Modularise kernel configuration

audio.nix

@@ -0,0 +1,11 @@
+{ lib, ... }: with lib.kernel; {
+  SOUND = yes;
+  SND = yes;
+  SND_PCM_TIMER = yes;
+  SND_DYNAMIC_MINORS = yes;
+  SND_SUPPORT_OLD_API = no;
+  SND_PCI = yes;
+
+  SND_USB = yes;
+  SND_USB_AUDIO = yes;
+}

base.nix

@@ -0,0 +1,345 @@
+{ lib, hostPlatform, ... }@args: with lib.kernel;
+
+(import ./disable.nix args) //
+(import ./systemd.nix args) // {
+  KERNEL_ZSTD = yes;
+
+  SYSVIPC = yes;
+  POSIX_MQUEUE = yes;
+  AUDIT = no;
+
+  NO_HZ_IDLE = yes;
+  HIGH_RES_TIMERS = yes;
+
+  BPF_SYSCALL = yes;
+  BPF_JIT = yes;
+  BPF_JIT_ALWAYS_ON = yes;
+
+  SCHED_CORE = yes;
+  CPU_ISOLATION = yes;
+
+  UTS_NS = yes;
+  TIME_NS = yes;
+  USER_NS = yes;
+  PID_NS = yes;
+
+  SCHED_AUTOGROUP = yes;
+
+  BLK_DEV_INITRD = yes;
+  RD_GZIP = no;
+  RD_BZIP2 = no;
+  RD_LZMA = no;
+  RD_XZ = no;
+  RD_LZO = no;
+  RD_LZ4 = no;
+  RD_ZSTD = yes;
+  BOOT_CONFIG = yes;
+
+  EXPERT = yes;
+  SGETMASK_SYSCALL = no;
+  SYSFS_SYSCALL = no;
+  PCSPKR_PLATFORM = no;
+
+  KALLSYMS = yes;
+  KALLSYMS_ALL = no;
+
+  SMP = yes;
+  SCHED_MC = yes;
+  SCHED_CLUSTER = option yes;
+  SCHED_SMT = option yes;
+  NUMA = yes;
+
+  EFI = yes;
+  EFI_STUB = yes;
+
+  HZ_1000 = yes;
+
+  RELOCATABLE = yes;
+  RANDOMIZE_BASE = yes;
+  RANDOMIZE_MEMORY = yes;
+
+  PM = yes;
+  ENERGY_MODEL = yes;
+  ACPI = yes;
+  ACPI_APEI = yes;
+  ACPI_NUMA = yes;
+
+  CPU_FREQ = yes;
+  CPU_FREQ_STAT = yes;
+  CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
+  CPU_FREQ_GOV_SCHEDUTIL = yes;
+
+  CPU_IDLE = yes;
+  CPU_IDLE_GOV_MENU = no;
+  CPU_IDLE_GOV_TEO = yes;
+
+  JUMP_LABEL = yes;
+  SECCOMP = yes;
+
+  STACKPROTECTOR = yes;
+  STACKPROTECTOR_STRONG = yes;
+
+  LTO_CLANG_FULL = option yes;
+
+  VMAP_STACK = yes;
+  RANDOMIZE_KSTACK_OFFSET_DEFAULT = yes;
+
+  GCC_PLUGINS = yes;
+
+  BLK_DEV_WRITE_MOUNTED = yes;
+  BLK_WBT = yes;
+  BLK_WBT_MQ = yes;
+
+  PARTITION_ADVANCED = yes;
+  MSDOS_PARTITION = no;
+  EFI_PARTITION = yes;
+
+  MQ_IOSCHED_DEADLINE = yes;
+  MQ_IOSCHED_KYBER = yes;
+  IOSCHED_BFQ = yes;
+
+  BINFMT_ELF = yes;
+  CORE_DUMP_DEFAULT_ELF_HEADERS = yes;
+  BINFMT_SCRIPT = yes;
+  BINFMT_MISC = yes;
+  COREDUMP = yes;
+
+  SWAP = yes;
+
+  SLAB_FREELIST_RANDOM = yes;
+  SLAB_FREELIST_HARDENED = yes;
+  SLAB_CANARY = yes;
+  SLUB_CPU_PARTIAL = yes;
+  RANDOM_KMALLOC_CACHES = yes;
+
+  SHUFFLE_PAGE_ALLOCATOR = yes;
+  COMPAT_BRK = no;
+  SPARSEMEM_VMEMMAP = yes;
+  MEMORY_HOTPLUG = yes;
+  MEMORY_HOTREMOVE = yes;
+
+  COMPACTION = yes;
+  MIGRATION = yes;
+  KSM = yes;
+
+  TRANSPARENT_HUGEPAGE = yes;
+  TRANSPARENT_HUGEPAGE_ALWAYS = yes;
+  READ_ONLY_THP_FOR_FS = yes;
+  DEFERRED_STRUCT_PAGE_INIT = yes;
+
+  ZONE_DEVICE = yes;
+  DEVICE_PRIVATE = yes;
+
+  LRU_GEN = option yes;
+  LRU_GEN_ENABLED = option yes;
+
+  NET = yes;
+  PACKET = yes;
+  PACKET_DIAG = yes;
+  UNIX = yes;
+  UNIX_DIAG = yes;
+  XDP_SOCKETS = yes;
+  XDP_SOCKETS_DIAG = yes;
+  INET = yes;
+  SYN_COOKIES = yes;
+  INET_DIAG = yes;
+  INET_UDP_DIAG = yes;
+  INET_RAW_DIAG = yes;
+
+  TCP_CONG_ADVANCED = yes;
+  TCP_CONG_BIC = no;
+  TCP_CONG_CUBIC = no;
+  TCP_CONG_WESTWOOD = no;
+  TCP_CONG_HTCP = no;
+  TCP_CONG_BBR = yes;
+  DEFAULT_BBR = yes;
+
+  IPV6 = yes;
+
+  NETFILTER = yes;
+  NETFILTER_ADVANCED = yes;
+  NETFILTER_INGRESS = yes;
+  NETFILTER_EGRESS = yes;
+
+  NF_CONNTRACK = yes;
+  NF_TABLES = yes;
+  NF_TABLES_INET = yes;
+  NFT_CT = yes;
+  NFT_CONNLIMIT = yes;
+  NFT_LIMIT = yes;
+  NFT_LOG = yes;
+  NFT_REJECT = yes;
+  NFT_FIB_INET = yes;
+  NF_TABLES_IPV4 = yes;
