fix(ada): initrd & kernel fixes

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-29 00:03:12 +03:00 · 2026-05-29 00:03:12 +03:00 · 08c9f53265
commit 08c9f53265
parent e97b9c6b95
2 changed files with 60 additions and 17 deletions
--- a/ada/boot/initrd.nix
+++ b/ada/boot/initrd.nix
@ -10,17 +10,18 @@ _: {
        "sd_mod"
        "btrfs"
        "cryptd"
+        "tpm"
+        "hid_generic"
      ];

      supportedFilesystems = {
-        ntfs = true;
+        bcachefs = true;
        vfat = true;
        btrfs = true;
      };

      kernelModules = [
        "amdgpu"
-        "zenpower"
        "i2c-dev"
      ];

@ -28,6 +29,13 @@ _: {
        devices = {
          cryptroot = {
            device = "/dev/disk/by-id/nvme-KINGSTON_SKC3000S_1024G_AA000000000000000013-part2";
+            crypttabExtraOpts = [
+              "fido2-device=auto"
+              "fido2-pin=true"
+              "tpm2-device=auto"
+              "tpm2-pin=true"
+              # "headless=true"
+            ];
          };
        };
      };
--- a/ada/boot/kernel.nix
+++ b/ada/boot/kernel.nix
@ -1,55 +1,85 @@
 {
  config,
-  pkgs,
+  self,
  ...
 }: {
  boot = {
    kernel = {
      sysctl = {
-        "vm.swappiness" = 100;
+        "vm.swappiness" = 150;
        "vm.dirty_background_bytes" = 67108864;
        "vm.dirty_bytes" = 268435456;
        "vm.dirty_expire_centisecs" = 1500;
        "vm.dirty_writeback_centisecs" = 100;
        "vm.vfs_cache_pressure" = 50;
        "vm.max_map_count" = 1048576;
+        "vm.page-cluster" = 0;
+
+        "net.core.bpf_jit_harden" = 1;
+
+        "dev.tty.ldisc_autoload" = 0;
+
+        "net.ipv4.conf.all.accept_redirects" = 0;
+        "net.ipv4.conf.default.accept_redirects" = 0;
+        "net.ipv4.conf.all.secure_redirects" = 0;
+        "net.ipv4.conf.default.secure_redirects" = 0;
+        "net.ipv6.conf.all.accept_redirects" = 0;
+        "net.ipv6.conf.default.accept_redirects" = 0;
+        "net.ipv4.tcp_rfc1337" = 1;
+        "net.ipv4.tcp_syncookies" = 1;
+        "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+
+        "kernel.dmesg_restrict" = 1;
+        "kernel.kptr_restrict" = 2;
      };
    };

-    kernelPackages = pkgs.linuxPackages_latest;
+    kernelPackages = self.inputs."nix-cachyos-kernel".legacyPackages.x86_64-linux.linuxPackages-cachyos-latest-lto-x86_64-v3;
    extraModulePackages = with config.boot.kernelPackages; [
-      zenpower
      v4l2loopback
    ];

    kernelModules = [
      "amdgpu"
-      "zenpower"
      "v4l2loopback"
-      "i2c_dev"
+      "i2c-dev"
+      "ntsync"
    ];

    kernelParams = [
-      "amd_pstate=guided"
-      "udev.log_priority=3"
+      "amd_pstate=active"
+      "amd_iommu=force"
+
+      "iommu=pt"
+
+      "amdgpu.gpu_recovery=1"
+      "pcie_aspm=performance"
+
      "quiet"
      "splash"
      "boot.shell_on_fail"
      "loglevel=3"
      "rd.systemd.show_status=false"
      "rd.udev.log_level=3"
-
-      "page_alloc.shuffle=1"
-      "page_poison=1"
-      "slab_nomerge"
-      "zswap.enabled=0"
+      "udev.log_priority=3"

      "kernel.watchdog=0"
+      "mitigations=auto"
+      "lockdown=integrity"
+      "init_on_alloc=1"
+      "init_on_free=1"
+      "slab_nomerge"
+      "page_alloc.shuffle=1"
+      "vsyscall=none"
      "oops=panic"
    ];

    blacklistedKernelModules = [
-      "k10temp"
+      "dccp"
+      "sctp"
+      "rds"
+      "tipc"
+      "n-hdlc"
      "ax25"
      "netrom"
      "rose"
@ -77,12 +107,17 @@
      "ufs"
      "sp5100-tco"
      "iTCO_wdt"
+      "ntfs3"
+      "appletalk"
+      "psnap"
+      "p8022"
+      "p8023"
    ];

    supportedFilesystems = {
-      ntfs = true;
      vfat = true;
      btrfs = true;
+      bcachefs = true;
    };

    consoleLogLevel = 0;