Kernel : Disable latest by default.

Dmitry Voronin 2024-08-24 20:20:13 +03:00
parent 067c215640
commit 4bdec48282
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
7 changed files with 76 additions and 59 deletions


@ -10,17 +10,18 @@
}; };
module = { module = {
autoupdate.enable = true;
amd.gpu.enable = true; amd.gpu.enable = true;
autoupdate.enable = true;
builder.client.enable = true; builder.client.enable = true;
desktop.sway.enable = true; desktop.sway.enable = true;
kernel.enable = true;
print.enable = true;
strongswan.enable = true;
tablet.enable = true;
intel.cpu = { intel.cpu = {
enable = true; enable = true;
powersave = true; powersave = true;
}; };
print.enable = true;
strongswan.enable = true;
tablet.enable = true;
package = { package = {
common.enable = true; common.enable = true;
core.enable = true; core.enable = true;


@ -13,6 +13,7 @@
autoupdate.enable = true; autoupdate.enable = true;
builder.client.enable = true; builder.client.enable = true;
desktop.sway.enable = true; desktop.sway.enable = true;
kernel.enable = true;
ollama.enable = true; ollama.enable = true;
print.enable = true; print.enable = true;
virtmanager.enable = true; virtmanager.enable = true;


@ -8,8 +8,8 @@
in { in {
# Allow packet routing (we are a router). # Allow packet routing (we are a router).
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = 1; "net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = lib.mkForce 1;
}; };
# Disable SSH access from everywhere, configure access bellow. # Disable SSH access from everywhere, configure access bellow.
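Review bot: The `lib.mkForce` added on `net.ipv4.ip_forward` and `src_valid_mark` silences a priority conflict instead of stating why it exists — presumably this host enables `module.kernel.hardening`, whose block sets `"net.ipv4.ip_forward" = 0;`. A one-line comment such as `# mkForce: wins over module.kernel.hardening, which sets ip_forward = 0.` would tell the next reader which module is being overridden. If hardening is indeed on here, its strict `"net.ipv4.conf.all.rp_filter" = 1;` is not forced back and, given `src_valid_mark` (which looks like policy-routing support for a VPN), may drop asymmetrically routed forwarded traffic; consider `"net.ipv4.conf.all.rp_filter" = lib.mkForce 2;` alongside, or an assertion that documents the expected combination. The enclosing attribute set continues outside the hunk.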


@ -17,6 +17,7 @@
module = { module = {
builder.server.enable = true; builder.server.enable = true;
desktop.sway.enable = true; desktop.sway.enable = true;
kernel.enable = true;
amd = { amd = {
cpu.enable = true; cpu.enable = true;
gpu.enable = true; gpu.enable = true;


@ -14,6 +14,7 @@
autoupdate.enable = true; autoupdate.enable = true;
builder.client.enable = true; builder.client.enable = true;
desktop.sway.enable = true; desktop.sway.enable = true;
kernel.enable = true;
print.enable = true; print.enable = true;
strongswan.enable = true; strongswan.enable = true;
tablet.enable = true; tablet.enable = true;


@ -16,12 +16,13 @@
autoupdate.enable = true; autoupdate.enable = true;
builder.client.enable = true; builder.client.enable = true;
desktop.sway.enable = true; desktop.sway.enable = true;
kernel.enable = true;
powerlimit.thinkpad.enable = true;
print.enable = true;
intel.cpu = { intel.cpu = {
enable = true; enable = true;
powersave = true; powersave = true;
}; };
powerlimit.thinkpad.enable = true;
print.enable = true;
package = { package = {
common.enable = true; common.enable = true;
core.enable = true; core.enable = true;


@ -3,6 +3,15 @@
in { in {
options = { options = {
module.kernel = { module.kernel = {
enable = mkEnableOption "Enable kernel tweaks.";
hardening = mkOption {
default = false;
type = types.bool;
};
hotspotTtlBypass = mkOption {
default = false;
type = types.bool;
};
latest = mkOption { latest = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
@ -10,67 +19,70 @@ in {
}; };
}; };
config = mkMerge [ config = mkIf cfg.enable (mkMerge [
(mkIf cfg.latest {
# Use latest kernel.
boot.kernelPackages = pkgs.linuxPackages_latest;
})
{ {
boot.kernel.sysctl = { boot.kernel.sysctl = {
# # Spoof protection.
# "net.ipv4.conf.default.rp_filter" = 1;
# "net.ipv4.conf.all.rp_filter" = 1;
# # Packet forwarding.
# "net.ipv4.ip_forward" = 0;
# "net.ipv6.conf.all.forwarding" = 1;
# # MITM protection.
# "net.ipv4.conf.all.accept_redirects" = 0;
# "net.ipv6.conf.all.accept_redirects" = 0;
# # Do not send ICMP redirects (we are not a router).
# "net.ipv4.conf.all.send_redirects" = 0;
# # Do not accept IP source route packets (we are not a router).
# "net.ipv4.conf.all.accept_source_route" = 0;
# "net.ipv6.conf.all.accept_source_route" = 0;
# Allow sysrq. # Allow sysrq.
"kernel.sysrq" = 1; "kernel.sysrq" = 1;
# # Protect filesystem links.
# "fs.protected_hardlinks" = 0;
# "fs.protected_symlinks" = 0;
# # Specify ttl.
# "net.ipv4.ip_default_ttl" = 65;
# # Lynis config.
# "kernel.core_uses_pid" = 1;
# "kernel.kptr_restrict" = 2;
# # IP hardening.
# "net.ipv4.conf.all.log_martians" = 1;
# "net.ipv4.conf.default.accept_redirects" = 0;
# "net.ipv4.conf.default.accept_source_route" = 0;
# "net.ipv4.conf.default.log_martians" = 0;
# "net.ipv4.tcp_timestamps" = 0;
# "net.ipv6.conf.default.accept_redirects" = 0;
# Increase file watchers. # Increase file watchers.
"fs.inotify.max_user_instances" = 9999999; "fs.inotify.max_user_instances" = 9999999;
"fs.inotify.max_user_watches" = 9999999; "fs.inotify.max_user_watches" = 9999999;
"fs.inotify.max_user_event" = 9999999; "fs.inotify.max_user_event" = 9999999;
# "fs.file-max" = 999999; # "fs.file-max" = 999999;
# # Disable ipv6.
# "net.ipv6.conf.all.disable_ipv6" = 1;
# "net.ipv6.conf.default.disable_ipv6" = 1;
# "net.ipv6.conf.lo.disable_ipv6" = 1;
# "net.ipv6.conf.eth0.disable_ipv6" = 1;
}; };
} }
];
(mkIf cfg.hardening {
boot.kernel.sysctl = {
# Spoof protection.
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.default.rp_filter" = 1;
# Packet forwarding.
"net.ipv4.ip_forward" = 0;
"net.ipv6.conf.all.forwarding" = 1;
# MITM protection.
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
# Do not send ICMP redirects (we are not a router).
"net.ipv4.conf.all.send_redirects" = 0;
# Do not accept IP source route packets (we are not a router).
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Protect filesystem links.
"fs.protected_hardlinks" = 0;
"fs.protected_symlinks" = 0;
# Lynis config.
"kernel.core_uses_pid" = 1;
"kernel.kptr_restrict" = 2;
# IP hardening.
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.default.accept_source_route" = 0;
"net.ipv4.conf.default.log_martians" = 0;
"net.ipv4.tcp_timestamps" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Disable ipv6.
"net.ipv6.conf.all.disable_ipv6" = 1;
"net.ipv6.conf.default.disable_ipv6" = 1;
"net.ipv6.conf.lo.disable_ipv6" = 1;
};
})
(mkIf cfg.hotspotTtlBypass {
boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
})
(mkIf cfg.latest {
boot.kernelPackages = pkgs.linuxPackages_latest;
})
]);
} }
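Review bot: In the new `hardening` block, the lines under `# Protect filesystem links.` set `"fs.protected_hardlinks" = 0;` and `"fs.protected_symlinks" = 0;`, which turns those protections off (1 enables the link restrictions, 0 disables them), so enabling `module.kernel.hardening` weakens the host on exactly the point the comment claims to protect; both should be `= 1`. In the same block `"net.ipv6.conf.all.forwarding" = 1;` contradicts the neighbouring `"net.ipv4.ip_forward" = 0;` and the "we are not a router" comments and should be `0`, and `"net.ipv4.conf.default.log_martians" = 0;` contradicts `"net.ipv4.conf.all.log_martians" = 1;` two lines above. These values were previously commented out and become live for the first time through the new option, so they deserve a check before anyone turns it on. Separately, `"kernel.sysrq" = 1;` in the unconditional block enables every SysRq function; now that a hardening profile exists, a restricted mask (for example `16`, sync only) or `0` is the usual hardened choice, and `mkEnableOption "Enable kernel tweaks."` renders as "Whether to enable Enable kernel tweaks." — `mkEnableOption "kernel tweaks"` reads correctly.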