without progress for more than 30s.
+ # For more info, see:
+ # https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+ rebootTime = "30s";
+ };
+
+ sleep.extraConfig = ''
+ AllowSuspend=no
+ AllowHibernation=no
+ '';
+ };
 }
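Review bot: `watchdog.runtimeTime` and `rebootTime` only do anything when the kernel exposes a watchdog device; on a VM or board without one, systemd (as far as I know) just logs that it could not open the device, and the reboot-on-hang protection the comments describe silently does not exist. Worth recording that assumption next to the setting, and if these servers may lack a hardware watchdog, loading the kernel's software watchdog (`boot.kernelModules = ["softdog"];`) gives the same semantics backed by a kernel timer. The phrase "send a signal" in the first comment is also slightly misleading, since systemd pets the watchdog by writing to its device rather than signalling anything; `# systemd pings the watchdog device every runtimeTime/2 (10s); if pings stop for 20s the watchdog resets the machine` is more precise. The hunk closes the top-level attribute set whose `in {` is outside it.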