feat: various improvements
* use tcp bbr for faster internet * use switch-to-configuration-ng (blazing fast) * restrict openssh kex algos * configure watchdog and disable suspend on servers
This commit is contained in:
parent
d2e32f8b38
commit
630c953f2f
2 changed files with 48 additions and 1 deletions
|
@ -37,6 +37,12 @@ in {
|
||||||
kernelPackages = pkgs.linuxPackages; # use lts
|
kernelPackages = pkgs.linuxPackages; # use lts
|
||||||
kernelParams = ["quiet" "loglevel=3"];
|
kernelParams = ["quiet" "loglevel=3"];
|
||||||
|
|
||||||
|
# faster tcp !!!
|
||||||
|
kernel.sysctl = {
|
||||||
|
"net.core.default_qdisc" = "fq";
|
||||||
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||||
|
};
|
||||||
|
|
||||||
tmp.cleanOnBoot = true;
|
tmp.cleanOnBoot = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -135,6 +141,13 @@ in {
|
||||||
security = {
|
security = {
|
||||||
rtkit.enable = true;
|
rtkit.enable = true;
|
||||||
polkit.enable = true;
|
polkit.enable = true;
|
||||||
|
|
||||||
|
sudo = {
|
||||||
|
execWheelOnly = true;
|
||||||
|
extraConfig = ''
|
||||||
|
Defaults lecture = never
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
@ -157,6 +170,11 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
system.switch = {
|
||||||
|
enable = false;
|
||||||
|
enableNg = true;
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.NetworkManager-wait-online.enable = lib.mkForce false;
|
systemd.services.NetworkManager-wait-online.enable = lib.mkForce false;
|
||||||
|
|
||||||
time.timeZone = "Europe/Paris";
|
time.timeZone = "Europe/Paris";
|
||||||
|
|
|
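Review bot: The `# faster tcp !!!` comment above the `kernel.sysctl` block in the first hunk does not say what the two settings do or how they relate, and nothing in the hunk ensures the `tcp_bbr` module is present when systemd-sysctl writes `net.ipv4.tcp_congestion_control`. The kernel normally autoloads `tcp_bbr` on that write, but if the module is unavailable the write fails (systemd-sysctl logs it) and the host keeps the built-in default algorithm, so verify with `sysctl net.ipv4.tcp_congestion_control` after the first switch or add `boot.kernelModules = [ "tcp_bbr" ];` alongside. `net.core.default_qdisc` only applies to qdiscs created after the sysctl is set, so an interface brought up before sysctl application keeps its previous scheduler. I would replace the comment with `# BBR congestion control, with fq as the default qdisc for new interfaces (the recommended pacing scheduler for BBR). Requires the tcp_bbr module; the kernel autoloads it on the sysctl write.`. The enclosing `boot` attribute set starts before this hunk.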
@ -30,6 +30,16 @@ in {
|
||||||
PasswordAuthentication = false;
|
PasswordAuthentication = false;
|
||||||
KbdInteractiveAuthentication = false;
|
KbdInteractiveAuthentication = false;
|
||||||
X11Forwarding = false;
|
X11Forwarding = false;
|
||||||
|
UseDns = false;
|
||||||
|
|
||||||
|
# Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
|
||||||
|
KexAlgorithms = [
|
||||||
|
"curve25519-sha256"
|
||||||
|
"curve25519-sha256@libssh.org"
|
||||||
|
"diffie-hellman-group16-sha512"
|
||||||
|
"diffie-hellman-group18-sha512"
|
||||||
|
"sntrup761x25519-sha512@openssh.com"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -62,5 +72,24 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.vmagent.serviceConfig.EnvironmentFile = secrets.get "vmAuthToken";
|
systemd = {
|
||||||
|
services.vmagent.serviceConfig.EnvironmentFile = secrets.get "vmAuthToken";
|
||||||
|
|
||||||
|
# For more detail, see:
|
||||||
|
# https://0pointer.de/blog/projects/watchdog.html
|
||||||
|
watchdog = {
|
||||||
|
# systemd will send a signal to the hardware watchdog at half the interval defined here, so every 10s.
|
||||||
|
# If the hardware watchdog does not get a signal for 20s, it will forcefully reboot the system.
|
||||||
|
runtimeTime = "20s";
|
||||||
|
# Forcefully reboot if the final stage of the reboot hangs without progress for more than 30s.
|
||||||
|
# For more info, see:
|
||||||
|
# https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
|
||||||
|
rebootTime = "30s";
|
||||||
|
};
|
||||||
|
|
||||||
|
sleep.extraConfig = ''
|
||||||
|
AllowSuspend=no
|
||||||
|
AllowHibernation=no
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
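Review bot: The `KexAlgorithms` list in the first hunk replaces the NixOS default set rather than extending it, and the comment above it does not record that or how the ssh-audit recommendation was obtained, so the next maintainer cannot tell whether adding an entry widens or narrows the policy. Two items in the list deserve a second look: `diffie-hellman-group18-sha512` is an 8192-bit group whose modular exponentiation is paid before authentication on every handshake, a pre-auth CPU cost any unauthenticated client can trigger, and it adds nothing when curve25519 and the hybrid post-quantum exchange are offered; and `sntrup761x25519-sha512@openssh.com` sits last, so if it is the preferred exchange it should be the first entry (the client's order normally decides the negotiation, but the server list is what this file documents). I would change the comment to `# Key exchange algorithms per nixpkgs#ssh-audit (run against this host); this list replaces the NixOS default rather than merging with it, so re-run ssh-audit after editing.` and move the `sntrup761x25519-sha512@openssh.com` line to the top of the list. Only KEX is restricted here; `Ciphers` and `Macs` are not visible in this hunk, so whether the NixOS defaults for them are still in force cannot be confirmed from this page and should be checked with the same tool. The enclosing `services.openssh.settings` set starts before the hunk.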