diff --git a/nixos/boot.nix b/nixos/boot.nix
index 08adf58b..8a582e0a 100644
--- a/nixos/boot.nix
+++ b/nixos/boot.nix
@@ -8,6 +8,11 @@
 kernel.sysctl = {
 "vm.swappiness" = 1;
 "max_user_watches" = 524288;
+ "kernel.dmesg_restrict" = true;
+ "kernel.unprivileged_bpf_disabled" = true;
+ "kernel.unprivileged_userns_clone" = 1;
+ "net.core.bpf_jit_enable" = pkgs.lib.mkDefault false;
+ "net.core.bpf_jit_harden" = true;
 };
 loader.grub = {
 enable = true;
@@ -15,4 +20,5 @@
 useOSProber = true;
 };
 };
+
 }
diff --git a/nixos/boxes/foureighty.nix b/nixos/boxes/foureighty.nix
index 43fea1ca..51e947c5 100644
--- a/nixos/boxes/foureighty.nix
+++ b/nixos/boxes/foureighty.nix
@@ -2,8 +2,20 @@
 {
 networking.hostName = "foureighty";
+ nixpkgs.config.packageOverrides = pkgs: {
+ linux_latest_hardened = pkgs.linux_latest_hardened.override {
+ extraConfig = ''
+ IA32_EMULATION y
+ KVM m
+ KVM_INTEL m
+ '';
+ features.ia32Emulation = true;
+ enableParallelBuilding = true;
+ };
+ };
+
 boot = {
- kernelPackages = pkgs.linuxPackages_latest_hardened;
+ kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest_hardened;
 extraModulePackages = with config.boot.kernelPackages; [ wireguard ];
 initrd.kernelModules = [ "i915" ];
@@ -43,7 +55,9 @@
 hardware.nvidiaOptimus.disable = true;
 hardware.opengl.extraPackages = [ pkgs.linuxPackages.nvidia_x11.out ];
- hardware.opengl.extraPackages32 = [ pkgs.linuxPackages.nvidia_x11.lib32 ];
+ hardware.opengl.extraPackages32 = [ pkgs.linuxPackages.nvidia_x11.lib32 pkgs.pkgsi686Linux.libva ];
+ hardware.opengl.driSupport32Bit = true;
+ hardware.pulseaudio.support32Bit = true;
 imports = [ /etc/nixos/hardware-configuration.nix
diff --git a/nixos/common.nix b/nixos/common.nix
index fe4f8736..153f3501 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
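Review bot: `"kernel.unprivileged_userns_clone" = 1;` explicitly enables unprivileged user namespaces, the opposite direction from the four hardening sysctls around it (hardened kernels carrying that patch normally default it to 0), so the reason it is wanted deserves a comment such as `# unprivileged userns needed for <sandboxed app> — loosens the hardened default`. That key only exists on kernels with the corresponding patch; if boot.nix is shared by a host running a stock kernel, systemd-sysctl will log a failure for it on every boot. `"net.core.bpf_jit_harden" = true;` is rendered as 1, which hardens JIT output only for unprivileged programs, and since `kernel.unprivileged_bpf_disabled` on the line above already shuts those out, it covers nothing; `2` hardens privileged JIT as well. Note also that once `unprivileged_bpf_disabled` is set to 1 it cannot be cleared again without a reboot, and the mixed `true`/`1` value style in one attrset is worth unifying.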
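Review bot: `IA32_EMULATION y` in the kernel override re-enables the 32-bit compat syscall ABI, which the hardened variant apparently leaves off (the override and `features.ia32Emulation = true;` would otherwise be unnecessary) as an attack-surface reduction; the trade-off is undocumented, so add a comment like `# 32-bit compat syscalls re-enabled for Wine/Steam; widens the kernel attack surface on purpose` above `extraConfig`. `enableParallelBuilding = true;` is passed straight through `.override`; if the kernel builder does not accept that argument the evaluation fails with an unexpected-argument error, so confirm it is honoured rather than assumed. The attrset opened at `{` continues past the end of the hunk.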
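Review bot: The rewritten `extraPackages32` line keeps `pkgs.linuxPackages.nvidia_x11.lib32`, taken from the default kernel's package set, while this same commit moves `boot.kernelPackages` to `linuxPackagesFor pkgs.linux_latest_hardened`; NVIDIA userspace libraries must match the version of the loaded module, so `config.boot.kernelPackages.nvidia_x11.lib32` (and `.out` on the context line above) would stay in sync automatically. With `hardware.nvidiaOptimus.disable = true` the module may never be loaded, in which case those entries can likely be dropped altogether; worth confirming on the box.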
@@ -46,6 +46,8 @@ in fonts.fonts = with pkgs; [ powerline-fonts weather-icons material-icons source-code-pro fira-code noto-fonts-emoji emojione iosevka ];
+ services.haveged.enable = true;
+
 nix = {
 autoOptimiseStore = true;
 daemonIONiceLevel = 7;
diff --git a/nixos/gui.nix b/nixos/gui.nix
index 929f9353..3106bd3f 100644
--- a/nixos/gui.nix
+++ b/nixos/gui.nix
@@ -9,10 +9,12 @@ notable evince signal-desktop libreoffice unstable.tor-browser-bundle-bin vlc jetbrains.goland unstable.jetbrains.clion jetbrains.idea-ultimate unstable.android-studio - (wine.override { wineBuild = "wineWow"; }) winetricks yubico-piv-tool yubikey-personalization yubikey-personalization-gui yubikey-manager-qt slack discord obs-studio gnome3.nautilus gnome3.eog hopper
+ (wine.override { wineBuild = "wineWow"; }) winetricks
+ steam
+# (steam.override { withPrimus = true; extraPkgs = pkgs: [ bumblebee glxinfo ]; nativeOnly = true; })
 ];
 }
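Review bot: `services.haveged.enable = true;` lands in the shared common.nix with no comment on which symptom it addresses; haveged feeds the kernel pool from CPU timing jitter and is largely redundant on kernels that seed the pool early themselves, so the motivation should be recorded, e.g. `# haveged: <host/service> blocked on entropy at boot — TODO confirm still needed` (placeholder to fill in). If the problem was seen on one box only, that box's file is the narrower place for it.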
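Review bot: `steam` is added to the shared gui.nix package list, but the `hardware.opengl.driSupport32Bit` and `hardware.pulseaudio.support32Bit` options it relies on are enabled by this commit only in boxes/foureighty.nix, so any other host importing gui.nix would get a Steam that cannot start (inferred from the file split, worth confirming). Either move `steam` next to those options in foureighty.nix or set them in gui.nix beside it. The commented-out `# (steam.override { withPrimus = true; … })` line at column 0 is dead code inside the list; drop it, or replace it with a one-line comment stating when it is needed, e.g. `# primus/bumblebee variant for the Optimus GPU, not wired up yet`. The list starts before the hunk.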