linux-hardened/flake.nix


{
# The only flake input. No revision is given here; the effective commit is
# whatever the accompanying flake.lock records (if one is present).
inputs.nixpkgs.url = "github:nixOS/nixpkgs/nixpkgs-unstable";
# Binary-cache settings this flake asks consumers to adopt. Nix prompts the
# user before applying them (unless accept-flake-config is set), because
# trusting this key allows that cache to supply substitutes for any path.
nixConfig.extra-substituters = [ "https://cache.kyouma.net" ];
nixConfig.extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
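outputs = { self, nixpkgs, ... }:
  let
    inherit (nixpkgs) lib;

    # Only x86_64-linux is built; the per-architecture config directory is
    # resolved below from the elaborated CPU name of each system.
    eachSystem = lib.genAttrs [ "x86_64-linux" ];

    # Build the anthraxx linux-hardened kernel from one Kconfig file, using
    # clang plus LLVM binutils from llvmPackages_latest.
    linux-hardened = pkgs: configfile:
      let
        inherit (pkgs) overrideCC;
        inherit (pkgs.stdenv) hostPlatform;
        inherit (pkgs.llvmPackages_latest) clangUseLLVM bintools;

        # Passed to manualConfig and also re-exported via passthru below.
        features = { efiBootStub = true; };

        kernel = pkgs.linuxKernel.manualConfig rec {
          pname = "linux-hardened";
          version = "6.10.2-hardened1";
          # The source is pinned by content hash, so a moved or re-tagged
          # upstream tag cannot silently change what gets built.
          src = pkgs.fetchFromGitHub {
            owner = "anthraxx";
            repo = pname;
            rev = "v${version}";
            hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
          };
          # Replace the default compiler with clang and LLVM's bintools.
          stdenv = overrideCC pkgs.stdenv (clangUseLLVM.override { inherit bintools; });
          # LLVM=1 selects the LLVM toolchain in kbuild. -march is only added
          # when the host platform declares gcc.arch, which ties the resulting
          # kernel to that CPU family and makes the build host-specific.
          extraMakeFlags = [ "LLVM=1" ]
            ++ lib.optionals (hostPlatform ? gcc.arch)
              [ "KCFLAGS=-march=${hostPlatform.gcc.arch}" ];
          isHardened = true;
          inherit configfile features;
        };
      in
      kernel.overrideAttrs (base: {
        passthru = base.passthru // { inherit features; };
      });
  in
  {
    legacyPackages = eachSystem (system: import nixpkgs { inherit system; });

    # One package per config file under ./<arch>/. Directory entries are
    # skipped so a stray subdirectory does not become a broken package.
    packages = eachSystem (system:
      let
        pkgs = self.legacyPackages.${system};
        arch = (lib.systems.elaborate system).parsed.cpu.name;
        configs = lib.filterAttrs (_: type: type != "directory")
          (builtins.readDir ./${arch});
      in
      lib.mapAttrs (profile: _: linux-hardened pkgs ./${arch}/${profile}) configs);

    hydraJobs = self.packages;
  };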
}