nixos-blueprint/hosts/sarien/boot.nix

{
  pkgs,
  config,
  inputs,
  ...
}: {
  imports = with inputs; [
    chaotic.nixosModules.default
  ];
  boot = {
    # kernelPackages = pkgs.linuxPackages_latest;
    kernelPackages = pkgs.linuxPackages_cachyos;
    kernelModules = ["kvm-intel"];
    kernelParams = [
      "debugfs=off"
      "efi=disable_early_pci_dma"
      # "gather_data_sampling=force"
      "intel_iommu=on"
      "iommu.passthrough=0"
      "iommu.strict=1"
      "iommu=force"
      # "lockdown=confidentiality"
      # "module.sig_enforce=1"
      "page_alloc.shuffle=1"
      # "reg_file_data_sampling=on"
      # "spec_rstack_overflow=safe-ret"
      "vsyscall=none"
    ];
    loader.efi.canTouchEfiVariables = true;
    loader.systemd-boot = {
      enable = true;
      consoleMode = "auto";
    };
    plymouth.enable = true;
  };
  console = {
    earlySetup = true;
    packages = [pkgs.terminus_font];
    font = "${pkgs.terminus_font}/share/consolefonts/ter-c18n.psf.gz";
  };
}