
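{
  lib,
  pkgs,
  ...
}:
let
  # Privileged half of the `ns` helper. doas executes this as root (see the
  # last `security.doas.extraRules` entry below); it enters the named network
  # namespace and then immediately drops back to the invoking user with
  # setpriv, so the wrapped command itself never runs as root.
  #
  # `$DOAS_USER` is the variable doas exports with the name of the original
  # caller. If it is absent (for example because the script was executed
  # directly instead of through the `ns` wrapper) the script stops rather
  # than handing setpriv an empty uid/gid.
  nsExec = pkgs.writeShellScriptBin "ns-raw" ''
    if [ "$#" -lt 2 ]; then
      echo "usage: ns-raw <netns> <command> [args...]" >&2
      exit 64
    fi
    if [ -z "$DOAS_USER" ]; then
      echo "ns-raw: DOAS_USER is not set; invoke through the ns wrapper" >&2
      exit 1
    fi
    ns="$1"
    shift
    # --regid reuses the caller's *name*, so this assumes every permitted
    # user has a group of the same name (NixOS does not create one by
    # default; verify the user definitions). setpriv rejects an unknown
    # group, so a mismatch fails closed instead of keeping root's gid.
    # --clear-groups removes root's supplementary groups and --inh-caps=-all
    # empties the inheritable set before the uid switch.
    exec ${pkgs.iproute2}/bin/ip netns exec "$ns" \
      ${pkgs.util-linux}/bin/setpriv \
        --reuid="$DOAS_USER" --regid="$DOAS_USER" \
        --clear-groups \
        --inh-caps=-all \
        "$@"
  '';
  # Unprivileged entry point users actually run: forwards to doas, whose
  # rule for ns-raw matches the full store path passed here.
  nsWrapper = pkgs.writeShellScriptBin "ns" ''
    exec /run/wrappers/bin/doas ${nsExec}/bin/ns-raw "$@"
  '';
in
{
  # The `custom.kernel.*` options used below are presumably declared by
  # these modules.
  imports = [
    ./hardened.nix
    ./vfio.nix
    ./standard.nix
    # ./apparmor.nix
  ];

  # Default boot entry: hardened + standard kernel flavours, VFIO off.
  custom.kernel.hardened.enable = true;
  custom.kernel.vfio.enable = false;
  custom.kernel.standard.enable = true;
  # security.apparmor.enable = false;

  # Extra boot entries: one without the hardened kernel, one that swaps the
  # standard kernel for the VFIO one. Everything else is inherited.
  specialisation.unhardened.configuration = {
    custom.kernel.hardened.enable = lib.mkForce false;
    # security.apparmor.enable = lib.mkForce false;
  };
  specialisation.vfio.configuration = {
    custom.kernel.vfio.enable = lib.mkForce true;
    custom.kernel.standard.enable = lib.mkForce false;
  };

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.amd.updateMicrocode = true;

  security.rtkit.enable = true;

  # doas is the only privilege-escalation path; sudo is disabled outright.
  security.sudo.enable = false;
  security.doas = {
    enable = true;
    extraRules = [
      # Interactive root access for "user": password required, authentication
      # cached (persist), caller's environment kept.
      {
        users = [ "user" ];
        runAs = "root";
        keepEnv = true;
        persist = true;
      }
      # Passwordless switch to the "work" account with a scrubbed environment.
      {
        users = [ "user" ];
        runAs = "work";
        noPass = true;
        keepEnv = false;
      }
      # Passwordless switch to the "agent" account, environment kept.
      {
        users = [ "user" ];
        runAs = "agent";
        noPass = true;
        keepEnv = true;
      }
      # Passwordless root for exactly one command: the ns-raw store path.
      # Arguments are not restricted, so any netns name and any command can be
      # passed; ns-raw itself is what drops back to the caller's uid.
      # keepEnv carries the caller's environment into the namespace; DOAS_USER
      # is expected to be set by doas itself rather than taken from that
      # environment — confirm against the doas version in use.
      {
        users = [
          "user"
          "agent"
          "work"
        ];
        runAs = "root";
        noPass = true;
        keepEnv = true;
        cmd = "${nsExec}/bin/ns-raw";
      }
    ];
  };
  environment.systemPackages = [ nsWrapper ];

  # Limit su/newgrp to members of wheel.
  security.pam.services.su.requireWheel = true;
  security.pam.services.newgrp.requireWheel = true;

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    # Base kernel; the imported kernel modules may override this.
    kernelPackages = pkgs.linuxPackages_latest;
    # Applied to every specialisation, including the VFIO one.
    kernelParams = [
      "amd_iommu=on"
    ];
  };
}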