Personal Nix setup
Move over kernel settings

+16 -1
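--- a/modules/router/kernel.nix
+++ b/modules/router/kernel.nix
@@ -59,7 +59,15 @@
 "net.ipv6.conf.all.autoconf" = false;
 "net.ipv6.conf.all.accept_ra" = false;
 
-"net.ipv4.ping_group_range" = "0 65536";
+"kernel.kptr_restrict" = 2;
+"kernel.dmesg_restrict" = 0;
+"kernel.sysrq" = 4;
+"kernel.unprivileged_bpf_disabled" = true;
+"kernel.perf_event_paranoid" = 3;
+"kernel.yama.ptrace_scope" = 2;
+"kernel.kexec_load_disabled" = true;
+"net.core.bpf_jit_harden" = 2;
+"dev.tty.ldisc_autoload" = false;
 };
 };
 }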
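Review bot: `"kernel.dmesg_restrict" = 0;` keeps the kernel log readable by unprivileged users, which is at odds with the other values added here (`kptr_restrict = 2`, `perf_event_paranoid = 3`, `yama.ptrace_scope = 2`); the log routinely carries driver, module and oops detail that the rest of this set tries to hide. If that is intentional on the router, say so in a comment such as `# dmesg left open on purpose: <reason>`, otherwise use `"kernel.dmesg_restrict" = 1;`. Two more values deserve a comment: `kexec_load_disabled` cannot be switched back without a reboot, and `perf_event_paranoid = 3` is, as far as I know, only distinct from 2 on kernels that carry the downstream restriction patch. The attribute set these lines belong to opens above the hunk.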
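--- a/modules/server/podman.nix
+++ b/modules/server/podman.nix
@@ -12,6 +12,8 @@
 description = "Whether to enable Podman.";
 type = types.bool;
 };
+
+tweakKernel = mkEnableOption "Whether to tweak kernel configuration";
 };
 
 config = mkIf cfg.enable && cfgRoot.enable {
@@ -25,6 +27,11 @@
 dns_enabled = true;
 };
 };
+};
+
+boot.kernel.sysctl = mkIf cfg.tweakKernel {
+"kernel.unprivileged_userns_clone" = true;
+"net.ipv4.ping_group_range" = "0 65536";
 };
 };
 }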
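Review bot: The new `tweakKernel` option gives no hint that it loosens kernel restrictions: the `boot.kernel.sysctl` block added at the end of `config` turns on unprivileged user namespaces and opens ICMP ping sockets to gids 0–65536, both of which widen what unprivileged processes can reach in the kernel. Name the effect in the description and drop the leading "Whether to", since `mkEnableOption` already prefixes "Whether to enable": `tweakKernel = mkEnableOption "relaxed sysctls for Podman (unprivileged user namespaces, ping sockets)";`. `kernel.unprivileged_userns_clone` presumably exists only on kernels carrying the corresponding patch, so a comment naming the kernel this targets would help. Part of the `config` body lies between the two hunks and is not shown.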