{ pkgs, config, lib, ... }: with lib; let cfg = config.module.common.kernel; in { options = { module.common.kernel = { latest = mkOption { default = true; type = types.bool; }; }; }; config = mkMerge [ (mkIf cfg.latest { # Use latest kernel. boot.kernelPackages = pkgs.linuxPackages_latest; }) { boot.kernel.sysctl = { # # Spoof protection. # "net.ipv4.conf.default.rp_filter" = 1; # "net.ipv4.conf.all.rp_filter" = 1; # # Packet forwarding. # "net.ipv4.ip_forward" = 0; # "net.ipv6.conf.all.forwarding" = 1; # # MITM protection. # "net.ipv4.conf.all.accept_redirects" = 0; # "net.ipv6.conf.all.accept_redirects" = 0; # # Do not send ICMP redirects (we are not a router). # "net.ipv4.conf.all.send_redirects" = 0; # # Do not accept IP source route packets (we are not a router). # "net.ipv4.conf.all.accept_source_route" = 0; # "net.ipv6.conf.all.accept_source_route" = 0; # Allow sysrq. "kernel.sysrq" = 1; # # Protect filesystem links. # "fs.protected_hardlinks" = 0; # "fs.protected_symlinks" = 0; # # Specify ttl. # "net.ipv4.ip_default_ttl" = 65; # # Lynis config. # "kernel.core_uses_pid" = 1; # "kernel.kptr_restrict" = 2; # # IP hardening. # "net.ipv4.conf.all.log_martians" = 1; # "net.ipv4.conf.default.accept_redirects" = 0; # "net.ipv4.conf.default.accept_source_route" = 0; # "net.ipv4.conf.default.log_martians" = 0; # "net.ipv4.tcp_timestamps" = 0; # "net.ipv6.conf.default.accept_redirects" = 0; # Increase file watchers. "fs.inotify.max_user_instances" = 9999999; "fs.inotify.max_user_watches" = 9999999; "fs.inotify.max_user_event" = 9999999; # "fs.file-max" = 999999; # # Disable ipv6. # "net.ipv6.conf.all.disable_ipv6" = 1; # "net.ipv6.conf.default.disable_ipv6" = 1; # "net.ipv6.conf.lo.disable_ipv6" = 1; # "net.ipv6.conf.eth0.disable_ipv6" = 1; }; } ]; }