host: improve hardened configuration

nixos/hosts/home/default.nix

@@ -5,6 +5,7 @@
   imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
+    ../../shared/kernel.nix
     ../../shared/common.nix
     ../../shared/sound.nix
     ../../shared/window-manager.nix
@@ -15,14 +16,9 @@
     ../../shared/encrypted-dns.nix
   ];
 
-  # Configure kernel
-  boot = {
-    # I cannot use rtl88x2bu driver in stable
-    kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
-    extraModulePackages = with config.boot.kernelPackages; [
-      rtl88x2bu
+  boot.extraModulePackages = with config.boot.kernelPackages; [
+    rtl88x2bu # wifi
   ];
-  };
 
   # Use the GRUB 2 boot loader.
   boot.loader.grub = {

nixos/hosts/istal/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ ... }:
 
 let
   data = import ../../../data.nix;
@@ -7,6 +7,8 @@ in
   imports = [
     ./hardware-configuration.nix
     ./networking.secret.nix # generated at runtime by nixos-infect
+    ../../shared/kernel.nix
+    ../../shared/headless.nix
 
     ../../modules/nix.nix
     ../../shared/common.nix
@@ -16,10 +18,6 @@ in
     ./services/wireguard.nix
   ];
 
-  boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
-  boot.tmp.cleanOnBoot = true;
-  zramSwap.enable = true;
-
   networking.hostName = "istal";
   networking.domain = "local";
 

nixos/hosts/tatos/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ ... }:
 
 let
   data = import ../../../data.nix;
@@ -7,6 +7,8 @@ in
   imports = [
     ./hardware-configuration.nix
     ./networking.secret.nix # generated at runtime by nixos-infect
+    ../../shared/kernel.nix
+    ../../shared/headless.nix
 
     ../../modules/nix.nix
     ../../shared/common.nix
@@ -16,11 +18,6 @@ in
     ./services/wireguard.nix
   ];
 
-  boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
-  boot.tmp.cleanOnBoot = true;
-
-  zramSwap.enable = true;
-
   networking.hostName = "tatos";
 
   services.openssh.enable = true;

nixos/shared/headless.nix

@@ -0,0 +1,12 @@
+{ inputs, ... }:
+
+{
+  imports = [
+    "${inputs.nixpkgs}/nixos/modules/profiles/headless.nix"
+  ];
+
+  environment.memoryAllocator.provider = "libc";
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+}

nixos/shared/kernel.nix

@@ -0,0 +1,9 @@
+{ inputs, pkgs, ... }:
+
+{
+  imports = [
+    "${inputs.nixpkgs-unstable}/nixos/modules/profiles/hardened.nix"
+  ];
+
+  boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
+}