{ config, lib, pkgs, ... }:

with lib;

let

  # A sysctl value as the user writes it: a bool, a string, an int, or null
  # (null means "do not emit this parameter at all").
  isPlainValue = x: isBool x || isString x || isInt x || isNull x;

  # Wrapper produced by mkOverride/mkForce/mkDefault; the real value sits in
  # `.content`.  filterOverrides strips these again when merging.
  isOverride = x: (x._type or "") == "override";

  sysctlOption = mkOptionType {
    name = "sysctl option value";
    check = x: isPlainValue x || (isOverride x && isPlainValue x.content);
    # Only the highest-priority definitions survive, and mergeOneOption
    # rejects more than one of them.  Consequently the hardening defaults
    # set below *without* mkDefault cannot be silently turned off by a
    # plain `= false` in configuration.nix; that needs an explicit mkForce.
    merge = loc: defs: mergeOneOption loc (filterOverrides defs);
  };

  # sysctl.d syntax is `key=value`.  `false` must be spelled out as "0"
  # because `toString false` is the empty string in Nix, whereas
  # `toString true` is "1"; ints and strings print as themselves.
  renderValue = v: if v == false then "0" else toString v;

in

{

  options = {

    boot.kernel.sysctl = mkOption {
      default = {};
      # NOTE(review): the example only illustrates a boolean value; disabling
      # tcp_syncookies is not a recommended setting on an exposed host.
      example = literalExample ''
        { "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
      '';
      type = types.attrsOf sysctlOption;
      description = ''
        Runtime parameters of the Linux kernel, as set by
        <citerefentry><refentrytitle>sysctl</refentrytitle>
        <manvolnum>8</manvolnum></citerefentry>. Note that sysctl
        parameters names must be enclosed in quotes
        (e.g. <literal>"vm.swappiness"</literal> instead of
        <literal>vm.swappiness</literal>). The value of each
        parameter may be a string, integer, boolean, or null
        (signifying the option will not appear at all).
      '';
    };

  };

  config = {

    # One `key=value` line per non-null parameter.  Names and string values
    # are written verbatim (no escaping): they come from the trusted NixOS
    # configuration, not from untrusted input.
    environment.etc."sysctl.d/nixos.conf".text =
      let
        active = filterAttrs (_: v: v != null) config.boot.kernel.sysctl;
      in
        concatMapStrings (line: line + "\n")
          (mapAttrsToList (name: value: "${name}=${renderValue value}") active);

    # Re-run systemd-sysctl whenever the generated file changes, so that a
    # rebuild applies new values without a reboot.
    systemd.services.systemd-sysctl = {
      wantedBy = [ "multi-user.target" ];
      restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
    };

    # Hardlink/symlink restrictions.  With these on, symlinks in world-writable
    # sticky directories such as /tmp are only followed when the follower owns
    # the link or the directory, and users may only hardlink files they own or
    # can write to -- closing the classic /tmp symlink-race privilege
    # escalations.  Background in the kernel commit:
    # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
    # Deliberately not mkDefault: opting out requires mkForce.
    boot.kernel.sysctl."fs.protected_hardlinks" = true;
    boot.kernel.sysctl."fs.protected_symlinks" = true;

    # kptr_restrict=1 zeroes %pK kernel addresses (e.g. /proc/modules,
    # /proc/kallsyms) for users without CAP_SYSLOG, denying unprivileged code
    # the addresses it would need to defeat KASLR or build kernel ROP chains.
    # A value of 2 would hide them from root as well.
    boot.kernel.sysctl."kernel.kptr_restrict" = 1;

    # YAMA ptrace_scope=0 is the classic model: any process may attach to any
    # other process of the same uid (subject to it being dumpable).  That is
    # convenient for gdb/strace, but it also lets a compromised unprivileged
    # process read the memory and secrets of every sibling process of that
    # user (ssh-agent, browsers, password managers, ...).  This is mkDefault so
    # hardened configurations can simply set
    #   boot.kernel.sysctl."kernel.yama.ptrace_scope" = 1;
    # (only descendants may be traced) without needing mkForce.
    boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;

  };
}