2021-09-15 14:43:26 +03:00
|
|
|
{ config, pkgs, lib, ... }:
|
2017-04-06 17:12:21 +03:00
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
{
|
2018-10-14 23:42:01 +03:00
|
|
|
meta = {
|
|
|
|
maintainers = [ maintainers.joachifm ];
|
|
|
|
};
|
|
|
|
|
2017-04-06 17:12:21 +03:00
|
|
|
options = {
|
|
|
|
security.lockKernelModules = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
2022-07-20 13:32:04 +03:00
|
|
|
description = lib.mdDoc ''
|
2017-04-06 17:12:21 +03:00
|
|
|
Disable kernel module loading once the system is fully initialised.
|
2021-09-15 14:43:26 +03:00
|
|
|
Module loading is disabled until the next reboot. Problems caused
|
2017-04-06 17:12:21 +03:00
|
|
|
by delayed module loading can be fixed by adding the module(s) in
|
2022-07-20 13:32:04 +03:00
|
|
|
question to {option}`boot.kernelModules`.
|
2017-04-06 17:12:21 +03:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf config.security.lockKernelModules {
|
2017-09-23 00:45:04 +03:00
|
|
|
boot.kernelModules = concatMap (x:
|
2023-06-25 12:47:43 +03:00
|
|
|
optionals (x.device != null) (
|
|
|
|
if x.fsType == "vfat"
|
|
|
|
then [ "vfat" "nls-cp437" "nls-iso8859-1" ]
|
|
|
|
else [ x.fsType ])
|
|
|
|
) config.system.build.fileSystems;
|
2017-09-23 00:45:04 +03:00
|
|
|
|
2021-09-15 14:43:26 +03:00
|
|
|
systemd.services.disable-kernel-module-loading = {
|
2017-04-06 17:12:21 +03:00
|
|
|
description = "Disable kernel module loading";
|
|
|
|
|
2021-09-15 14:43:26 +03:00
|
|
|
wants = [ "systemd-udevd.service" ];
|
2017-04-06 17:12:21 +03:00
|
|
|
wantedBy = [ config.systemd.defaultUnit ];
|
|
|
|
|
2021-09-15 14:43:26 +03:00
|
|
|
after =
|
|
|
|
[ "firewall.service"
|
|
|
|
"systemd-modules-load.service"
|
2021-09-19 13:02:24 +03:00
|
|
|
config.systemd.defaultUnit
|
2021-09-15 14:43:26 +03:00
|
|
|
];
|
2017-04-06 17:12:21 +03:00
|
|
|
|
2017-04-30 15:42:15 +03:00
|
|
|
unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";
|
2017-04-06 17:12:21 +03:00
|
|
|
|
2021-09-15 14:43:26 +03:00
|
|
|
serviceConfig =
|
|
|
|
{ Type = "oneshot";
|
|
|
|
RemainAfterExit = true;
|
|
|
|
TimeoutSec = 180;
|
|
|
|
};
|
|
|
|
|
|
|
|
script = ''
|
|
|
|
${pkgs.udev}/bin/udevadm settle
|
|
|
|
echo -n 1 >/proc/sys/kernel/modules_disabled
|
|
|
|
'';
|
2017-04-06 17:12:21 +03:00
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|