Ensuring sshd is never OOMd?

After bumping the nixpkgs input of my systems’ flake and rebuilding, sshd was unfortunately (presumably; I’m not yet able to verify) OOMed on a remote Nix build server along with VPN and a health monitor service. I presume this because nginx is still serving request and the SSH port is open, but silent.

My question is then if there is anything I can do to minimize, if not ensure, sshd is never OOMd (aside from waiting for hydra to settle). I stumbled upon Use systemd Out-Of-Memory Killer · Issue #113903 · NixOS/nixpkgs · GitHub and found in the options that systemd-oomd is disabled for system.slice within which nix-daemon and sshd lives, but I did not find a way to “mark” sshd as “dont OOM, thanks”. Is this something I can configure?

Thanks.

If sshd got OOMed, I don’t think the SSH port would be open. It would reject requests at that point.

That being said, you can add the systemd property OOMScoreAdjust = -1000 to the sshd service to stop it from being oom killed by the kernel’s oom killer. Systemd’s oomd wont touch sshd AFAICT.