63 lines
1.3 KiB
Nix
63 lines
1.3 KiB
Nix
{
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
./hardened.nix
|
|
./vfio.nix
|
|
./standard.nix
|
|
# ./apparmor.nix
|
|
];
|
|
|
|
custom.kernel.hardened.enable = true;
|
|
custom.kernel.vfio.enable = false;
|
|
custom.kernel.standard.enable = true;
|
|
# security.apparmor.enable = false;
|
|
|
|
specialisation.unhardened.configuration = {
|
|
custom.kernel.hardened.enable = lib.mkForce false;
|
|
# security.apparmor.enable = lib.mkForce false;
|
|
};
|
|
|
|
specialisation.vfio.configuration = {
|
|
custom.kernel.vfio.enable = lib.mkForce true;
|
|
custom.kernel.standard.enable = lib.mkForce false;
|
|
};
|
|
|
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
|
hardware.enableRedistributableFirmware = true;
|
|
hardware.cpu.amd.updateMicrocode = true;
|
|
|
|
security.rtkit.enable = true;
|
|
security.sudo.enable = false;
|
|
security.doas = {
|
|
enable = true;
|
|
|
|
extraRules = [
|
|
{
|
|
users = [ "user" ];
|
|
keepEnv = true;
|
|
persist = true;
|
|
}
|
|
{
|
|
users = [ "user" ];
|
|
runAs = "agent";
|
|
noPass = true;
|
|
keepEnv = false;
|
|
}
|
|
];
|
|
};
|
|
|
|
boot = {
|
|
loader = {
|
|
systemd-boot.enable = true;
|
|
efi.canTouchEfiVariables = true;
|
|
};
|
|
kernelPackages = pkgs.linuxPackages_zen;
|
|
kernelParams = [
|
|
"amd_iommu=on"
|
|
];
|
|
};
|
|
}
|