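{ pkgs, ... }:
# NixOS boot configuration: systemd-boot on EFI, latest kernel, LUKS root
# unlocked with a FIDO2 token, plus a few kernel parameters and module lists.
{
  boot = {
    loader = {
      systemd-boot = {
        enable = true;
        # Adds the netboot.xyz entry to the boot menu (a network boot option
        # selectable by anyone at the console).
        netbootxyz.enable = true;
        # Keep at most 10 generations on the ESP.
        configurationLimit = 10;
        # Do not allow the kernel command line to be edited from the boot menu:
        # with the editor on, a physically present user can change boot
        # parameters without presenting any credential.
        editor = false;
      };
      efi.canTouchEfiVariables = true;
    };

    # Latest kernel for best AMD support
    kernelPackages = pkgs.linuxPackages_latest;

    # LUKS with FIDO2 unlock
    # NOTE(review): crypttabExtraOpts and initrd.systemd.fido2 only take effect
    # with the systemd-based stage 1 (boot.initrd.systemd.enable); presumably
    # set elsewhere in the flake — confirm.
    initrd = {
      luks.devices."cryptroot" = {
        crypttabExtraOpts = [ "fido2-device=auto" ];
      };
      systemd = {
        fido2.enable = true;
      };
      # Modules made available in the initrd so the root device is reachable:
      # NVMe, USB 3 host, Thunderbolt, USB mass storage, SCSI disk, SD reader.
      availableKernelModules = [
        "nvme"
        "xhci_pci"
        "thunderbolt"
        "usb_storage"
        "sd_mod"
        "rtsx_pci_sdmmc"
      ];
    };

    # AMD virtualization support (KVM)
    kernelModules = [ "kvm-amd" ];

    # Basic kernel parameters
    kernelParams = [
      # Optional: Deep sleep if you do use suspend occasionally
      # "mem_sleep_default=deep"

      # Disable memory allocation profiling to work around kernel slab
      # allocator crashes in __alloc_tagging_slab_alloc_hook (CVE-2025-37774)
      # https://www.cve.org/CVERecord?id=CVE-2025-37774
      # NOTE(review): this is a workaround, not a fix; re-check whether it is
      # still needed after each linuxPackages_latest bump.
      "sysctl.vm.mem_profiling=0"
    ];

    # Blacklist unnecessary wireless (USB modem / mobile broadband) modules
    blacklistedKernelModules = [
      "sierra_net"
      "cdc_mbim"
    ];
  };
}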
54}