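{ config, lib, ... }:
with lib;
{
  # Kernel sysctl tuning for physical hosts only (the whole attrset is gated on
  # config.kyouma.machine-type.physical). Two groups are merged with mkMerge:
  # a common set of hardening + TCP/network tuning, and a reverse-path-filter
  # pair that is applied only on machines that are NOT routers.
  boot.kernel.sysctl = mkIf config.kyouma.machine-type.physical (mkMerge [
    {
      # --- kernel hardening --------------------------------------------------
      # Restrict ptrace to descendants (Yama): a process may only trace its
      # own children unless it has CAP_SYS_PTRACE.
      "kernel.yama.ptrace_scope" = 1;
      # Hide kernel pointers (e.g. in /proc/kallsyms, dmesg) from all users,
      # including root. NOTE(review): the original key was misspelled as
      # "kernel.kptr_restric", which the kernel does not recognise, so the
      # restriction was never actually applied; the corrected key is below.
      "kernel.kptr_restrict" = 2;
      # Turn off ftrace on production hosts.
      "kernel.ftrace_enabled" = 0;
      # Reboot immediately on a kernel panic instead of hanging.
      "kernel.panic" = -1;

      # --- TCP / congestion control -----------------------------------------
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
      "net.ipv4.tcp_ecn" = 1;
      # 3 = TCP Fast Open for both client (bit 0) and server (bit 1). Server
      # mode accepts data in the SYN; it relies on the kernel's TFO cookie to
      # bound resource use from spoofed SYNs — confirm this is wanted on every
      # physical host and not only on ones serving TFO-capable services.
      "net.ipv4.tcp_fastopen" = 3;
      "net.ipv4.tcp_slow_start_after_idle" = 0;
      "net.ipv4.tcp_tw_reuse" = 1;
      # Path-MTU blackhole probing; 1220 looks like the MSS that fits the
      # 1280-byte IPv6 minimum MTU — confirm against the deployed links.
      "net.ipv4.tcp_mtu_probing" = 1;
      "net.ipv4.tcp_mtu_probe_floor" = 1220;
      # Detect dead peers after 60 s idle + 6 probes at 10 s intervals.
      "net.ipv4.tcp_keepalive_time" = 60;
      "net.ipv4.tcp_keepalive_probes" = 6;
      "net.ipv4.tcp_keepalive_intvl" = 10;

      # --- socket buffers ---------------------------------------------------
      "net.core.rmem_default" = 16777216;
      "net.core.rmem_max" = 56623104;
      "net.core.wmem_default" = 16777216;
      "net.core.wmem_max" = 56623104;
      "net.core.optmem_max" = 65536;
      "net.ipv4.tcp_rmem" = "4096 1048576 56623104";
      "net.ipv4.tcp_wmem" = "4096 65536 56623104";
      "net.ipv4.tcp_notsent_lowat" = 16384;
      "net.ipv4.udp_rmem_min" = 9216;
      "net.ipv4.udp_wmem_min" = 9216;
      "net.ipv4.ip_local_port_range" = "16384 65535";

      # IPv6 interface MTU; 1452 suggests a PPPoE/tunnel-style path — verify.
      "net.ipv6.conf.all.mtu" = 1452;
      "net.ipv6.conf.default.mtu" = 1452;

      # --- BPF --------------------------------------------------------------
      # JIT enabled; harden = 1 applies constant blinding only to programs
      # loaded by unprivileged users (2 would harden privileged ones too).
      "net.core.bpf_jit_enable" = 1;
      "net.core.bpf_jit_harden" = 1;

      # --- ICMP redirects / source routing ----------------------------------
      # Ignore ICMP redirects on all current and future interfaces, v4 and v6.
      "net.ipv4.conf.all.accept_redirects" = 0;
      "net.ipv6.conf.all.accept_redirects" = 0;
      "net.ipv4.conf.default.accept_redirects" = 0;
      "net.ipv6.conf.default.accept_redirects" = 0;
      # Reject source-routed packets. The original set only the IPv4 "all"
      # knob; the "default" and IPv6 counterparts are added so new interfaces
      # and IPv6 (RH0-style routing headers) get the same treatment, matching
      # the all/default and v4/v6 pairing used for accept_redirects above.
      "net.ipv4.conf.all.accept_source_route" = 0;
      "net.ipv4.conf.default.accept_source_route" = 0;
      "net.ipv6.conf.all.accept_source_route" = 0;
      "net.ipv6.conf.default.accept_source_route" = 0;
    }
    (mkIf (!config.kyouma.machine-type.router) {
      # Strict reverse-path filtering (drop packets whose source address is
      # not reachable via the interface they arrived on). Disabled on BGP
      # routers, where asymmetric paths would cause legitimate traffic to be
      # dropped.
      "net.ipv4.conf.all.rp_filter" = 1;
      "net.ipv4.conf.default.rp_filter" = 1;
    })
  ]);
}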