box,europa,faf,h,stan: use hardened kernel

Aaron Bieber 2022-09-27 09:46:15 -06:00
parent 470e3252bb
commit 78b56c7bf4
No known key found for this signature in database
5 changed files with 6 additions and 3 deletions


@ -96,7 +96,7 @@ in {
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages;
boot.kernelPackages = pkgs.linuxPackages_hardened;
doas.enable = true;
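Review bot: The new `boot.kernelPackages = pkgs.linuxPackages_hardened;` line carries no comment on what changes at runtime, and the same bare switch is made in the other four host files of this commit. As far as I know the nixpkgs hardened kernel leaves unprivileged user namespaces disabled unless `security.unprivilegedUsernsClone = true;` is set, which can affect browser and container sandboxes, so that is worth confirming per host. I would add a comment such as `# hardened kernel: unprivileged userns off by default; see security.unprivilegedUsernsClone`. Since the line is identical on all five hosts, it could also live once in a shared module with `lib.mkDefault`. The enclosing attribute set starts and ends outside the hunk.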


@ -57,7 +57,7 @@ in {
efiSysMountPoint = "/boot/efi";
};
};
kernelPackages = pkgs.linuxPackages;
kernelPackages = pkgs.linuxPackages_hardened;
kernelParams = [ "boot.shell_on_fail" "mem_sleep_default=deep" ];
kernelModules = [ "kvm-intel" ];
};
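Review bot: `"boot.shell_on_fail"` stays in `kernelParams` directly below the new hardened `kernelPackages` line, and that parameter lets stage 1 drop to a root shell without authentication when boot fails. On a host that is being hardened it is worth either removing it or justifying it in a comment, for example `# boot.shell_on_fail kept for recovery; assumes physical access is trusted`. The parameter is context rather than part of this change, so this is a follow-up suggestion. The surrounding `boot` attribute set opens outside the hunk.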


@ -14,6 +14,8 @@ in {
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_hardened;
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.devNodes = "/dev/";
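Review bot: The added `boot.kernelPackages = pkgs.linuxPackages_hardened;` sits next to `boot.supportedFilesystems = [ "zfs" ];`, so this host now depends on the out-of-tree ZFS module building against whatever kernel version the hardened package set tracks. When a hardened kernel bump gets ahead of ZFS support the build is expected to fail rather than boot without the pool, but that still blocks security updates on this host until it is resolved. I would record the coupling in a comment, e.g. `# zfs must support the hardened kernel version; check before bumping nixpkgs`. The hunk header indicates two added lines but the rendered page does not show which, so this assumes the ZFS lines are existing context.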


@ -33,6 +33,7 @@ in {
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
boot.kernelPackages = pkgs.linuxPackages_hardened;
boot.kernelParams = [ "net.ifnames=0" ];
tailscale.sshOnly = true;


@ -29,7 +29,7 @@ in {
"/crypto_keyfile.bin";
secrets = { "/crypto_keyfile.bin" = null; };
};
kernelPackages = pkgs.linuxPackages;
kernelPackages = pkgs.linuxPackages_hardened;
kernelParams = [ "intel_idle.max_cstate=4" ];
};