From b9cfdc99a7a7549f0fc5e4b5a07430a38433685b Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 13 May 2026 09:16:21 +0200
Subject: [PATCH] feat(base): blacklist unused network kernel modules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Disable rxrpc, kafs, af_key, esp4, esp6 across all systems that enable metacfg.base. None of them are used on these hosts, and they have a history of CVEs — blacklisting reduces kernel attack surface.
---
 modules/nixos/services/base/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/nixos/services/base/default.nix b/modules/nixos/services/base/default.nix
index 1361a2c..45acb9e 100644
--- a/modules/nixos/services/base/default.nix
+++ b/modules/nixos/services/base/default.nix
@@ -166,6 +166,13 @@ in
 timeout = 2;
 };
 initrd.systemd.enable = true;
+ blacklistedKernelModules = [
+ "rxrpc"
+ "kafs"
+ "af_key"
+ "esp4"
+ "esp6"
+ ];
 };
 system.autoUpgrade = {
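Review bot: The `blacklist` lines that `blacklistedKernelModules` produces only stop modprobe from auto-loading these modules through their aliases; a module can still be loaded by explicit name, or as a dependency of another module (kafs pulls in rxrpc), so the list narrows the attack surface the message describes but does not close it. As far as I can tell NixOS emits only `blacklist` entries for this option, so an `install <module> /bin/false` line per module via `extraModprobeConfig` (same `boot` attrset, which begins outside the hunk) is what makes the ban hold for explicit and dependency loads as well; keeping the blacklist list next to it is harmless. The rationale currently lives only in the commit message, so a one-line comment above the list, `# unused on these hosts and a recurring CVE source; see commit b9cfdc9`, would keep it with the code.
```nix
    # … unchanged: blacklistedKernelModules list above …
    extraModprobeConfig = ''
      install rxrpc /bin/false
      install kafs /bin/false
      install af_key /bin/false
      install esp4 /bin/false
      install esp6 /bin/false
    '';
```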