{ config, lib, ... }:
let
  cfg = config.security.lockKernelModules;

  # Modules a single entry of config.system.build.fileSystems may need.
  # Entries without a backing device contribute nothing; vfat is listed
  # together with the two NLS codepage helpers it is paired with here,
  # every other filesystem type maps to a module of the same name.
  fsModules =
    fs:
    if fs.device == null then
      [ ]
    else if fs.fsType == "vfat" then
      [
        "vfat"
        "nls-cp437"
        "nls-iso8859-1"
      ]
    else
      [ fs.fsType ];
in
{
  meta.maintainers = [ lib.maintainers.joachifm ];

  options.security.lockKernelModules = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = ''
      Disable kernel module loading once the system is fully initialised.
      Module loading is disabled until the next reboot. Problems caused
      by delayed module loading can be fixed by adding the module(s) in
      question to {option}`boot.kernelModules`.
    '';
  };

  config = lib.mkIf cfg {
    # Load the filesystem modules up front: once modules_disabled is set
    # nothing can be loaded on demand any more, so a late mount would fail.
    boot.kernelModules = lib.concatLists (map fsModules config.system.build.fileSystems);

    systemd.services.disable-kernel-module-loading = {
      description = "Disable kernel module loading";

      # Hook into the default target so the lock is applied at the very end
      # of boot, after everything else started there has run (firewall and
      # modules-load presumably load modules of their own; ordering after
      # them keeps those loads from being refused).
      wantedBy = [ config.systemd.defaultUnit ];
      after = [
        "firewall.service"
        "systemd-modules-load.service"
        config.systemd.defaultUnit
      ];
      wants = [ "systemd-udevd.service" ];

      # Skip silently where /proc/sys is not writable (e.g. some container
      # setups) instead of failing the unit.
      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

      serviceConfig = {
        Type = "oneshot";
        # Keep the unit "active" so the lock is not re-applied by later
        # dependency pulls; the sysctl itself is already one-way.
        RemainAfterExit = true;
        # Generous bound: `udevadm settle` below may wait for a while on
        # slow hardware before the write happens.
        TimeoutSec = 180;
      };

      # Let udev finish handling already-detected devices (which may still
      # trigger module loads) before flipping the switch. The write is
      # irreversible until reboot, as documented in the option.
      script = ''
        ${config.systemd.package}/bin/udevadm settle
        echo -n 1 >/proc/sys/kernel/modules_disabled
      '';
    };
  };
}