diff options
author | Florian Klink <flokli@flokli.de> | 2019-08-11 13:32:24 +0200 |
---|---|---|
committer | Florian Klink <flokli@flokli.de> | 2019-08-18 17:54:26 +0200 |
commit | 9be0327a4975e219957d5108b3753a7640c4a9e0 (patch) | |
tree | f264e6c231f25fcf660af8997e665e78704fc3cb /nixos/modules/config/sysctl.nix | |
parent | e5965bd4897310d1f99ad75f51ef99f1f0e2c274 (diff) |
nixos/systemd: install sysctl snippets
systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit.
Diffstat (limited to 'nixos/modules/config/sysctl.nix')
-rw-r--r-- | nixos/modules/config/sysctl.nix | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index 112e5e744d4c0..fb2b58eed7203 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -52,12 +52,6 @@ in restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ]; }; - # Enable hardlink and symlink restrictions. See - # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7 - # for details. - boot.kernel.sysctl."fs.protected_hardlinks" = true; - boot.kernel.sysctl."fs.protected_symlinks" = true; - # Hide kernel pointers (e.g. in /proc/modules) for unprivileged # users as these make it easier to exploit kernel vulnerabilities. boot.kernel.sysctl."kernel.kptr_restrict" = 1; |