refactor: split sysctl file

common/nixos/sysctl/file_system.nix

@@ -0,0 +1,41 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  boot.kernel.sysctl = {
+    # disallow core dumping by SUID/SGID programs
+    "fs.suid_dumpable" = 0;
+
+    # protect the creation of hard links
+    # one of the following conditions must be fulfilled
+    #   - the user can only link to files that he or she owns
+    #   - the user must first have read and write access to a file, that he/she wants to link to
+    "fs.protected_hardlinks" = 1;
+
+    # protect the creation of symbolic links
+    # one of the following conditions must be fulfilled
+    #   - the process following the symbolic link is the owner of the symbolic link
+    #   - the owner of the directory is also the owner of the symbolic link
+    "fs.protected_symlinks" = 1;
+
+    # enable extended FIFO protection
+    "fs.protected_fifos" = 2;
+
+    # similar to protected_fifos, but it avoids writes to an attacker-controlled regular file
+    "fs.protected_regular" = 2;
+
+    # increase system file descriptor limit
+    # this value can be up to:
+    #   - 2147483647 (0x7fffffff) on a 32-bit system
+    #   - 9223372036854775807 (0x7fffffffffffffff) on a 64-bit system
+    # be aware that the Linux kernel documentation suggests that inode-max should be 3-4 times
+    #   larger than this value
+    "fs.file-max" = 9223372036854775807;
+
+    # increase the amount of files that can be watched
+    # each file watch handle takes 1080 bytes
+    # up to 540 MiB of memory will be consumed if all 524288 handles are used
+    "fs.inotify.max_user_watches" = 524288;
+  };
+}