diff --git a/hosts/common/hardware/x86_64.nix b/hosts/common/hardware/x86_64.nix
index d29a91a1..eec8314b 100644
--- a/hosts/common/hardware/x86_64.nix
+++ b/hosts/common/hardware/x86_64.nix
@@ -8,6 +8,11 @@
       "nvme"  # to boot from nvme devices
       # efi_pstore evivars
     ];
+    # moby has to run recent kernels (defined elsewhere).
+    # meanwhile, kernel variation plays some minor role in things like sandboxing (landlock) and capabilities.
+    # simpler to keep near the latest kernel on all devices,
+    # and also makes certain that any weird system-level bugs i see aren't likely to be stale kernel bugs.
+    boot.kernelPackages = lib.mkDefault (pkgs.linuxPackagesFor pkgs.linux_latest);
 
     hardware.cpu.amd.updateMicrocode = true;    # desktop
     hardware.cpu.intel.updateMicrocode = true;  # laptop