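{ config, lib, ... }:
{
  meta = {
    maintainers = [ lib.maintainers.joachifm ];
  };

  options = {
    security.lockKernelModules = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Disable kernel module loading once the system is fully initialised.
        Module loading is disabled until the next reboot. Problems caused
        by delayed module loading can be fixed by adding the module(s) in
        question to {option}`boot.kernelModules`.
      '';
    };
  };

  config = lib.mkIf config.security.lockKernelModules {
    # Once modules_disabled is set nothing can be loaded on demand any more,
    # so the driver for every configured mount is forced in early through
    # boot.kernelModules.  vfat additionally gets the two NLS tables this
    # module lists alongside it; entries without a device are skipped.
    boot.kernelModules = lib.concatMap (
      fs:
      lib.optionals (fs.device != null) (
        if fs.fsType == "vfat" then
          [
            "vfat"
            "nls-cp437"
            "nls-iso8859-1"
          ]
        else
          [ fs.fsType ]
      )
    ) config.system.build.fileSystems;

    systemd.services.disable-kernel-module-loading = {
      description = "Disable kernel module loading";

      wants = [ "systemd-udevd.service" ];
      wantedBy = [ config.systemd.defaultUnit ];

      # Ordered after the units that are expected to load modules during boot
      # (presumably the firewall pulls in netfilter modules and modules-load
      # applies boot.kernelModules — not visible here) and after the default
      # target itself.  Being wanted by, but ordered after, the default target
      # makes this the last thing that happens once the target is reached.
      # Any module a later service would load on demand (hotplugged hardware,
      # VPN tunnels, extra netfilter features) must be listed in
      # boot.kernelModules or it will be missing after the lock.
      after = [
        "firewall.service"
        "systemd-modules-load.service"
        config.systemd.defaultUnit
      ];

      # NOTE(review): where /proc/sys is mounted read-only (e.g. some
      # containers) this condition skips the unit silently and the lock is
      # never applied — there is no loud failure in that case.
      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # NOTE(review): assumed to be longer than `udevadm settle`'s own
        # timeout so settle reports an error instead of this unit being
        # killed mid-way — confirm against the udevadm default.
        TimeoutSec = 180;
      };

      # Wait for udev to finish loading drivers for hardware already present,
      # then flip the one-way switch.  modules_disabled cannot be cleared again
      # until reboot, so the value is read back (bash builtins only, no PATH
      # dependency) and the unit fails visibly if the write did not take
      # effect rather than leaving the system silently unlocked.
      # NOTE(review): if `udevadm settle` itself exits non-zero the script
      # stops before the lock is applied (assuming NixOS runs it with -e);
      # that is fail-open — confirm this is the intended trade-off.
      script = ''
        ${config.systemd.package}/bin/udevadm settle
        echo -n 1 >/proc/sys/kernel/modules_disabled
        read -r state </proc/sys/kernel/modules_disabled
        if [ "$state" != 1 ]; then
          echo "kernel.modules_disabled is '$state', expected 1" >&2
          exit 1
        fi
      '';
    };
  };
}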