diff --git a/profiles/sysadmin.nix b/profiles/sysadmin.nix index b21ac7a..3e3adf4 100644 --- a/profiles/sysadmin.nix +++ b/profiles/sysadmin.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: { +{ pkgs, lib, ... }: { users.users.root.openssh.authorizedKeys.keyFiles = [ ../pubkeys/raito.keys ../pubkeys/bensmrs.keys @@ -6,10 +6,50 @@ ../pubkeys/jeltz.keys ]; + nix.package = lib.mkDefault pkgs.lix; + users.motd = (builtins.readFile ./federez.motd); networking.firewall.logRefusedConnections = false; security.auditd.enable = true; + services.nginx = { + recommendedOptimisation = lib.mkDefault true; + recommendedTlsSettings = lib.mkDefault true; + recommendedProxySettings = lib.mkDefault true; + recommendedGzipSettings = lib.mkDefault true; + eventsConfig = '' + worker_connections 8192; + ''; + appendConfig = '' + worker_rlimit_nofile 16384; + ''; + }; + + services.journald.extraConfig = "SystemMaxUse=512M"; + + nix.gc = { + automatic = true; + persistent = true; + dates = lib.mkDefault "daily"; + options = "--delete-older-than 30d"; + }; + + boot.kernelParams = [ + "panic=30" "boot.panic_on_fail" + ]; + + boot.kernel.sysctl = { + # Set default TCP congestion control algorithm + "net.ipv4.tcp_congestion_control" = "bbr"; + + # Enable ECN + "net.ipv4.tcp_ecn" = 1; + + # Enable TCP fast open + "net.ipv4.tcp_fastopen" = 3; + }; + + environment.systemPackages = [ pkgs.htop pkgs.kitty.terminfo
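Review bot: In the second hunk `eventsConfig`, `appendConfig`, `services.journald.extraConfig` and the `nix.gc` `automatic`/`persistent`/`options` values are set without `lib.mkDefault`, unlike the `recommended*` settings and `dates` right beside them, so a host that needs a different worker count or journal cap gets a conflicting-definition error instead of a plain override; wrapping them the same way, e.g. `services.journald.extraConfig = lib.mkDefault "SystemMaxUse=512M";` and `eventsConfig = lib.mkDefault '' … '';`, keeps the profile a baseline rather than a hard setting. The `SystemMaxUse=512M` cap also bounds how far back host logs reach during an incident, so a one-line comment stating that longer retention is expected to come from off-host log shipping (or that this value is sized for it) would help the next reader. The `boot.kernel.sysctl` block is commented but `"net.ipv4.tcp_fastopen" = 3` only says "Enable TCP fast open"; since 3 also enables server-side Fast Open for any listener that opts in, a comment such as `# 3 = client + server; server side only applies to sockets that opt in` would make that choice deliberate. The surrounding attribute set continues past the end of the hunk.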