# Kernel configuration that systemd expects.  The groups below follow the
# REQUIREMENTS list of systemd's README.  Entries wrapped in `option` are
# presumably tolerated when the symbol is absent or not selectable on a given
# kernel rather than treated as hard requirements — confirm against
# lib.kernel.option before relying on that.
{ lib, ... }:
let
  inherit (lib.kernel) yes no option;
in
{
  # --- Base requirements ---
  DEVTMPFS = yes;
  CGROUPS = yes;
  INOTIFY_USER = yes;
  SIGNALFD = yes;
  TIMERFD = yes;
  EPOLL = yes;
  UNIX = yes;
  PROC_FS = yes;
  FHANDLE = yes;

  # --- Legacy interfaces, deliberately disabled (superseded by udev) ---
  UEVENT_HELPER = no;
  FW_LOADER_USER_HELPER = no;

  # --- udev & virtualisation detection ---
  DMIID = yes;

  # --- SCSI device serial number retrieval ---
  # Optional: presumably not user-selectable on every kernel version.
  BLK_DEV_BSG = option yes;

  # --- Sandboxing primitives behind systemd's per-unit isolation ---
  # PrivateNetwork=
  NET_NS = yes;
  # PrivateUsers=.  This only builds user-namespace support into the kernel;
  # whether unprivileged processes may create user namespaces is governed at
  # runtime (e.g. the user.max_user_namespaces sysctl), not by this option.
  USER_NS = yes;
  # SystemCallFilter= and related directives need seccomp BPF filtering.
  SECCOMP = yes;
  SECCOMP_FILTER = yes;

  # --- Optional but recommended ---
  IPV6 = yes;
  AUTOFS_FS = yes;
  TMPFS_XATTR = yes;
  TMPFS_POSIX_ACL = yes;
  KCMP = yes;
  NET_SCHED = yes;

  # --- Resource control ---
  # CPUShares=
  CGROUP_SCHED = yes;
  FAIR_GROUP_SCHED = yes;
  # CPUQuota=
  CFS_BANDWIDTH = yes;
  # systemd-oomd (pressure stall information and memory cgroup accounting)
  PSI = yes;
  MEMCG = yes;
  # Real-time group scheduling: systemd asks for this to be switched off.
  RT_GROUP_SCHED = no;

  # --- IPAddress{Allow,Deny}=, SocketBind{Allow,Deny}=, RestrictNetworkInterfaces= ---
  # These are enforced with cgroup-attached BPF programs.  Exposing the bpf()
  # syscall and the JIT is additional kernel attack surface; restricting
  # unprivileged bpf() use (kernel.unprivileged_bpf_disabled) and JIT
  # hardening (net.core.bpf_jit_harden) are runtime sysctls, not build options.
  BPF = yes;
  BPF_SYSCALL = yes;
  BPF_JIT = yes;
  CGROUP_BPF = yes;

  # --- EFI (optional, presumably so non-EFI kernel builds still pass) ---
  EFIVAR_FS = option yes;
  EFI_PARTITION = option yes;

  # --- SMBIOS credentials ---
  DMI = yes;
  DMI_SYSFS = yes;
}