feat: make default sysctl rewritable

X01A · Feb 18, 2024 · 7d2a800 · 7d2a800
1 parent 3c8e8d1
commit 7d2a800
Showing 1 changed file with 22 additions and 22 deletions.
diff --git a/modules/environment/base.nix b/modules/environment/base.nix
@@ -100,40 +100,40 @@ in
       nixpkgs.config.allowUnfree = true;
       boot.kernel.sysctl = {
         # Disable magic SysRq key
-        "kernel.sysrq" = 0;
+        "kernel.sysrq" = lib.mkDefault 0;
         # Ignore ICMP broadcasts to avoid participating in Smurf attacks
-        "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+        "net.ipv4.icmp_echo_ignore_broadcasts" = lib.mkDefault 1;
         # Ignore bad ICMP errors
-        "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+        "net.ipv4.icmp_ignore_bogus_error_responses" = lib.mkDefault 1;
         # Reverse-path filter for spoof protection
-        "net.ipv4.conf.default.rp_filter" = 1;
-        "net.ipv4.conf.all.rp_filter" = 1;
+        "net.ipv4.conf.default.rp_filter" = lib.mkDefault 1;
+        "net.ipv4.conf.all.rp_filter" = lib.mkDefault 1;
         # SYN flood protection
-        "net.ipv4.tcp_syncookies" = 1;
+        "net.ipv4.tcp_syncookies" = lib.mkDefault 1;
         # Do not accept ICMP redirects (prevent MITM attacks)
-        "net.ipv4.conf.all.accept_redirects" = 0;
-        "net.ipv4.conf.default.accept_redirects" = 0;
-        "net.ipv4.conf.all.secure_redirects" = 0;
-        "net.ipv4.conf.default.secure_redirects" = 0;
-        "net.ipv6.conf.all.accept_redirects" = 0;
-        "net.ipv6.conf.default.accept_redirects" = 0;
+        "net.ipv4.conf.all.accept_redirects" = lib.mkDefault 0;
+        "net.ipv4.conf.default.accept_redirects" = lib.mkDefault 0;
+        "net.ipv4.conf.all.secure_redirects" = lib.mkDefault 0;
+        "net.ipv4.conf.default.secure_redirects" = lib.mkDefault 0;
+        "net.ipv6.conf.all.accept_redirects" = lib.mkDefault 0;
+        "net.ipv6.conf.default.accept_redirects" = lib.mkDefault 0;
         # Protect against tcp time-wait assassination hazards
-        "net.ipv4.tcp_rfc1337" = 1;
+        "net.ipv4.tcp_rfc1337" = lib.mkDefault 1;
         # TCP Fast Open (TFO)
-        "net.ipv4.tcp_fastopen" = 3;
+        "net.ipv4.tcp_fastopen" = lib.mkDefault 3;
         ## Bufferbloat mitigations
         # Requires >= 4.9 & kernel module
-        "net.ipv4.tcp_congestion_control" = "bbr";
+        "net.ipv4.tcp_congestion_control" = lib.mkDefault "bbr";
         # Requires >= 4.19
-        "net.core.default_qdisc" = "cake";
+        "net.core.default_qdisc" = lib.mkDefault "cake";
 
-        "net.ipv4.tcp_tw_recycle" = 1;
-        "net.ipv4.tcp_tw_reuse" = 1;
-        "net.ipv4.tcp_no_metrics_save" = 1;
-        "net.ipv4.tcp_sack" = 1;
+        "net.ipv4.tcp_tw_recycle" = lib.mkDefault 1;
+        "net.ipv4.tcp_tw_reuse" = lib.mkDefault 1;
+        "net.ipv4.tcp_no_metrics_save" = lib.mkDefault 1;
+        "net.ipv4.tcp_sack" = lib.mkDefault 1;
         "vm.overcommit_memory" = lib.mkDefault 1;
-        "vm.swappiness" = 1;
-        "net.ipv4.tcp_ecn" = 1;
+        "vm.swappiness" = lib.mkDefault 1;
+        "net.ipv4.tcp_ecn" = lib.mkDefault 1;
       };