···24242525⚠️ **Ananicy and GameMode are incompatible** - this profile enables Ananicy by default, so don't enable GameMode simultaneously.
26262727-Some optimizations trade system resiliency for performance (e.g., disabled watchdogs).
2727+⚠️ **Security and stability trade-offs**: Some optimizations trade system resiliency for performance (e.g., disabled watchdogs). This profile prioritizes performance over maximum security.
+4-4
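--- a/modules/nixos/profiles/workstation/default.nix
+++ b/modules/nixos/profiles/workstation/default.nix
@@ -32,7 +32,7 @@
  "kernel.sched_wakeup_granularity_ns" = lib.mkDefault 500000;
  "kernel.soft_watchdog" = lib.mkDefault 0;
  "kernel.split_lock_mitigate" = lib.mkDefault 0;
- "kernel.unprivileged_userns_clone" = lib.mkDefault 1;
+ # "kernel.unprivileged_userns_clone" = lib.mkDefault 1;
  "kernel.watchdog" = lib.mkDefault 0;
 
  # Network optimizations
@@ -45,7 +45,7 @@
  "net.ipv4.tcp_mtu_probing" = lib.mkForce 1;
  "net.ipv4.tcp_rfc1337" = lib.mkDefault 1; # Protect against tcp time-wait assassination hazards, drop RST packets for sockets in the time-wait state. Not widely supported outside of Linux, but conforms to RFC.
  "net.ipv4.tcp_slow_start_after_idle" = 0; # Disable TCP slow start after idle
- "net.ipv4.tcp_timestamps" = lib.mkDefault 0; # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_for_real_time/7/html/tuning_guide/reduce_tcp_performance_spikes
+ # "net.ipv4.tcp_timestamps" = lib.mkDefault 0; # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_for_real_time/7/html/tuning_guide/reduce_tcp_performance_spikes
 
  # Memory management
  "vm.dirty_background_bytes" = lib.mkDefault 134217728;
@@ -91,14 +91,14 @@
  ## SSDs use kyber scheduler.
  ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="kyber"
 
- ## HHDs use BFW scheduler.
+ ## HDDs use BFQ scheduler.
  ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq"
 
  ## Allow @audio to write to /dev/cpu_dma_latency.
  DEVPATH=="/devices/virtual/misc/cpu_dma_latency", OWNER="root",GROUP="audio", MODE="0660"
 
  ## Allow users to write to /dev/ntsync.
- KERNEL=="ntsync", MODE="0644"
+ # KERNEL=="ntsync", MODE="0644"
  '';
  };
 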
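Review bot: The commented-out `kernel.unprivileged_userns_clone` at new line 35 leaves no record of why it was dropped, and the three commented-out lines (35, 48, 101) read as "re-enable me" rather than as deliberate removals. As far as I know, `kernel.unprivileged_userns_clone` is a Debian/Ubuntu kernel-patch sysctl that the stock NixOS kernel does not expose (NixOS's own `security.unprivilegedUsernsClone` option is documented as working only on a patched kernel), so the old line would have failed to apply at boot and had no security effect; on mainline, unprivileged user namespaces are governed by `user.max_user_namespaces` (`security.allowUserNamespaces` in NixOS), so the profile's effective posture — userns allowed — is unchanged by this commit, which is worth stating. I would delete the line and replace it with a why-comment such as `# Unprivileged user namespaces are allowed by default on mainline; kernel.unprivileged_userns_clone only exists on Debian-patched kernels.`. Likewise, the `## Allow users to write to /dev/ntsync.` comment at line 100 now describes a rule that is no longer applied (and `0644` never granted write to users anyway), so it should be removed with the rule or reworded. The enclosing `boot.kernel.sysctl` attrset and the udev rules string both start outside this hunk.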