nixosMod/kernel: add boot.blockedKernelModules

1 year ago · e95d671491
parent 1f2866ffa2
commit e95d671491
2 changed files with 42 additions and 0 deletions
--- a/nix/nixos-modules/default.nix
+++ b/nix/nixos-modules/default.nix
@ -11,6 +11,7 @@
    ./debugMinimal.nix
    ./graphics.nix
    ./hwCommon.nix
+    ./kernel.nix
    ./options.nix
    ./privacy.nix
    ./secrix.nix
--- a/nix/nixos-modules/kernel.nix
+++ b/nix/nixos-modules/kernel.nix
@ -0,0 +1,41 @@
+{
+  config,
+  lib,
+  options,
+  pkgs,
+  ...
+}:
+let
+  blocked = config.boot.blockedKernelModules;
+in
+{
+
+  options = {
+    boot.blockedKernelModules = lib.mkOption {
+      description = ''
+        Kernel modules which are blocked from being loaded
+        by using a rather hacky workaround called "fake install".
+        Read in the [Debian Wiki](https://wiki.debian.org/KernelModuleBlacklisting) for more info.
+
+        Be aware that this should block all attempts
+        from loading that module at runtime,
+        *including other modules* depending on it.
+
+        Modules listed here are automatically blacklisted as well
+        by adding them to {option}`boot.blacklistedKernelModules`,
+        which should hinder them being loaded automatically
+        due to supported devices detected.
+      '';
+      type = options.boot.blacklistedKernelModules.type;
+      default = [ ];
+    };
+  };
+
+  config = {
+    boot.blacklistedKernelModules = blocked;
+    boot.extraModprobeConfig = lib.flip lib.concatMapStrings blocked (module: ''
+      install ${module} ${lib.getExe' pkgs.coreutils "true"}
+    '');
+  };
+
+}