Kernel : Disable latest by default.
This commit is contained in:
parent
067c215640
commit
4bdec48282
|
@ -10,17 +10,18 @@
|
|||
};
|
||||
|
||||
module = {
|
||||
autoupdate.enable = true;
|
||||
amd.gpu.enable = true;
|
||||
autoupdate.enable = true;
|
||||
builder.client.enable = true;
|
||||
desktop.sway.enable = true;
|
||||
kernel.enable = true;
|
||||
print.enable = true;
|
||||
strongswan.enable = true;
|
||||
tablet.enable = true;
|
||||
intel.cpu = {
|
||||
enable = true;
|
||||
powersave = true;
|
||||
};
|
||||
print.enable = true;
|
||||
strongswan.enable = true;
|
||||
tablet.enable = true;
|
||||
package = {
|
||||
common.enable = true;
|
||||
core.enable = true;
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
autoupdate.enable = true;
|
||||
builder.client.enable = true;
|
||||
desktop.sway.enable = true;
|
||||
kernel.enable = true;
|
||||
ollama.enable = true;
|
||||
print.enable = true;
|
||||
virtmanager.enable = true;
|
||||
|
|
|
@ -8,8 +8,8 @@
|
|||
in {
|
||||
# Allow packet routing (we are a router).
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.src_valid_mark" = 1;
|
||||
"net.ipv4.ip_forward" = 1;
|
||||
"net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;
|
||||
"net.ipv4.ip_forward" = lib.mkForce 1;
|
||||
};
|
||||
|
||||
# Disable SSH access from everywhere, configure access bellow.
|
||||
|
|
|
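Review bot: The two `lib.mkForce` overrides added to `boot.kernel.sysctl` silence a definition conflict without recording which module they beat; from the rest of this commit the competing value is presumably `"net.ipv4.ip_forward" = 0;` in the `module.kernel` hardening block, so a comment such as `# mkForce: module.kernel.hardening sets ip_forward = 0 for non-routers.` would keep the override explainable. Note that `mkForce` also wins over any future, stricter definition without raising a conflict, so if this router does not actually enable `module.kernel.hardening` a plain `= 1` would surface such conflicts instead of hiding them. The enclosing top-level attribute set opens at `in {` and continues past the hunk.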
@ -17,6 +17,7 @@
|
|||
module = {
|
||||
builder.server.enable = true;
|
||||
desktop.sway.enable = true;
|
||||
kernel.enable = true;
|
||||
amd = {
|
||||
cpu.enable = true;
|
||||
gpu.enable = true;
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
autoupdate.enable = true;
|
||||
builder.client.enable = true;
|
||||
desktop.sway.enable = true;
|
||||
kernel.enable = true;
|
||||
print.enable = true;
|
||||
strongswan.enable = true;
|
||||
tablet.enable = true;
|
||||
|
|
|
@ -16,12 +16,13 @@
|
|||
autoupdate.enable = true;
|
||||
builder.client.enable = true;
|
||||
desktop.sway.enable = true;
|
||||
kernel.enable = true;
|
||||
powerlimit.thinkpad.enable = true;
|
||||
print.enable = true;
|
||||
intel.cpu = {
|
||||
enable = true;
|
||||
powersave = true;
|
||||
};
|
||||
powerlimit.thinkpad.enable = true;
|
||||
print.enable = true;
|
||||
package = {
|
||||
common.enable = true;
|
||||
core.enable = true;
|
||||
|
|
|
@ -3,6 +3,15 @@
|
|||
in {
|
||||
options = {
|
||||
module.kernel = {
|
||||
enable = mkEnableOption "Enable kernel tweaks.";
|
||||
hardening = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
};
|
||||
hotspotTtlBypass = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
};
|
||||
latest = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
|
@ -10,67 +19,70 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
(mkIf cfg.latest {
|
||||
# Use latest kernel.
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
})
|
||||
|
||||
config = mkIf cfg.enable (mkMerge [
|
||||
{
|
||||
boot.kernel.sysctl = {
|
||||
# # Spoof protection.
|
||||
# "net.ipv4.conf.default.rp_filter" = 1;
|
||||
# "net.ipv4.conf.all.rp_filter" = 1;
|
||||
|
||||
# # Packet forwarding.
|
||||
# "net.ipv4.ip_forward" = 0;
|
||||
# "net.ipv6.conf.all.forwarding" = 1;
|
||||
|
||||
# # MITM protection.
|
||||
# "net.ipv4.conf.all.accept_redirects" = 0;
|
||||
# "net.ipv6.conf.all.accept_redirects" = 0;
|
||||
|
||||
# # Do not send ICMP redirects (we are not a router).
|
||||
# "net.ipv4.conf.all.send_redirects" = 0;
|
||||
|
||||
# # Do not accept IP source route packets (we are not a router).
|
||||
# "net.ipv4.conf.all.accept_source_route" = 0;
|
||||
# "net.ipv6.conf.all.accept_source_route" = 0;
|
||||
|
||||
# Allow sysrq.
|
||||
"kernel.sysrq" = 1;
|
||||
|
||||
# # Protect filesystem links.
|
||||
# "fs.protected_hardlinks" = 0;
|
||||
# "fs.protected_symlinks" = 0;
|
||||
|
||||
# # Specify ttl.
|
||||
# "net.ipv4.ip_default_ttl" = 65;
|
||||
|
||||
# # Lynis config.
|
||||
# "kernel.core_uses_pid" = 1;
|
||||
# "kernel.kptr_restrict" = 2;
|
||||
|
||||
# # IP hardening.
|
||||
# "net.ipv4.conf.all.log_martians" = 1;
|
||||
# "net.ipv4.conf.default.accept_redirects" = 0;
|
||||
# "net.ipv4.conf.default.accept_source_route" = 0;
|
||||
# "net.ipv4.conf.default.log_martians" = 0;
|
||||
# "net.ipv4.tcp_timestamps" = 0;
|
||||
# "net.ipv6.conf.default.accept_redirects" = 0;
|
||||
|
||||
# Increase file watchers.
|
||||
"fs.inotify.max_user_instances" = 9999999;
|
||||
"fs.inotify.max_user_watches" = 9999999;
|
||||
"fs.inotify.max_user_event" = 9999999;
|
||||
# "fs.file-max" = 999999;
|
||||
|
||||
# # Disable ipv6.
|
||||
# "net.ipv6.conf.all.disable_ipv6" = 1;
|
||||
# "net.ipv6.conf.default.disable_ipv6" = 1;
|
||||
# "net.ipv6.conf.lo.disable_ipv6" = 1;
|
||||
# "net.ipv6.conf.eth0.disable_ipv6" = 1;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
(mkIf cfg.hardening {
|
||||
boot.kernel.sysctl = {
|
||||
# Spoof protection.
|
||||
"net.ipv4.conf.all.rp_filter" = 1;
|
||||
"net.ipv4.conf.default.rp_filter" = 1;
|
||||
|
||||
# Packet forwarding.
|
||||
"net.ipv4.ip_forward" = 0;
|
||||
"net.ipv6.conf.all.forwarding" = 1;
|
||||
|
||||
# MITM protection.
|
||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
|
||||
# Do not send ICMP redirects (we are not a router).
|
||||
"net.ipv4.conf.all.send_redirects" = 0;
|
||||
|
||||
# Do not accept IP source route packets (we are not a router).
|
||||
"net.ipv4.conf.all.accept_source_route" = 0;
|
||||
"net.ipv6.conf.all.accept_source_route" = 0;
|
||||
|
||||
# Protect filesystem links.
|
||||
"fs.protected_hardlinks" = 0;
|
||||
"fs.protected_symlinks" = 0;
|
||||
|
||||
# Lynis config.
|
||||
"kernel.core_uses_pid" = 1;
|
||||
"kernel.kptr_restrict" = 2;
|
||||
|
||||
# IP hardening.
|
||||
"net.ipv4.conf.all.log_martians" = 1;
|
||||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||
"net.ipv4.conf.default.accept_source_route" = 0;
|
||||
"net.ipv4.conf.default.log_martians" = 0;
|
||||
"net.ipv4.tcp_timestamps" = 0;
|
||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||
|
||||
# Disable ipv6.
|
||||
"net.ipv6.conf.all.disable_ipv6" = 1;
|
||||
"net.ipv6.conf.default.disable_ipv6" = 1;
|
||||
"net.ipv6.conf.lo.disable_ipv6" = 1;
|
||||
};
|
||||
})
|
||||
|
||||
(mkIf cfg.hotspotTtlBypass {
|
||||
boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
|
||||
})
|
||||
|
||||
(mkIf cfg.latest {
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
})
|
||||
]);
|
||||
}
|
||||
|
|
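Review bot: In the new `mkIf cfg.hardening` block the heading reads `# Protect filesystem links.` but the values `"fs.protected_hardlinks" = 0;` and `"fs.protected_symlinks" = 0;` turn that protection off (1 is the value that enables it), so opting into `hardening` weakens the host on this point; both lines should read `= 1;`. The same block sets `"net.ipv4.conf.default.log_martians" = 0;` next to `all.log_martians = 1`, and `"net.ipv6.conf.all.forwarding" = 1;` under a heading whose IPv4 counterpart is 0 and whose neighbouring comments say "we are not a router" — these look carried over from the old commented-out list rather than chosen as hardening values and deserve a second look. The three `mkOption` declarations in the first hunk carry no `description`, which NixOS option-documentation generation can complain about; one line each, e.g. `description = "Apply the sysctl hardening set below.";`, would fix that. Since the commit flips the `latest` default, a short comment on that option saying why it is now opt-in would save the next reader a git blame.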