mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-16 14:54:29 +01:00
9be0327a49
systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit.
63 lines
1.8 KiB
Nix
63 lines
1.8 KiB
Nix
{ config, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
sysctlOption = mkOptionType {
|
|
name = "sysctl option value";
|
|
check = val:
|
|
let
|
|
checkType = x: isBool x || isString x || isInt x || x == null;
|
|
in
|
|
checkType val || (val._type or "" == "override" && checkType val.content);
|
|
merge = loc: defs: mergeOneOption loc (filterOverrides defs);
|
|
};
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options = {
|
|
|
|
boot.kernel.sysctl = mkOption {
|
|
default = {};
|
|
example = literalExample ''
|
|
{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
|
|
'';
|
|
type = types.attrsOf sysctlOption;
|
|
description = ''
|
|
Runtime parameters of the Linux kernel, as set by
|
|
<citerefentry><refentrytitle>sysctl</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry>. Note that sysctl
|
|
parameters names must be enclosed in quotes
|
|
(e.g. <literal>"vm.swappiness"</literal> instead of
|
|
<literal>vm.swappiness</literal>). The value of each
|
|
parameter may be a string, integer, boolean, or null
|
|
(signifying the option will not appear at all).
|
|
'';
|
|
};
|
|
|
|
};
|
|
|
|
config = {
|
|
|
|
environment.etc."sysctl.d/60-nixos.conf".text =
|
|
concatStrings (mapAttrsToList (n: v:
|
|
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
|
|
) config.boot.kernel.sysctl);
|
|
|
|
systemd.services.systemd-sysctl =
|
|
{ wantedBy = [ "multi-user.target" ];
|
|
restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
|
|
};
|
|
|
|
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
|
|
# users as these make it easier to exploit kernel vulnerabilities.
|
|
boot.kernel.sysctl."kernel.kptr_restrict" = 1;
|
|
|
|
# Disable YAMA by default to allow easy debugging.
|
|
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
|
|
|
|
};
|
|
}
|