move off of hardened kernel to latest LTS

configuration.nix

@@ -133,8 +133,8 @@
   boot.kernel.sysctl."vm.nr_hugepages" = service_configs.hugepages_2m.total_pages;
 
   boot = {
-    # 6.12 LTS until 2026
-    kernelPackages = pkgs.linuxPackages_6_12_hardened;
+    # 6.18 LTS until 2027
+    kernelPackages = pkgs.linuxPackages_6_18;
 
     loader = {
       # Use the systemd-boot EFI boot loader.

modules/security.nix

@@ -13,12 +13,78 @@
   # disable coredumps
   systemd.coredump.enable = false;
 
-  # The hardened kernel defaults kernel.unprivileged_userns_clone to 0, which
-  # prevents the Nix sandbox from mapping UIDs/GIDs. Without this, any derivation
-  # that calls `id` in its build phase (e.g. logrotate checkPhase) fails when not
-  # served from the binary cache. See https://github.com/NixOS/nixpkgs/issues/287194
+  # Needed for Nix sandbox UID/GID mapping inside derivation builds.
+  # See https://github.com/NixOS/nixpkgs/issues/287194
   security.unprivilegedUsernsClone = true;
 
+  # Disable kexec to prevent replacing the running kernel at runtime.
+  security.protectKernelImage = true;
+
+  # Kernel hardening boot parameters. These recover most of the runtime-
+  # configurable protections that the linux-hardened patchset provided.
+  boot.kernelParams = [
+    # Zero all page allocator pages on free / alloc. Prevents info leaks
+    # and use-after-free from seeing stale data. Modest CPU overhead.
+    "init_on_alloc=1"
+    "init_on_free=1"
+
+    # Prevent SLUB allocator from merging caches with similar size/flags.
+    # Keeps different kernel object types in separate slabs, making heap
+    # exploitation (type confusion, spray, use-after-free) significantly harder.
+    "slab_nomerge"
+
+    # Randomize order of pages returned by the buddy allocator.
+    "page_alloc.shuffle=1"
+
+    # Disable debugfs entirely (exposes kernel internals).
+    "debugfs=off"
+
+    # Disable legacy vsyscall emulation (unused by any modern glibc).
+    "vsyscall=none"
+
+    # Strict IOMMU TLB invalidation (no batching). Prevents DMA-capable
+    # devices from accessing stale mappings after unmap.
+    "iommu.strict=1"
+  ];
+
+  boot.kernel.sysctl = {
+    # Immediately reboot on kernel oops (don't leave a compromised
+    # kernel running). Negative value = reboot without delay.
+    "kernel.panic" = -1;
+
+    # Hide kernel pointers from all processes, including CAP_SYSLOG.
+    # Prevents info leaks used to defeat KASLR.
+    "kernel.kptr_restrict" = 2;
+
+    # Disable bpf() JIT compiler (eliminates JIT spray attack vector).
+    "net.core.bpf_jit_enable" = false;
+
+    # Disable ftrace (kernel function tracer) at runtime.
+    "kernel.ftrace_enabled" = false;
+
+    # Strict reverse-path filtering: drop packets arriving on an interface
+    # where the source address isn't routable back via that interface.
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.log_martians" = true;
+    "net.ipv4.conf.default.log_martians" = true;
+
+    # Ignore ICMP redirects (prevents route table poisoning).
+    "net.ipv4.conf.all.accept_redirects" = false;
+    "net.ipv4.conf.all.secure_redirects" = false;
+    "net.ipv4.conf.default.accept_redirects" = false;
+    "net.ipv4.conf.default.secure_redirects" = false;
+    "net.ipv6.conf.all.accept_redirects" = false;
+    "net.ipv6.conf.default.accept_redirects" = false;
+
+    # Don't send ICMP redirects (we are not a router).
+    "net.ipv4.conf.all.send_redirects" = false;
+    "net.ipv4.conf.default.send_redirects" = false;
+
+    # Ignore broadcast ICMP (SMURF amplification mitigation).
+    "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+  };
+
   services = {
     dbus.implementation = "broker";
     /*