AeolianDeck Surface Hardening Initiative

Surface Pro 7 Performance & Network Optimization

Codename: “AeolianDeck Surface Hardening Initiative”

Session Overview

Objective
Transform the Surface Pro 7 into a high-performance Ubuntu development workstation with reliable hotspot networking.

Hardware
Microsoft Surface Pro 7 running Ubuntu 22.04.5 LTS (Surface kernel 6.17.1-surface-2).

Network
Samsung S22 Ultra mobile hotspot serving as the primary internet connection.

Primary use cases include Python development for the AskAva AI project, trading and finance tooling, and heavy machine learning workloads.

File & Folder Structure

Created / Modified Paths

/home/ava/
├── surface_fullscan.sh
├── surface_fullscan_report.txt
├── surface_integrity_sweep.sh
├── surface_integrity_sweep_report.txt
│
├── AeolianDeck/
│   ├── ASKAVA/
│   │   ├── .git/
│   │   └── ASKAVA/ (duplicate)
│   └── ASKAVA_backup/
│
├── .config/
│   ├── brave-flags.conf
│   └── askava/
│
├── .local/share/askava_env/
├── .ssh/id_ed25519[.pub]
└── Projects/poetry-test/.venv

System Configuration Touchpoints

/etc/NetworkManager/conf.d/wifi-powersave-off.conf
/etc/modprobe.d/iwlwifi.conf
/etc/NetworkManager/system-connections/AVA's S22 Ultra
/etc/sysctl.d/99-network-tweaks.conf
/etc/udev/rules.d/60-scheduler.rules
/etc/systemd/system/zramswap.service.d/
/etc/systemd/system/snapd.service.d/
/etc/ufw/user.rules

Network Optimization

Completed

Item	Status	Notes
WiFi power management	Disabled	Prevents throughput drops.
Intel WiFi driver tweaks	Applied	`11n_disable=8`, `power_save=0`, `uapsd_disable=1`.
MTU optimization	Configured	Set to 1500 to avoid fragmentation.
Regulatory domain	Set	Country code AU (Australia).
IPv6 privacy extensions	Enabled	Improved privacy posture.

Pending

Item	Status	Action
Hotspot channel	Awaiting change	Force S22 Ultra to non-DFS 5 GHz channel (36/40/44/48).
5 GHz preference	Pending	Lock Surface profile to 5 GHz only in NetworkManager.
WiFi 6 verification	Pending	Confirm sustained HE-MCS modulation after channel lock.

Current link statistics: channel 149 (DFS), throughput 576.4 Mbps TX / 960.7 Mbps RX, signal -55 dBm, TX power reading 0 dBm (unexpectedly low).

System Performance

Completed

Surface kernel 6.17.1-surface-2 installed.
Touch and stylus operational via iptsd.
TLP configured for AC performance mode.
Tuned daemon active for adaptive optimization.
ZRAM swap enabled with default configuration.

Pending Improvements

Enable VAAPI GPU video decode to cut CPU usage by 30-50%.
Re-tune ZRAM based on available RAM (8/16/32 GB).
Remove Snap ecosystem to free RAM and prevent UI freezes.
Switch I/O scheduler to BFQ for smoother multitasking.

Conflicts detected: snap-auto-cpufreq overlaps with TLP duties, and Snap services introduce ~25 mount units.

AskAva Project Structure

Current Issues

Duplicate repository nested at ASKAVA/ASKAVA/.
Git remotes rely on HTTPS instead of SSH.
No project-specific virtual environment in place.
Missing launcher command for system-wide access.

Target Layout

~/AeolianDeck/ASKAVA/
├── .git/
├── .venv/
├── src/
├── config/
└── requirements.txt

~/.config/askava/
~/.local/share/askava_env/
/usr/local/bin/askava

Security Configuration

Current Safeguards

UFW firewall enforcing drop-by-default.
Fail2Ban active.
No exposed Cloudflare tunnels or VPN services.
Docker installed without public services.

Hardening Roadmap

Restrict firewall allowances to hotspot subnet (10.147.136.0/24).
Remove SMB/NetBIOS ports (137-139, 445).
Disable unused services: ModemManager, whoopsie, motd-news, snap.auto-cpufreq.

Repositories & Python Environment

Git Remotes

Repository	Remote	Action
~/AeolianDeck	github.com/Lostboy01/ASKAVA.git	Switch to SSH remote.
~/.oh-my-zsh	github.com/ohmyzsh/ohmyzsh.git	Switch to SSH remote.
~/iptsd	github.com/linux-surface/iptsd.git	Switch to SSH remote.

No SSH keys exist yet—generate id_ed25519 and register with GitHub.

Python Footprint

200+ packages installed globally (TensorFlow, PyTorch, pandas, scikit-learn, etc.).
Potential dependency conflicts and heavy memory usage.
Recommendation: isolate projects via venv and set PIP_REQUIRE_VIRTUALENV=true.

Systemd & Browser Optimization

Service Audit

Performance conflicts: snap.auto-cpufreq, snapd.service, 18 snap mount units.
Disable if unused: ModemManager, whoopsie.path, motd-news.timer.
Core services to keep: NetworkManager, tlp, tuned, docker, fail2ban, ufw.

Browser Tasks

Add VAAPI-friendly launch flags for Brave/Firefox.
Install intel-media-va-driver-non-free.
Key flags: --enable-features=VaapiVideoDecoder,VaapiVideoEncoder, --enable-zero-copy, --use-gl=desktop, --ozone-platform=wayland.

Unified Task List

Critical Path

✅ WiFi power management disabled.
✅ Intel driver optimizations applied.
✅ Regulatory domain set to AU.
⏳ Lock S22 Ultra hotspot to channel 36/40/44/48.
⏳ Remove duplicate ASKAVA/ASKAVA directory.
⏳ Convert Git remotes to SSH.

Performance & Stability

⏳ Remove Snap ecosystem or optimize usage.
⏳ Enable VAAPI GPU decoding.
⏳ Tune ZRAM for installed RAM.
⏳ Create AskAva virtual environment and launcher.
⏳ Harden UFW to hotspot LAN-only.
⏳ Disable unnecessary systemd services.
⏳ Tune I/O scheduler to BFQ.
⏳ Set up monthly integrity checks and Wi-Fi performance monitor.

Pending User Decisions

Provide installed RAM amount (8 / 16 / 32 GB).
Choose Snap strategy: 1 = remove, 2 = optimize.
Confirm ability to adjust hotspot to a non-DFS channel.

Projected Impact

Metric	Before	Target After
Wi-Fi throughput	200-400 Mbps, unstable	700-1200 Mbps, stable
CPU load during video playback	40-60%	10-20% with VAAPI
Available RAM	Limited (Snap overhead)	+2-3 GB reclaimed
Boot time	Slow due to Snap delays	30-40% faster
UI responsiveness	Periodic freezes	Smooth interaction