+  NFT_FIB_IPV4 = yes;
+  NF_TABLES_IPV6 = yes;
+  NFT_FIB_IPV6 = yes;
+
+  NET_SCH_CAKE = yes;
+  NET_SCH_FQ = yes;
+  NET_SCH_DEFAULT = yes;
+  DEFAULT_FQ = yes;
+  DEFAULT_NET_SCH = freeform "fq";
+
+  NETLINK_DIAG = yes;
+  ETHTOOL_NETLINK = yes;
+
+  PCI = yes;
+  PCI_MSI = yes;
+  PCIE_BUS_PERFORMANCE = option yes;
+
+  DEVTMPFS = yes;
+  DEVTMPFS_MOUNT = yes;
+  DEVTMPFS_SAFE = yes;
+
+  STANDALONE = yes;
+  PREVENT_FIRMWARE_BUILD = yes;
+
+  FW_LOADER_COMPRESS = yes;
+  FW_LOADER_COMPRESS_XZ = no;
+  FW_LOADER_COMPRESS_ZSTD = yes;
+  ALLOW_DEV_COREDUMP = yes;
+
+  SYSFB_SIMPLEFB = yes;
+
+  EFI_VARS_PSTORE = yes;
+  RESET_ATTACK_MITIGATION = yes;
+  EFI_DISABLE_PCI_DMA = yes;
+
+  BLK_DEV = yes;
+  ZRAM = yes;
+  ZRAM_DEF_COMP_ZSTD = yes;
+  ZRAM_WRITEBACK = yes;
+  BLK_DEV_LOOP = yes;
+
+  NETDEVICES = yes;
+  NET_CORE = yes;
+
+  INPUT = yes;
+  INPUT_SPARSEKMAP = yes;
+  INPUT_EVDEV = yes;
+  INPUT_KEYBOARD = yes;
+
+  TTY = yes;
+  VT = yes;
+  CONSOLE_TRANSLATIONS = yes;
+  VT_CONSOLE = yes;
+  UNIX98_PTYS = yes;
+
+  TCG_TPM = yes;
+  TCG_TPM2_HMAC = yes;
+  TCG_TIS = yes;
+
+  WATCHDOG = yes;
+  WATCHDOG_HANDLE_BOOT_ENABLED = yes;
+
+  FB = yes;
+  FB_EFI = yes;
+  FB_SIMPLE = yes;
+  FB_DEVICE = no;
+  VGA_CONSOLE = no;
+  FRAMEBUFFER_CONSOLE = yes;
+  FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = yes;
+
+  HID_SUPPORT = yes;
+  HID = yes;
+  HIDRAW = yes;
+  UHID = yes;
+  HID_GENERIC = yes;
+  USB_HID = yes;
+  USB_HIDDEV = yes;
+
+  USB_SUPPORT = yes;
+  USB = yes;
+  USB_PCI = yes;
+  USB_PCI_AMD = no;
+  USB_ANNOUNCE_NEW_DEVICES = yes;
+  USB_DEFAULT_PERSIST = yes;
+  USB_DYNAMIC_MINORS = yes;
+  USB_XHCI_HCD = yes;
+  USB_XHCI_PCI = yes;
+
+  RTC_CLASS  = yes;
+
+  DMADEVICES = yes;
+  ASYNC_TX_DMA = option yes;
+
+  STAGING = yes;
+
+  IOMMU_SUPPORT = yes;
+  IOMMU_DEFAULT_DMA_STRICT = yes;
+  IRQ_REMAP = yes;
+
+  MSDOS_FS = yes;
+  VFAT_FS = yes;
+  FAT_DEFAULT_UTF8 = yes;
+
+  PROC_FS = yes;
+  PROC_KCORE = no;
+  PROC_SYSCTL = yes;
+  PROC_PAGE_MONITOR = yes;
+  SYSFS = yes;
+  TMPFS = yes;
+  TMPFS_POSIX_ACL = yes;
+  HUGETLBFS = yes;
+  HUGETLB_PAGE_OPTIMIZE_VMEMMAP = yes;
+  HUGETLB_PAGE_OPTIMIZE_VMEMMAP_DEFAULT_ON = yes;
+  EFIVAR_FS = yes;
+
+  UNICODE = yes;
+
+  SECURITY_DMESG_RESTRICT = yes;
+  SECURITY_PERF_EVENTS_RESTRICT = yes;
+  SECURITY_TIOCSTI_RESTRICT = yes;
+  SECURITY = yes;
+  SECURITY_NETWORK = yes;
+  SECURITY_YAMA = yes;
+  SECURITY_LOCKDOWN_LSM = yes;
+  SECURITY_LOCKDOWN_LSM_EARLY = yes;
+  LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = yes;
+  SECURITY_LANDLOCK = yes;
+
+  HARDENED_USERCOPY = yes;
+  FORTIFY_SOURCE = yes;
+
+  INIT_STACK_ALL_ZERO = yes;
+  GCC_PLUGIN_STACKLEAK = option yes;
+  INIT_ON_FREE_DEFAULT_ON = yes;
+  ZERO_CALL_USED_REGS = yes;
+
+  BUG_ON_DATA_CORRUPTION = yes;
+
+  RANDSTRUCT_PERFORMANCE = option yes;
+
+  CRYPTO_ZSTD = yes;
+
+  SWIOTLB_DYNAMIC = yes;
+
+  FONTS = yes;
+  FONT_TER16x32 = yes;
+
+  DEBUG_BUGVERBOSE = yes;
+  DEBUG_INFO_DWARF5 = yes;
+  DEBUG_INFO_SPLIT = yes;
+  STRIP_ASM_SYMS = yes;
+
+  UBSAN = yes;
+  UBSAN_BOUNDS = yes;
+  UBSAN_SIGNED_WRAP = no;
+  UBSAN_BOOL = no;
+  UBSAN_ENUM = no;
+
+  WARN_ALL_UNSEEDED_RANDOM = yes;
+  DEBUG_WX = yes;
+
+  KFENCE = yes;
+  KFENCE_DEFERRABLE = yes;
+  KFENCE_BUG_ON_DATA_CORRUPTION = yes;
+
+  PANIC_ON_OOPS = yes;
+  PANIC_TIMEOUT = freeform "-1";
+
+  EARLY_PRINTK = option no;
+} // lib.optionalAttrs hostPlatform.is64bit {
+  "64BIT" = option yes;
+} // lib.optionalAttrs hostPlatform.isx86 (import ./x86.nix args)

