{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.security.lockKernelModules;

  # Kernel modules a configured filesystem may still need once module
  # loading is locked. Anything not resident by then cannot be loaded
  # until the next reboot, so these are pre-loaded via boot.kernelModules.
  # Only entries with a backing device are considered; vfat additionally
  # pulls in the two NLS tables listed here (presumably the codepage/charset
  # modules mount would otherwise autoload on demand).
  fsModules = fs:
    optionals (fs.device != null)
      (if fs.fsType == "vfat"
       then [ "vfat" "nls-cp437" "nls-iso8859-1" ]
       else [ fs.fsType ]);
in

{
  meta.maintainers = [ maintainers.joachifm ];

  options.security.lockKernelModules = mkOption {
    type = types.bool;
    default = false;
    description = lib.mdDoc ''
      Disable kernel module loading once the system is fully initialised.
      Module loading is disabled until the next reboot. Problems caused
      by delayed module loading can be fixed by adding the module(s) in
      question to {option}`boot.kernelModules`.
    '';
  };

  config = mkIf cfg {
    # Drivers for every declared filesystem are added to the static module
    # list so that a late mount does not fail on a blocked autoload.
    boot.kernelModules = concatMap fsModules config.system.build.fileSystems;

    systemd.services.disable-kernel-module-loading = {
      description = "Disable kernel module loading";

      # Pull in udev so that device-triggered module autoloads can finish
      # before the lock is applied (see `udevadm settle` in the script).
      wants = [ "systemd-udevd.service" ];
      wantedBy = [ config.systemd.defaultUnit ];

      # Ordered as late as possible: after the firewall and the static
      # module list have been set up, and after the default target itself.
      # The intent is presumably that any module those units load on demand
      # is already resident when the lock takes effect.
      after = [
        "firewall.service"
        "systemd-modules-load.service"
        config.systemd.defaultUnit
      ];

      # Skip the unit instead of failing when the sysctl tree is not writable
      # (e.g. a read-only /proc/sys in some container setups — TODO confirm).
      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # Bounds the `udevadm settle` wait below.
        TimeoutSec = 180;
      };

      # Wait for the udev event queue to drain, then flip the one-way switch.
      # Writing 1 to modules_disabled cannot be undone without a reboot, which
      # is the documented behaviour of this option.
      script = ''
        ${pkgs.udev}/bin/udevadm settle
        echo -n 1 >/proc/sys/kernel/modules_disabled
      '';
    };
  };
}