kitten.sh / system
Personal Nix setup
fork atom

Move over kernel settings

kitten.sh 4e16f5a8 5b34a1c2

options
unified split
Changed files
+16 -1
modules
router
kernel.nix
server
podman.nix
+9 -1
modules/router/kernel.nix 
···

       
59

       
59

       
 

       
      "net.ipv6.conf.all.autoconf" = false;


     

       
60

       
60

       
 

       
      "net.ipv6.conf.all.accept_ra" = false;


     

       
61

       
61

       
 

       



     

       
62

       

       
-

       
      "net.ipv4.ping_group_range" = "0 65536";


     

       

       
62

       
+

       
      "kernel.kptr_restrict" = 2;


     

       

       
63

       
+

       
      "kernel.dmesg_restrict" = 0;


     

       

       
64

       
+

       
      "kernel.sysrq" = 4;


     

       

       
65

       
+

       
      "kernel.unprivileged_bpf_disabled" = true;


     

       

       
66

       
+

       
      "kernel.perf_event_paranoid" = 3;


     

       

       
67

       
+

       
      "kernel.yama.ptrace_scope" = 2;


     

       

       
68

       
+

       
      "kernel.kexec_load_disabled" = true;


     

       

       
69

       
+

       
      "net.core.bpf_jit_harden" = 2;


     

       

       
70

       
+

       
      "dev.tty.ldisc_autoload" = false;


     

       
63

       
71

       
 

       
    };


     

       
64

       
72

       
 

       
  };


     

       
65

       
73

       
 

       
}
+7
modules/server/podman.nix 
···

       
12

       
12

       
 

       
      description = "Whether to enable Podman.";


     

       
13

       
13

       
 

       
      type = types.bool;


     

       
14

       
14

       
 

       
    };


     

       

       
15

       
+

       



     

       

       
16

       
+

       
    tweakKernel = mkEnableOption "Whether to tweak kernel configuration";


     

       
15

       
17

       
 

       
  };


     

       
16

       
18

       
 

       



     

       
17

       
19

       
 

       
  config = mkIf cfg.enable && cfgRoot.enable {


     
···

       
25

       
27

       
 

       
          dns_enabled = true;


     

       
26

       
28

       
 

       
        };


     

       
27

       
29

       
 

       
      };


     

       

       
30

       
+

       
    };


     

       

       
31

       
+

       



     

       

       
32

       
+

       
    boot.kernel.sysctl = mkIf cfg.tweakKernel {


     

       

       
33

       
+

       
      "kernel.unprivileged_userns_clone" = true;


     

       

       
34

       
+

       
      "net.ipv4.ping_group_range" = "0 65536";


     

       
28

       
35

       
 

       
    };


     

       
29

       
36

       
 

       
  };


     

       
30

       
37

       
 

       
}