disable.nix

@@ -0,0 +1,48 @@
+{ lib, ... }: with lib.kernel; {
+  X86_MPPARSE = option no;
+  AMD_NUMA = option no;
+
+  ACPI_BATTERY = option no;
+  ACPI_FAN = option no;
+
+  KVM_HYPERV = option no;
+
+  ATA_SFF = option no;
+
+  USB_NET_AX8817X = option no;
+  USB_NET_CDC_NCM = option no;
+  USB_NET_NET1080 = option no;
+  USB_BELKIN = option no;
+  USB_ARMLINUX = option no;
+  USB_NET_ZAURUS = option no;
+
+  MOUSE_PS2_ALPS = option no;
+  MOUSE_PS2_BYD = option no;
+  MOUSE_PS2_LOGIPS2PP = option no;
+  MOUSE_PS2_SYNAPTICS = option no;
+  MOUSE_PS2_CYPRESS = option no;
+  MOUSE_PS2_LIFEBOOK = option no;
+  MOUSE_PS2_TRACKPOINT = option no;
+  MOUSE_PS2_FOCALTECH = option no;
+
+  I2C_COMPAT = option no;
+
+  SND_SOC_INTEL_ATOM_HIFI2_PLATFORM_ACPI = option no;
+
+  SND_SOC_SOF_MERRIFIELD = option no;
+  SND_SOC_SOF_SKYLAKE = option no;
+  SND_SOC_SOF_KABYLAKE = option no;
+  SND_SOC_SOF_APOLLOLAKE = option no;
+  SND_SOC_SOF_GEMINILAKE = option no;
+  SND_SOC_SOF_CANNONLAKE = option no;
+  SND_SOC_SOF_COFFEELAKE = option no;
+  SND_SOC_SOF_COMETLAKE = option no;
+  SND_SOC_SOF_ICELAKE = option no;
+  SND_SOC_SOF_JASPERLAKE = option no;
+  SND_SOC_SOF_ELKHARTLAKE = option no;
+  SND_SOC_SOF_ALDERLAKE = option no;
+  SND_SOC_SOF_METEORLAKE = option no;
+  SND_SOC_SOF_LUNARLAKE = option no;
+
+  SECURITY_SELINUX = option no;
+}

