Here are a few highlights that might be good for general use:
{ ... }:
{
  # I could argue that all of these should be set by default
  boot.tmp.useTmpfs = true;
  nix.settings.auto-optimise-store = true;
  nix.gc.automatic = true;
  security.sudo.enable = false;

  # AIUI this is the best current choice for SSDs
  hardware.block.defaultScheduler = "kyber";

  # lazy binding is a net security loss
  # ideally all programs would be built with -fPIE -z relro -z now
  # but that's a much bigger project
  environment.variables.LD_BIND_NOW = "t";

  boot.kernel.sysctl = {
    # I conjecture that the bulk of Linux's problems with swap
    # thrashing are caused by the huge amount of RAM that's
    # allowed to be consumed by dirty pages by default.
    # These would ideally be tuned based on the speed at which
    # the system's persistent storage can sink random-offset writes.
    "vm.dirty_background_bytes" = 1048576; # 0x100000 = 1M
    "vm.dirty_bytes" = 2097152; # 0x200000 = 2M
    "vm.admin_reserve_kbytes" = 131072; # 0x20000 = 128k
    "vm.overcommit_memory" = 2;
    "vm.overcommit_ratio" = 90;
    # Ideally, this would be set to 2**32, to ensure that pointers
    # that get truncated to 32 bits are trapped. However, fixed-
    # position executables are linked with a base address of 0x400000;
    # if we go any higher than that, they won't load. I'd like to
    # enforce "all executables must be position-independent" as well,
    # but that's presently infeasible. And finally, patchelf (as
    # currently implemented) sometimes creates a one-page segment
    # just below 0x400000 to give itself more space to work with.
    "vm.mmap_min_addr" = 4190208; # 0x3FF000
    "vm.mmap_rnd_bits" = 32;
  };
}
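A quick way to confirm the sysctl values above are actually in effect after a rebuild, as an added example that is not part of the original post: the script compares `sysctl -a` output against the expected values and reports anything missing or still at its default. The sample input embedded below is constructed, with two keys deliberately left at typical kernel defaults.

```shell
#!/bin/sh
# Added example (not from the post): audit a running system against the
# sysctl values in the snippet above. Input is `sysctl -a` output, i.e.
# "key = value" lines; run `sysctl -a > /tmp/sysctl.out` and pass that file.

# Expected key/value pairs, taken from the snippet above.
expected_sysctls() {
  cat <<'EOF'
vm.dirty_background_bytes 1048576
vm.dirty_bytes 2097152
vm.admin_reserve_kbytes 131072
vm.overcommit_memory 2
vm.overcommit_ratio 90
vm.mmap_min_addr 4190208
vm.mmap_rnd_bits 32
EOF
}

# count_sysctl_mismatches FILE
# Prints each missing or differing key to stderr, and the total number of
# problems to stdout (0 means every expected value is in effect).
count_sysctl_mismatches() {
  bad=0
  while read -r key want; do
    have=$(awk -v k="$key" '$1 == k { print $3; exit }' "$1")
    if [ -z "$have" ]; then
      echo "MISSING  $key (want $want)" >&2
      bad=$((bad + 1))
    elif [ "$have" != "$want" ]; then
      echo "MISMATCH $key = $have (want $want)" >&2
      bad=$((bad + 1))
    fi
  done <<EOF
$(expected_sysctls)
EOF
  echo "$bad"
}

# Constructed sample of `sysctl -a` output: two values still at kernel defaults.
sample_sysctl_output() {
  cat <<'EOF'
vm.admin_reserve_kbytes = 131072
vm.dirty_background_bytes = 1048576
vm.dirty_bytes = 2097152
vm.mmap_min_addr = 65536
vm.mmap_rnd_bits = 32
vm.overcommit_memory = 0
vm.overcommit_ratio = 90
EOF
}

# Stand-alone demo against the constructed sample.
tmp=$(mktemp)
sample_sysctl_output > "$tmp"
problems=$(count_sysctl_mismatches "$tmp")
rm -f "$tmp"
echo "$problems sysctl(s) differ from the hardened configuration"
```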
The common/coredumps.nix, services/monitoring.nix, and services/serial-console.nix mini-modules might also be useful to people running servers.