
nixos/profiles/workstation: tweak settings for more security, add warning

Aly Raffauf cffd3434 2cc8ba54

+5 -5
+1 -1
modules/nixos/profiles/workstation/README.md
··· 24 24 25 25 ⚠️ **Ananicy and GameMode are incompatible** - this profile enables Ananicy by default, so don't enable GameMode simultaneously. 26 26 27 - Some optimizations trade system resiliency for performance (e.g., disabled watchdogs). 27 + ⚠️ **Security and stability trade-offs**: Some optimizations trade system resiliency for performance (e.g., disabled watchdogs). This profile prioritizes performance over maximum security.
+4 -4
modules/nixos/profiles/workstation/default.nix
··· 32 32 "kernel.sched_wakeup_granularity_ns" = lib.mkDefault 500000; 33 33 "kernel.soft_watchdog" = lib.mkDefault 0; 34 34 "kernel.split_lock_mitigate" = lib.mkDefault 0; 35 - "kernel.unprivileged_userns_clone" = lib.mkDefault 1; 35 + # "kernel.unprivileged_userns_clone" = lib.mkDefault 1; 36 36 "kernel.watchdog" = lib.mkDefault 0; 37 37 38 38 # Network optimizations ··· 45 45 "net.ipv4.tcp_mtu_probing" = lib.mkForce 1; 46 46 "net.ipv4.tcp_rfc1337" = lib.mkDefault 1; # Protect against tcp time-wait assassination hazards, drop RST packets for sockets in the time-wait state. Not widely supported outside of Linux, but conforms to RFC. 47 47 "net.ipv4.tcp_slow_start_after_idle" = 0; # Disable TCP slow start after idle 48 - "net.ipv4.tcp_timestamps" = lib.mkDefault 0; # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_for_real_time/7/html/tuning_guide/reduce_tcp_performance_spikes 48 + # "net.ipv4.tcp_timestamps" = lib.mkDefault 0; # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_for_real_time/7/html/tuning_guide/reduce_tcp_performance_spikes 49 49 50 50 # Memory management 51 51 "vm.dirty_background_bytes" = lib.mkDefault 134217728; ··· 91 91 ## SSDs use kyber scheduler. 92 92 ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="kyber" 93 93 94 - ## HHDs use BFW scheduler. 94 + ## HDDs use BFQ scheduler. 95 95 ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq" 96 96 97 97 ## Allow @audio to write to /dev/cpu_dma_latency. 98 98 DEVPATH=="/devices/virtual/misc/cpu_dma_latency", OWNER="root",GROUP="audio", MODE="0660" 99 99 100 100 ## Allow users to write to /dev/ntsync. 101 - KERNEL=="ntsync", MODE="0644" 101 + # KERNEL=="ntsync", MODE="0644" 102 102 ''; 103 103 }; 104 104
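Review bot: the new warning at README line 27 says the profile "prioritizes performance over maximum security" without naming which settings are involved, so a reader cannot judge the trade-off or know what to override. Suggest listing the concrete knobs the profile still weakens in default.nix (`kernel.watchdog` and `kernel.soft_watchdog` at 0, `kernel.split_lock_mitigate` at 0) and noting that each is set with `lib.mkDefault`, so a host configuration can restore the hardened value by simply assigning the sysctl.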
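Review bot: line 35 comments out `"kernel.unprivileged_userns_clone" = lib.mkDefault 1;` instead of deleting it, leaving dead configuration with no note on why force-enabling unprivileged user namespaces was dropped or what the profile now relies on (the kernel's own default, or a separate hardening module). The commit history already records the removal, so delete the line, or replace it with a one-line comment stating that intent. Worth adding to that comment: this sysctl only exists on kernels carrying the Debian/linux-hardened patch, so on a stock kernel the entry was a no-op that systemd-sysctl merely warned about. With this change the hunk still keeps both watchdogs and `kernel.split_lock_mitigate` at 0, so the "more security" in the commit title rests on this line and the tcp_timestamps change alone.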
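Review bot: line 48 comments out the `net.ipv4.tcp_timestamps = 0` entry but keeps its Red Hat justification URL, so the surviving comment argues for a setting that is no longer applied. Either delete the line or replace it with a comment saying timestamps are left at the kernel default (enabled) because PAWS and RTT estimation depend on them, which is presumably the security motivation here. Separately, the context line `"net.ipv4.tcp_slow_start_after_idle" = 0;` is the only sysctl in this block without `lib.mkDefault`, so unlike its neighbours a host cannot override it without `lib.mkForce`; wrapping it the same way would make the block consistent.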
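Review bot: line 101 comments out the ntsync rule but leaves the heading `## Allow users to write to /dev/ntsync.` directly above it, so the block now documents a rule that is not installed; drop or reword the heading together with the rule. Note also that the original rule never did what the heading claimed, since `MODE="0644"` gives group and others read-only access, so if the rule is restored later the mode needs revisiting as well. The `HHDs`/`BFW` to `HDDs`/`BFQ` correction at line 94 is right.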