From ad36f9455d7deed4372b755a5425fbb75e59ea45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Sat, 9 May 2020 11:02:36 +0100
Subject: [PATCH] port to new settings style

---
 nixos/boxes/foureighty.nix | 2 +-
 nixos/common-hardware.nix | 7 +++---
 nixos/security-kernel.nix | 46 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 5 deletions(-)
 create mode 100644 nixos/security-kernel.nix

diff --git a/nixos/boxes/foureighty.nix b/nixos/boxes/foureighty.nix
index 71139bb6..661f19a8 100644
--- a/nixos/boxes/foureighty.nix
+++ b/nixos/boxes/foureighty.nix
@@ -31,7 +31,7 @@
 };
 hardware.nvidiaOptimus.disable = true;
- hardware.nvidia.optimus_prime.enable = false;
+ hardware.nvidia.prime.sync.enable = false;
 hardware.bumblebee.enable = false;
 imports = [
diff --git a/nixos/common-hardware.nix b/nixos/common-hardware.nix
index 70cf0335..510d8328 100644
--- a/nixos/common-hardware.nix
+++ b/nixos/common-hardware.nix
@@ -20,10 +20,9 @@
 hardware.bluetooth = {
 enable = true;
 package = pkgs.bluezFull;
- extraConfig = ''
- [General]
- Enable=Source,Sink,Media,Socket
- '';
+ config = {
+ General = { Enable = "Source,Sink,Media,Socket"; };
+ };
 };
 services.printing = {
diff --git a/nixos/security-kernel.nix b/nixos/security-kernel.nix
new file mode 100644
index 00000000..33406cd0
--- /dev/null
+++ b/nixos/security-kernel.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+{
+ boot.kernelPatches = [ {
+ name = "cyplo-hardened";
+ patch = null;
+ extraConfig = ''
+ LOCKUP_DETECTOR y
+ HARDLOCKUP_DETECTOR y
+ BUG y
+
+ SECURITY_SELINUX_DISABLE n
+
+ STRICT_KERNEL_RWX y
+
+ DEBUG_CREDENTIALS y
+ DEBUG_NOTIFIERS y
+ DEBUG_SG y
+ SCHED_STACK_END_CHECK y
+
+ SHUFFLE_PAGE_ALLOCATOR y
+
+ SLUB_DEBUG y
+
+ PAGE_POISONING y
+ PAGE_POISONING_NO_SANITY y
+ PAGE_POISONING_ZERO y
+
+ SECURITY_SAFESETID y
+
+ PANIC_TIMEOUT -1
+
+ GCC_PLUGINS y
+ GCC_PLUGIN_LATENT_ENTROPY y
+
+ GCC_PLUGIN_STRUCTLEAK y
+ GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y
+ GCC_PLUGIN_STACKLEAK y
+ GCC_PLUGIN_RANDSTRUCT y
+ GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
+
+ ACPI_CUSTOM_METHOD n
+ PROC_KCORE n
+ INET_DIAG n
+ '';
+ } ];
+}
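Review bot: `PAGE_POISONING y` and `SLUB_DEBUG y` in the new extraConfig only compile the mechanisms in; the kernel's parameter documentation has page poisoning off by default until `page_poison=1` is passed, and SLUB debugging is likewise enabled at boot via `slub_debug=` unless `SLUB_DEBUG_ON y` is also set, so this module as written does not actually poison freed pages or slab objects. Consider pairing the patch entry with `boot.kernelParams = [ "page_poison=1" "slub_debug=P" ];` (on 5.3+ kernels `init_on_free=1`, or `INIT_ON_FREE_DEFAULT_ON y`, covers the same wipe-on-free intent with less overhead); which form applies depends on the kernel version, which the file does not pin, so the choice should be stated in a comment above `PAGE_POISONING y`. Separately, `PANIC_TIMEOUT -1` reboots immediately on panic, so the lockup detectors and `BUG y` above it will leave no trace of the fault unless pstore or a crash kernel is configured; a one-line comment there recording that trade-off is worth adding. As I understand it, `GCC_PLUGIN_RANDSTRUCT y` also means any out-of-tree module must be built against this exact kernel's randomization seed, which deserves a comment on that line given the NVIDIA options touched in foureighty.nix by the same commit.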