From aaa491c48dbc986bfdbe314093fb0596117c709d Mon Sep 17 00:00:00 2001
From: Dmitry Voronin <account@voronind.com>
Date: Thu, 25 Jan 2024 17:42:42 +0300
Subject: [PATCH] Sysctl : Migrate to nix.

---
 .config/linux/nix/Common.nix | 55 +++++++++++++++++++++
 .config/linux/sysctl.conf    | 96 ------------------------------------
 2 files changed, 55 insertions(+), 96 deletions(-)
 delete mode 100644 .config/linux/sysctl.conf

diff --git a/.config/linux/nix/Common.nix b/.config/linux/nix/Common.nix
index bb8e628..edb6df4 100644
--- a/.config/linux/nix/Common.nix
+++ b/.config/linux/nix/Common.nix
@@ -40,6 +40,61 @@
 	boot.loader.systemd-boot.enable      = true;
 	boot.loader.efi.canTouchEfiVariables = true;
 
+	# Sysctl.
+	boot.kernel.sysctl = {
+		# Spoof protection.
+		"net.ipv4.conf.default.rp_filter" = 1;
+		"net.ipv4.conf.all.rp_filter"     = 1;
+
+		# Packet forwarding.
+		"net.ipv4.ip_forward" = 1;
+		# "net.ipv6.conf.all.forwarding" = 1;
+
+		# MITM protection.
+		"net.ipv4.conf.all.accept_redirects" = 0;
+		"net.ipv6.conf.all.accept_redirects" = 0;
+
+		# Do not send ICMP redirects (we are not a router).
+		"net.ipv4.conf.all.send_redirects" = 0;
+
+		# Do not accept IP source route packets (we are not a router).
+		"net.ipv4.conf.all.accept_source_route" = 0;
+		"net.ipv6.conf.all.accept_source_route" = 0;
+
+		# Allow sysrq.
+		"kernel.sysrq" = 1;
+
+		# Protect filesystem links.
+		# "fs.protected_hardlinks" = 0;
+		# "fs.protected_symlinks"  = 0;
+
+		# Specify ttl.
+		"net.ipv4.ip_default_ttl" = 65;
+
+		# Lynis config.
+		"kernel.core_uses_pid" = 1;
+		"kernel.kptr_restrict" = 2;
+
+		# IP hardening.
+		"net.ipv4.conf.all.log_martians"            = 1;
+		"net.ipv4.conf.default.accept_redirects"    = 0;
+		"net.ipv4.conf.default.accept_source_route" = 0;
+		"net.ipv4.conf.default.log_martians"        = 0;
+		"net.ipv4.tcp_timestamps"                   = 0;
+		"net.ipv6.conf.default.accept_redirects"    = 0;
+
+		# Increase file watchers.
+		"fs.inotify.max_user_instances" = 999999;
+		"fs.inotify.max_user_watches"   = 999999;
+		"fs.inotify.max_user_event"     = 999999;
+
+		# Disable ipv6.
+		"net.ipv6.conf.all.disable_ipv6"     = 1;
+		"net.ipv6.conf.default.disable_ipv6" = 1;
+		"net.ipv6.conf.lo.disable_ipv6"      = 1;
+		"net.ipv6.conf.eth0.disable_ipv6"    = 1;
+	};
+
 	# Network.
 	networking.networkmanager.enable = true;
 
diff --git a/.config/linux/sysctl.conf b/.config/linux/sysctl.conf
deleted file mode 100644
index e7afe8f..0000000
--- a/.config/linux/sysctl.conf
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# /etc/sysctl.conf - Configuration file for setting system variables
-# See /etc/sysctl.d/ for additional system variables.
-# See sysctl.conf (5) for information.
-#
-
-#kernel.domainname = example.com
-
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 3 4 1 3
-
-##############################################################3
-# Functions previously found in netbase
-#
-
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-net.ipv4.conf.default.rp_filter=1
-net.ipv4.conf.all.rp_filter=1
-
-# Uncomment the next line to enable TCP/IP SYN cookies
-# See http://lwn.net/Articles/277146/
-# Note: This may impact IPv6 TCP sessions too
-#net.ipv4.tcp_syncookies=1
-
-# Uncomment the next line to enable packet forwarding for IPv4
-net.ipv4.ip_forward=1
-
-# Uncomment the next line to enable packet forwarding for IPv6
-#  Enabling this option disables Stateless Address Autoconfiguration
-#  based on Router Advertisements for this host
-#net.ipv6.conf.all.forwarding=1
-
-
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-net.ipv4.conf.all.accept_redirects = 0
-net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-net.ipv4.conf.all.accept_source_route = 0
-net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-#
-
-###################################################################
-# Magic system request Key
-# 0=disable, 1=enable all
-# Debian kernels have this set to 0 (disable the key)
-# See https://www.kernel.org/doc/Documentation/sysrq.txt
-# for what other values do
-kernel.sysrq=1
-
-###################################################################
-# Protected links
-#
-# Protects against creating or following links under certain conditions
-# Debian kernels have both set to 1 (restricted) 
-# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
-#fs.protected_hardlinks=0
-#fs.protected_symlinks=0
-
-net.ipv4.ip_default_ttl=65
-
-#lynis
-kernel.core_uses_pid=1
-kernel.kptr_restrict=2
-net.ipv4.conf.all.log_martians=1
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.default.accept_source_route=0
-net.ipv4.conf.default.log_martians=0
-net.ipv4.tcp_timestamps=0
-net.ipv6.conf.default.accept_redirects=0
-fs.inotify.max_user_instances=999999
-fs.inotify.max_user_watches=999999
-fs.inotify.max_user_event=999999
-net.ipv6.conf.all.disable_ipv6=1
-net.ipv6.conf.default.disable_ipv6=1
-net.ipv6.conf.lo.disable_ipv6=1
-net.ipv6.conf.eth0.disable_ipv6=1