From 78b56c7bf4bb1703c22321417f45420720ca5331 Mon Sep 17 00:00:00 2001
From: Aaron Bieber
Date: Tue, 27 Sep 2022 09:46:15 -0600
Subject: [PATCH] box,europa,faf,h,stan: use hardened kernel
---
 hosts/box/default.nix | 2 +-
 hosts/europa/default.nix | 2 +-
 hosts/faf/default.nix | 2 ++
 hosts/h/default.nix | 1 +
 hosts/stan/default.nix | 2 +-
 5 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/hosts/box/default.nix b/hosts/box/default.nix
index 48de31c..436e79a 100644
--- a/hosts/box/default.nix
+++ b/hosts/box/default.nix
@@ -96,7 +96,7 @@ in {
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
- boot.kernelPackages = pkgs.linuxPackages;
+ boot.kernelPackages = pkgs.linuxPackages_hardened;
 doas.enable = true;
diff --git a/hosts/europa/default.nix b/hosts/europa/default.nix
index 0aeffe9..f15ecc5 100644
--- a/hosts/europa/default.nix
+++ b/hosts/europa/default.nix
@@ -57,7 +57,7 @@ in {
 efiSysMountPoint = "/boot/efi";
 };
 };
- kernelPackages = pkgs.linuxPackages;
+ kernelPackages = pkgs.linuxPackages_hardened;
 kernelParams = [ "boot.shell_on_fail" "mem_sleep_default=deep" ];
 kernelModules = [ "kvm-intel" ];
 };
diff --git a/hosts/faf/default.nix b/hosts/faf/default.nix
index 3d00a15..9ee2f11 100644
--- a/hosts/faf/default.nix
+++ b/hosts/faf/default.nix
@@ -14,6 +14,8 @@ in {
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
+ boot.kernelPackages = pkgs.linuxPackages_hardened;
+ boot.supportedFilesystems = [ "zfs" ];
 boot.zfs.devNodes = "/dev/";
diff --git a/hosts/h/default.nix b/hosts/h/default.nix
index 9a81a0e..c07c783 100644
--- a/hosts/h/default.nix
+++ b/hosts/h/default.nix
@@ -33,6 +33,7 @@ in {
 boot.loader.grub.version = 2;
 boot.loader.grub.device = "/dev/sda";
+ boot.kernelPackages = pkgs.linuxPackages_hardened;
 boot.kernelParams = [ "net.ifnames=0" ];
 tailscale.sshOnly = true;
diff --git a/hosts/stan/default.nix b/hosts/stan/default.nix
index 46723d0..ab70813 100644
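Review bot: The new `boot.kernelPackages = pkgs.linuxPackages_hardened;` line in hosts/box (and the same line in hosts/europa, hosts/faf, hosts/h and hosts/stan) changes only the kernel build. None of the hunks shows companion settings such as `security.lockKernelModules` or `security.protectKernelImage`, so if the goal is the full NixOS hardened profile, that still has to be imported or set per host. The linux-hardened patch set also, as far as I know, disables unprivileged user namespaces by default, which affects software that sandboxes with them. Where a host needs them, say so explicitly with `security.unprivilegedUsernsClone = true;` and a comment giving the reason. The enclosing attribute set starts and ends outside the hunk.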
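Review bot: In hosts/europa, `"boot.shell_on_fail"` stays in `kernelParams` directly below the new hardened-kernel line. The NixOS manual describes that parameter as offering a root shell in stage 1 with no authentication when boot fails, so anyone with console access can bypass the hardening this commit is adding. Consider dropping it once the new kernel has booted cleanly, `kernelParams = [ "mem_sleep_default=deep" ];`, or keep it with a comment marking it as a temporary recovery aid. The enclosing attribute set starts outside the hunk.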
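Review bot: hosts/faf has `boot.supportedFilesystems = [ "zfs" ];` next to the new kernel line, and nothing in the hunk ties the hardened kernel's version to what the ZFS module supports. ZFS is built out of tree, so a later bump of `linuxPackages_hardened` in nixpkgs may leave this host unable to build, and therefore unable to take kernel security updates, until ZFS catches up. I would add a comment beside the new line, `# hardened kernel must stay within the ZFS-supported kernel range; check before bumping nixpkgs`, and confirm that the pool imports on the new kernel before deploying. The enclosing attribute set starts and ends outside the hunk.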
--- a/hosts/stan/default.nix
+++ b/hosts/stan/default.nix
@@ -29,7 +29,7 @@ in {
 "/crypto_keyfile.bin";
 secrets = { "/crypto_keyfile.bin" = null; };
 };
- kernelPackages = pkgs.linuxPackages;
+ kernelPackages = pkgs.linuxPackages_hardened;
 kernelParams = [ "intel_idle.max_cstate=4" ];
 };