mynix/system
1
1
Fork 0
Code Issues 2 Pull requests Activity

host: improve hardened configuration

Browse source
This commit is contained in:
Dmitriy Pleshevskiy 2024-03-29 17:14:53 +03:00
parent 17fe26dd41
commit be7a2338ae
Signed by: pleshevskiy
GPG key ID: 17041163DA10A9A2
5 changed files with 31 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
nixos/hosts/home/default.nix
View file

@ -5,6 +5,7 @@
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../shared/kernel.nix
../../shared/common.nix ../../shared/common.nix
../../shared/sound.nix ../../shared/sound.nix
../../shared/window-manager.nix ../../shared/window-manager.nix
@ -15,14 +16,9 @@
../../shared/encrypted-dns.nix ../../shared/encrypted-dns.nix
]; ];
# Configure kernel boot.extraModulePackages = with config.boot.kernelPackages; [
boot = { rtl88x2bu # wifi
# I cannot use rtl88x2bu driver in stable
kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
extraModulePackages = with config.boot.kernelPackages; [
rtl88x2bu
]; ];
};
# Use the GRUB 2 boot loader. # Use the GRUB 2 boot loader.
boot.loader.grub = { boot.loader.grub = {

8
nixos/hosts/istal/default.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: { ... }:
let let
data = import ../../../data.nix; data = import ../../../data.nix;
@ -7,6 +7,8 @@ in
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./networking.secret.nix # generated at runtime by nixos-infect ./networking.secret.nix # generated at runtime by nixos-infect
../../shared/kernel.nix
../../shared/headless.nix
../../modules/nix.nix ../../modules/nix.nix
../../shared/common.nix ../../shared/common.nix
@ -16,10 +18,6 @@ in
./services/wireguard.nix ./services/wireguard.nix
]; ];
boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "istal"; networking.hostName = "istal";
networking.domain = "local"; networking.domain = "local";

9
nixos/hosts/tatos/default.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: { ... }:
let let
data = import ../../../data.nix; data = import ../../../data.nix;
@ -7,6 +7,8 @@ in
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./networking.secret.nix # generated at runtime by nixos-infect ./networking.secret.nix # generated at runtime by nixos-infect
../../shared/kernel.nix
../../shared/headless.nix
../../modules/nix.nix ../../modules/nix.nix
../../shared/common.nix ../../shared/common.nix
@ -16,11 +18,6 @@ in
./services/wireguard.nix ./services/wireguard.nix
]; ];
boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "tatos"; networking.hostName = "tatos";
services.openssh.enable = true; services.openssh.enable = true;

12
nixos/shared/headless.nix Normal file
View file

@ -0,0 +1,12 @@
{ inputs, ... }:
{
imports = [
"${inputs.nixpkgs}/nixos/modules/profiles/headless.nix"
];
environment.memoryAllocator.provider = "libc";
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
}

9
nixos/shared/kernel.nix Normal file
View file

@ -0,0 +1,9 @@
{ inputs, pkgs, ... }:
{
imports = [
"${inputs.nixpkgs-unstable}/nixos/modules/profiles/hardened.nix"
];
boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
}