author | Mx Kookie <kookie@spacekookie.de> | 2020-10-31 19:35:09 +0100 |
committer | Mx Kookie <kookie@spacekookie.de> | 2020-10-31 19:35:09 +0100 |
commit | c4625b175f8200f643fd6e11010932ea44c78433 (patch) | |
tree | bce3f89888c8ac3991fa5569a878a9eab6801ccc /infra/libkookie/nixpkgs/nixos/modules/config/sysctl.nix | |
parent | 49f735974dd103039ddc4cb576bb76555164a9e7 (diff) | |
parent | d661aa56a8843e991261510c1bb28fdc2f6975ae (diff) |
Add 'infra/libkookie/' from commit 'd661aa56a8843e991261510c1bb28fdc2f6975ae'
git-subtree-dir: infra/libkookie
git-subtree-mainline: 49f735974dd103039ddc4cb576bb76555164a9e7
git-subtree-split: d661aa56a8843e991261510c1bb28fdc2f6975ae
Diffstat (limited to 'infra/libkookie/nixpkgs/nixos/modules/config/sysctl.nix')
-rw-r--r-- | infra/libkookie/nixpkgs/nixos/modules/config/sysctl.nix | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/infra/libkookie/nixpkgs/nixos/modules/config/sysctl.nix b/infra/libkookie/nixpkgs/nixos/modules/config/sysctl.nix
new file mode 100644
index 000000000000..e59c7a32c287
--- /dev/null
+++ b/infra/libkookie/nixpkgs/nixos/modules/config/sysctl.nix
@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+
+ sysctlOption = mkOptionType {
+ name = "sysctl option value";
+ check = val:
+ let
+ checkType = x: isBool x || isString x || isInt x || x == null;
+ in
+ checkType val || (val._type or "" == "override" && checkType val.content);
+ merge = loc: defs: mergeOneOption loc (filterOverrides defs);
+ };
+
+in
+
+{
+
+ options = {
+
+ boot.kernel.sysctl = mkOption {
+ default = {};
+ example = literalExample ''
+ { "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
+ '';
+ type = types.attrsOf sysctlOption;
+ description = ''
+ Runtime parameters of the Linux kernel, as set by
+ <citerefentry><refentrytitle>sysctl</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>. Note that sysctl
+ parameters names must be enclosed in quotes
+ (e.g. <literal>"vm.swappiness"</literal> instead of
+ <literal>vm.swappiness</literal>). The value of each
+ parameter may be a string, integer, boolean, or null
+ (signifying the option will not appear at all).
+ '';
+ };
+
+ };
+
+ config = {
+
+ environment.etc."sysctl.d/60-nixos.conf".text =
+ concatStrings (mapAttrsToList (n: v:
+ optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
+ ) config.boot.kernel.sysctl);
+
+ systemd.services.systemd-sysctl =
+ { wantedBy = [ "multi-user.target" ];
+ restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
+ };
+
+ # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
+ # users as these make it easier to exploit kernel vulnerabilities.
+ boot.kernel.sysctl."kernel.kptr_restrict" = mkDefault 1;
+
+ # Disable YAMA by default to allow easy debugging.
+ boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
+
+ };
+} |