nixos/sysctl: sane inotify defaults globally

Currently, sane inotify limits are only set when graphical-desktop is enabled, but inotify is also used on servers by non-graphical applications

nixos/modules/config/sysctl.nix

@@ -72,12 +72,21 @@ in
       restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
     };
 
-    # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
-    # users as these make it easier to exploit kernel vulnerabilities.
-    boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkDefault 1;
+    # NixOS wide defaults
+    boot.kernel.sysctl = {
+      # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
+      # users as these make it easier to exploit kernel vulnerabilities.
+      "kernel.kptr_restrict" = lib.mkDefault 1;
 
-    # Improve compatibility with applications that allocate
-    # a lot of memory, like modern games
-    boot.kernel.sysctl."vm.max_map_count" = lib.mkDefault 1048576;
+      # Improve compatibility with applications that allocate
+      # a lot of memory, like modern games
+      "vm.max_map_count" = lib.mkDefault 1048576;
+
+      # The default max inotify watches is 8192.
+      # Nowadays most apps require a good number of inotify watches,
+      # the value below is used by default on several other distros.
+      "fs.inotify.max_user_instances" = lib.mkDefault 524288;
+      "fs.inotify.max_user_watches" = lib.mkDefault 524288;
+    };
   };
 }

nixos/modules/services/misc/graphical-desktop.nix

@@ -21,14 +21,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    # The default max inotify watches is 8192.
-    # Nowadays most apps require a good number of inotify watches,
-    # the value below is used by default on several other distros.
-    boot.kernel.sysctl = {
-      "fs.inotify.max_user_instances" = lib.mkDefault 524288;
-      "fs.inotify.max_user_watches" = lib.mkDefault 524288;
-    };
-
     environment = {
       # localectl looks into 00-keyboard.conf
       etc."X11/xorg.conf.d/00-keyboard.conf".text = ''