let
  commonModule = {
    # Credits from me:
    # - https://github.com/RGBCube/ncc/blob/c5714110d951f57e66d5ee47a244c0a93f3406a1/modules/linux/kernel.nix
    # From RGBCube:
    # - https://github.com/NotAShelf/nyx/blob/main/modules/core/common/system/security/kernel.nix
    # - "hsslister" user - raf (NotAShelf) - "I actually forgot the dudes GitHub"
    boot.kernel.sysctl = {
      # The Magic SysRq key is a key combo that allows users connected to the
      # system console of a Linux kernel to perform some low-level commands.
      # Disable it, since we don't need it, and is a potential security concern.
      "kernel.sysrq" = 0;

      # Hide kptrs even for processes with CAP_SYSLOG.
      # Also prevents printing kernel pointers.
      "kernel.kptr_restrict" = 2;

      # Disable bpf() JIT (to eliminate spray attacks).
      "net.core.bpf_jit_enable" = false;

      # Disable ftrace debugging.
      "kernel.ftrace_enabled" = false;

      # Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
      "kernel.dmesg_restrict" = 1;

      # Prevent unintentional fifo writes.
      "fs.protected_fifos" = 2;

      # Prevent unintended writes to already-created files.
      "fs.protected_regular" = 2;

      # Disable SUID binary dump.
      "fs.suid_dumpable" = 0;

      # Disallow profiling at all levels without CAP_SYS_ADMIN.
      "kernel.perf_event_paranoid" = 3;

      # Require CAP_BPF to use bpf.
      "kernel.unprvileged_bpf_disabled" = 1;
    };

    # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
    boot.kernelParams = [
      # Make stack-based attacks on the kernel harder.
      "randomize_kstack_offset=on"

      # Controls the behavior of vsyscalls. This has been defaulted to none back in 2016 - break really old binaries for security.
      "vsyscall=none"

      # Reduce most of the exposure of a heap attack to a single cache.
      "slab_nomerge"

      # Only allow signed modules.
      "module.sig_enforce=1"

      # Blocks access to all kernel memory, even preventing administrators from being able to inspect and probe the kernel.
      "lockdown=confidentiality"

      # Enable buddy allocator free poisoning.
      "page_poison=1"

      # Performance improvement for direct-mapped memory-side-cache utilization, reduces the predictability of page allocations.
      "page_alloc.shuffle=1"

      # Disable sysrq keys. sysrq is seful for debugging, but also insecure.
      "sysrq_always_enabled=0"

      # Ignore access time (atime) updates on files, except when they coincide with updates to the ctime or mtime.
      "rootflags=noatime"

      # Linux security modules.
      "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"

      # Prevent the kernel from blanking plymouth out of the fb.
      "fbcon=nodefer"
    ];

    boot.blacklistedKernelModules = [
      # Obscure network protocols.
      "af_802154" # IEEE 802.15.4
      "appletalk" # Appletalk
      "atm" # ATM
      "ax25" # Amatuer X.25
      "can" # Controller Area Network
      "dccp" # Datagram Congestion Control Protocol
      "decnet" # DECnet
      "econet" # Econet
      "ipx" # Internetwork Packet Exchange
      "n-hdlc" # High-level Data Link Control
      "netrom" # NetRom
      "p8022" # IEEE 802.3
      "p8023" # Novell raw IEEE 802.3
      "psnap" # SubnetworkAccess Protocol
      "rds" # Reliable Datagram Sockets
      "rose" # ROSE
      "sctp" # Stream Control Transmission Protocol
      "tipc" # Transparent Inter-Process Communication
      "x25" # X.25

      # Old or rare or insufficiently audited filesystems.
      "adfs" # Active Directory Federation Services
      "affs" # Amiga Fast File System
      "befs" # "Be File System"
      "bfs" # BFS, used by SCO UnixWare OS for the /stand slice
      "cifs" # Common Internet File System
      "cramfs" # compressed ROM/RAM file system
      "efs" # Extent File System
      "erofs" # Enhanced Read-Only File System
      "exofs" # EXtended Object File System
      "f2fs" # Flash-Friendly File System
      "freevxfs" # Veritas filesystem driver
      "gfs2" # Global File System 2
      "hfs" # Hierarchical File System (Macintosh)
      "hfsplus" # Same as above, but with extended attributes.
      "hpfs" # High Performance File System (used by OS/2)
      "jffs2" # Journalling Flash File System (v2)
      "jfs" # Journaled File System - only useful for VMWare sessions
      "ksmbd" # SMB3 Kernel Server
      "minix" # minix fs - used by the minix OS
      "nfs" # Network File System
      "nfsv3" # Network File System (v3)
      "nfsv4" # Network File System (v4)
      "nilfs2" # New Implementation of a Log-structured File System
      "omfs" # Optimized MPEG Filesystem
      "qnx4" # Extent-based file system used by the QNX4 OS.
      "qnx6" # Extent-based file system used by the QNX6 OS.
      "squashfs" # compressed read-only file system (used by live CDs)
      "sysv" # implements all of Xenix FS, SystemV/386 FS and Coherent FS.
      "udf" # https://docs.kernel.org/5.15/filesystems/udf.html
      "vivid" # Virtual Video Test Driver (unnecessary)

      # Disable Thunderbolt and FireWire to prevent DMA attacks
      "firewire-core"
      "thunderbolt"
    ];

  };
in
{

  flake.modules.nixos.linux-kernel-latest =
    { pkgs, ... }:
    {
      imports = [ commonModule ];
      boot.kernelPackages = pkgs.linuxPackages_latest;
    };

  flake.modules.nixos.linux-kernel-zen =
    { pkgs, ... }:
    {
      imports = [ commonModule ];
      boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen;
    };
}