forked from mirrors/nixpkgs
179acfb664
If you define a unit, and either systemd or a package in systemd.packages already provides that unit, then we now generate a file /etc/systemd/system/<unit>.d/overrides.conf. This makes it possible to use upstream units, while allowing them to be customised from the NixOS configuration. For instance, the module nix-daemon.nix now uses the units provided by the Nix package. And all unit definitions that duplicated upstream systemd units are finally gone. This makes the baseUnit option unnecessary, so I've removed it.
66 lines
2 KiB
Nix
66 lines
2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
sysctlOption = mkOptionType {
|
|
name = "sysctl option value";
|
|
check = x: isBool x || isString x || isInt x || isNull x;
|
|
merge = args: defs: (last defs).value; # FIXME: hacky way to allow overriding in configuration.nix.
|
|
};
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options = {
|
|
|
|
boot.kernel.sysctl = mkOption {
|
|
default = {};
|
|
example = {
|
|
"net.ipv4.tcp_syncookies" = false;
|
|
"vm.swappiness" = 60;
|
|
};
|
|
type = types.attrsOf sysctlOption;
|
|
description = ''
|
|
Runtime parameters of the Linux kernel, as set by
|
|
<citerefentry><refentrytitle>sysctl</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry>. Note that sysctl
|
|
parameters names must be enclosed in quotes
|
|
(e.g. <literal>"vm.swappiness"</literal> instead of
|
|
<literal>vm.swappiness</literal>). The value of each
|
|
parameter may be a string, integer, boolean, or null
|
|
(signifying the option will not appear at all).
|
|
'';
|
|
};
|
|
|
|
};
|
|
|
|
config = {
|
|
|
|
environment.etc."sysctl.d/nixos.conf".text =
|
|
concatStrings (mapAttrsToList (n: v:
|
|
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
|
|
) config.boot.kernel.sysctl);
|
|
|
|
systemd.services.systemd-sysctl =
|
|
{ wantedBy = [ "multi-user.target" ];
|
|
restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
|
|
};
|
|
|
|
# Enable hardlink and symlink restrictions. See
|
|
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
|
|
# for details.
|
|
boot.kernel.sysctl."fs.protected_hardlinks" = true;
|
|
boot.kernel.sysctl."fs.protected_symlinks" = true;
|
|
|
|
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
|
|
# users as these make it easier to exploit kernel vulnerabilities.
|
|
#
|
|
# Removed under grsecurity.
|
|
boot.kernel.sysctl."kernel.kptr_restrict" =
|
|
if config.security.grsecurity.enable then null else 1;
|
|
};
|
|
}
|