nixpkgs/nixos/modules/config/sysctl.nix
Eelco Dolstra 179acfb664 Allow upstream systemd units to be extended
If you define a unit, and either systemd or a package in
systemd.packages already provides that unit, then we now generate a
file /etc/systemd/system/<unit>.d/overrides.conf. This makes it
possible to use upstream units, while allowing them to be customised
from the NixOS configuration. For instance, the module nix-daemon.nix
now uses the units provided by the Nix package. And all unit
definitions that duplicated upstream systemd units are finally gone.

This makes the baseUnit option unnecessary, so I've removed it.
2014-04-17 18:52:31 +02:00

65 lines
2 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
sysctlOption = mkOptionType {
name = "sysctl option value";
check = x: isBool x || isString x || isInt x || isNull x;
merge = args: defs: (last defs).value; # FIXME: hacky way to allow overriding in configuration.nix.
};
in
{
options = {
boot.kernel.sysctl = mkOption {
default = {};
example = {
"net.ipv4.tcp_syncookies" = false;
"vm.swappiness" = 60;
};
type = types.attrsOf sysctlOption;
description = ''
Runtime parameters of the Linux kernel, as set by
<citerefentry><refentrytitle>sysctl</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>. Note that sysctl
parameters names must be enclosed in quotes
(e.g. <literal>"vm.swappiness"</literal> instead of
<literal>vm.swappiness</literal>). The value of each
parameter may be a string, integer, boolean, or null
(signifying the option will not appear at all).
'';
};
};
config = {
environment.etc."sysctl.d/nixos.conf".text =
concatStrings (mapAttrsToList (n: v:
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
) config.boot.kernel.sysctl);
systemd.services.systemd-sysctl =
{ wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
};
# Enable hardlink and symlink restrictions. See
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
# for details.
boot.kernel.sysctl."fs.protected_hardlinks" = true;
boot.kernel.sysctl."fs.protected_symlinks" = true;
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities.
#
# Removed under grsecurity.
boot.kernel.sysctl."kernel.kptr_restrict" =
if config.security.grsecurity.enable then null else 1;
};
}