My Nix Configuration
1{
2 boot = {
3 tmp.cleanOnBoot = true;
4 # Disable unused kernel modules
5 # https://madaidans-insecurities.github.io/guides/linux-hardening.html?#kasr-kernel-modules
6 blacklistedKernelModules = [
7 # Obscure network protocols
8 "af_802154"
9 "appletalk"
10 "atm"
11 "ax25"
12 "can"
13 "dccp"
14 "decnet"
15 "econet"
16 "ipx"
17 "n-hdlc"
18 "netrom"
19 "p8022"
20 "p8023"
21 "psnap"
22 "rds"
23 "rose"
24 "sctp"
25 "tipc"
26 "x25"
27 # Old or rare or insufficiently audited filesystems
28 # or ones I just don't want loaded
29 "adfs"
30 "affs"
31 "befs"
32 "bfs"
33 "cramfs"
34 "efs"
35 "erofs"
36 "f2fs"
37 "freevxfs"
38 "hfs"
39 "hfsplus"
40 "hpfs"
41 "jffs2"
42 "jfs"
43 "minix"
44 "nilfs2"
45 "ntfs"
46 "ocfs2"
47 "omfs"
48 "orangefs"
49 "qnx4"
50 "qnx6"
51 "reiserfs"
52 "sysv"
53 "ubifs"
54 "ufs"
55 # Network filesystems - I don't use these
56 "gfs2"
57 "nfs"
58 "nfsv3"
59 "nfsv4"
60 # Vivid driver
61 # Only used for testing purposes, has caused security issues. Disable.
62 "vivid"
63 ];
64
65 kernelParams = [
66 # Page allocator randomization
67 # Should hardon and improve performance
68 "page_alloc.shuffle=1"
69 ];
70 # Don't use either of these so disable them
71 kexec.enable = false;
72 bcache.enable = false;
73 };
74}