This prevents many time-of-check-time-of-use security bugs. Ubuntu enables these by default as well, so they shouldn't cause many problems.
This adds an option ‘boot.kernel.sysctl’ and generates a file /etc/sysctl/nixos.conf read by systemd-sysctl.service.