Personal Nix setup
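{ lib, config, ... }:

# Router role: kernel/sysctl tuning for a NixOS box that forwards traffic.
#
# `cfg.enable` and `cfg.ipv6` are read here but not declared in this file;
# presumably they come from sibling modules that also populate
# `options.modules.router` — confirm before relying on them in isolation.
with lib;
let
  cfg = config.modules.router;
in {
  options.modules.router = {
    tweakKernel = mkOption {
      # Follows the router role by default, so enabling the router also
      # applies this tuning unless explicitly opted out.
      default = cfg.enable;
      description = "Whether to tweak kernel configuration";
      type = types.bool;
    };
  };

  config = mkIf cfg.enable {
    boot.initrd.systemd.enable = mkDefault true;

    boot.kernel.sysctl = mkIf cfg.tweakKernel {
      # --- Socket / backlog sizing (throughput, not security) ---------------
      "net.core.somaxconn" = 4096;
      "net.core.netdev_max_backlog" = 2000;

      # Allows binding sockets to addresses not (yet) assigned locally, e.g.
      # for VRRP/failover setups. Security note: this also lets any local
      # service bind foreign addresses; keep it off unless you rely on it.
      "net.ipv4.ip_nonlocal_bind" = true;
      "net.ipv4.ip_dynaddr" = true;

      "net.core.rmem_default" = 1048576;
      "net.core.rmem_max" = 26214400;
      "net.core.wmem_default" = 1048576;
      "net.core.wmem_max" = 16777216;
      "net.core.optmem_max" = 65536;

      "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
      "net.ipv4.tcp_wmem" = "4096 65536 16777216";

      # Large SYN backlog; combined with syncookies below this bounds the
      # memory a SYN flood can pin before cookies take over.
      "net.ipv4.tcp_max_syn_backlog" = 8192;

      "net.ipv4.udp_rmem_min" = 8192;
      "net.ipv4.udp_wmem_min" = 8192;

      # 3 = TCP Fast Open for both client and server sockets. Server-side TFO
      # accepts data on the SYN before the handshake completes; only useful
      # if a service here actually opts in, and it widens the pre-handshake
      # attack surface (amplification, cookie tracking). Consider 1 (client
      # only) if nothing on this host serves TFO.
      "net.ipv4.tcp_fastopen" = 3;

      "net.ipv4.tcp_max_tw_buckets" = 2000000;
      "net.ipv4.tcp_tw_reuse" = true;
      "net.ipv4.tcp_slow_start_after_idle" = false;
      "net.ipv4.tcp_mtu_probing" = true;

      # RFC 1337 TIME-WAIT assassination protection: drop RSTs aimed at
      # TIME-WAIT sockets.
      "net.ipv4.tcp_rfc1337" = true;
      # 5s FIN-WAIT-2 timeout is aggressive (kernel default 60s); it frees
      # state quickly under floods but can cut off slow peers.
      "net.ipv4.tcp_fin_timeout" = 5;

      "net.ipv4.tcp_keepalive_time" = 60;
      "net.ipv4.tcp_keepalive_intvl" = 10;
      "net.ipv4.tcp_keepalive_probes" = 6;

      "net.core.default_qdisc" = "fq_codel";
      # Requires the tcp_bbr module; NixOS only sets the sysctl, so make sure
      # the kernel has BBR built in or `boot.kernelModules` loads it.
      "net.ipv4.tcp_congestion_control" = "bbr";
      "net.ipv4.tcp_window_scaling" = true;
      # SYN cookies: survive SYN floods once the backlog above fills.
      "net.ipv4.tcp_syncookies" = true;

      # --- IPv6 ---------------------------------------------------------------
      # Note: IPv4 forwarding (net.ipv4.ip_forward) is not set in this file;
      # it is presumably enabled by the NAT/firewall module of this role —
      # verify, since without it the box will not route v4.
      "net.ipv6.conf.all.forwarding" = true;
      # accept_ra=2 accepts Router Advertisements even though forwarding is on.
      # This applies to *all* interfaces, so a rogue RA on a LAN segment could
      # replace the default route; prefer scoping this to the upstream
      # interface (net.ipv6.conf.<wan>.accept_ra) if the name is known.
      "net.ipv6.conf.all.accept_ra" = if cfg.ipv6 then 2 else false;
      "net.ipv6.conf.all.autoconf" = false;
      "net.ipv6.conf.all.use_tempaddr" = false;

      # --- Kernel hardening -----------------------------------------------------
      # Hide kernel pointers from everyone, including root, in /proc and logs.
      "kernel.kptr_restrict" = 2;
      # Fix: was 0, which let any unprivileged user read the kernel ring
      # buffer. That undermines kptr_restrict above (dmesg is a classic source
      # of kernel address and hardware info leaks). 1 restricts dmesg to
      # CAP_SYSLOG, matching the rest of this hardening block.
      "kernel.dmesg_restrict" = 1;
      # 4 = only the SAK (secure attention key) SysRq function is allowed.
      "kernel.sysrq" = 4;
      # true -> 1, which is one-way: unprivileged BPF stays disabled until
      # reboot (value 2 would allow re-enabling at runtime).
      "kernel.unprivileged_bpf_disabled" = true;
      # 3 is a Debian/Android extension (disallow perf for unprivileged users
      # entirely); mainline kernels treat any value >= 2 the same as 2.
      "kernel.perf_event_paranoid" = 3;
      # One-way until reboot: blocks kexec_load(2)/kexec_file_load(2) so a
      # root compromise cannot swap in an unsigned kernel.
      "kernel.kexec_load_disabled" = true;
      # 2 = constant blinding of the BPF JIT for all users (slight JIT cost).
      "net.core.bpf_jit_harden" = 2;
      # Prevent unprivileged users from auto-loading tty line discipline
      # modules (a historic source of kernel bugs reachable from userspace).
      "dev.tty.ldisc_autoload" = false;
    };
  };
}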