69 lines
1.1 KiB
Nix
69 lines
1.1 KiB
Nix
{ lib, ... }:
|
||
with lib.kernel;
|
||
{
|
||
# Base requirements
|
||
DEVTMPFS = yes;
|
||
CGROUPS = yes;
|
||
INOTIFY_USER = yes;
|
||
SIGNALFD = yes;
|
||
TIMERFD = yes;
|
||
EPOLL = yes;
|
||
UNIX = yes;
|
||
PROC_FS = yes;
|
||
FHANDLE = yes;
|
||
|
||
# Legacy interfaces
|
||
UEVENT_HELPER = no;
|
||
FW_LOADER_USER_HELPER = no;
|
||
|
||
# udev & virtualisation
|
||
DMIID = yes;
|
||
|
||
# SCSI device serial number retrieval
|
||
BLK_DEV_BSG = option yes;
|
||
|
||
# PrivateNetwork
|
||
NET_NS = yes;
|
||
|
||
# PrivateUser
|
||
USER_NS = yes;
|
||
|
||
# Optional but recommended
|
||
IPV6 = yes;
|
||
AUTOFS_FS = yes;
|
||
TMPFS_XATTR = yes;
|
||
TMPFS_POSIX_ACL = yes;
|
||
SECCOMP = yes;
|
||
SECCOMP_FILTER = yes;
|
||
KCMP = yes;
|
||
NET_SCHED = yes;
|
||
|
||
# CPUShares
|
||
CGROUP_SCHED = yes;
|
||
FAIR_GROUP_SCHED = yes;
|
||
|
||
# CPUQuota
|
||
CFS_BANDWIDTH = yes;
|
||
|
||
# IPaddress{Allow,Deny}, SocketBind{Allow,Deny}, RestrictNetworkInterfaces
|
||
BPF = yes;
|
||
BPF_SYSCALL = yes;
|
||
BPF_JIT = yes;
|
||
CGROUP_BPF = yes;
|
||
|
||
# EFI
|
||
EFIVAR_FS = option yes;
|
||
EFI_PARTITION = option yes;
|
||
|
||
# SMBIOS credentials
|
||
DMI = yes;
|
||
DMI_SYSFS = yes;
|
||
|
||
# Real‐time scheduling
|
||
RT_GROUP_SCHED = no;
|
||
|
||
# systemd-oomd
|
||
PSI = yes;
|
||
MEMCG = yes;
|
||
}
|