Initial import
commit
47278bc6f0
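--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+# Hidden files
+.*
+!.git*
+
+# Nix
+/result
+/result-*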
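--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1722415718,
+"narHash": "sha256-5US0/pgxbMksF92k1+eOa8arJTJiPvsdZj9Dl+vJkM4=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "c3392ad349a5227f4a3464dce87bcc5046692fce",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixpkgs-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}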
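--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,49 @@
+{
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+};
+
+nixConfig = {
+extra-substituters = [ "https://cache.kyouma.net" ];
+extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
+};
+
+outputs = { self, nixpkgs, ... }:
+let
+inherit (nixpkgs) lib;
+inherit (lib) mapAttrs;
+profiles = import ./profiles.nix;
+
+legacyPackages = mapAttrs
+(system: profile: import nixpkgs { inherit system; }) profiles;
+
+linux-hardened = import ./linux-hardened.nix;
+in {
+packages = mapAttrs (system: profiles:
+mapAttrs (name: profile:
+linux-hardened legacyPackages.${system} profile) profiles)
+profiles;
+
+devShells = mapAttrs (system: profile:
+let
+pkgs = legacyPackages.${system};
+dummy = linux-hardened pkgs
+{ arch = ""; config = "/dev/null"; firmware = [ ]; };
+
+mkShell = packages: pkgs.mkShell {
+inherit packages;
+shellHook = ''
+exec $SHELL
+'';
+};
+in {
+default = mkShell
+(with pkgs; dummy.nativeBuildInputs ++ [ ncurses pkg-config ]);
+}) profiles;
+
+hydraJobs = {
+kernel = self.packages;
+shell = self.devShells;
+};
+};
+}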
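--- /dev/null
+++ b/linux-hardened.nix
@@ -0,0 +1,71 @@
+pkgs: { arch, config, firmware }:
+let
+inherit (pkgs) lib linuxKernel fetchFromGitHub gccStdenv runCommand;
+
+kernel = linuxKernel.manualConfig rec {
+inherit configfile;
+
+pname = "linux-hardened";
+version = "6.10.2-hardened1";
+
+src = fetchFromGitHub {
+owner = "anthraxx";
+repo = pname;
+rev = "v${version}";
+hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
+};
+
+stdenv = gccStdenv;
+
+extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];
+isHardened = true;
+};
+
+configfile =
+let
+firmwareCollection = runCommand "linux-firmware" {
+inherit firmware;
+firmwarePackages = with pkgs; [ linux-firmware sof-firmware wireless-regdb ];
+} ''
+for dir in ''${firmwarePackages[@]}; do
+pushd "$dir/lib/firmware"
+
+for fw in ''${firmware}; do
+if [ -e "$fw" ]; then
+local base="$(dirname "$fw")"
+mkdir -p "$out/lib/firmware/$base"
+ln -s "$dir/lib/firmware/$fw" "$out/lib/firmware/$base"
+fi
+done
+
+popd
+done
+'';
+in runCommand "linux-config" {
+env = {
+extra_firmware = lib.concatStringsSep " " firmware;
+extra_firmware_dir = "${firmwareCollection}/lib/firmware";
+};
+} ''
+substituteAll ${config} $out
+'';
+in kernel.overrideAttrs (base: {
+passthru = base.passthru or { } // {
+features = { efiBootStub = true; };
+};
+
+installFlags = base.installFlags or [ ] ++
+[ "INSTALL_MOD_PATH=$(out)" ];
+
+postInstall = ''
+if [ -z "''${dontStrip-}" ]; then
+installFlagsArray+=( "INSTALL_MOD_STRIP=1" )
+fi
+
+make modules_install $makeFlags "''${makeFlagsArray[@]}" \
+$installFlags "''${installFlagsArray[@]}"
+
+depmod -b $out ${base.version}
+touch $out/lib/modules/${base.version}/modules.order
+'';
+})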
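--- /dev/null
+++ b/profiles.nix
@@ -0,0 +1,30 @@
+{
+x86_64-linux = {
+qemu-virtio = {
+arch = "x86-64-v3";
+config = ./x86-64/qemu-virtio;
+firmware = [ ];
+};
+
+thinkpad-x1-extreme-gen5 = {
+arch = "alderlake";
+config = ./x86-64/thinkpad-x1-extreme-gen5;
+firmware = [
+"i915/adlp_dmc.bin" "i915/adlp_dmc_ver2_16.bin"
+"i915/adlp_guc_70.bin" "i915/tgl_huc.bin"
+"intel/ibt-0040-0041.sfi" "intel/ibt-0040-0041.ddc"
+"intel/sof/sof-adl.ri" "intel/sof-tplg/sof-hda-generic-2ch.tplg"
+"iwlwifi-so-a0-gf-a0-89.ucode" "iwlwifi-so-a0-gf-a0.pnvm"
+"nvidia/ga107/acr/ucode_unload.bin"
+"nvidia/ga107/acr/ucode_asb.bin" "nvidia/ga107/acr/ucode_ahesasc.bin"
+"nvidia/ga107/gr/fecs_bl.bin" "nvidia/ga107/gr/fecs_sig.bin"
+"nvidia/ga107/gr/gpccs_bl.bin" "nvidia/ga107/gr/gpccs_sig.bin"
+"nvidia/ga107/gr/NET_img.bin"
+"nvidia/ga107/sec2/desc.bin" "nvidia/ga107/sec2/image.bin"
+"nvidia/ga107/sec2/sig.bin" "nvidia/ga107/sec2/hs_bl_sig.bin"
+"nvidia/ga107/nvdec/scrubber.bin"
+"regulatory.db" "regulatory.db.p7s"
+];
+};
+};
+}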
4028
x86-64/qemu-virtio
Normal file
4028
x86-64/qemu-virtio
Normal file
File diff suppressed because it is too large
6385
x86-64/thinkpad-x1-extreme-gen5
Normal file
6385
x86-64/thinkpad-x1-extreme-gen5
Normal file
File diff suppressed because it is too large