{
  # Kernel hardening knobs for this host, written as dotted attribute paths
  # (evaluates to the same attrset as a nested `security = { ... };` block).

  # Refuse to replace the running kernel image at runtime (kexec / hibernation
  # paths are what this option locks down, per the NixOS option docs).
  security.protectKernelImage = true;

  # Left off on purpose: locking module loading after boot breaks virtd,
  # wireguard and iptables on this host. Consequence: modules can still be
  # loaded post-boot, so this machine does not get that mitigation.
  security.lockKernelModules = false;

  # Force-enable Page Table Isolation (PTI) regardless of what the CPU
  # vulnerability detection would pick on its own.
  security.forcePageTableIsolation = true;

  # User namespaces are required for the Nix build sandbox, so this must stay
  # true; do not set `"user.max_user_namespaces" = 0;` in sysctl alongside it.
  security.allowUserNamespaces = true;

  # Unprivileged user namespaces are disabled here unconditionally — there is
  # no container check in this file, so rootless containers configured
  # elsewhere will not get them. NOTE(review): this option toggles the
  # `kernel.unprivileged_userns_clone` sysctl, which exists in the
  # linux-hardened patch set; on a stock kernel it is a no-op — confirm the
  # host actually runs the hardened kernel if this is relied upon.
  security.unprivilegedUsernsClone = false;

  # SMT is left on. The hardened profile turns it off because sibling
  # hyperthreads share microarchitectural state; keeping it is a deliberate
  # performance-over-isolation trade for this host.
  security.allowSimultaneousMultithreading = true;
}