{ pkgs, config, lib, ... }:
{
  options.linux-kernel = {
    enableZen = lib.mkEnableOption "linux_zen kernel";
  };
  config =
    {
      boot.kernelPackages =
        if config.linux-kernel.enableZen then
          pkgs.linuxKernel.packages.linux_zen
        else
          pkgs.linuxPackages_latest;

let
  commonModule = {
    # Credits from me:
    # - https://github.com/RGBCube/ncc/blob/c5714110d951f57e66d5ee47a244c0a93f3406a1/modules/linux/kernel.nix
    # From RGBCube:
    # - https://github.com/NotAShelf/nyx/blob/main/modules/core/common/system/security/kernel.nix
    # - "hsslister" user - raf (NotAShelf) - "I actually forgot the dudes GitHub"
    boot.kernel.sysctl = {
      # The Magic SysRq key is a key combo that allows users connected to the
      # system console of a Linux kernel to perform some low-level commands.
      # Disable it, since we don't need it, and is a potential security concern.
      "kernel.sysrq" = 0;

      # Credits from me:
      # - https://github.com/RGBCube/ncc/blob/c5714110d951f57e66d5ee47a244c0a93f3406a1/modules/linux/kernel.nix
      # From RGBCube:
      # - https://github.com/NotAShelf/nyx/blob/main/modules/core/common/system/security/kernel.nix
      # - "hsslister" user - raf (NotAShelf) - "I actually forgot the dudes GitHub"
      boot.kernel.sysctl = {
        # The Magic SysRq key is a key combo that allows users connected to the
        # system console of a Linux kernel to perform some low-level commands.
        # Disable it, since we don't need it, and is a potential security concern.
        "kernel.sysrq" = 0;

      # Hide kptrs even for processes with CAP_SYSLOG.
      # Also prevents printing kernel pointers.
      "kernel.kptr_restrict" = 2;

        # Hide kptrs even for processes with CAP_SYSLOG.
        # Also prevents printing kernel pointers.
        "kernel.kptr_restrict" = 2;

      # Disable bpf() JIT (to eliminate spray attacks).
      "net.core.bpf_jit_enable" = false;

        # Disable bpf() JIT (to eliminate spray attacks).
        "net.core.bpf_jit_enable" = false;

      # Disable ftrace debugging.
      "kernel.ftrace_enabled" = false;

        # Disable ftrace debugging.
        "kernel.ftrace_enabled" = false;

      # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
      "kernel.dmesg_restrict" = 1;

        # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
        "kernel.dmesg_restrict" = 1;

      # Prevent unintentional fifo writes.
      "fs.protected_fifos" = 2;

        # Prevent unintentional fifo writes.
        "fs.protected_fifos" = 2;

      # Prevent unintended writes to already-created files.
      "fs.protected_regular" = 2;

        # Prevent unintended writes to already-created files.
        "fs.protected_regular" = 2;

      # Disable SUID binary dump.
      "fs.suid_dumpable" = 0;

        # Disable SUID binary dump.
        "fs.suid_dumpable" = 0;

      # Disallow profiling at all levels without CAP_SYS_ADMIN.
      "kernel.perf_event_paranoid" = 3;

        # Disallow profiling at all levels without CAP_SYS_ADMIN.
        "kernel.perf_event_paranoid" = 3;

      # Require CAP_BPF to use bpf.
      "kernel.unprvileged_bpf_disabled" = 1;
    };

        # Require CAP_BPF to use bpf.
        "kernel.unprvileged_bpf_disabled" = 1;
      };

    # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
    boot.kernelParams = [
      # Make stack-based attacks on the kernel harder.
      "randomize_kstack_offset=on"

      # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
      boot.kernelParams = [
        # Make stack-based attacks on the kernel harder.
        "randomize_kstack_offset=on"

      # Controls the behavior of vsyscalls. This has been defaulted to none back in 2016 - break really old binaries for security.
      "vsyscall=none"

        # Controls the behavior of vsyscalls. This has been defaulted to none back in 2016 - break really old binaries for security.
        "vsyscall=none"

