port to new settings style

nixos/boxes/foureighty.nix

@@ -31,7 +31,7 @@
   };
 
   hardware.nvidiaOptimus.disable = true;
-  hardware.nvidia.optimus_prime.enable = false;
+  hardware.nvidia.prime.sync.enable = false;
   hardware.bumblebee.enable = false;
 
   imports = [

nixos/common-hardware.nix

@@ -20,10 +20,9 @@
   hardware.bluetooth = {
     enable = true;
     package = pkgs.bluezFull;
-    extraConfig = ''
-            [General]
-            Enable=Source,Sink,Media,Socket
-    '';
+    config = {
+      General = { Enable = "Source,Sink,Media,Socket"; };
+    };
   };
 
   services.printing = {

nixos/security-kernel.nix

@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+{
+  boot.kernelPatches = [ {
+    name = "cyplo-hardened";
+    patch = null;
+    extraConfig = ''
+      LOCKUP_DETECTOR y
+      HARDLOCKUP_DETECTOR y
+      BUG y
+
+      SECURITY_SELINUX_DISABLE  n
+
+      STRICT_KERNEL_RWX  y
+
+      DEBUG_CREDENTIALS      y
+      DEBUG_NOTIFIERS        y
+      DEBUG_SG               y
+      SCHED_STACK_END_CHECK  y
+
+      SHUFFLE_PAGE_ALLOCATOR  y
+
+      SLUB_DEBUG  y
+
+      PAGE_POISONING            y
+      PAGE_POISONING_NO_SANITY  y
+      PAGE_POISONING_ZERO       y
+
+      SECURITY_SAFESETID  y
+
+      PANIC_TIMEOUT  -1
+
+      GCC_PLUGINS  y
+      GCC_PLUGIN_LATENT_ENTROPY  y
+
+      GCC_PLUGIN_STRUCTLEAK  y
+      GCC_PLUGIN_STRUCTLEAK_BYREF_ALL  y
+      GCC_PLUGIN_STACKLEAK  y
+      GCC_PLUGIN_RANDSTRUCT y
+      GCC_PLUGIN_RANDSTRUCT_PERFORMANCE  y
+
+      ACPI_CUSTOM_METHOD  n
+      PROC_KCORE          n
+      INET_DIAG           n
+    '';
+  } ];
+}