From 5d515c04b33b4b833b0b33d9d7645e3a5f5278e5 Mon Sep 17 00:00:00 2001
From: Christoph Cullmann
Date: Sun, 30 Mar 2025 17:39:21 +0200
Subject: [PATCH] blacklist some stuff

---
 share/common.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/share/common.nix b/share/common.nix
index 48ce32f..ad0050c 100644
--- a/share/common.nix
+++ b/share/common.nix
@@ -70,6 +70,15 @@ in
 "net.core.bpf_jit_harden" = 2;
 };
 
+ # blacklist some stuff
+ boot.blacklistedKernelModules = [
+ # hardening
+ "dccp"
+ "sctp"
+ "rds"
+ "tipc"
+ ];
+
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
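Review bot: `boot.blacklistedKernelModules` only writes modprobe `blacklist` lines, which stop alias-based autoloading but still allow `dccp`, `sctp`, `rds` and `tipc` to be loaded by explicit module name or as a dependency of another module. If the `# hardening` entries are meant to make these protocols unloadable, an `install` override per module is the stricter form, for example `install dccp ${pkgs.coreutils}/bin/false` inside `boot.extraModprobeConfig` (this assumes `pkgs` is in scope here, which the hunk does not show). The comment `# blacklist some stuff` would also be more useful if it gave the reason, such as `# Keep rarely used network protocol modules from autoloading (attack-surface reduction)`. The enclosing attribute set starts and ends outside the hunk.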