nix/module/Kernel.nix

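{
  config,
  lib,
  pkgs,
  pkgsUnstable,
  ...
}: let
  cfg = config.module.kernel;
in {
  options.module.kernel = {
    # Master switch; none of the sysctls or the kernel override below apply
    # unless this is true.
    enable = lib.mkEnableOption "the kernel tweaks";
    hardening = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = "Apply the network and filesystem hardening sysctls.";
    };
    hotspotTtlBypass = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = "Set the default IPv4 TTL to 65.";
    };
    latest = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = "Boot linuxPackages_latest from pkgsUnstable instead of the default kernel.";
    };
  };

  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      boot.kernel.sysctl = {
        # Enable SysRq (1 = every SysRq function is allowed).
        "kernel.sysrq" = 1;

        # Increase inotify limits. The event-queue limit is
        # `fs.inotify.max_queued_events`; `fs.inotify.max_user_event` is not
        # a valid sysctl key.
        "fs.inotify.max_queued_events" = 9999999;
        "fs.inotify.max_user_instances" = 9999999;
        "fs.inotify.max_user_watches" = 9999999;
        # "fs.file-max" = 999999;
      };
    }

    (lib.mkIf cfg.hardening {
      boot.kernel.sysctl = {
        # Spoof protection: strict reverse-path filtering.
        "net.ipv4.conf.all.rp_filter" = 1;
        "net.ipv4.conf.default.rp_filter" = 1;

        # Packet forwarding off for both address families (we are not a router).
        "net.ipv4.ip_forward" = 0;
        "net.ipv6.conf.all.forwarding" = 0;

        # MITM protection: ignore ICMP redirects on existing and new interfaces.
        "net.ipv4.conf.all.accept_redirects" = 0;
        "net.ipv4.conf.default.accept_redirects" = 0;
        "net.ipv6.conf.all.accept_redirects" = 0;
        "net.ipv6.conf.default.accept_redirects" = 0;

        # Do not send ICMP redirects (we are not a router).
        "net.ipv4.conf.all.send_redirects" = 0;
        "net.ipv4.conf.default.send_redirects" = 0;

        # Do not accept IP source route packets (we are not a router).
        "net.ipv4.conf.all.accept_source_route" = 0;
        "net.ipv4.conf.default.accept_source_route" = 0;
        "net.ipv6.conf.all.accept_source_route" = 0;

        # Protect filesystem links. 1 enables the protection; 0 disables it.
        "fs.protected_hardlinks" = 1;
        "fs.protected_symlinks" = 1;

        # Lynis config.
        "kernel.core_uses_pid" = 1;
        "kernel.kptr_restrict" = 2;

        # IP hardening. Log martians for existing and new interfaces alike.
        "net.ipv4.conf.all.log_martians" = 1;
        "net.ipv4.conf.default.log_martians" = 1;
        "net.ipv4.tcp_timestamps" = 0;

        # Disable ipv6.
        "net.ipv6.conf.all.disable_ipv6" = 1;
        "net.ipv6.conf.default.disable_ipv6" = 1;
        "net.ipv6.conf.lo.disable_ipv6" = 1;
      };
    })

    (lib.mkIf cfg.hotspotTtlBypass {
      boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
    })

    (lib.mkIf cfg.latest {
      boot.kernelPackages = pkgsUnstable.linuxPackages_latest;
    })
  ]);
}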