feat: various improvements

* use tcp bbr for faster internet
* use switch-to-configuration-ng (blazing fast)
* restrict openssh kex algos
* configure watchdog and disable suspend on servers

configs/server.nix

@@ -30,6 +30,16 @@ in {
         PasswordAuthentication = false;
         KbdInteractiveAuthentication = false;
         X11Forwarding = false;
+        UseDns = false;
+
+        # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+        KexAlgorithms = [
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group16-sha512"
+          "diffie-hellman-group18-sha512"
+          "sntrup761x25519-sha512@openssh.com"
+        ];
       };
     };
 
@@ -62,5 +72,24 @@ in {
     };
   };
 
-  systemd.services.vmagent.serviceConfig.EnvironmentFile = secrets.get "vmAuthToken";
+  systemd = {
+    services.vmagent.serviceConfig.EnvironmentFile = secrets.get "vmAuthToken";
+
+    # For more detail, see:
+    #   https://0pointer.de/blog/projects/watchdog.html
+    watchdog = {
+      # systemd will send a signal to the hardware watchdog at half the interval defined here, so every 10s.
+      # If the hardware watchdog does not get a signal for 20s, it will forcefully reboot the system.
+      runtimeTime = "20s";
+      # Forcefully reboot if the final stage of the reboot hangs without progress for more than 30s.
+      # For more info, see:
+      #   https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+      rebootTime = "30s";
+    };
+
+    sleep.extraConfig = ''
+      AllowSuspend=no
+      AllowHibernation=no
+    '';
+  };
 }