dm-crypt.nix

@@ -0,0 +1,27 @@
+{ lib, hostPlatform, ... }: with lib.kernel; {
+  MD = yes;
+  MD_BITMAP_FILE = no;
+  BLK_DEV_DM = yes;
+  DM_CRYPT = yes;
+  DM_UEVENT = yes;
+  DM_INTEGRITY = yes;
+
+  CRYPTO_AES = yes;
+  CRYPTO_XTS = yes;
+  CRYPTO_AEGIS128 = yes;
+  CRYPTO_SHA256 = yes;
+
+  CRYPTO_USER_API_HASH = yes;
+  CRYPTO_USER_API_SKCIPHER = yes;
+} // lib.optionalAttrs hostPlatform.isx86_64 {
+  CRYPTO_AES_NI_INTEL = yes;
+  CRYPTO_AEGIS128_AESNI_SSE2 = yes;
+  CRYPTO_SHA256_SSSE3 = yes;
+} // lib.optionalAttrs hostPlatform.isRiscV64 {
+  CRYPTO_AES_RISCV64 = yes;
+  CRYPTO_SHA256_RISCV64 = yes;
+} // lib.optionalAttrs hostPlatform.isAarch64 {
+  CRYPTO_AES_ARM64_CE = yes;
+  CRYPTO_AES_ARM64_CE_BLK = yes;
+  CRYPTO_AEGIS128_SIMD = yes;
+}

dummy.nix

@@ -0,0 +1 @@
+{ ... }: { }

flake.nix

@@ -28,7 +28,7 @@
     let
       pkgs = legacyPackages.${system};
       dummy = linux-hardened pkgs
-        { arch = ""; config = "/dev/null"; firmware = [ ]; };
+        { arch = ""; config = ./dummy.nix; firmware = [ ]; };
 
       mkShell = packages: pkgs.mkShell {
         inherit packages;

linux-hardened.nix

@@ -1,34 +1,15 @@
 pkgs: { arch, config, firmware }:
 let
-  inherit (pkgs) lib linuxKernel fetchFromGitHub gccStdenv runCommand;
+  inherit (pkgs) lib buildLinux fetchFromGitHub gccStdenv runCommand;
 
-  kernel = linuxKernel.manualConfig rec {
+  kernel =
-    inherit configfile;
-
-    pname = "linux-hardened";
-    version = "6.10.2-hardened1";
-
-    src = fetchFromGitHub {
-      owner = "anthraxx";
-      repo = pname;
-      rev = "v${version}";
-      hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
-    };
-
-    stdenv = gccStdenv;
-
-    extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];
-    isHardened = true;
-  };
-
-  configfile =
   let
+    args = { inherit (pkgs) lib hostPlatform; };
+
     firmwareCollection = runCommand "linux-firmware" {
       inherit firmware;
       firmwarePackages = with pkgs; [ linux-firmware sof-firmware wireless-regdb ];
     } ''
-      mkdir -p "$out/lib/firmware"
-
       for dir in ''${firmwarePackages[@]}; do
         pushd "$dir/lib/firmware"
 
@@ -43,19 +24,31 @@ let
         popd
       done
     '';
-  in runCommand "linux-config" {
+  in buildLinux rec {
-    env = {
+    pname = "linux-hardened";
-      extra_firmware = lib.concatStringsSep " " firmware;
+    version = "6.10.2-hardened1";
-      extra_firmware_dir = "${firmwareCollection}/lib/firmware";
-    };
-  } ''
-    substituteAll ${config} $out
-  '';
-in kernel.overrideAttrs (base: {
-  passthru = base.passthru or { } // {
-    features = { efiBootStub = true; };
-  };
 
+    src = fetchFromGitHub {
+      owner = "anthraxx";
+      repo = pname;
+      rev = "v${version}";
+      hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
+    };
+
+    defconfig = "allnoconfig";
+    extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];
+    enableCommonConfig = false;
+
+    structuredExtraConfig = (import ./base.nix args) // (import config args) // {
+      EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
+      EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareCollection}/lib/firmware";
+    };
+
+    features = { efiBootStub = true; };
+    isHardened = true;
+    stdenv = gccStdenv;
+  };
+in kernel.overrideAttrs (base: {
   installFlags = base.installFlags or [ ] ++
     [ "INSTALL_MOD_PATH=$(out)" ];
 

