unexplrd/nixos-blueprint
2
2
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

config/security: new sysctls

Browse Source 
Signed-off-by: unexplrd <unexplrd@linerds.us>
This commit is contained in:
unexplrd
2025-05-22 09:52:55 +03:00
parent 6658a54631
commit 38579e3cb4
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
modules/nixos/config/security/default.nix
View File

@ -50,6 +50,24 @@ in {
#};
};
boot.kernel.sysctl = {
"dev.tty.ldisc_autoload" = 0;
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
"fs.suid_dumpable" = 0;
"kernel.kptr_restrict" = 2;
# "kernel.modules_disabled" = 1;
"kernel.sysrq" = 0;
"kernel.unprivileged_bpf_disabled" = 1;
"net.ipv4.conf.all.forwarding" = 0;
"net.ipv4.conf.all.log_martians" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.default.log_martians" = 1;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
};
boot.kernelParams = [
"amd_iommu=force_isolation"
"debugfs=off"