author | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:33 +0000 |
committer | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:57 +0000 |
commit | 9ff36293d1e428cd7bf03e8d4b03611b6d361c28 (patch) | |
tree | 1ab51a42b868c55b83f6ccdb80371b9888739dd9 /nixos/modules/config/sysctl.nix | |
parent | 1c4fcd0d4b0541e674ee56ace1053e23e562cc80 (diff) | |
parent | ddc3c396a51918043bb0faa6f676abd9562be62c (diff) | |
Last good Nixpkgs for Weston+nouveau? archive
I gave this commit hash to terwiz[m] on IRC, who is trying to figure out what the last version of Spectrum that worked on their NUC with Nvidia graphics is.
Diffstat (limited to 'nixos/modules/config/sysctl.nix')
-rw-r--r-- | nixos/modules/config/sysctl.nix | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix
new file mode 100644
index 00000000000..db1f5284f50
--- /dev/null
+++ b/nixos/modules/config/sysctl.nix
@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+
+ sysctlOption = mkOptionType {
+ name = "sysctl option value";
+ check = val:
+ let
+ checkType = x: isBool x || isString x || isInt x || x == null;
+ in
+ checkType val || (val._type or "" == "override" && checkType val.content);
+ merge = loc: defs: mergeOneOption loc (filterOverrides defs);
+ };
+
+in
+
+{
+
+ options = {
+
+ boot.kernel.sysctl = mkOption {
+ default = {};
+ example = literalExpression ''
+ { "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
+ '';
+ type = types.attrsOf sysctlOption;
+ description = ''
+ Runtime parameters of the Linux kernel, as set by
+ <citerefentry><refentrytitle>sysctl</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>. Note that sysctl
+ parameters names must be enclosed in quotes
+ (e.g. <literal>"vm.swappiness"</literal> instead of
+ <literal>vm.swappiness</literal>). The value of each
+ parameter may be a string, integer, boolean, or null
+ (signifying the option will not appear at all).
+ '';
+ };
+
+ };
+
+ config = {
+
+ environment.etc."sysctl.d/60-nixos.conf".text =
+ concatStrings (mapAttrsToList (n: v:
+ optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
+ ) config.boot.kernel.sysctl);
+
+ systemd.services.systemd-sysctl =
+ { wantedBy = [ "multi-user.target" ];
+ restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
+ };
+
+ # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
+ # users as these make it easier to exploit kernel vulnerabilities.
+ boot.kernel.sysctl."kernel.kptr_restrict" = mkDefault 1;
+
+ # Disable YAMA by default to allow easy debugging.
+ boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
+
+ };
+}
|
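Review bot: The default `boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;` near the end of the new module turns YAMA's ptrace restriction off system-wide, and the one-line comment only gives the debugging motivation without naming the cost: with scope 0 any process may attach to any other process of the same user, so a compromised unprivileged process can read the memory of sibling processes (agents, password managers, browsers) that would otherwise be shielded. Since the value is `mkDefault`, users who need debugging can still override it, so the safer shipping default is the kernel's own 1 (attach only to descendants, or with CAP_SYS_PTRACE); if 0 is kept deliberately, the comment should say so, e.g. `# 0 lets any process ptrace any other same-uid process; set to 1 to restrict attaching to descendants unless debugging needs it.`. The same `mkDefault` pattern is used for `kernel.kptr_restrict` just above, whose comment does document the risk, so the two defaults should be explained at the same level.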