initial commit

2025-12-22 16:46:52 -03:00 · 2025-12-22 16:46:52 -03:00 · 120dbdbc64
commit 120dbdbc64
21 changed files with 2413 additions and 0 deletions
--- a/kernel/default.nix
+++ b/kernel/default.nix
@ -0,0 +1,77 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardened.nix
+    ./vfio.nix
+    # ./apparmor.nix
+  ];
+
+  custom.kernel.hardened.enable = true;
+  custom.kernel.vfio.enable = false;
+  # security.apparmor.enable = false;
+
+  specialisation.unhardened.configuration = {
+    custom.kernel.hardened.enable = lib.mkForce false;
+    # security.apparmor.enable = lib.mkForce false;
+  };
+
+  specialisation.vfio.configuration = {
+    custom.kernel.vfio.enable = lib.mkForce true;
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.enableRedistributableFirmware = true;
+  hardware.cpu.amd.updateMicrocode = true;
+
+  security.rtkit.enable = true;
+  security.sudo.enable = false;
+  security.doas = {
+    enable = true;
+
+    extraRules = [
+      {
+        users = [ "user" ];
+        keepEnv = true;
+        persist = true;
+      }
+    ];
+  };
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelPackages = pkgs.linuxPackages_zen;
+    kernelParams = [
+      "amd_iommu=on"
+    ];
+    initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "ahci"
+      "usbhid"
+      "sd_mod"
+      "uas"
+      "usbcore"
+      "usb_storage"
+      "vfat"
+      "nls_cp437"
+      "nls_iso8859_1"
+      "virtio_pci"
+      "virtio_blk"
+      "virtio_net"
+      "virtio_ring"
+    ];
+    initrd.kernelModules = [
+      "amdgpu"
+      "nvidia"
+      "nvidia_modeset"
+      "nvidia_drm"
+    ];
+  };
+}