common: cap parallel builds + zramSwap to survive local rebuild storms

The mediaserver (56 cores, 31 GiB RAM, no swap) was hard-freezing on
local builds of gnupg/openldap because Nix defaulted max-jobs=auto and
launched ~56 parallel gcc compilations, blowing past available memory
and OOM-stalling AdGuard.

Cap parallelism (max-jobs=4, cores=8 per build) and add zramSwap as a
compressed in-memory safety net so a build storm can't take services
with it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

common.nix

@@ -59,12 +59,24 @@
   boot.initrd.verbose = false;
 #############################################################################
 
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings = {
+    experimental-features = [ "nix-command" "flakes" ];
+    # Default max-jobs is the host's core count, which on the 56-core
+    # mediaserver was launching ~56 parallel gcc builds and blowing past
+    # 30 GiB RAM during gnupg/openldap. Cap parallel builds and per-build
+    # cores so a local rebuild storm can't OOM the box.
+    max-jobs = 4;
+    cores = 8;
+  };
 
-  # Keep services responsive while heavy local builds run (gnupg/openldap
-  # checkPhase etc. were starving AdGuard until the binary cache catches up).
-  # Default CPUWeight is 100; halving the daemon's share lets latency-sensitive
-  # services breathe without meaningfully slowing builds on an idle box.
+  # Compressed in-memory swap as a safety net during local build storms.
+  # Without it, OOM stalls AdGuard/Jellyfin to the point of freezing the box.
+  zramSwap = {
+    enable = true;
+    memoryPercent = 50;
+  };
+
+  # Keep services responsive when nix-daemon is contending for CPU.
   systemd.services.nix-daemon.serviceConfig.CPUWeight = 50;
 
   # Use latest kernel