      # Reduce most of the exposure of a heap attack to a single cache.
      "slab_nomerge"

        # Reduce most of the exposure of a heap attack to a single cache.
        "slab_nomerge"

      # Only allow signed modules.
      "module.sig_enforce=1"

        # Only allow signed modules.
        "module.sig_enforce=1"

      # Blocks access to all kernel memory, even preventing administrators from being able to inspect and probe the kernel.
      "lockdown=confidentiality"

        # Blocks access to all kernel memory, even preventing administrators from being able to inspect and probe the kernel.
        "lockdown=confidentiality"

      # Enable buddy allocator free poisoning.
      "page_poison=1"

        # Enable buddy allocator free poisoning.
        "page_poison=1"

      # Performance improvement for direct-mapped memory-side-cache utilization, reduces the predictability of page allocations.
      "page_alloc.shuffle=1"

        # Performance improvement for direct-mapped memory-side-cache utilization, reduces the predictability of page allocations.
        "page_alloc.shuffle=1"

      # Disable sysrq keys. sysrq is seful for debugging, but also insecure.
      "sysrq_always_enabled=0"

        # Disable sysrq keys. sysrq is seful for debugging, but also insecure.
        "sysrq_always_enabled=0"

      # Ignore access time (atime) updates on files, except when they coincide with updates to the ctime or mtime.
      "rootflags=noatime"

        # Ignore access time (atime) updates on files, except when they coincide with updates to the ctime or mtime.
        "rootflags=noatime"

      # Linux security modules.
      "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"

        # Linux security modules.
        "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"

      # Prevent the kernel from blanking plymouth out of the fb.
      "fbcon=nodefer"
    ];

        # Prevent the kernel from blanking plymouth out of the fb.
        "fbcon=nodefer"
      ];

    boot.blacklistedKernelModules = [
      # Obscure network protocols.
      "af_802154" # IEEE 802.15.4
      "appletalk" # Appletalk
      "atm" # ATM
      "ax25" # Amatuer X.25
      "can" # Controller Area Network
      "dccp" # Datagram Congestion Control Protocol
      "decnet" # DECnet
      "econet" # Econet
      "ipx" # Internetwork Packet Exchange
      "n-hdlc" # High-level Data Link Control
      "netrom" # NetRom
      "p8022" # IEEE 802.3
      "p8023" # Novell raw IEEE 802.3
      "psnap" # SubnetworkAccess Protocol
      "rds" # Reliable Datagram Sockets
      "rose" # ROSE
      "sctp" # Stream Control Transmission Protocol
      "tipc" # Transparent Inter-Process Communication
      "x25" # X.25

      boot.blacklistedKernelModules = [
        # Obscure network protocols.
        "af_802154" # IEEE 802.15.4
        "appletalk" # Appletalk
        "atm" # ATM
        "ax25" # Amatuer X.25
        "can" # Controller Area Network
        "dccp" # Datagram Congestion Control Protocol
        "decnet" # DECnet
        "econet" # Econet
        "ipx" # Internetwork Packet Exchange
        "n-hdlc" # High-level Data Link Control
        "netrom" # NetRom
        "p8022" # IEEE 802.3
        "p8023" # Novell raw IEEE 802.3
        "psnap" # SubnetworkAccess Protocol
        "rds" # Reliable Datagram Sockets
        "rose" # ROSE
        "sctp" # Stream Control Transmission Protocol
        "tipc" # Transparent Inter-Process Communication
        "x25" # X.25

      # Old or rare or insufficiently audited filesystems.
      "adfs" # Active Directory Federation Services
      "affs" # Amiga Fast File System
      "befs" # "Be File System"
      "bfs" # BFS, used by SCO UnixWare OS for the /stand slice
      "cifs" # Common Internet File System
      "cramfs" # compressed ROM/RAM file system
      "efs" # Extent File System
      "erofs" # Enhanced Read-Only File System
      "exofs" # EXtended Object File System
      "f2fs" # Flash-Friendly File System
      "freevxfs" # Veritas filesystem driver
      "gfs2" # Global File System 2
      "hfs" # Hierarchical File System (Macintosh)
      "hfsplus" # Same as above, but with extended attributes.
      "hpfs" # High Performance File System (used by OS/2)
      "jffs2" # Journalling Flash File System (v2)
      "jfs" # Journaled File System - only useful for VMWare sessions
      "ksmbd" # SMB3 Kernel Server
      "minix" # minix fs - used by the minix OS
      "nfs" # Network File System
      "nfsv3" # Network File System (v3)
      "nfsv4" # Network File System (v4)
      "nilfs2" # New Implementation of a Log-structured File System
      "omfs" # Optimized MPEG Filesystem
      "qnx4" # Extent-based file system used by the QNX4 OS.
      "qnx6" # Extent-based file system used by the QNX6 OS.
      "squashfs" # compressed read-only file system (used by live CDs)
      "sysv" # implements all of Xenix FS, SystemV/386 FS and Coherent FS.
      "udf" # https://docs.kernel.org/5.15/filesystems/udf.html
      "vivid" # Virtual Video Test Driver (unnecessary)
      # Disable Thunderbolt and FireWire to prevent DMA attacks
      "firewire-core"
      "thunderbolt"
    ];
  };
in
{

