# NixOS module: keeps the PhotonCloud control-plane port band out of the
# kernel's automatic (ephemeral) port assignment.
{ lib, ... }:

{
  # PhotonCloud control-plane services listen inside 50051-50090. Without a
  # reservation, an outbound peer/backend connection opened during boot can be
  # handed one of these ports as its source port, and the listener that starts
  # later then fails to bind.
  #
  # Scope of the setting: ip_local_reserved_ports only removes the ports from
  # automatic assignment. An explicit bind() to a port in the band still
  # succeeds, which is what lets the services claim their ports, and it also
  # means the reservation is not access control: it does not stop another local
  # process from binding one of these ports first.
  #
  # lib.mkDefault makes this a low-priority default. A definition of the same
  # sysctl at normal priority elsewhere replaces the whole string instead of
  # extending it, so a host that reserves further ports has to repeat this
  # range in its own value.
  boot.kernel.sysctl."net.ipv4.ip_local_reserved_ports" = lib.mkDefault "50051-50090";
}