physical.nix

@@ -0,0 +1,35 @@
+{ lib, ... }: with lib.kernel; {
+  MICROCODE = yes;
+
+  ENERGY_MODEL = yes;
+  ACPI_BUTTON = yes;
+  ACPI_VIDEO = yes;
+  ACPI_FAN = yes;
+  ACPI_TAD = yes;
+  ACPI_PROCESSOR_AGGREGATOR = yes;
+  ACPI_THERMAL = yes;
+  ACPI_PCI_SLOT = yes;
+
+  SCSI = yes;
+  BLK_DEV_SD = yes;
+  CHR_DEV_SG = yes;
+  SCSI_CONSTANTS = yes;
+  SCSI_SCAN_ASYNC = yes;
+
+  USB_STORAGE = yes;
+  USB_UAS = yes;
+
+  LEDS_CLASS = yes;
+  LEDS_TRIGGERS = yes;
+  LEDS_TRIGGER_PANIC = yes;
+  LEDS_TRIGGER_NETDEV = yes;
+
+  THERMAL = yes;
+  THERMAL_NETLINK = yes;
+  THERMAL_DEFAULT_GOV_FAIR_SHARE = yes;
+  THERMAL_GOV_FAIR_SHARE = yes;
+
+  WDAT_WDT = yes;
+
+  POWERCAP = yes;
+}

portable.nix

@@ -0,0 +1,44 @@
+{ lib, ... }: with lib.kernel; {
+  PREEMPT_VOLUNTARY = yes;
+
+  SUSPEND = yes;
+  PM_AUTOSLEEP = yes;
+  WQ_POWER_EFFICIENT_DEFAULT = yes;
+  ACPI_BATTERY = yes;
+
+  PCIEASPM_POWER_SUPERSAVE = option yes;
+  PCIEPORTBUS = yes;
+  HOTPLUG_PCI_PCIE = yes;
+  HOTPLUG_PCI = yes;
+
+  MEDIA_SUPPORT = yes;
+  MEDIA_SUPPORT_FILTER = yes;
+  MEDIA_SUBDRV_AUTOSELECT = yes;
+  MEDIA_CAMERA_SUPPORT = yes;
+  MEDIA_USB_SUPPORT = yes;
+  USB_VIDEO_CLASS = yes;
+  USB_VIDEO_CLASS_INPUT_EVDEV = yes;
+
+  HID_BATTERY_STRENGTH = yes;
+
+  USB_NET_DRIVERS = yes;
+  USB_RTL8152 = yes;
+  USB_USBNET = yes;
+  USB_NET_AX88179_178A = yes;
+  USB_NET_CDCETHER = yes;
+  USB_NET_CDC_SUBSET = yes;
+
+  BACKLIGHT_CLASS_DEVICE = yes;
+
+  TYPEC = yes;
+  TYPEC_UCSI = yes;
+  UCSI_ACPI = yes;
+  TYPEC_DP_ALTMODE = yes;
+
+  MMC = yes;
+  MMC_BLOCK = yes;
+
+  USB4 = yes;
+
+  KFENCE_SAMPLE_INTERVAL = freeform "500";
+}

profiles.nix

@@ -2,13 +2,13 @@
   x86_64-linux = {
     qemu-virtio = {
       arch = "x86-64-v3";
-      config = ./x86-64/qemu-virtio;
+      config = ./x86-64/qemu-virtio.nix;
       firmware = [ ];
     };
 
     thinkpad-x1-extreme-gen5 = {
       arch = "alderlake";
-      config = ./x86-64/thinkpad-x1-extreme-gen5;
+      config = ./x86-64/thinkpad-x1-extreme-gen5.nix;
       firmware = [
         "i915/adlp_dmc.bin" "i915/adlp_dmc_ver2_16.bin"
         "i915/adlp_guc_70.bin" "i915/tgl_huc.bin"
@@ -29,7 +29,7 @@
 
     zen3-stub = {
       arch = "znver3";
-      config = ./x86-64/zen3-stub;
+      config = ./x86-64/zen3-stub.nix;
       firmware = [ ];
     };
   };

router.nix

@@ -0,0 +1,11 @@
+{ lib, ... }:
+
+with lib.kernel; {
+  IP_ADVANCED_ROUTER = yes;
+  IP_MULTIPLE_TABLES = yes;
+  IP_ROUTE_MULTIPATH = yes;
+  IP_ROUTE_VERBOSE = yes;
+
+  IPV6_MULTIPLE_TABLES = yes;
+  IPV6_SUBTREES = yes;
+}

