From d1d94f9c2488cceb6f5fd76c56944049bc33efec Mon Sep 17 00:00:00 2001
From: "Agatha V. Lovelace" <agatha@technogothic.net>
Date: Fri, 22 Nov 2024 17:26:56 +0100
Subject: [PATCH] Configure EarlyOOM

---
 common/linux-specific.nix | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/common/linux-specific.nix b/common/linux-specific.nix
index 8cf87fb..1bb0df6 100644
--- a/common/linux-specific.nix
+++ b/common/linux-specific.nix
@@ -1,3 +1,4 @@
+{ config, ... }:
 {
   imports = [ ./users ];
 
@@ -50,4 +51,20 @@
     '';
     settings.PasswordAuthentication = false;
   };
+
+  services.earlyoom = {
+    enable = true;
+    freeSwapThreshold = 5;
+    freeMemThreshold = 5;
+    extraArgs = [
+      "-g"
+      "--avoid '^(sshd|systemd.*|tailscale.*|)$'"
+    ];
+  };
+  # Fix Wireguard and Tailscale with NetworkManager
+  networking.firewall = {
+    checkReversePath = "loose";
+    trustedInterfaces = [ "tailscale0" ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
 }