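# NixOS module fragment: kernel sysctl tuning and kernel package selection.
#
# Reads `config.module.kernel` (options are declared outside this file) and
# uses: `enable`, `hardening`, `hotspotTtlBypass`, `latest`, `router`.
# Everything below is applied only when `enable` is set.
#
# `router` sets its values with `lib.mkForce`, so when `hardening` and
# `router` are both enabled the router values win for every key they share.
{
  config,
  lib,
  pkgsUnstable,
  ...
}:
let
  cfg = config.module.kernel;
in
{
  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
        boot.kernel.sysctl = {
          # Allow sysrq.
          # 1 enables every SysRq function for anyone who can reach the
          # console keyboard. The kernel also accepts a bitmask here to
          # permit only selected functions.
          # NOTE(review): consider a narrower mask when `hardening` is on.
          "kernel.sysrq" = 1;

          # Increase file watchers.
          # The kernel exposes three inotify limits: max_queued_events,
          # max_user_instances and max_user_watches. The first key was
          # previously written as "fs.inotify.max_user_event", which is not
          # an existing sysctl, so that setting never took effect.
          # NOTE(review): these limits bound per-user kernel memory; values
          # this large effectively remove that bound.
          "fs.inotify.max_queued_events" = 9999999;
          "fs.inotify.max_user_instances" = 9999999;
          "fs.inotify.max_user_watches" = 9999999;
          # "fs.file-max" = 999999;
        };
      }

      (lib.mkIf cfg.hardening {
        boot.kernel.sysctl = {
          # Spoof protection: strict reverse-path filtering (1 = strict).
          "net.ipv4.conf.all.rp_filter" = 1;
          "net.ipv4.conf.default.rp_filter" = 1;

          # Packet forwarding: this host does not route.
          "net.ipv4.ip_forward" = 0;
          "net.ipv6.conf.all.forwarding" = 0;

          # MITM protection: ignore ICMP redirects.
          # NOTE(review): per the kernel's ip-sysctl documentation, with
          # forwarding disabled an IPv4 interface accepts redirects if
          # EITHER conf.all or the per-interface value is true. Only `all`
          # is set here, so `conf.default.accept_redirects` (and
          # `secure_redirects`) should be confirmed or set as well.
          "net.ipv4.conf.all.accept_redirects" = 0;
          "net.ipv6.conf.all.accept_redirects" = 0;

          # Do not send ICMP redirects (we are not a router).
          # NOTE(review): sending is likewise enabled if either `all` or the
          # interface value is true; `conf.default.send_redirects` is not
          # set here.
          "net.ipv4.conf.all.send_redirects" = 0;

          # Do not accept IP source route packets (we are not a router).
          # NOTE(review): for IPv6 the kernel documents values >= 0 as
          # "accept routing header type 2 only" and < 0 as "do not accept";
          # confirm whether 0 is strict enough for this host.
          "net.ipv4.conf.all.accept_source_route" = 0;
          "net.ipv6.conf.all.accept_source_route" = 0;

          # Protect filesystem links.
          # 1 enables the protection, 0 turns it off. These were 0, which
          # disabled the link restrictions this hardening profile is meant
          # to enforce (they limit hardlink/symlink tricks in world-writable
          # sticky directories such as /tmp).
          "fs.protected_hardlinks" = 1;
          "fs.protected_symlinks" = 1;

          # Lynis config.
          # core_uses_pid: append the PID to core dump file names.
          # kptr_restrict = 2: hide kernel addresses from all users,
          # regardless of privilege.
          "kernel.core_uses_pid" = 1;
          "kernel.kptr_restrict" = 2;
        };
      })

      # Default IPv4 TTL of 65 instead of the Linux default of 64. Only the
      # IPv4 TTL is changed; the IPv6 hop limit is a separate sysctl.
      (lib.mkIf cfg.hotspotTtlBypass { boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65; })

      # Use the newest kernel package set from the unstable package set
      # passed in as `pkgsUnstable`.
      (lib.mkIf cfg.latest { boot.kernelPackages = pkgsUnstable.linuxPackages_latest; })

      # Router profile. Every value uses mkForce so it overrides the
      # hardening profile above. Several of these settings widen the
      # attack surface and should be enabled only on hosts that need them.
      (lib.mkIf cfg.router {
        boot.kernel.sysctl = {
          # Allow spoofing.
          # 0 disables reverse-path source validation entirely.
          # NOTE(review): rp_filter = 2 (loose mode) tolerates asymmetric
          # routing while still dropping packets with unroutable sources.
          "net.ipv4.conf.all.rp_filter" = lib.mkForce 0;
          "net.ipv4.conf.default.rp_filter" = lib.mkForce 0;

          # Forward packets.
          "net.ipv4.ip_forward" = lib.mkForce 1;
          "net.ipv6.conf.all.forwarding" = lib.mkForce 1;
          # Take the packet's fwmark into account during source validation.
          "net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;

          # Allow redirects.
          # NOTE(review): a router normally has no need to accept ICMP
          # redirects; accepting them lets an on-link host influence this
          # machine's routing. Confirm this is required.
          "net.ipv4.conf.all.accept_redirects" = lib.mkForce 1;
          "net.ipv6.conf.all.accept_redirects" = lib.mkForce 1;

          # Send ICMP.
          "net.ipv4.conf.all.send_redirects" = lib.mkForce 1;

          # Accept IP source route packets.
          # NOTE(review): source-routed packets let the sender choose the
          # path and are commonly filtered even on routers; confirm this is
          # required before enabling.
          "net.ipv4.conf.all.accept_source_route" = lib.mkForce 1;
          "net.ipv6.conf.all.accept_source_route" = lib.mkForce 1;
        };
      })
    ]
  );
}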