systemd.nix

@@ -0,0 +1,66 @@
+{ lib, ... }: with lib.kernel; {
+  # Base requirements
+  DEVTMPFS = yes;
+  CGROUPS = yes;
+  INOTIFY_USER = yes;
+  SIGNALFD = yes;
+  TIMERFD = yes;
+  EPOLL = yes;
+  UNIX = yes;
+  PROC_FS = yes;
+  FHANDLE = yes;
+
+  # Legacy interfaces
+  UEVENT_HELPER = no;
+  FW_LOADER_USER_HELPER = no;
+
+  # udev & virtualisation
+  DMIID = yes;
+
+  # SCSI device serial number retrieval
+  BLK_DEV_BSG = option yes;
+
+  # PrivateNetwork
+  NET_NS = yes;
+
+  # PrivateUser
+  USER_NS = yes;
+
+  # Optional but recommended
+  IPV6 = yes;
+  AUTOFS_FS = yes;
+  TMPFS_XATTR = yes;
+  TMPFS_POSIX_ACL = yes;
+  SECCOMP = yes;
+  SECCOMP_FILTER = yes;
+  KCMP = yes;
+  NET_SCHED = yes;
+
+  # CPUShares
+  CGROUP_SCHED = yes;
+  FAIR_GROUP_SCHED = yes;
+
+  # CPUQuota
+  CFS_BANDWIDTH = yes;
+
+  # IPaddress{Allow,Deny}, SocketBind{Allow,Deny}, RestrictNetworkInterfaces
+  BPF = yes;
+  BPF_SYSCALL = yes;
+  BPF_JIT = yes;
+  CGROUP_BPF = yes;
+
+  # EFI
+  EFIVAR_FS = option yes;
+  EFI_PARTITION = option yes;
+
+  # SMBIOS credentials
+  DMI = yes;
+  DMI_SYSFS = yes;
+
+  # Real‐time scheduling
+  RT_GROUP_SCHED = no;
+
+  # systemd-oomd
+  PSI = yes;
+  MEMCG = yes;
+}

wireless.nix

@@ -0,0 +1,62 @@
+{ lib, hostPlatform, ... }: with lib.kernel; {
+  WIRELESS = yes;
+  CFG80211 = yes;
+  CFG80211_DEFAULT_PS = yes;
+  CFG80211_CRDA_SUPPORT = yes;
+  MAC80211 = yes;
+  MAC80211_RC_MINSTREL = yes;
+  MAC80211_RC_DEFAULT_MINSTREL = yes;
+  MAC80211_LEDS = yes;
+
+  BT = yes;
+  BT_BREDR = yes;
+  BT_RFCOMM = yes;
+  BT_HIDP = yes;
+  BT_LE = yes;
+  BT_LEDS = yes;
+
+  BT_HCIBTUSB_AUTOSUSPEND = option yes;
+  BT_HCIBTUSB_BCM = option no;
+  BT_HCIBTUSB_RTL = option no;
+
+  RFKILL = yes;
+  RFKILL_INPUT = yes;
+
+  # iwd
+  KEYS = yes;
+  CRYPTO_USER_API_SKCIPHER = yes;
+  CRYPTO_USER_API_HASH = yes;
+  CRYPTO_HMAC = yes;
+  CRYPTO_CMAC = yes;
+  CRYPTO_MD4 = yes;
+  CRYPTO_MD5 = yes;
+  CRYPTO_SHA1 = yes;
+  CRYPTO_SHA256 = yes;
+  CRYPTO_SHA512 = yes;
+  CRYPTO_AES = yes;
+  CRYPTO_ECB = yes;
+  CRYPTO_DES = yes;
+  CRYPTO_CBC = yes;
+
+  ASYMMETRIC_KEY_TYPE = option yes;
+  ASYMMETRIC_PUBLIC_KEY_SUBTYPE = option yes;
+  X509_CERTIFICATE_PARSER = option yes;
+  PKCS7_MESSAGE_PARSER = option yes;
+  PKCS8_PRIVATE_KEY_PARSER = option yes;
+} // lib.optionalAttrs hostPlatform.isx86_64 {
+  CRYPTO_AES_NI_INTEL = option yes;
+  CRYPTO_DES3_EDE_X86_64 = option yes;
+  CRYPTO_SHA1_SSSE3 = option yes;
+  CRYPTO_SHA256_SSSE3 = option yes;
+  CRYPTO_SHA512_SSSE3 = option yes;
+} // lib.optionalAttrs hostPlatform.isRiscV64 {
+  CRYPTO_AES_RISCV64 = option yes;
+  CRYPTO_SHA256_RISCV64 = option yes;
+  CRYPTO_SHA512_RISCV64 = option yes;
+} // lib.optionalAttrs hostPlatform.isAarch64 {
+  CRYPTO_AES_ARM64_CE = option yes;
+  CRYPTO_AES_ARM64_CE_BLK = option yes;
+  CRYPTO_SHA1_ARM64_CE = option yes;
+  CRYPTO_SHA2_ARM64_CE = option yes;
+  CRYPTO_SHA512_ARM64_CE = option yes;
+}

