From 4ce363374ecd48e963e0a317a000f4641f66b55c Mon Sep 17 00:00:00 2001
From: NullBite <me@nullbite.com>
Date: Fri, 29 Mar 2024 22:02:47 +0000
Subject: [PATCH] kernel mitigation

---
 backports/default.nix  |  6 +++++-
 flake.lock             | 17 +++++++++++++++++
 flake.nix              |  2 ++
 system/mitigations.nix | 12 ++++++++++++
 4 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/backports/default.nix b/backports/default.nix
index 6115284..7b1f8cf 100644
--- a/backports/default.nix
+++ b/backports/default.nix
@@ -3,6 +3,9 @@ let
   inherit (prev) callPackage fetchFromGitHub;
   inherit (prev.lib) recurseIntoAttrs optionalAttrs;
 
+  xz-hold = nixfiles.inputs.nixpkgs-unstable.legacyPackages.${prev.system}.xz.version == "5.6.1";
+  xz-fixed = (nixfiles.inputs.nixpkgs-staging-next.legacyPackages.${prev.system}.xz);
+
   # if you can't do version based just make it time based and deal with it in a
   # month if it's not fixed
   # 2024-04-10T08:11:11
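Review bot: The condition on L21 reads the xz version from the `nixpkgs-unstable` input, but the override it gates (L33) replaces `xz` in `prev`; the hunk does not show that `prev` is built from that same input, so if the two diverge the hold can be on or off for the wrong package set. Reading the version from the set that is actually patched, `xz-hold = prev.xz.version == "5.6.1";`, keeps the check and the override on the same package. An exact-string match also switches off silently on any other version, with no expiry signal; the gimp hold just below carries a dated comment and the kernel hold in system/mitigations.nix gets an assertion, so give this one the same treatment, e.g. `# remove once prev.xz is no longer 5.6.1 — see the assertion in system/mitigations.nix for the pattern`. The `let` block that binds `nixfiles` starts above the hunk.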
@@ -15,4 +18,5 @@ let
       hash="sha256-oat4TwOorFevUMZdBFgaQHx/UKqGW7CGMoOHVgQxVdM="; 
     };
   in recurseIntoAttrs (callPackage "${src}/pkgs/applications/graphics/gimp/plugins" {});
-in (optionalAttrs gap-hold { gimpPlugins = gimpPlugins-gap; })
+in (optionalAttrs gap-hold { gimpPlugins = gimpPlugins-gap; }) //
+  (optionalAttrs xz-hold { xz=xz-fixed; })
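Review bot: The new attribute set on L33 is written `{ xz=xz-fixed; }`, without the spaces around `=` that the sibling `{ gimpPlugins = gimpPlugins-gap; }` on the same line uses; write `(optionalAttrs xz-hold { xz = xz-fixed; })`. The parentheses around the `xz-fixed` binding on L22 in the previous hunk are likewise redundant and can be dropped.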
diff --git a/flake.lock b/flake.lock
index f39b8d7..1177630 100644
--- a/flake.lock
+++ b/flake.lock
@@ -417,6 +417,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-staging-next": {
+      "locked": {
+        "lastModified": 1711735267,
+        "narHash": "sha256-Zj44dQ38cqN3NddIE/eA8t36eAKv0SVoMZPK8FF1pQ0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1149e1edb772e5f8e87d1a9be91bc34795fdafe8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "staging-next",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-unstable": {
       "locked": {
         "lastModified": 1711593151,
@@ -477,6 +493,7 @@
         "nix-wsl": "nix-wsl",
         "nixfiles-assets": "nixfiles-assets",
         "nixpkgs": "nixpkgs_2",
+        "nixpkgs-staging-next": "nixpkgs-staging-next",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pkg-android-tools": "pkg-android-tools",
         "rust-overlay": "rust-overlay",
diff --git a/flake.nix b/flake.nix
index 555ed3d..e69a027 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,6 +6,8 @@
                  # ^^^^^^^^^^^^^ this part is optional
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 
+    nixpkgs-staging-next.url = "github:NixOS/nixpkgs/staging-next";
+
     # this seems to be a popular way to declare systems
     systems.url = "github:nix-systems/default";
 
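Review bot: The new `nixpkgs-staging-next` input on L77 carries no comment saying why it exists, and in this patch it is referenced only by the temporary xz hold in backports/default.nix and the kernel hold in system/mitigations.nix; a later reader has no way to tell that it can be dropped once those holds go. A comment such as `# temporary: only consumed by backports/default.nix (xz) and system/mitigations.nix (kernel); remove together with those holds` would tie the input to its consumers, matching the explanatory comments the surrounding inputs already have.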
diff --git a/system/mitigations.nix b/system/mitigations.nix
index 1c5f8e0..eb396dd 100644
--- a/system/mitigations.nix
+++ b/system/mitigations.nix
@@ -2,8 +2,20 @@
 let
   p5 = config.services.xserver.desktopManager.plasma5.enable;
   p6 = config.services.desktopManager.plasma6.enable;
+
+  isNewer = ref: ver: ((builtins.compareVersions ver ref) == 1);
+
+  # kernel update
+  newKernelPackages = inputs.nixpkgs-staging-next.legacyPackages.${pkgs.system}.linuxPackages_latest;
 in
 {
   config = lib.mkMerge [
+    {
+      boot.kernelPackages = newKernelPackages;
+      assertions = [
+        { assertion = (!(isNewer "6.8" nixpkgs.legacyPackages.${pkgs.system}.linuxPackages.kernel.version));
+          message = "Kernel is no longer outdated. Please remove this."; }
+      ];
+    }
   ];
 }
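Review bot: The override on L99 unconditionally pins `boot.kernelPackages` to `linuxPackages_latest` from staging-next, but the reminder assertion on L101 inspects the default `linuxPackages` kernel of the regular `nixpkgs` input against a literal "6.8", so the two measure different things: the assertion stays quiet even if the regular input's `linuxPackages_latest` already matches or exceeds what staging-next provides. If the intent is "remove this once the regular input has caught up", compare like with like and drop the literal: `assertion = isNewer nixpkgs.legacyPackages.${pkgs.system}.linuxPackages_latest.kernel.version newKernelPackages.kernel.version;` (holds while staging-next is strictly newer). The `# kernel update` comment on L93 should also say what the override is for and when to remove it, e.g. `# temporary: take linuxPackages_latest from staging-next ahead of the regular input; the assertion below fires when the override is no longer needed`. Both `inputs` and `nixpkgs` come from the module's argument list above the hunk.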