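{ pkgs, config, lib, ... }:
# Kernel tweaks module: baseline sysctl changes, an opt-in sysctl hardening
# profile, a hotspot TTL override, and an opt-in switch to the newest kernel
# packages. Everything is gated on `module.kernel.enable`.
with lib;
let
  cfg = config.module.kernel;
in {
  options = {
    module.kernel = {
      # mkEnableOption already prefixes the text with "Whether to enable ",
      # so the argument is a noun phrase, not a full sentence.
      enable = mkEnableOption "kernel tweaks";

      hardening = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Apply the sysctl hardening profile: strict reverse-path filtering,
          forwarding and ICMP-redirect/source-route handling disabled,
          protected hard/symlinks, kptr_restrict, and IPv6 disabled.
        '';
      };

      hotspotTtlBypass = mkOption {
        default = false;
        type = types.bool;
        description = "Override net.ipv4.ip_default_ttl with 65 instead of the kernel default of 64.";
      };

      latest = mkOption {
        default = false;
        type = types.bool;
        description = "Boot pkgs.linuxPackages_latest instead of the default NixOS kernel.";
      };
    };
  };

  config = mkIf cfg.enable (mkMerge [
    # Baseline: applied whenever the module is enabled.
    {
      boot.kernel.sysctl = {
        # Allow sysrq. A value of 1 enables every SysRq function (the NixOS
        # default is 16, sync only); anyone with console/keyboard access can
        # then reboot, kill processes or dump kernel state via SysRq.
        "kernel.sysrq" = 1;

        # Increase inotify limits (file watchers).
        "fs.inotify.max_user_instances" = 9999999;
        "fs.inotify.max_user_watches" = 9999999;
        # The per-instance event queue knob is fs.inotify.max_queued_events;
        # "fs.inotify.max_user_event" is not a kernel sysctl and only yields
        # an error at activation time.
        "fs.inotify.max_queued_events" = 9999999;
        # "fs.file-max" = 999999;
      };
    }

    (mkIf cfg.hardening {
      boot.kernel.sysctl = {
        # Spoof protection: strict reverse-path filtering.
        "net.ipv4.conf.all.rp_filter" = 1;
        "net.ipv4.conf.default.rp_filter" = 1;

        # Packet forwarding off for both address families (this host is not
        # a router, see the send_redirects/accept_source_route comments).
        "net.ipv4.ip_forward" = 0;
        "net.ipv6.conf.all.forwarding" = 0;

        # MITM protection: ignore ICMP redirects.
        "net.ipv4.conf.all.accept_redirects" = 0;
        "net.ipv6.conf.all.accept_redirects" = 0;

        # Do not send ICMP redirects (we are not a router).
        "net.ipv4.conf.all.send_redirects" = 0;
        "net.ipv4.conf.default.send_redirects" = 0;

        # Do not accept IP source route packets (we are not a router).
        "net.ipv4.conf.all.accept_source_route" = 0;
        "net.ipv6.conf.all.accept_source_route" = 0;

        # Protect filesystem links. 1 turns the restriction on (0 turns it
        # off): hardlinks may only be created to files the caller owns or can
        # write, and symlinks in sticky world-writable directories are only
        # followed when the follower and symlink owner match.
        "fs.protected_hardlinks" = 1;
        "fs.protected_symlinks" = 1;

        # Lynis config: core dump names carry the PID; kernel pointers are
        # hidden from everyone, including root.
        "kernel.core_uses_pid" = 1;
        "kernel.kptr_restrict" = 2;

        # IP hardening. log_martians is set on both "all" and "default" so
        # interfaces created later are covered too.
        "net.ipv4.conf.all.log_martians" = 1;
        "net.ipv4.conf.default.accept_redirects" = 0;
        "net.ipv4.conf.default.accept_source_route" = 0;
        "net.ipv4.conf.default.log_martians" = 1;
        # Disabling TCP timestamps also disables PAWS and RTT measurement for
        # new connections; confirm that trade-off is intended before relying
        # on it.
        "net.ipv4.tcp_timestamps" = 0;
        "net.ipv6.conf.default.accept_redirects" = 0;

        # Disable ipv6.
        "net.ipv6.conf.all.disable_ipv6" = 1;
        "net.ipv6.conf.default.disable_ipv6" = 1;
        "net.ipv6.conf.lo.disable_ipv6" = 1;
      };
    })

    # Default outgoing IPv4 TTL of 65 instead of the kernel default of 64.
    (mkIf cfg.hotspotTtlBypass {
      boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
    })

    (mkIf cfg.latest {
      boot.kernelPackages = pkgs.linuxPackages_latest;
    })
  ]);
}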