{ pkgs, ... }:
{
  # Boot loader: systemd-boot on an EFI system, allowed to write EFI variables.
  boot.loader.systemd-boot.enable = true;
  # Adds a netboot.xyz entry to the boot menu. Anyone at the console can pick it
  # and boot a network image; the LUKS volume below stays encrypted, but this is
  # one more boot path to keep in mind when reviewing the machine's boot chain.
  boot.loader.systemd-boot.netbootxyz.enable = true;
  # Keep at most 10 generations on the ESP.
  boot.loader.systemd-boot.configurationLimit = 10;
  boot.loader.efi.canTouchEfiVariables = true;

  # Latest kernel for best AMD support
  boot.kernelPackages = pkgs.cachyosKernels.linuxPackages-cachyos-latest-lto-x86_64-v3;

  # LUKS with FIDO2 unlock.
  # crypttabExtraOpts is only honoured by the systemd-based initrd.
  # NOTE(review): assumes boot.initrd.systemd.enable is set elsewhere — confirm.
  # NOTE(review): nothing here enrolls a fallback passphrase / recovery key for
  # "cryptroot"; verify one exists before relying on a single token.
  boot.initrd.luks.devices."cryptroot".crypttabExtraOpts = [ "fido2-device=auto" ];
  boot.initrd.systemd.fido2.enable = true;

  # Load amdgpu early for Plymouth
  boot.initrd.kernelModules = [ "amdgpu" ];
  # Kernel modules for AMD hardware (storage, USB, Thunderbolt, SD reader)
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "thunderbolt"
    "usb_storage"
    "sd_mod"
    "rtsx_pci_sdmmc"
  ];

  boot.kernelModules = [ "kvm-amd" ];

  # Basic kernel parameters
  boot.kernelParams = [
    # Optional: Deep sleep if you do use suspend occasionally
    # "mem_sleep_default=deep"

    # Disable memory allocation profiling to work around kernel slab
    # allocator crashes in __alloc_tagging_slab_alloc_hook (CVE-2025-37774)
    # https://www.cve.org/CVERecord?id=CVE-2025-37774
    # This switches the feature off rather than patching it; drop the
    # parameter once the kernel in use carries the fix.
    "sysctl.vm.mem_profiling=0"
  ];

  # Blacklist unnecessary wireless modules (USB WWAN/modem drivers), so plugging
  # such a device in does not auto-load them.
  boot.blacklistedKernelModules = [
    "sierra_net"
    "cdc_mbim"
  ];
}