feat(base): blacklist unused network kernel modules

Disable rxrpc, kafs, af_key, esp4, esp6 across all systems that enable metacfg.base. None of them are used on these hosts, and they have a history of CVEs — blacklisting reduces kernel attack surface.
2026-05-13 09:16:21 +02:00 · 2026-05-13 09:16:21 +02:00 · b9cfdc99a7
commit b9cfdc99a7
parent 67b7c3a9fd
1 changed files with 7 additions and 0 deletions
--- a/modules/nixos/services/base/default.nix
+++ b/modules/nixos/services/base/default.nix
@ -166,6 +166,13 @@ in
        timeout = 2;
      };
      initrd.systemd.enable = true;
+      blacklistedKernelModules = [
+        "rxrpc"
+        "kafs"
+        "af_key"
+        "esp4"
+        "esp6"
+      ];
    };

    system.autoUpgrade = {