default: set hardened kernel as default

default.nix

@@ -100,6 +100,8 @@ in {
     '';
     boot.cleanTmpDir = true;
 
+    boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;
+
     environment.systemPackages = with pkgs; [
       age
       apg

hosts/box/default.nix

@@ -96,8 +96,6 @@ in {
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  boot.kernelPackages = pkgs.linuxPackages_hardened;
-
   doas.enable = true;
 
   networking.hostName = "box";

hosts/europa/default.nix

@@ -57,7 +57,6 @@ in {
         efiSysMountPoint = "/boot/efi";
       };
     };
-    kernelPackages = pkgs.linuxPackages_hardened;
     kernelParams = [ "boot.shell_on_fail" "mem_sleep_default=deep" ];
     kernelModules = [ "kvm-intel" ];
   };

hosts/faf/default.nix

@@ -14,8 +14,6 @@ in {
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  boot.kernelPackages = pkgs.linuxPackages_hardened;
-
   boot.supportedFilesystems = [ "zfs" ];
   boot.zfs.devNodes = "/dev/";
 

hosts/h/default.nix

@@ -33,7 +33,6 @@ in {
   boot.loader.grub.version = 2;
   boot.loader.grub.device = "/dev/sda";
 
-  boot.kernelPackages = pkgs.linuxPackages_hardened;
   boot.kernelParams = [ "net.ifnames=0" ];
 
   tailscale.sshOnly = true;

hosts/stan/default.nix

@@ -29,7 +29,6 @@ in {
         "/crypto_keyfile.bin";
       secrets = { "/crypto_keyfile.bin" = null; };
     };
-    kernelPackages = pkgs.linuxPackages_hardened;
     kernelParams = [ "intel_idle.max_cstate=4" ];
 
   };