From 4bdec4828267e0514c77c71892603cb2e18f1daf Mon Sep 17 00:00:00 2001
From: Dmitry Voronin
Date: Sat, 24 Aug 2024 20:20:13 +0300
Subject: [PATCH] Kernel : Disable latest by default.
---
 host/x86_64-linux/dasha/default.nix | 9 +-
 host/x86_64-linux/desktop/default.nix | 1 +
 host/x86_64-linux/home/Network.nix | 4 +-
 host/x86_64-linux/home/default.nix | 1 +
 host/x86_64-linux/laptop/default.nix | 1 +
 host/x86_64-linux/work/default.nix | 5 +-
 module/Kernel.nix | 114 ++++++++++++++------------
 7 files changed, 76 insertions(+), 59 deletions(-)
diff --git a/host/x86_64-linux/dasha/default.nix b/host/x86_64-linux/dasha/default.nix
index e70e014..3410385 100644
--- a/host/x86_64-linux/dasha/default.nix
+++ b/host/x86_64-linux/dasha/default.nix
@@ -10,17 +10,18 @@
 };
 module = {
- autoupdate.enable = true;
 amd.gpu.enable = true;
+ autoupdate.enable = true;
 builder.client.enable = true;
 desktop.sway.enable = true;
+ kernel.enable = true;
+ print.enable = true;
+ strongswan.enable = true;
+ tablet.enable = true;
 intel.cpu = {
 enable = true;
 powersave = true;
 };
- print.enable = true;
- strongswan.enable = true;
- tablet.enable = true;
 package = {
 common.enable = true;
 core.enable = true;
diff --git a/host/x86_64-linux/desktop/default.nix b/host/x86_64-linux/desktop/default.nix
index 8a9ec9a..8af1c2d 100644
--- a/host/x86_64-linux/desktop/default.nix
+++ b/host/x86_64-linux/desktop/default.nix
@@ -13,6 +13,7 @@
 autoupdate.enable = true;
 builder.client.enable = true;
 desktop.sway.enable = true;
+ kernel.enable = true;
 ollama.enable = true;
 print.enable = true;
 virtmanager.enable = true;
diff --git a/host/x86_64-linux/home/Network.nix b/host/x86_64-linux/home/Network.nix
index a4d2139..c3df025 100644
--- a/host/x86_64-linux/home/Network.nix
+++ b/host/x86_64-linux/home/Network.nix
@@ -8,8 +8,8 @@ in {
 # Allow packet routing (we are a router).
 boot.kernel.sysctl = {
- "net.ipv4.conf.all.src_valid_mark" = 1;
- "net.ipv4.ip_forward" = 1;
+ "net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;
+ "net.ipv4.ip_forward" = lib.mkForce 1;
 };
 # Disable SSH access from everywhere, configure access bellow.
diff --git a/host/x86_64-linux/home/default.nix b/host/x86_64-linux/home/default.nix
index 6f9b1b8..f8fb08c 100644
--- a/host/x86_64-linux/home/default.nix
+++ b/host/x86_64-linux/home/default.nix
@@ -17,6 +17,7 @@
 module = {
 builder.server.enable = true;
 desktop.sway.enable = true;
+ kernel.enable = true;
 amd = {
 cpu.enable = true;
 gpu.enable = true;
diff --git a/host/x86_64-linux/laptop/default.nix b/host/x86_64-linux/laptop/default.nix
index 7701e3d..a47dad4 100644
--- a/host/x86_64-linux/laptop/default.nix
+++ b/host/x86_64-linux/laptop/default.nix
@@ -14,6 +14,7 @@
 autoupdate.enable = true;
 builder.client.enable = true;
 desktop.sway.enable = true;
+ kernel.enable = true;
 print.enable = true;
 strongswan.enable = true;
 tablet.enable = true;
diff --git a/host/x86_64-linux/work/default.nix b/host/x86_64-linux/work/default.nix
index f29a4fb..bc523cd 100644
--- a/host/x86_64-linux/work/default.nix
+++ b/host/x86_64-linux/work/default.nix
@@ -16,12 +16,13 @@
 autoupdate.enable = true;
 builder.client.enable = true;
 desktop.sway.enable = true;
+ kernel.enable = true;
+ powerlimit.thinkpad.enable = true;
+ print.enable = true;
 intel.cpu = {
 enable = true;
 powersave = true;
 };
- powerlimit.thinkpad.enable = true;
- print.enable = true;
 package = {
 common.enable = true;
 core.enable = true;
diff --git a/module/Kernel.nix b/module/Kernel.nix
index 54259d7..20324b7 100644
--- a/module/Kernel.nix
+++ b/module/Kernel.nix
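Review bot: The two `lib.mkForce` overrides on `src_valid_mark` and `ip_forward` win silently over any other definition, and nothing in the file says which definition they are meant to beat; from the Kernel.nix hunk it looks like `module.kernel.hardening` sets `net.ipv4.ip_forward = 0`, but this host only enables `module.kernel.enable` (home/default.nix hunk), not `hardening`, so the force on `ip_forward` is currently unopposed and the one on `src_valid_mark` has no visible counterpart at all. Suggest a comment above the block, e.g. `# mkForce: module.kernel.hardening defines ip_forward = 0; a router must win that merge.`, so the next reader does not remove it as redundant. Keep in mind that mkForce also suppresses the conflict error NixOS would otherwise raise when two modules assign different values, so if `hardening` is enabled on this host later, its remaining settings (strict `rp_filter`, `send_redirects = 0`, IPv6 disabled) would land on the router without any signal.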
@@ -3,6 +3,15 @@ in {
 options = {
 module.kernel = {
+ enable = mkEnableOption "Enable kernel tweaks.";
+ hardening = mkOption {
+ default = false;
+ type = types.bool;
+ };
+ hotspotTtlBypass = mkOption {
+ default = false;
+ type = types.bool;
+ };
 latest = mkOption {
 default = false;
 type = types.bool;
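Review bot: `mkEnableOption "Enable kernel tweaks."` renders in the option docs as "Whether to enable Enable kernel tweaks..", because mkEnableOption already prefixes "Whether to enable " and appends the period; use `enable = mkEnableOption "kernel tweaks";`. The new `hardening` and `hotspotTtlBypass` options carry no `description`, so nothing in the module tells a host author what turning them on changes; add e.g. `description = "Apply the sysctl hardening set (rp_filter, redirects, source routing, kptr_restrict, IPv6 disabled).";` to `hardening` and a similar one-liner to `hotspotTtlBypass`. Note that `latest` keeps `default = false` as unchanged context here, so the behavioural change of this commit is that every sysctl is now gated behind `enable`, not the `latest` default the subject line names.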
@@ -10,67 +19,70 @@ in {
 };
 };
- config = mkMerge [
- (mkIf cfg.latest {
- # Use latest kernel.
- boot.kernelPackages = pkgs.linuxPackages_latest;
- })
-
+ config = mkIf cfg.enable (mkMerge [
 {
 boot.kernel.sysctl = {
- # # Spoof protection.
- # "net.ipv4.conf.default.rp_filter" = 1;
- # "net.ipv4.conf.all.rp_filter" = 1;
-
- # # Packet forwarding.
- # "net.ipv4.ip_forward" = 0;
- # "net.ipv6.conf.all.forwarding" = 1;
-
- # # MITM protection.
- # "net.ipv4.conf.all.accept_redirects" = 0;
- # "net.ipv6.conf.all.accept_redirects" = 0;
-
- # # Do not send ICMP redirects (we are not a router).
- # "net.ipv4.conf.all.send_redirects" = 0;
-
- # # Do not accept IP source route packets (we are not a router).
- # "net.ipv4.conf.all.accept_source_route" = 0;
- # "net.ipv6.conf.all.accept_source_route" = 0;
-
 # Allow sysrq.
 "kernel.sysrq" = 1;
- # # Protect filesystem links.
- # "fs.protected_hardlinks" = 0;
- # "fs.protected_symlinks" = 0;
-
- # # Specify ttl.
- # "net.ipv4.ip_default_ttl" = 65;
-
- # # Lynis config.
- # "kernel.core_uses_pid" = 1;
- # "kernel.kptr_restrict" = 2;
-
- # # IP hardening.
- # "net.ipv4.conf.all.log_martians" = 1;
- # "net.ipv4.conf.default.accept_redirects" = 0;
- # "net.ipv4.conf.default.accept_source_route" = 0;
- # "net.ipv4.conf.default.log_martians" = 0;
- # "net.ipv4.tcp_timestamps" = 0;
- # "net.ipv6.conf.default.accept_redirects" = 0;
-
 # Increase file watchers.
 "fs.inotify.max_user_instances" = 9999999;
 "fs.inotify.max_user_watches" = 9999999;
 "fs.inotify.max_user_event" = 9999999;
 # "fs.file-max" = 999999;
-
- # # Disable ipv6.
- # "net.ipv6.conf.all.disable_ipv6" = 1;
- # "net.ipv6.conf.default.disable_ipv6" = 1;
- # "net.ipv6.conf.lo.disable_ipv6" = 1;
- # "net.ipv6.conf.eth0.disable_ipv6" = 1;
 };
 }
- ];
+
+ (mkIf cfg.hardening {
+ boot.kernel.sysctl = {
+ # Spoof protection.
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = 1;
+
+ # Packet forwarding.
+ "net.ipv4.ip_forward" = 0;
+ "net.ipv6.conf.all.forwarding" = 1;
+
+ # MITM protection.
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+
+ # Do not send ICMP redirects (we are not a router).
+ "net.ipv4.conf.all.send_redirects" = 0;
+
+ # Do not accept IP source route packets (we are not a router).
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+
+ # Protect filesystem links.
+ "fs.protected_hardlinks" = 0;
+ "fs.protected_symlinks" = 0;
+
+ # Lynis config.
+ "kernel.core_uses_pid" = 1;
+ "kernel.kptr_restrict" = 2;
+
+ # IP hardening.
+ "net.ipv4.conf.all.log_martians" = 1;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_source_route" = 0;
+ "net.ipv4.conf.default.log_martians" = 0;
+ "net.ipv4.tcp_timestamps" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+
+ # Disable ipv6.
+ "net.ipv6.conf.all.disable_ipv6" = 1;
+ "net.ipv6.conf.default.disable_ipv6" = 1;
+ "net.ipv6.conf.lo.disable_ipv6" = 1;
+ };
+ })
+
+ (mkIf cfg.hotspotTtlBypass {
+ boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
+ })
+
+ (mkIf cfg.latest {
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ })
+ ]);
 }
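Review bot: `"fs.protected_hardlinks" = 0;` and `"fs.protected_symlinks" = 0;` in the new `hardening` block turn the link protections off, the opposite of what the `# Protect filesystem links.` comment above them and the option name promise; a hardening profile should set `"fs.protected_hardlinks" = 1;` and `"fs.protected_symlinks" = 1;`. In the same block `"net.ipv6.conf.all.forwarding" = 1;` sits next to `"net.ipv4.ip_forward" = 0;` and the "we are not a router" comments, so it presumably should read `"net.ipv6.conf.all.forwarding" = 0;`, and `net.ipv4.conf.default.log_martians = 0` contradicts the `all` setting of 1 two lines above it. Until this commit all of these were inert `# #` comments; moving them behind `cfg.hardening` is what makes each value live, so every line deserves a second look before a host enables the option. Unrelated to the change, the unchanged context line `"fs.inotify.max_user_event"` does not appear to be a real inotify sysctl (the queue limit is `fs.inotify.max_queued_events`), so it probably fails to apply and is worth confirming on a host. The hunk starts inside the `options` attrset, whose opening is in the previous hunk.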