# NixOS module: security.lockKernelModules
#
# When enabled, the module does two things:
#   1. adds the filesystem drivers of every mounted, device-backed filesystem
#      to boot.kernelModules so they are loaded before the lock is applied;
#   2. installs a oneshot service that, once the default target has been
#      reached and udev has settled, writes 1 to
#      /proc/sys/kernel/modules_disabled.  The kernel makes that sysctl
#      one-way, so module loading stays off until the next reboot.
{ config, pkgs, lib, ... }:

let
  enabled = config.security.lockKernelModules;

  # Kernel modules a single filesystem entry needs.  Entries without a
  # backing device contribute nothing; vfat also needs its NLS tables.
  modulesForFs = fs:
    if fs.device == null then
      [ ]
    else if fs.fsType == "vfat" then
      [ "vfat" "nls-cp437" "nls-iso8859-1" ]
    else
      [ fs.fsType ];
in
{
  meta.maintainers = [ lib.maintainers.joachifm ];

  options.security.lockKernelModules = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = ''
      Disable kernel module loading once the system is fully initialised.
      Module loading is disabled until the next reboot. Problems caused
      by delayed module loading can be fixed by adding the module(s) in
      question to <option>boot.kernelModules</option>.
    '';
  };

  config = lib.mkIf enabled {
    # Pre-load filesystem drivers so a late mount cannot fail on a module
    # that can no longer be loaded after the lock is set.
    boot.kernelModules = lib.concatMap modulesForFs config.system.build.fileSystems;

    systemd.services.disable-kernel-module-loading = {
      description = "Disable kernel module loading";

      wants = [ "systemd-udevd.service" ];
      wantedBy = [ config.systemd.defaultUnit ];

      # Run as late as possible: after the firewall and the static module
      # list have been loaded, and only once the default target is reached,
      # so that boot-time module loads are finished before the lock.
      after =
        [ "firewall.service"
          "systemd-modules-load.service"
           config.systemd.defaultUnit
        ];

      # Skip the unit entirely where the sysctl tree is not writable.
      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

      serviceConfig =
        { Type = "oneshot";
          # Keep the unit "active" so the lock is visible as applied.
          RemainAfterExit = true;
          # Bounds the wait on udevadm settle below.
          TimeoutSec = 180;
        };

      # Wait for pending udev events (which may still be loading modules),
      # then flip the one-way sysctl.
      script = ''
        ${pkgs.udev}/bin/udevadm settle
        echo -n 1 >/proc/sys/kernel/modules_disabled
      '';
    };
  };
}