nix/module/common/Kernel.nix

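{ pkgs, ... }: {
  # Track the newest mainline kernel so upstream security fixes land quickly.
  # NOTE(review): linuxPackages_latest moves with every kernel release, so
  # out-of-tree modules that lag behind mainline may stop building after an
  # update — prefer an LTS package set if any such module is in use.
  boot.kernelPackages = pkgs.linuxPackages_latest;

  boot.kernel.sysctl = {
    # --- Network hardening (currently disabled; kept for reference) ---
    # # Spoof protection (reverse-path filtering).
    # "net.ipv4.conf.default.rp_filter" = 1;
    # "net.ipv4.conf.all.rp_filter" = 1;
    # # Packet forwarding.
    # # NOTE(review): as originally written this disabled IPv4 forwarding but
    # # ENABLED IPv6 forwarding, contradicting the "we are not a router"
    # # comments below. Both should be 0 on a non-router host.
    # "net.ipv4.ip_forward" = 0;
    # "net.ipv6.conf.all.forwarding" = 0;
    # # MITM protection: ignore ICMP redirects.
    # "net.ipv4.conf.all.accept_redirects" = 0;
    # "net.ipv6.conf.all.accept_redirects" = 0;
    # # Do not send ICMP redirects (we are not a router).
    # "net.ipv4.conf.all.send_redirects" = 0;
    # # Do not accept IP source-routed packets (we are not a router).
    # "net.ipv4.conf.all.accept_source_route" = 0;
    # "net.ipv6.conf.all.accept_source_route" = 0;

    # Magic SysRq. The value 1 enables EVERY function — process kill, memory
    # and task dumps, raw reboot — for anyone who can reach the console
    # keyboard. If only the emergency REISUB sequence is wanted, a bitmask
    # such as 244 (keyboard control + sync + remount-ro + signals + reboot)
    # grants that subset without the debugging dumps; 0 disables SysRq.
    "kernel.sysrq" = 1;

    # # Protect filesystem links (mitigates symlink/hardlink races in
    # # world-writable directories).
    # # NOTE(review): these were previously written as 0, which would DISABLE
    # # the protection the heading describes; NixOS appears to enable both by
    # # default, so the correct value if ever uncommented is 1.
    # "fs.protected_hardlinks" = 1;
    # "fs.protected_symlinks" = 1;

    # # Specify TTL.
    # "net.ipv4.ip_default_ttl" = 65;

    # # Lynis recommendations.
    # "kernel.core_uses_pid" = 1;
    # # Hide kernel pointers from all users, including root.
    # "kernel.kptr_restrict" = 2;
    # # IP hardening.
    # "net.ipv4.conf.all.log_martians" = 1;
    # "net.ipv4.conf.default.accept_redirects" = 0;
    # "net.ipv4.conf.default.accept_source_route" = 0;
    # # NOTE(review): previously 0 here while "all" was 1; the interface
    # # default should match so newly created interfaces also log martians.
    # "net.ipv4.conf.default.log_martians" = 1;
    # # Disabling TCP timestamps hides uptime from fingerprinting but also
    # # turns off PAWS and RTT measurement — a trade-off, not a free win.
    # "net.ipv4.tcp_timestamps" = 0;
    # "net.ipv6.conf.default.accept_redirects" = 0;

    # Raise inotify limits (editors and file watchers exhaust the defaults).
    # NOTE(review): these are per-user caps on kernel memory — each watch pins
    # roughly a kilobyte — so a value this large lets a single local user tie
    # up a large amount of RAM (local DoS). 524288 watches is usually plenty.
    "fs.inotify.max_user_instances" = 9999999;
    "fs.inotify.max_user_watches" = 9999999;
    # Fixed key: the sysctl is max_queued_events. The previous name
    # "fs.inotify.max_user_event" does not exist, so the setting was never
    # applied (systemd-sysctl only warns about unknown keys).
    "fs.inotify.max_queued_events" = 9999999;
    # "fs.file-max" = 999999;

    # # Disable IPv6.
    # # NOTE(review): "eth0" assumes legacy interface naming; check `ip link`
    # # before enabling, as a wrong name is ignored rather than rejected.
    # "net.ipv6.conf.all.disable_ipv6" = 1;
    # "net.ipv6.conf.default.disable_ipv6" = 1;
    # "net.ipv6.conf.lo.disable_ipv6" = 1;
    # "net.ipv6.conf.eth0.disable_ipv6" = 1;
  };
}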