Tune to the role, not dogmatically. Swap off for k8s nodes (the kubelet refuses to start with swap enabled unless you explicitly tell it otherwise), a small swap everywhere else. BBR congestion control on the hosts that face the internet, not on the ones that only ever talk across the rack. There's no single right answer for the whole fleet; there is a right answer per role, and that is what goes into the baseline.
Apply it the same way everywhere. Once a role's values are decided, every host in that role gets them, and something checks that it did. The benefit is uniformity; a baseline that's applied to 13 of 15 VMs is barely a baseline, and the two you skipped are the ones that will behave differently at the worst moment.
Most defaults assume bare metal. Virtual disks on an SSD pool want a simpler I/O scheduler (none or mq-deadline; the hypervisor's storage stack already does the ordering, so a guest scheduler built for spinning disks just adds latency) and periodic TRIM (fstrim.timer) so the pool can reclaim the blocks the guest has freed; the defaults don't know they're virtual.
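A way to make the three points above enforceable: a small audit script that encodes the per-role values and reports where a host deviates. This is an added example, not a script from the original post. The role names (k8s-node, edge, general), the 4 GiB threshold for "small" swap, the fq/fq_codel qdisc choices, the virtio root disk name vda and the fstrim.timer unit are all assumptions to adjust to your fleet; the /proc and /sys paths it reads are the real kernel interfaces.

```shell
#!/bin/sh
# Added example, not from the original post: audit one host against a
# role-based baseline. Role names, the 4 GiB "small swap" threshold, the
# fq/fq_codel qdisc choices, the virtio root disk name (vda) and the
# fstrim.timer unit are assumptions; the sysctl and sysfs paths read in
# audit_live are the real kernel ones.

# swap_class SWAP_KB -> off | small | large  (4 GiB threshold is assumed)
swap_class() {
  if [ "$1" -eq 0 ]; then echo off
  elif [ "$1" -le 4194304 ]; then echo small
  else echo large
  fi
}

# active_sched "mq-deadline kyber [none]" -> none
# /sys/block/<dev>/queue/scheduler lists every scheduler, active one in brackets.
active_sched() {
  printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)].*/\1/p'
}

# expected_for ROLE KEY -> the value this role's baseline wants
expected_for() {
  case "$1/$2" in
    k8s-node/swap) echo off ;;      # kubelet refuses swap by default
    */swap)        echo small ;;    # a small swap everywhere else
    edge/cc)       echo bbr ;;      # internet-facing: BBR
    */cc)          echo cubic ;;    # assumed distro default elsewhere
    edge/qdisc)    echo fq ;;       # assumed pairing with BBR
    */qdisc)       echo fq_codel ;;
    */sched)       echo none ;;     # virtual disk on SSD: let the host order I/O
    */fstrim)      echo enabled ;;  # fstrim.timer enabled
  esac
}

# check_baseline ROLE SWAP_KB CC QDISC SCHED FSTRIM
# Prints one line per deviation and returns the deviation count, so an
# exit status of 0 means compliant and the output can feed a fleet report.
check_baseline() {
  role=$1 swap_kb=$2 cc=$3 qdisc=$4 sched=$5 fstrim=$6
  n=0
  for key in swap cc qdisc sched fstrim; do
    case $key in
      swap)   got=$(swap_class "$swap_kb") ;;
      cc)     got=$cc ;;
      qdisc)  got=$qdisc ;;
      sched)  got=$sched ;;
      fstrim) got=$fstrim ;;
    esac
    want=$(expected_for "$role" "$key")
    if [ "$got" != "$want" ]; then
      printf '%s %s: got %s, want %s\n' "$role" "$key" "$got" "$want"
      n=$((n + 1))
    fi
  done
  return "$n"
}

# audit_live ROLE: read the live kernel values and check them.
audit_live() {
  dev=${ROOT_DEV:-vda}   # assumption: virtio root disk; override with ROOT_DEV
  live_swap=$(awk '/^SwapTotal:/ {print $2}' /proc/meminfo)
  live_cc=$(cat /proc/sys/net/ipv4/tcp_congestion_control)
  live_qdisc=$(cat /proc/sys/net/core/default_qdisc)
  live_sched=$(active_sched "$(cat "/sys/block/$dev/queue/scheduler")")
  live_fstrim=$(systemctl is-enabled fstrim.timer 2>/dev/null)
  [ -n "$live_fstrim" ] || live_fstrim=absent
  check_baseline "$1" "$live_swap" "$live_cc" "$live_qdisc" "$live_sched" "$live_fstrim"
}

# Usage: sh audit.sh <role>   (e.g. sh audit.sh edge); exit status = deviations
if [ $# -ge 1 ]; then
  audit_live "$1"
fi
```

Run it from whatever already fans commands out to the fleet (ssh in a loop, Ansible, a cron job that ships the output) and the "13 of 15" problem becomes a list of hostnames instead of a suspicion. Keeping the expectations in one function per role, rather than scattered across playbooks, is what makes the baseline reviewable.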
A reboot reminder: these VMs regenerate their SSH host keys on some boots (a provisioning side effect), so a post-reboot "host key changed" warning is expected here, not a break-in. Expected is not the same as safe to ignore, though: confirm the new fingerprint out of band (from the console) before you accept it, because a warning you have trained yourself to click through is exactly the one a real interception hides behind. (See The SSH Bastion for the why and the one-line fix.)