diff --git a/faucet/kernel/default.nix b/faucet/kernel/default.nix
new file mode 100644
index 00000000..9a3e7e08
--- /dev/null
+++ b/faucet/kernel/default.nix
@@ -0,0 +1,28 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+ cfg = config.faucet.kernel;
+in {
+ options.faucet.kernel = {
+ enable = mkEnableOption "kernel version and configuration" // { default = true; };
+ lts = mkEnableOption "longterm kernel releases";
+ sysctl = {
+ enable = mkEnableOption "sysctl presets" // { default = true; };
+ harden = mkEnableOption "hardening sysctls" // { default = true; };
+ swappiness = mkOption {
+ type = with types; int;
+ default = 0;
+ description = "vm.swappiness value, should be zero for low memory SSD systems";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ boot.kernel.sysctl = {
+ "kernel.dmesg_restrict" = mkIf cfg.sysctl.harden 1;
+ "vm.swappiness" = cfg.sysctl.swappiness;
+ };
+ boot.kernelPackages = with pkgs; mkDefault (if cfg.lts then linuxPackages else linuxPackages_latest);
+ };
+}
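Review bot: `sysctl.enable` is declared under `options.faucet.kernel.sysctl` but never read in `config`, so the `boot.kernel.sysctl` attrset is applied even when a host sets it to false; gate it with `boot.kernel.sysctl = mkIf cfg.sysctl.enable { … };`. The `harden` switch is described as "hardening sysctls" but sets only `kernel.dmesg_restrict`, which can suggest more coverage than one setting gives. Either narrow the description or add related restrictions in the same style, for example `"kernel.kptr_restrict" = mkIf cfg.sysctl.harden 2;`. `swappiness` accepts any `int`, so a negative value is only rejected when the sysctl is applied at runtime; `type = types.ints.unsigned;` would catch it at evaluation.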