        # Old or rare or insufficiently audited filesystems.
        "adfs" # Active Directory Federation Services
        "affs" # Amiga Fast File System
        "befs" # "Be File System"
        "bfs" # BFS, used by SCO UnixWare OS for the /stand slice
        "cifs" # Common Internet File System
        "cramfs" # compressed ROM/RAM file system
        "efs" # Extent File System
        "erofs" # Enhanced Read-Only File System
        "exofs" # EXtended Object File System
        "f2fs" # Flash-Friendly File System
        "freevxfs" # Veritas filesystem driver
        "gfs2" # Global File System 2
        "hfs" # Hierarchical File System (Macintosh)
        "hfsplus" # Same as above, but with extended attributes.
        "hpfs" # High Performance File System (used by OS/2)
        "jffs2" # Journalling Flash File System (v2)
        "jfs" # Journaled File System - only useful for VMWare sessions
        "ksmbd" # SMB3 Kernel Server
        "minix" # minix fs - used by the minix OS
        "nfs" # Network File System
        "nfsv3" # Network File System (v3)
        "nfsv4" # Network File System (v4)
        "nilfs2" # New Implementation of a Log-structured File System
        "omfs" # Optimized MPEG Filesystem
        "qnx4" # Extent-based file system used by the QNX4 OS.
        "qnx6" # Extent-based file system used by the QNX6 OS.
        "squashfs" # compressed read-only file system (used by live CDs)
        "sysv" # implements all of Xenix FS, SystemV/386 FS and Coherent FS.
        "udf" # https://docs.kernel.org/5.15/filesystems/udf.html
        "vivid" # Virtual Video Test Driver (unnecessary)

  config.flake.modules.nixos.linux-kernel =
    { pkgs, ... }:
    commonModule // {
      boot.kernelPackages = pkgs.linuxPackages_latest;
    };

        # Disable Thunderbolt and FireWire to prevent DMA attacks
        "firewire-core"
        "thunderbolt"
      ];

  config.flake.modules.nixos.linux-kernel-desktop =
    { pkgs, ... }:
    commonModule // {
      boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen;

