From f9d175fc439b704eaa1d95767ac3b02e6c02cfa0 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Mon, 2 Dec 2024 08:25:20 +0100
Subject: [PATCH] common: disable a bunch of kernel modules by default
---
 hosts/common/default.nix | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index f927bab..3135535 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -195,4 +195,35 @@ in {
 Defaults lecture = always
 Defaults lecture_file = ${sudoLecture}
 '';
+
+ # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/profiles/hardened.nix
+ boot.blacklistedKernelModules = [
+ # Obscure network protocols
+ "ax25"
+ "netrom"
+ "rose"
+
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ # "erofs" // used by systemd
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
 }
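Review bot: The `boot.blacklistedKernelModules` list added here only prevents these modules from being auto-loaded by alias; a modprobe.d `blacklist` entry does not stop an explicit `modprobe` or a load pulled in as a dependency, so a host that mounts one of these filesystems will still end up with the module loaded. If the goal is to make them unloadable, the stronger form is an `install <module> ${pkgs.coreutils}/bin/false` line through `boot.extraModprobeConfig` (assuming `pkgs` is in scope for this module), and a one-line comment stating which of the two effects is intended would help, e.g. `# blacklist only blocks autoload; use boot.extraModprobeConfig "install ..." to hard-disable`. Note also that `"ntfs"` names the legacy read-only driver and not `ntfs3`, so hosts that mount NTFS with the in-kernel driver may still load a module absent from this list — worth checking on the hosts importing this common module. The `// used by systemd` marker on the erofs line reads like Nix's update operator; inside a `#` comment it is harmless, but `# "erofs" # used by systemd` is the conventional form. The enclosing attribute set opened by `in {` begins before the hunk.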