re-ship linux 6.7 to lappy/desko/servo

now that landlock-sandboxer builds against the correct linux headers, this can actually work.
2024-01-31 20:33:15 +00:00 · 2024-01-31 20:33:15 +00:00 · a9810e7343
commit a9810e7343
parent 4f352c5725
1 changed files with 5 additions and 0 deletions
--- a/hosts/common/hardware/x86_64.nix
+++ b/hosts/common/hardware/x86_64.nix
@ -8,6 +8,11 @@
      "nvme"  # to boot from nvme devices
      # efi_pstore evivars
    ];
+    # moby has to run recent kernels (defined elsewhere).
+    # meanwhile, kernel variation plays some minor role in things like sandboxing (landlock) and capabilities.
+    # simpler to keep near the latest kernel on all devices,
+    # and also makes certain that any weird system-level bugs i see aren't likely to be stale kernel bugs.
+    boot.kernelPackages = lib.mkDefault (pkgs.linuxPackagesFor pkgs.linux_latest);

    hardware.cpu.amd.updateMicrocode = true;    # desktop
    hardware.cpu.intel.updateMicrocode = true;  # laptop