Better limiting on nextcloud, crossed things off todo.

hosts/pi-main/default.nix

@@ -100,6 +100,33 @@
   #   "rclone:remote:homey"
   homey.backup.repository = "s3:https://s3.us-east-005.backblazeb2.com/zakobar-home-backup";
 
+  # -------------------------------------------------------------------------
+  # Reliability hardening
+  # -------------------------------------------------------------------------
+
+  # Hardware watchdog — auto-reboot if the system hangs (e.g. blocked USB I/O).
+  # bcm2835_wdt exposes /dev/watchdog; systemd pets it every runtimeTime/2.
+  # If systemd itself stops responding, the hardware resets the Pi after 20s.
+  boot.kernelModules = [ "bcm2835_wdt" ];
+  systemd.watchdog = {
+    runtimeTime = "300s";  # 5 min — generous window for boot I/O storm on USB drive
+    rebootTime  = "360s";
+  };
+
+  # Compressed in-RAM swap via zstd.  Pages evicted from RAM are compressed
+  # (~3:1 ratio) and stored in a 25% RAM region (~2 GB) rather than written
+  # to disk.  Gives the OOM killer breathing room under PHP upload spikes.
+  # CPU overhead is negligible during normal operation.
+  zramSwap = {
+    enable        = true;
+    algorithm     = "zstd";
+    memoryPercent = 25;
+  };
+
+  # hdparm -B udev rule removed: USB-SATA bridges often don't support APM
+  # commands and hdparm can hang indefinitely, causing boot-time crashes.
+  environment.systemPackages = [ pkgs.hdparm ];
+
   # -------------------------------------------------------------------------
   # Local DNS overrides (optional — makes LAN clients hit the Pi directly
   # instead of going through Cloudflare for *.zakobar.com)