From 86ca8dcdc36eae231dd2c1c70b45ec95980c673f Mon Sep 17 00:00:00 2001
From: h7x4
Date: Fri, 8 May 2026 16:02:54 +0900
Subject: [PATCH] base/hardening: ban a bunch more unimportant kernel modules
---
 base/default.nix | 1 +
 base/hardening.nix | 61 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 base/hardening.nix
diff --git a/base/default.nix b/base/default.nix
index cf6f9fe..83a6be7 100644
--- a/base/default.nix
+++ b/base/default.nix
@@ -13,6 +13,7 @@
 ./mitigations.nix
 ./flake-input-exporter.nix
+ ./hardening.nix
 ./networking.nix
 ./nix.nix
 ./programs.nix
diff --git a/base/hardening.nix b/base/hardening.nix
new file mode 100644
index 0000000..9e163f3
--- /dev/null
+++ b/base/hardening.nix
@@ -0,0 +1,61 @@
+{ ... }:
+{
+ boot.blacklistedKernelModules = [
+ # Obscure network protocols
+ "appletalk"
+ "atm"
+ "ax25"
+ "batman-adv"
+ "can"
+ "netrom"
+ "psnap"
+ "rds"
+ "rose"
+ "sctp"
+ "tipc"
+
+ # Filesystems we don't use
+ "adfs"
+ "affs"
+ "befs"
+ "bfs"
+ "cifs"
+ "cramfs"
+ "efs"
+ "exofs"
+ "orangefs"
+ "freevxfs"
+ "gfs2"
+ "hfs"
+ "hfsplus"
+ "hpfs"
+ "jffs2"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "ntfs"
+ "omfs"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ubifs"
+ "ufs"
+
+ # Legacy hardware
+ "pcspkr"
+ "floppy"
+ "parport"
+ "ppdev"
+
+ # Other stuff we don't use
+ "firewire-core"
+ "firewire-ohci"
+ "ksmbd"
+ "ib_core"
+ "l2tp_eth"
+ "l2tp_netlink"
+ "l2tp_ppp"
+ "nfc"
+ "soundwire"
+ ];
+}
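Review bot: The new base/hardening.nix presents `boot.blacklistedKernelModules` as a ban, but that option only emits modprobe `blacklist` entries, which stop automatic alias-based loading and do not prevent a module from being loaded explicitly or as a dependency of another module. A header comment above the list, e.g. `# modprobe blacklist entries: prevents autoload only, not an enforced load ban`, would keep the next reader from assuming more than the option gives. Where a hard ban is actually intended, `boot.extraModprobeConfig` with `install <module> ${pkgs.coreutils}/bin/false` lines is the usual mechanism (the module would then need `pkgs` in its argument set rather than the bare `{ ... }:`). Separately, the `"ntfs"` entry covers only the legacy driver; `ntfs3` is a distinct module name and is not affected by this list, which is worth a comment if that is unintended.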