From be7a2338aee43026cf464b0906c572ee7f57cf41 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy
Date: Fri, 29 Mar 2024 17:14:53 +0300
Subject: [PATCH] host: improve hardened configuration
---
 nixos/hosts/home/default.nix | 12 ++++--------
 nixos/hosts/istal/default.nix | 8 +++-----
 nixos/hosts/tatos/default.nix | 9 +++------
 nixos/shared/headless.nix | 12 ++++++++++++
 nixos/shared/kernel.nix | 9 +++++++++
 5 files changed, 31 insertions(+), 19 deletions(-)
 create mode 100644 nixos/shared/headless.nix
 create mode 100644 nixos/shared/kernel.nix
diff --git a/nixos/hosts/home/default.nix b/nixos/hosts/home/default.nix
index 8493c88..93f87d2 100644
--- a/nixos/hosts/home/default.nix
+++ b/nixos/hosts/home/default.nix
@@ -5,6 +5,7 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ ../../shared/kernel.nix
 ../../shared/common.nix
 ../../shared/sound.nix
 ../../shared/window-manager.nix
@@ -15,14 +16,9 @@
 ../../shared/encrypted-dns.nix
 ];
 
- # Configure kernel
- boot = {
- # I cannot use rtl88x2bu driver in stable
- kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
- extraModulePackages = with config.boot.kernelPackages; [
- rtl88x2bu
- ];
- };
+ boot.extraModulePackages = with config.boot.kernelPackages; [
+ rtl88x2bu # wifi
+ ];
 
 # Use the GRUB 2 boot loader.
 boot.loader.grub = {
diff --git a/nixos/hosts/istal/default.nix b/nixos/hosts/istal/default.nix
index aaef110..032ed71 100644
--- a/nixos/hosts/istal/default.nix
+++ b/nixos/hosts/istal/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ ... }:
 let
 data = import ../../../data.nix;
 
@@ -7,6 +7,8 @@ in
 imports = [
 ./hardware-configuration.nix
 ./networking.secret.nix # generated at runtime by nixos-infect
+ ../../shared/kernel.nix
+ ../../shared/headless.nix
 ../../modules/nix.nix
 ../../shared/common.nix
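Review bot: Importing `../../shared/kernel.nix` in home's second hunk pulls the full nixpkgs hardened profile into a desktop host (this file also imports sound and window-manager modules) that previously used only the hardened kernel package, and the hunk adds no per-host overrides for it. As far as I recall that profile is written for servers and, among other defaults, disables unprivileged user namespaces and locks kernel module loading after boot, both of which can break desktop workloads; if that is intended, a comment next to the import such as `../../shared/kernel.nix # hardened profile + kernel; desktop overrides go below` and a check that sandboxed applications still work would make the change deliberate. The out-of-tree `rtl88x2bu` module is now the only hardware-specific piece left here, and with module loading locked it must already be loaded by the time the lock engages; confirm that the device is cold-plugged before that point, or list the module explicitly in `boot.kernelModules`. The enclosing attribute set continues outside the hunk.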
@@ -16,10 +18,6 @@ in
 ./services/wireguard.nix
 ];
 
- boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
- boot.tmp.cleanOnBoot = true;
- zramSwap.enable = true;
-
 networking.hostName = "istal";
 networking.domain = "local";
diff --git a/nixos/hosts/tatos/default.nix b/nixos/hosts/tatos/default.nix
index 9e513f0..8383dfd 100644
--- a/nixos/hosts/tatos/default.nix
+++ b/nixos/hosts/tatos/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ ... }:
 let
 data = import ../../../data.nix;
 
@@ -7,6 +7,8 @@ in
 imports = [
 ./hardware-configuration.nix
 ./networking.secret.nix # generated at runtime by nixos-infect
+ ../../shared/kernel.nix
+ ../../shared/headless.nix
 ../../modules/nix.nix
 ../../shared/common.nix
@@ -16,11 +18,6 @@ in
 ./services/wireguard.nix
 ];
 
- boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
- boot.tmp.cleanOnBoot = true;
-
- zramSwap.enable = true;
-
 networking.hostName = "tatos";
 
 services.openssh.enable = true;
diff --git a/nixos/shared/headless.nix b/nixos/shared/headless.nix
new file mode 100644
index 0000000..f9955af
--- /dev/null
+++ b/nixos/shared/headless.nix
@@ -0,0 +1,12 @@
+{ inputs, ... }:
+
+{
+ imports = [
+ "${inputs.nixpkgs}/nixos/modules/profiles/headless.nix"
+ ];
+
+ environment.memoryAllocator.provider = "libc";
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+}
diff --git a/nixos/shared/kernel.nix b/nixos/shared/kernel.nix
new file mode 100644
index 0000000..2dab4d2
--- /dev/null
+++ b/nixos/shared/kernel.nix
@@ -0,0 +1,9 @@
+{ inputs, pkgs, ... }:
+
+{
+ imports = [
+ "${inputs.nixpkgs-unstable}/nixos/modules/profiles/hardened.nix"
+ ];
+
+ boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
+}
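Review bot: `environment.memoryAllocator.provider = "libc";` in the new `nixos/shared/headless.nix` carries no comment, yet both hosts that import it (istal and tatos) also import `kernel.nix`, whose hardened profile — to my knowledge — sets a hardened allocator as its default, so this line quietly reverts one of the profile's measures on exactly the servers the patch sets out to harden. Record the reason so it can be re-evaluated later, e.g. `# hardened.nix defaults to a hardened allocator; libc is used here because <REASON-PLACEHOLDER> — revisit when that no longer applies`, and if the reason is a single misbehaving service consider keeping the override in that host instead of the shared module. The file also takes its profile from `inputs.nixpkgs` while `kernel.nix` takes the hardened profile from `inputs.nixpkgs-unstable`; evaluating a module from one nixpkgs revision against the option set of another only works while the options it sets exist in both, which is worth stating in a comment since nothing here enforces it.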
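Review bot: `boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;` in the new `nixos/shared/kernel.nix` is a plain assignment, so a host that needs a different kernel cannot override it without `lib.mkForce`; `boot.kernelPackages = lib.mkDefault pkgs.unstable.linuxPackages_6_6_hardened;` (with `lib` added to the module arguments) keeps it as the shared default while letting hosts override it cleanly. The choice of the unstable package set and the pin to the 6.6 series are also undocumented here, while the only explanation that existed (`# I cannot use rtl88x2bu driver in stable`) is deleted from home/default.nix in this same patch; a one-line comment above the assignment, e.g. `# unstable: the hardened 6.6 series that home's rtl88x2bu module builds against is not in stable`, keeps the reason next to the pin. Hardened kernel series in nixpkgs tend to be removed once upstream stops patching them, so the comment should also say which host actually constrains the version, so the others are not held back when it is dropped.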