{ config, pkgs, ... }: {
  boot.kernelPackages = if config.isDesktopNotWsl then
    pkgs.linuxKernel.packages.linux_zen
  else
    pkgs.linuxPackages_latest;
  # Credits from me:
  # - https://github.com/RGBCube/ncc/blob/c5714110d951f57e66d5ee47a244c0a93f3406a1/modules/linux/kernel.nix
  # From RGBCube:
  # - https://github.com/NotAShelf/nyx/blob/main/modules/core/common/system/security/kernel.nix
  # - "hsslister" user - raf (NotAShelf) - "I actually forgot the dudes GitHub"
  boot.kernel.sysctl = {
    # The Magic SysRq key is a key combo that allows users connected to the
    # system console of a Linux kernel to perform some low-level commands.
    # Disable it, since we don't need it, and is a potential security concern.
    "kernel.sysrq" = 0;
    # Hide kptrs even for processes with CAP_SYSLOG.
    # Also prevents printing kernel pointers.
    "kernel.kptr_restrict" = 2;
    # Disable bpf() JIT (to eliminate spray attacks).
    "net.core.bpf_jit_enable" = false;
    # Disable ftrace debugging.
    "kernel.ftrace_enabled" = false;
    # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
    "kernel.dmesg_restrict" = 1;
    # Prevent unintentional fifo writes.
    "fs.protected_fifos" = 2;
    # Prevent unintended writes to already-created files.
    "fs.protected_regular" = 2;
    # Disable SUID binary dump.
    "fs.suid_dumpable" = 0;
    # Disallow profiling at all levels without CAP_SYS_ADMIN.
    "kernel.perf_event_paranoid" = 3;
    # Require CAP_BPF to use bpf.
    "kernel.unprvileged_bpf_disabled" = 1;
  };
  # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
  boot.kernelParams = [
    # Make stack-based attacks on the kernel harder.
    "randomize_kstack_offset=on"
    # Controls the behavior of vsyscalls. This has been defaulted to none back in 2016 - break really old binaries for security.
    "vsyscall=none"
    # Reduce most of the exposure of a heap attack to a single cache.
    "slab_nomerge"
    # Only allow signed modules.
    "module.sig_enforce=1"
    # Blocks access to all kernel memory, even preventing administrators from being able to inspect and probe the kernel.
    "lockdown=confidentiality"
    # Enable buddy allocator free poisoning.
    "page_poison=1"
    # Performance improvement for direct-mapped memory-side-cache utilization, reduces the predictability of page allocations.
    "page_alloc.shuffle=1"
    # Disable sysrq keys. sysrq is seful for debugging, but also insecure.
    "sysrq_always_enabled=0"
    # Ignore access time (atime) updates on files, except when they coincide with updates to the ctime or mtime.
    "rootflags=noatime"
    # Linux security modules.
    "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
    # Prevent the kernel from blanking plymouth out of the fb.
    "fbcon=nodefer"
  ];
  boot.blacklistedKernelModules = [
      # Obscure network protocols.
      "af_802154" # IEEE 802.15.4
      "appletalk" # Appletalk
      "atm"       # ATM
      "ax25"      # Amatuer X.25
      "can"       # Controller Area Network
      "dccp"      # Datagram Congestion Control Protocol
      "decnet"    # DECnet
      "econet"    # Econet
      "ipx"       # Internetwork Packet Exchange
      "n-hdlc"    # High-level Data Link Control
      "netrom"    # NetRom
      "p8022"     # IEEE 802.3
      "p8023"     # Novell raw IEEE 802.3
      "psnap"     # SubnetworkAccess Protocol
      "rds"       # Reliable Datagram Sockets
      "rose"      # ROSE
      "sctp"      # Stream Control Transmission Protocol
      "tipc"      # Transparent Inter-Process Communication
      "x25"       # X.25
      # Old or rare or insufficiently audited filesystems.
      "adfs"     # Active Directory Federation Services
      "affs"     # Amiga Fast File System
      "befs"     # "Be File System"
      "bfs"      # BFS, used by SCO UnixWare OS for the /stand slice
      "cifs"     # Common Internet File System
      "cramfs"   # compressed ROM/RAM file system
      "efs"      # Extent File System
      "erofs"    # Enhanced Read-Only File System
      "exofs"    # EXtended Object File System
      "f2fs"     # Flash-Friendly File System
      "freevxfs" # Veritas filesystem driver
      "gfs2"     # Global File System 2
      "hfs"      # Hierarchical File System (Macintosh)
      "hfsplus"  # Same as above, but with extended attributes.
      "hpfs"     # High Performance File System (used by OS/2)
      "jffs2"    # Journalling Flash File System (v2)
      "jfs"      # Journaled File System - only useful for VMWare sessions
      "ksmbd"    # SMB3 Kernel Server
      "minix"    # minix fs - used by the minix OS
      "nfs"      # Network File System
      "nfsv3"    # Network File System (v3)
      "nfsv4"    # Network File System (v4)
      "nilfs2"   # New Implementation of a Log-structured File System
      "omfs"     # Optimized MPEG Filesystem
      "qnx4"     # Extent-based file system used by the QNX4 OS.
      "qnx6"     # Extent-based file system used by the QNX6 OS.
      "squashfs" # compressed read-only file system (used by live CDs)
      "sysv"     # implements all of Xenix FS, SystemV/386 FS and Coherent FS.
      "udf"      # https://docs.kernel.org/5.15/filesystems/udf.html
      "vivid"    # Virtual Video Test Driver (unnecessary)
      # Disable Thunderbolt and FireWire to prevent DMA attacks
      "firewire-core"
      "thunderbolt"
    ];
}