{...}: {
  boot.kernel.sysctl = {
    "kernel.panic" = 60;
    "vm.swappiness" = 2;
    #"vm.vfs_cache_pressure" = 80;
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
    #"net.ipv4.tcp_window_scaling" = 0;
    # as per https://wiki.archlinux.org/index.php/Sysctl#Improving_performance
    "net.core.rmem_default" = 1048576;
    "net.core.rmem_max" = 16777216;
    # "net.core.rmem_max" = 268435456;
    "net.core.wmem_default" = 1048576;
    "net.core.wmem_max" = 16777216;
    # "net.core.wmem_max" = 268435456;
    "net.core.optmem_max" = 65536;

    # https://unix.stackexchange.com/a/471951
    #
    # "net.ipv4.tcp_rmem" = "4096 87380 20097152";
    # "net.ipv4.tcp_wmem" = "4096 65536 16777216";
    "net.ipv4.tcp_rmem" = "4096 87380 134217728";
    "net.ipv4.tcp_wmem" = "4096 65536 134217728";

    "net.ipv4.udp_rmem_min" = 8192;
    "net.ipv4.udp_wmem_min" = 8192;

    # TCP Fast Open is an extension to the transmission control protocol (TCP) that
    # helps reduce network latency by enabling data to be exchanged during the
    # sender's initial TCP SYN. Using the value 3 instead of the default 1 allows
    # TCP Fast Open for both incoming and outgoing connections
    "net.ipv4.tcp_fastopen" = 3;

    # tcp_max_tw_buckets is the maximum number of sockets in TIME_WAIT state.
    # After reaching this number the system will start destroying the socket that
    # are in this state.  Increase this to prevent simple DOS attacks
    "net.ipv4.tcp_max_tw_buckets" = 2000000;

    # tcp_tw_reuse sets whether TCP should reuse an existing connection in the
    # TIME-WAIT state for a new outgoing connection if the new timestamp is
    # strictly bigger than the most recent timestamp recorded for the previous
    # connection.
    # This helps avoid from running out of available network sockets
    "net.ipv4.tcp_tw_reuse" = 1;

    # With the following settings, your application will detect dead TCP
    # connections after 120 seconds (60s + 10s + 10s + 10s + 10s + 10s + 10s).
    "net.ipv4.tcp_keepalive_time" = 60;
    "net.ipv4.tcp_keepalive_intvl" = 10;
    "net.ipv4.tcp_keepalive_probes" = 6;

    "net.ipv4.conf.default.rp_filter" = 2;
    "net.ipv4.conf.all.rp_filter" = 2;

    "net.ipv4.conf.default.log_martians" = 1;
    "net.ipv4.conf.all.log_martians" = 1;

    # Route cache is full: consider increasing sysctl net.ipv6.route.max_size
    # net.ipv6.route.max_size = 8192;
    "net.ipv6.route.max_size" = 65536;

    # https://developer.akamai.com/blog/2012/09/27/linux-tcpip-tuning-scalability
    "net.ipv4.ip_local_port_range" = "18000 65535";
    #"net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 30;
    "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 60;
    "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
    "net.ipv4.tcp_slow_start_after_idle" = 0;

    "net.ipv4.tcp_no_metrics_save" = 1;
    # doesn't work on arch with Zen, works on fedora with XanMod.
    "net.core.default_qdisc" = "fq";

    # failed to initialize inotify - default value here was 128
    "fs.inotify.max_user_instances" = 256;

    "net.ipv4.tcp_window_scaling" = 1;

    # The longer the maximum transmission unit (MTU) the better for performance,
    # but the worse for reliability.  This is because a lost packet means more data
    # to be retransmitted and because many routers on the Internet cannot deliver
    # very long packets
    "net.ipv4.tcp_mtu_probing" = 1;

    # sync disk when buffer reach 6% of memory
    "vm.dirty_ratio" = 6;

    "kernel.numa_balancing" = 1;

    "net.core.netdev_max_backlog" = 250000;

    # tcp_max_syn_backlog is the maximum queue length of pending connections
    # 'Waiting Acknowledgment'.  In the event of a synflood DOS attack, this queue
    # can fill up pretty quickly, at which point TCP SYN cookies will kick in
    # allowing your system to continue to respond to legitimate traffic, and
    # allowing you to gain access to block malicious IPs.  If the server suffers
    # from overloads at peak times, you may want to increase this value a little
    # bit
    "net.ipv4.tcp_max_syn_backlog" = 8192;

    # TCP SYN cookie protection
    # Helps protect against SYN flood attacks. Only kicks in when
    # net.ipv4.tcp_max_syn_backlog is reached. More details at, for example, [6].
    # As of linux 5.10, it is set by default.
    "net.ipv4.tcp_syncookies" = 1;

    # Protect against tcp time-wait assassination hazards, drop RST packets for
    # sockets in the time-wait state. Not widely supported outside of Linux, but
    # conforms to RFC
    "net.ipv4.tcp_rfc1337" = 1;

    # Specify how many seconds to wait for a final FIN packet before the socket is
    # forcibly closed. This is strictly a violation of the TCP specification, but
    # required to prevent denial-of-service attacks. In Linux 2.2, the default
    # value was 180
    "net.ipv4.tcp_fin_timeout" = 30;

    # When an attacker is trying to exploit the local kernel, it is often
    # helpful to be able to examine where in memory the kernel, modules,
    # and data structures live. As such, kernel addresses should be treated
    # as sensitive information.
    #
    # Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
    # /proc/modules, etc), and this setting can censor the addresses. A value
    # of "0" allows all users to see the kernel addresses. A value of "1"
    # limits visibility to the root user, and "2" blocks even the root user.
    "kernel.kptr_restrict" = 1;

    # mitigate JIT spraying attacks from unprivileged users
    "net.core.bpf_jit_harden" = 1;
    # disallow regular users to run BPF programs
    "kernel.unprivileged_bpf_disabled" = 0;

    "fs.protected_fifos" = 1;
    "fs.protected_symlinks" = 1;
    "fs.protected_hardlinks" = 1;
    "fs.protected_regular" = 2;

    # full randomisation
    "kernel.randomize_va_space" = 2;

    "kernel.pid_max " = 4194304;

    # ad rootless podman
    "user.max_user_namespaces" = 15000;
    "net.ipv4.ping_group_range" = "0 2000000";
  };
}