.

configuration.nix

@@ -7,19 +7,17 @@
 {
   imports =
     [ # Include the results of the hardware scan.
-      ./bevuta-config/bevuta.nix
+      # NOTE: Required bevuta config is part of this file here, and not bevuta specific.
+      # ./bevuta-config/bevuta.nix
       ./hardware-configuration.nix
       "${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix"
       ./disko-config.nix
     ];
 
   # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  boot.initrd.luks.devices."root".preLVM = lib.mkForce false;
 
   boot = {
+    kernel.sysctl."kernel.sysrq" = 0;
     loader = {
       systemd-boot.enable = true;
       efi.canTouchEfiVariables = true;
@@ -79,6 +77,35 @@
   # hardware.pulseaudio.enable = true;
   # rtkit is optional but recommended
   security.rtkit.enable = true;
+  security = {
+    rtkit.enable = true;
+    apparmor = {
+      enable = true;
+      policies.dummy.profile = ''
+      /dummy {
+      }
+      '';
+    };
+    # This blacklist is from bevuta
+    pki.caCertificateBlacklist = [
+    "certSIGN ROOT CA"
+    "certSIGN Root CA G2"
+    "CFCA EV ROOT"
+    "ePKI Root Certification Authority"
+    "SecureSign RootCA11"
+    "GDCA TrustAUTH R5 ROOT"
+    "Hongkong Post Root CA 3"
+    "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
+    "Hellenic Academic and Research Institutions ECC RootCA 2015"
+    "Hellenic Academic and Research Institutions RootCA 2015"
+    "NAVER Global Root Certification Authority"
+    "UCA Extended Validation Root"
+    "UCA Global G2 Root"
+    "TWCA Global Root CA"
+    "TWCA Root Certification Authority"
+    ];
+  };
+
   services.pipewire = {
     enable = true;
     alsa.enable = true;