diff --git a/base/default.nix b/base/default.nix index b23b4ba..cf6f9fe 100644 --- a/base/default.nix +++ b/base/default.nix @@ -10,6 +10,8 @@ (fp /users) (fp /modules/snakeoil-certs.nix) + ./mitigations.nix + ./flake-input-exporter.nix ./networking.nix ./nix.nix diff --git a/base/mitigations.nix b/base/mitigations.nix new file mode 100644 index 0000000..27168fb --- /dev/null +++ b/base/mitigations.nix @@ -0,0 +1,17 @@ +{ ... }: + +{ + boot.blacklistedKernelModules = [ + "rxrpc" # dirtyfrag + "esp6" # dirtyfrag + "esp4" # dirtyfrag +]; +boot.extraModprobeConfig = '' + # dirtyfrag + install esp4 /bin/false + # dirtyfrag + install esp6 /bin/false + # dirtyfrag + install rxrpc /bin/false +''; +} diff --git a/flake.lock b/flake.lock index ae5203e..1596c0b 100644 --- a/flake.lock +++ b/flake.lock @@ -232,11 +232,11 @@ ] }, "locked": { - "lastModified": 1774824790, - "narHash": "sha256-3R2aoykbutdJ7YQaZiU7uO8w4O8b6RjztTPNo8isLTI=", + "lastModified": 1777808420, + "narHash": "sha256-hh9XBz0K1ypZ+neezgIPCSsnWFKEq8VfV/1aUSPu3OA=", "owner": "oddlama", "repo": "nix-topology", - "rev": "5765ce41be8a4fb5471a57671c2b740a350c5da0", + "rev": "28e9dc901ff38a8fa2d24bccd5f89511d6d8324e", "type": "github" }, "original": { @@ -248,11 +248,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1775064210, - "narHash": "sha256-bEqbUNAnoyNZzd8rrhS8QETdDWr+vYzZeaggBLmFLIA=", - "rev": "9d1c3efdc713c1ed9679796c08a1a8a193e4704e", + "lastModified": 1778125667, + "narHash": "sha256-swcxqlW+XrZFBqjcV3AV8AR64/eI234AZRFKs6q4DFo=", + "rev": "75636a69ad3115ff64d4cb3090e66c8275dda9c2", "type": "tarball", - "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.8497.9d1c3efdc713/nixexprs.tar.xz" + "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10534.75636a69ad31/nixexprs.tar.xz" }, "original": { "type": "tarball", 
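Review bot: The blacklist and the `install … /bin/false` lines in base/mitigations.nix only block future loads of esp4, esp6 and rxrpc; a host that already has one of them loaded keeps it until the module is unloaded or the machine reboots, so the rollout should include an `lsmod` check or a reboot on every host. The `install` lines also point at `/bin/false`, which a NixOS system normally does not provide. The load still fails because the command cannot be run, but that is accidental; binding `pkgs` in the header (`{ pkgs, ... }:`) and writing `install esp4 ${pkgs.coreutils}/bin/false` for each module makes the intent explicit. The file would also benefit from a header comment that names the advisory and the removal condition, for example `# Remove once all hosts run a kernel with the dirtyfrag fix (<advisory link>)`, and that records that disabling esp4/esp6 turns off IPsec ESP on these machines.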
@@ -276,11 +276,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1777014002, - "narHash": "sha256-urhq48kYlNYbkGXQ/f3NjzJTGfMdG8GmJQbgFLcrcV0=", - "rev": "15ebe06759175c2e98dba23c0b125913589094e7", + "lastModified": 1778157832, + "narHash": "sha256-lSl05j1UzI5MioSJWUa7oUp5a88zzv3sXMwWC4d1N70=", + "rev": "ec299c6a33eee9baf5b4d72881ca2f15c06b4f01", "type": "tarball", - "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre986338.15ebe0675917/nixexprs.tar.xz" + "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre993859.ec299c6a33ee/nixexprs.tar.xz" }, "original": { "type": "tarball", @@ -390,6 +390,7 @@ }, "original": { "ref": "main", + "rev": "16b2bc5c2759e20ecb952374509f1e1f9d6c06e7", "type": "git", "url": "https://git.pvv.ntnu.no/Projects/roowho2.git" } @@ -464,11 +465,11 @@ ] }, "locked": { - "lastModified": 1774910634, - "narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=", + "lastModified": 1777944972, + "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=", "owner": "Mic92", "repo": "sops-nix", - "rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301", + "rev": "c591bf665727040c6cc5cb409079acb22dcce33c", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 3f9522d..336bbc2 100644 --- a/flake.nix +++ b/flake.nix @@ -32,7 +32,7 @@ minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main"; minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs"; - roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main"; + roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=16b2bc5c2759e20ecb952374509f1e1f9d6c06e7"; roowho2.inputs.nixpkgs.follows = "nixpkgs"; greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main"; 
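Review bot: The new `rev=16b2bc5c2759e20ecb952374509f1e1f9d6c06e7` pin on `roowho2.url` in flake.nix has no explanation next to it. With the revision fixed in the URL, `nix flake update` will no longer advance this input, so later upstream fixes would be missed without anyone noticing. Add a comment above the line stating why the revision is held and when the pin can be dropped, e.g. `# Pinned: <reason>; drop rev= once <condition>`.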
@@ -62,9 +62,11 @@ importantMachines = [ "bekkalokk" "bicep" - "brzeczyszczykiewicz" "georg" "ildkule" + "kommode" + "lupine-1" + "skrot" ]; in { inputs = lib.mapAttrs (_: src: src.outPath) inputs;