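{ config, lib, pkgs, ... }:

# NixOS module: opt-in kernel sysctl tweaks, with a separate hardening
# profile, a TTL override and a switch to the latest kernel packages.
let
  cfg = config.module.kernel;
in
{
  options.module.kernel = {
    # mkEnableOption renders this as "Whether to enable <text>." — a trailing
    # period in the argument would produce a doubled ".." in the generated docs.
    enable = lib.mkEnableOption "the kernel tweaks";

    hardening = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = "Apply the network and filesystem hardening sysctls (see config below).";
    };

    hotspotTtlBypass = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = "Set net.ipv4.ip_default_ttl to 65.";
    };

    latest = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = "Use pkgs.linuxPackages_latest instead of the default kernel packages.";
    };
  };

  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      boot.kernel.sysctl = {
        # Allow all sysrq functions. The hardening profile below does not
        # override this value; restrict it separately on hosts where physical
        # console access is not trusted.
        "kernel.sysrq" = 1;

        # Increase inotify limits. The queued-events key is
        # fs.inotify.max_queued_events; the previous spelling
        # (fs.inotify.max_user_event) is not a kernel sysctl and could not be
        # applied at boot.
        "fs.inotify.max_queued_events" = 9999999;
        "fs.inotify.max_user_instances" = 9999999;
        "fs.inotify.max_user_watches" = 9999999;
        # "fs.file-max" = 999999;
      };
    }

    (lib.mkIf cfg.hardening {
      boot.kernel.sysctl = {
        # Spoof protection: strict reverse-path filtering. Strict mode can drop
        # legitimate traffic on hosts with asymmetric routing; use 2 (loose)
        # there.
        "net.ipv4.conf.all.rp_filter" = 1;
        "net.ipv4.conf.default.rp_filter" = 1;

        # Packet forwarding off for both address families (we are not a
        # router). IPv6 forwarding was previously left enabled here, which
        # contradicted the IPv4 setting and the rest of this profile.
        "net.ipv4.ip_forward" = 0;
        "net.ipv6.conf.all.forwarding" = 0;

        # MITM protection: ignore ICMP redirects on existing and new interfaces.
        "net.ipv4.conf.all.accept_redirects" = 0;
        "net.ipv4.conf.default.accept_redirects" = 0;
        "net.ipv6.conf.all.accept_redirects" = 0;
        "net.ipv6.conf.default.accept_redirects" = 0;

        # Do not send ICMP redirects (we are not a router).
        "net.ipv4.conf.all.send_redirects" = 0;
        "net.ipv4.conf.default.send_redirects" = 0;

        # Do not accept IP source route packets (we are not a router).
        "net.ipv4.conf.all.accept_source_route" = 0;
        "net.ipv4.conf.default.accept_source_route" = 0;
        "net.ipv6.conf.all.accept_source_route" = 0;

        # Protect filesystem links: 1 enables the restriction. The previous
        # value of 0 disabled it, the opposite of what a hardening profile
        # should do.
        "fs.protected_hardlinks" = 1;
        "fs.protected_symlinks" = 1;

        # Lynis recommendations: tag core dumps with the PID and hide kernel
        # pointers from all users.
        "kernel.core_uses_pid" = 1;
        "kernel.kptr_restrict" = 2;

        # Log packets with impossible source addresses on existing and new
        # interfaces (the default-interface value was previously 0, so newly
        # created interfaces would not have logged them).
        "net.ipv4.conf.all.log_martians" = 1;
        "net.ipv4.conf.default.log_martians" = 1;

        # Disable TCP timestamps. Note this also disables PAWS (protection
        # against wrapped sequence numbers) on high-bandwidth links.
        "net.ipv4.tcp_timestamps" = 0;

        # Disable IPv6 entirely.
        "net.ipv6.conf.all.disable_ipv6" = 1;
        "net.ipv6.conf.default.disable_ipv6" = 1;
        "net.ipv6.conf.lo.disable_ipv6" = 1;
      };
    })

    (lib.mkIf cfg.hotspotTtlBypass {
      boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
    })

    (lib.mkIf cfg.latest {
      boot.kernelPackages = pkgs.linuxPackages_latest;
    })
  ]);
}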