x86-64/qemu-virtio.nix

@@ -0,0 +1,49 @@
+{ lib, ... }:
+
+with lib.kernel; {
+  NR_CPUS = freeform "8";
+
+  HYPERVISOR_GUEST = yes;
+  PARAVIRT = yes;
+  PARAVIRT_SPINLOCKS = yes;
+  KVM_GUEST = yes;
+  ARCH_CPUIDLE_HALTPOLL = yes;
+  PARAVIRT_CLOCK = yes;
+
+  HALTPOLL_CPUIDLE = yes;
+
+  FW_CFG_SYSFS = yes;
+
+  BLK_MQ_VIRTIO = yes;
+  VIRTIO_BLK = yes;
+  VIRTIO_NET = yes;
+  VIRTIO_CONSOLE = yes;
+
+  HW_RANDOM = yes;
+  HW_RANDOM_VIRTIO = yes;
+
+  I6300ESB_WDT = yes;
+
+  DRM = yes;
+  DRM_FBDEV_EMULATION = yes;
+  DRM_BOCHS = yes;
+  DRM_SIMPLEDRM = yes;
+
+  VIRT_DRIVERS = yes;
+  VMGENID = yes;
+  VIRTIO = yes;
+  VIRTIO_PCI = yes;
+  VIRTIO_BALLOON = yes;
+
+  VIRTIO_IOMMU = yes;
+
+  EXT4_FS = yes;
+  EXT4_USE_FOR_EXT2 = yes;
+  EXT4_FS_POSIX_ACL = yes;
+  BTRFS_FS = yes;
+  BTRFS_FS_POSIX_ACL = yes;
+  VIRTIO_FS = yes;
+
+  CRYPTO_HW = yes;
+  CRYPTO_DEV_VIRTIO = yes;
+}

x86-64/thinkpad-x1-extreme-gen5.nix

@@ -0,0 +1,141 @@
+{ lib, ... }@args: with lib.kernel;
+
+(import ../physical.nix args) //
+(import ../portable.nix args) //
+(import ../dm-crypt.nix args) //
+(import ../audio.nix args) //
+(import ../wireless.nix args) // {
+  X86_INTEL_LPSS = yes;
+
+  CPU_SUP_INTEL = yes;
+  CPU_SUP_AMD = no;
+  NR_CPUS = freeform "20";
+  X86_MCE_INTEL = yes;
+
+  INTEL_IDLE = yes;
+
+  VIRTUALIZATION = yes;
+  KVM = yes;
+  KVM_INTEL = yes;
+  KVM_SMM = yes;
+
+  IP_MULTICAST = yes;
+
+  IPV6_ROUTER_PREF = yes;
+  IPV6_ROUTE_INFO = yes;
+  IPV6_OPTIMISTIC_DAD = yes;
+
+  BT_INTEL = yes;
+  BT_HCIBTUSB = yes;
+
+  EISA = yes;
+  EISA_PCI_EISA = yes;
+  EISA_VIRTUAL_ROOT = no;
+  EISA_NAMES = yes;
+
+  NVME_CORE = yes;
+  BLK_DEV_NVME = yes;
+  NVME_VERBOSE_ERRORS = yes;
+  NVME_HWMON = yes;
+
+  MISC_RTSX = yes;
+  INTEL_MEI = yes;
+  MISC_RTSX_PCI = yes;
+
+  ETHERNET = yes;
+  AQTION = yes;
+
+  WLAN = yes;
+  IWLWIFI = yes;
+  IWLMVM = yes;
+
+  INPUT_MOUSEDEV = yes;
+  INPUT_JOYDEV = yes;
+
+  KEYBOARD_ATKBD = yes;
+
+  INPUT_MOUSE = yes;
+  MOUSE_PS2 = yes;
+  MOUSE_PS2_TRACKPOINT = yes;
+
+  INPUT_JOYSTICK = yes;
+
+  INTEL_PCH_THERMAL = yes;
+
+  MFD_CORE = yes;
+  MFD_INTEL_LPSS_PCI = yes;
+
+  I2C = yes;
+  I2C_I801 = yes;
+
+  SPI = yes;
+  SPI_MEM = yes;
+  SPI_INTEL_PCI = yes;
+
+  INT340X_THERMAL = yes;
+
+  VIDEO = yes;
+  VGA_SWITCHEROO = yes;
+  DRM = yes;
+  DRM_FBDEV_EMULATION = yes;
+  DRM_NOUVEAU = yes;
+  DRM_NOUVEAU_SVM = yes;
+  DRM_NOUVEAU_GSP_DEFAULT = yes;
+  DRM_I915 = yes;
+
+  BACKLIGHT_CLASS_DEVICE = yes;
+
+  HDMI = yes;
+
+  SND_HDA_INTEL = yes;
+  SND_HDA_HWDEP = yes;
+  SND_HDA_CODEC_REALTEK = yes;
+  SND_HDA_CODEC_HDMI = yes;
+  SND_HDA_POWER_SAVE_DEFAULT = freeform "2";
+
+  SND_SOC = yes;
+  SND_SOC_SOF_TOPLEVEL = yes;
+  SND_SOC_SOF_PCI = yes;
+  SND_SOC_SOF_INTEL_TOPLEVEL = yes;
+  SND_SOC_SOF_TIGERLAKE = yes;
+  SND_SOC_SOF_HDA_LINK = yes;
+  SND_SOC_SOF_HDA_AUDIO_CODEC = yes;
+  SND_SOC_DMIC = yes;
+
+  HID_LENOVO = yes;
+  HID_LOGITECH = yes;
+
+  USB_ACM = yes;
+
+  USB_SERIAL = yes;
+  USB_SERIAL_PL2303 = yes;
+
+  ACPI_WMI = yes;
+  MXM_WMI = yes;
+  THINKPAD_ACPI = yes;
+  THINKPAD_ACPI_ALSA_SUPPORT = yes;
+  THINKPAD_ACPI_VIDEO = yes;
+
+  INTEL_TURBO_MAX_3 = yes;
+
+  INTEL_IOMMU = yes;
+  INTEL_IOMMU_DEFAULT_ON = yes;
+
+  SOUNDWIRE = yes;
+  SOUNDWIRE_INTEL = yes;
+
+  INTEL_IDMA64 = yes;
+
+  INTEL_RAPL = yes;
+
+  EXT4_FS = yes;
+  EXT4_USE_FOR_EXT2 = yes;
+  EXT4_FS_POSIX_ACL = yes;
+  BTRFS_FS = yes;
+  BTRFS_FS_POSIX_ACL = yes;
+  FUSE_FS = yes;
+  ISO9660_FS = yes;
+  JOLIET = yes;
+  UDF_FS = yes;
+  EXFAT_FS = yes;
+}

