64 lines
1.7 KiB
Nix
64 lines
1.7 KiB
Nix
{
|
|
inputs = {
|
|
nixpkgs.url = "github:nixOS/nixpkgs/nixpkgs-unstable";
|
|
};
|
|
|
|
nixConfig = {
|
|
extra-substituters = [ "https://cache.kyouma.net" ];
|
|
extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
|
|
};
|
|
|
|
outputs = { self, nixpkgs, ... }:
|
|
let
|
|
inherit (nixpkgs) lib;
|
|
eachSystem = lib.genAttrs [ "x86_64-linux" ];
|
|
|
|
linux-hardened = pkgs: configfile:
|
|
let
|
|
inherit (pkgs) overrideCC;
|
|
inherit (pkgs.stdenv) hostPlatform;
|
|
inherit (pkgs.llvmPackages_latest) clangUseLLVM bintools;
|
|
|
|
kernel = pkgs.linuxKernel.manualConfig rec {
|
|
pname = "linux-hardened";
|
|
version = "6.10.2-hardened1";
|
|
|
|
src = pkgs.fetchFromGitHub {
|
|
owner = "anthraxx";
|
|
repo = pname;
|
|
rev = "v${version}";
|
|
hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
|
|
};
|
|
|
|
stdenv = overrideCC pkgs.stdenv
|
|
(clangUseLLVM.override { inherit bintools; });
|
|
|
|
extraMakeFlags = [ "LLVM=1" ]
|
|
++ lib.optionals (hostPlatform ? gcc.arch)
|
|
[ "KCFLAGS=-march=${hostPlatform.gcc.arch}" ];
|
|
|
|
isHardened = true;
|
|
inherit configfile features;
|
|
};
|
|
|
|
features = { efiBootStub = true; };
|
|
in kernel.overrideAttrs (base: {
|
|
passthru = base.passthru // {
|
|
inherit features;
|
|
};
|
|
});
|
|
in {
|
|
legacyPackages = eachSystem
|
|
(system: import nixpkgs { inherit system; });
|
|
|
|
packages = eachSystem (system:
|
|
let
|
|
pkgs = self.legacyPackages.${system};
|
|
arch = (lib.systems.elaborate system).parsed.cpu.name;
|
|
in lib.mapAttrs
|
|
(profile: _: linux-hardened pkgs ./${arch}/${profile})
|
|
(builtins.readDir ./${arch}));
|
|
|
|
hydraJobs = self.packages;
|
|
};
|
|
}
|