From 7d2a8005fd720da1ffae4d295a0be55a8b39a9a6 Mon Sep 17 00:00:00 2001
From: Indexyz <7685264+5aaee9@users.noreply.github.com>
Date: Sun, 18 Feb 2024 16:03:32 +0800
Subject: [PATCH] feat: make default sysctl rewritable

---
 modules/environment/base.nix | 44 ++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/modules/environment/base.nix b/modules/environment/base.nix
index aac28b81..92ab238a 100644
--- a/modules/environment/base.nix
+++ b/modules/environment/base.nix
@@ -100,40 +100,40 @@ in
 nixpkgs.config.allowUnfree = true;
 boot.kernel.sysctl = {
 # Disable magic SysRq key
- "kernel.sysrq" = 0;
+ "kernel.sysrq" = lib.mkDefault 0;
 # Ignore ICMP broadcasts to avoid participating in Smurf attacks
- "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+ "net.ipv4.icmp_echo_ignore_broadcasts" = lib.mkDefault 1;
 # Ignore bad ICMP errors
- "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ "net.ipv4.icmp_ignore_bogus_error_responses" = lib.mkDefault 1;
 # Reverse-path filter for spoof protection
- "net.ipv4.conf.default.rp_filter" = 1;
- "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = lib.mkDefault 1;
+ "net.ipv4.conf.all.rp_filter" = lib.mkDefault 1;
 # SYN flood protection
- "net.ipv4.tcp_syncookies" = 1;
+ "net.ipv4.tcp_syncookies" = lib.mkDefault 1;
 # Do not accept ICMP redirects (prevent MITM attacks)
- "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.secure_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.accept_redirects" = lib.mkDefault 0;
+ "net.ipv4.conf.default.accept_redirects" = lib.mkDefault 0;
+ "net.ipv4.conf.all.secure_redirects" = lib.mkDefault 0;
+ "net.ipv4.conf.default.secure_redirects" = lib.mkDefault 0;
+ "net.ipv6.conf.all.accept_redirects" = lib.mkDefault 0;
+ "net.ipv6.conf.default.accept_redirects" = lib.mkDefault 0;
 # Protect against tcp time-wait assassination hazards
- "net.ipv4.tcp_rfc1337" = 1;
+ "net.ipv4.tcp_rfc1337" = lib.mkDefault 1;
 # TCP Fast Open (TFO)
- "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_fastopen" = lib.mkDefault 3;
 ## Bufferbloat mitigations
 # Requires >= 4.9 & kernel module
- "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.ipv4.tcp_congestion_control" = lib.mkDefault "bbr";
 # Requires >= 4.19
- "net.core.default_qdisc" = "cake";
+ "net.core.default_qdisc" = lib.mkDefault "cake";
- "net.ipv4.tcp_tw_recycle" = 1;
- "net.ipv4.tcp_tw_reuse" = 1;
- "net.ipv4.tcp_no_metrics_save" = 1;
- "net.ipv4.tcp_sack" = 1;
+ "net.ipv4.tcp_tw_recycle" = lib.mkDefault 1;
+ "net.ipv4.tcp_tw_reuse" = lib.mkDefault 1;
+ "net.ipv4.tcp_no_metrics_save" = lib.mkDefault 1;
+ "net.ipv4.tcp_sack" = lib.mkDefault 1;
 "vm.overcommit_memory" = lib.mkDefault 1;
- "vm.swappiness" = 1;
- "net.ipv4.tcp_ecn" = 1;
+ "vm.swappiness" = lib.mkDefault 1;
+ "net.ipv4.tcp_ecn" = lib.mkDefault 1;
 };
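Review bot: `"net.ipv4.tcp_tw_recycle" = lib.mkDefault 1;` on the new side keeps a sysctl that no longer exists — tcp_tw_recycle was removed from the kernel in Linux 4.12, and the hunk's own "Requires >= 4.19" comment for the cake qdisc means no kernel this module targets has it — so systemd-sysctl will log a write failure for that key on every boot while the rest are still applied; drop the line and keep only `"net.ipv4.tcp_tw_reuse" = lib.mkDefault 1;`. A security-relevant side effect of moving every key to `lib.mkDefault` is that the hardening settings (rp_filter, accept_redirects, secure_redirects, sysrq, syncookies) can now be silently replaced by a plain `boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = 1;` anywhere else in the configuration, with no merge conflict to warn the operator; if only the tuning keys (tcp_fastopen, bbr/cake, swappiness, tcp_ecn) need to be overridable, consider leaving the hardening keys at normal priority, or at least add a comment above the block such as `# NOTE: the hardening keys below are mkDefault and any plain assignment elsewhere overrides them without a conflict`. Separately, `rp_filter = 1` is strict mode and is known to drop legitimate traffic on hosts with asymmetric routing or policy-routed tunnels, so it would be worth a comment saying that the intended override in that case is `2` (loose) rather than `0`.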