idiosyn/nixos/module/kernel.nix

{ self, ... }: { lib, pkgs, ... }: {
  boot.consoleLogLevel = lib.mkDefault 3;

  boot.initrd = {
    checkJournalingFS = lib.mkDefault false;
    includeDefaultModules = lib.mkDefault false;
    luks.cryptoModules = lib.mkDefault [ ];
    verbose = lib.mkDefault false;
  };

  boot.kernelPackages = lib.mkDefault
    (pkgs.linuxPackagesFor self.packages.${pkgs.system}.linux-hardened);
  boot.modprobeConfig.enable = lib.mkDefault false;

  boot.kernelParams = [
    # Disable kernel messages on the console
    "quiet"

    # Zero‐fill page and slab allocations on free
    "init_on_free=1"

    # Disable I/O delay
    "io_delay=none"

    # Enable page allocator free list randomisation
    "page_alloc.shuffle=1"

    # Disable slab merging
    "slab_nomerge"

    # Disable vsyscall mechanism
    "vsyscall=none"

    # Enable transparent hugepages
    "transparent_hugepage=always"

    # Suspend USB devices without delay
    "usbcore.autosuspend=0"
  ];

  boot.kernel.sysctl = {
    # Mitigate some TOCTOU vulnerabilities
    "fs.protected_fifos" = 2;
    "fs.protected_hardlinks" = 1;
    "fs.protected_regular" = 2;
    "fs.protected_symlinks" = 1;

    # Disable automatic loading of TTY line disciplines
    "dev.tty.ldisc_autoload" = 0;

    # Disable first 64 KiB of virtual memory for allocation
    "vm.mmap_min_addr" = 65536;

    # Increase ASLR randomisation
    "vm.mmap_rnd_bits" = 32;
    "vm.mmap_rnd_compat_bits" = 16;

    # Restrict ptrace()
    "kernel.yama.ptrace_scope" = 1;

    # Hide kernel memory addresses
    "kernel.kptr_restrict" = 2;

    # Restrict kernel log access
    "kernel.dmesg_restrict" = 1;

    # Enable hardened eBPF JIT
    "kernel.unprivileged_bpf_disabled" = 1;
    "net.core.bpf_jit_enable" = 1;
    "net.core.bpf_jit_harden" = 2;

    # Ignore ICMP redirects
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;

    # Set default Qdisc
    "net.core.default_qdisc" = "fq";

    # Increase minimum PMTU
    "net.ipv4.route.min_pmtu" = 1280;

    # Set default TCP congestion control algorithm
    "net.ipv4.tcp_congestion_control" = "bbr";

    # Enable ECN
    "net.ipv4.tcp_ecn" = 1;

    # Enable TCP fast open
    "net.ipv4.tcp_fastopen" = 3;

    # Disable TCP slow start after idling
    "net.ipv4.tcp_slow_start_after_idle" = 0;

    # Allow re‐use of TCP ports during TIME-WAIT
    "net.ipv4.tcp_tw_reuse" = 1;

    # Enable TCP MTU probing
    "net.ipv4.tcp_mtu_probing" = 1;
    "net.ipv4.tcp_mtu_probe_floor" = 1220;

    # Increase socket buffer space
    #  default of 16 MiB should be sufficient to saturate 1GE
    #  maximum for 54 MiB sufficient for 10GE
    "net.core.rmem_default" = 16777216;
    "net.core.rmem_max" = 56623104;
    "net.core.wmem_default" = 16777216;
    "net.core.wmem_max" = 56623104;
    "net.core.optmem_max" = 65536;
    "net.ipv4.tcp_rmem" = "4096 1048576 56623104";
    "net.ipv4.tcp_wmem" = "4096 65536 56623104";
    "net.ipv4.tcp_notsent_lowat" = 16384;
    "net.ipv4.udp_rmem_min" = 9216;
    "net.ipv4.udp_wmem_min" = 9216;

    # Reduce TCP keep‐alive time‐out to 2 minutes
    "net.ipv4.tcp_keepalive_time" = 60;
    "net.ipv4.tcp_keepalive_probes" = 6;
    "net.ipv4.tcp_keepalive_intvl" = 10;

    # Widen local port range
    "net.ipv4.ip_local_port_range" = "16384 65535";

    # Increase default MTU
    "net.ipv6.conf.default.mtu" = 1452;
    "net.ipv6.conf.all.mtu" = 1452;

    # Set traffic class for NDP to CS6 (network control)
    "net.ipv6.conf.default.ndisc_tclass" = 192;
    "net.ipv6.conf.all.ndisc_tclass" = 192;

    # Dirty page cache ratio
    "vm.dirty_background_ratio" = 3;
    "vm.dirty_ratio" = 6;
  };

  # Work around initrd generation bug
  environment.etc."modprobe.d/nixos.conf".text = "";

  systemd.tmpfiles.rules = [
    "w- /sys/kernel/mm/transparent_hugepage/enabled - - - - always"
    "w- /sys/kernel/mm/transparent_hugepage/defrag  - - - - defer"
  ];
}