2024-10-11 23:27:07 +03:00
|
|
|
{
|
2024-11-04 04:37:29 +03:00
|
|
|
config,
|
|
|
|
lib,
|
|
|
|
pkgs,
|
2024-11-15 01:42:21 +03:00
|
|
|
pkgsUnstable,
|
2024-11-04 04:37:29 +03:00
|
|
|
...
|
|
|
|
}: let
|
|
|
|
cfg = config.module.kernel;
|
|
|
|
in {
|
|
|
|
options.module.kernel = {
|
|
|
|
enable = lib.mkEnableOption "the kernel tweaks.";
|
|
|
|
hardening = lib.mkOption {
|
|
|
|
default = false;
|
|
|
|
type = lib.types.bool;
|
|
|
|
};
|
|
|
|
hotspotTtlBypass = lib.mkOption {
|
|
|
|
default = false;
|
|
|
|
type = lib.types.bool;
|
|
|
|
};
|
|
|
|
latest = lib.mkOption {
|
|
|
|
default = false;
|
|
|
|
type = lib.types.bool;
|
|
|
|
};
|
|
|
|
};
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
config = lib.mkIf cfg.enable (lib.mkMerge [
|
|
|
|
{
|
|
|
|
boot.kernel.sysctl = {
|
|
|
|
# Allow sysrq.
|
|
|
|
"kernel.sysrq" = 1;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# Increase file watchers.
|
|
|
|
"fs.inotify.max_user_event" = 9999999;
|
|
|
|
"fs.inotify.max_user_instances" = 9999999;
|
|
|
|
"fs.inotify.max_user_watches" = 9999999;
|
|
|
|
# "fs.file-max" = 999999;
|
|
|
|
};
|
|
|
|
}
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
(lib.mkIf cfg.hardening {
|
|
|
|
boot.kernel.sysctl = {
|
|
|
|
# Spoof protection.
|
|
|
|
"net.ipv4.conf.all.rp_filter" = 1;
|
|
|
|
"net.ipv4.conf.default.rp_filter" = 1;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# Packet forwarding.
|
|
|
|
"net.ipv4.ip_forward" = 0;
|
|
|
|
"net.ipv6.conf.all.forwarding" = 1;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# MITM protection.
|
|
|
|
"net.ipv4.conf.all.accept_redirects" = 0;
|
|
|
|
"net.ipv6.conf.all.accept_redirects" = 0;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# Do not send ICMP redirects (we are not a router).
|
|
|
|
"net.ipv4.conf.all.send_redirects" = 0;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# Do not accept IP source route packets (we are not a router).
|
|
|
|
"net.ipv4.conf.all.accept_source_route" = 0;
|
|
|
|
"net.ipv6.conf.all.accept_source_route" = 0;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# Protect filesystem links.
|
|
|
|
"fs.protected_hardlinks" = 0;
|
|
|
|
"fs.protected_symlinks" = 0;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# Lynis config.
|
|
|
|
"kernel.core_uses_pid" = 1;
|
|
|
|
"kernel.kptr_restrict" = 2;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# IP hardening.
|
|
|
|
"net.ipv4.conf.all.log_martians" = 1;
|
|
|
|
"net.ipv4.conf.default.accept_redirects" = 0;
|
|
|
|
"net.ipv4.conf.default.accept_source_route" = 0;
|
|
|
|
"net.ipv4.conf.default.log_martians" = 0;
|
|
|
|
"net.ipv4.tcp_timestamps" = 0;
|
|
|
|
"net.ipv6.conf.default.accept_redirects" = 0;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# Disable ipv6.
|
|
|
|
"net.ipv6.conf.all.disable_ipv6" = 1;
|
|
|
|
"net.ipv6.conf.default.disable_ipv6" = 1;
|
|
|
|
"net.ipv6.conf.lo.disable_ipv6" = 1;
|
|
|
|
};
|
|
|
|
})
|
2024-08-24 20:20:13 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
(lib.mkIf cfg.hotspotTtlBypass {
|
|
|
|
boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
|
|
|
|
})
|
2024-08-24 20:20:13 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
(lib.mkIf cfg.latest {
|
2024-11-15 01:42:21 +03:00
|
|
|
boot.kernelPackages = pkgsUnstable.linuxPackages_latest;
|
2024-11-04 04:37:29 +03:00
|
|
|
})
|
|
|
|
]);
|
2024-03-04 00:34:39 +03:00
|
|
|
}
|