diff options
Diffstat (limited to 'nixos/modules/config/sysctl.nix')
-rw-r--r-- | nixos/modules/config/sysctl.nix | 10 |
1 files changed, 2 insertions, 8 deletions
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index 0c6a7e2431aa..fb2b58eed720 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -42,22 +42,16 @@ in config = { - environment.etc."sysctl.d/nixos.conf".text = + environment.etc."sysctl.d/60-nixos.conf".text = concatStrings (mapAttrsToList (n: v: optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n" ) config.boot.kernel.sysctl); systemd.services.systemd-sysctl = { wantedBy = [ "multi-user.target" ]; - restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ]; + restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ]; }; - # Enable hardlink and symlink restrictions. See - # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7 - # for details. - boot.kernel.sysctl."fs.protected_hardlinks" = true; - boot.kernel.sysctl."fs.protected_symlinks" = true; - # Hide kernel pointers (e.g. in /proc/modules) for unprivileged # users as these make it easier to exploit kernel vulnerabilities. boot.kernel.sysctl."kernel.kptr_restrict" = 1; |