x86-64/zen3-stub.nix

@@ -0,0 +1,47 @@
+{ lib, ... }@args: with lib.kernel;
+
+(import ../physical.nix args) //
+(import ../router.nix args) // {
+  CPU_SUP_INTEL = no;
+  NR_CPUS = freeform "256";
+  PERF_EVENTS_AMD_BRS = yes;
+  X86_MCE_AMD = yes;
+  AMD_MEM_ENCRYPT = yes;
+
+  MEMORY_FAILURE = yes;
+
+  VIRTUALIZATION = yes;
+  KVM = yes;
+  KVM_AMD = yes;
+  KVM_SMM = yes;
+
+  NVME_CORE = yes;
+  BLK_DEV_NVME = yes;
+  NVME_VERBOSE_ERRORS = yes;
+  NVME_HWMON = yes;
+
+  ATA = yes;
+  ATA_VERBOSE_ERROR = yes;
+  ATA_ACPI = yes;
+  SATA_AHCI = yes;
+  ATA_SFF = no;
+
+  IXGBE = yes;
+
+  IPMI_HANDLER = yes;
+  IMPI_PANIC_EVENT = yes;
+  IMPI_PANIC_STRING = yes;
+  IPMI_WATCHDOG = yes;
+
+  BCACHEFS_FS = yes;
+  BCACHEFS_POSIX_ACL = yes;
+  FUSE_FS = yes;
+
+  CRYPTO_CHACHA20_X86_64 = yes;
+  CONFIG_POLY1305_X86_64 = yes;
+
+  CRYPTO_DEV_CCP = yes;
+  CRYPTO_DEV_CCP_DD = yes;
+  CRYPTO_DEV_SP_CCP = yes;
+  CRYPTO_DEV_CCP_CRYPTO = yes;
+}

x86.nix

@@ -0,0 +1,45 @@
+{ lib, hostPlatform, ... }: with lib.kernel; {
+  SCHED_OMIT_FRAME_POINTER = yes;
+
+  X86_FRED = yes;
+
+  PROCESSOR_SELECT = yes;
+  CPU_SUP_HYGON = no;
+  CPU_SUP_CENTAUR = no;
+  CPU_SUP_ZHAOXIN = no;
+
+  SCHED_CLUSTER = yes;
+  SCHED_MC_PRIO = yes;
+
+  X86_MCE = yes;
+  X86_MCE_INTEL = yes;
+
+  X86_5LEVEL = option no;
+
+  X86_VSYSCALL_EMULATION = no;
+  LEGACY_VSYSCALL_NONE = yes;
+
+  X86_INTEL_TSX_MODE_AUTO = yes;
+  X86_USER_SHADOW_STACK = yes;
+
+  EFI_HANDOVER_PROTOCOL = no;
+
+  STRICT_SIGALTSTACK_SIZE = yes;
+
+  CPU_MITIGATIONS = yes;
+  MITIGATION_SLS = yes;
+
+  X86_ACPI_CPUFREQ = yes;
+  X86_ACPI_CPUFREQ_CPB = option no;
+
+  HPET = yes;
+  HPET_MMAP = yes;
+  HPET_MMAP_DEFAULT = yes;
+
+  X86_PLATFORM_DEVICES = yes;
+
+  IO_DELAY_NONE = yes;
+
+  X86_DEBUG_FPU = option no;
+  UNWINDER_ORC = yes;
+}