| -rw-r--r-- | flake.lock | 70 | ||||
| -rw-r--r-- | flake.nix | 6 | ||||
| -rw-r--r-- | machines/firelink.nix | 20 | ||||
| -rw-r--r-- | machines/x1-pincer-2.nix | 106 | ||||
| -rw-r--r-- | machines/x1-pincer.nix | 2 | ||||
| -rw-r--r-- | modules/common.nix | 3 | ||||
| -rw-r--r-- | modules/desktop.nix | 32 | ||||
| -rw-r--r-- | modules/mullvad.nix | 9 | ||||
| -rw-r--r-- | modules/router.nix | 26 | ||||
| -rw-r--r-- | modules/yubikey.nix | 1 |
10 files changed, 203 insertions, 72 deletions
@@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1736955230, - "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "lastModified": 1762618334, + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", "owner": "ryantm", "repo": "agenix", - "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", + "rev": "fcdea223397448d35d9b31f798479227e80183f6", "type": "github" }, "original": { @@ -53,11 +53,11 @@ ] }, "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", "type": "github" }, "original": { @@ -73,11 +73,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1740850895, - "narHash": "sha256-hAP2ruVUWv38yy1eGd7yrcEuqlRtIMzA6ZcheN9n7qM=", + "lastModified": 1766510053, + "narHash": "sha256-X5glR8UEW+wfi2grkS0DN6apelCCLsqIW+EsWZlI/sA=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "317e9986ebfbcdccfe2c105557c8d724c394843a", + "rev": "04c7d5d0cb35ee346dbaf40987fbae7577537f8a", "type": "github" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "owner": "nix-community", "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", "type": "github" }, "original": { 
@@ -162,11 +162,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1740720547, - "narHash": "sha256-Vh6Wi9qANzpSBxxdZIa4Kr85cTal0Y93Q5TFKm2mC3M=", + "lastModified": 1766225187, + "narHash": "sha256-6hcaU8qtmixsaEUbjPiOFd5aJPZxAIBokl5d7dkab3k=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "85902bc8c7b759080fac8906dd17298e29a3b20d", + "rev": "bb53a85db9210204a98f771f10f1f5b4e06ccb2d", "type": "github" }, "original": { @@ -223,11 +223,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1740646007, - "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=", + "lastModified": 1764440730, + "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49", + "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3", "type": "github" }, "original": { @@ -239,11 +239,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1740695751, - "narHash": "sha256-D+R+kFxy1KsheiIzkkx/6L63wEHBYX21OIwlFV8JvDs=", + "lastModified": 1766309749, + "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6313551cd05425cd5b3e63fe47dbc324eabb15e4", + "rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816", "type": "github" }, "original": { 
@@ -255,27 +255,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1740743217, - "narHash": "sha256-brsCRzLqimpyhORma84c3W2xPbIidZlIc3JGIuQVSNI=", + "lastModified": 1766399428, + "narHash": "sha256-vS6LSOMDOB3s+L6tqw9IGujxnmUAZQnEG+Vi640LayI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b27ba4eb322d9d2bf2dc9ada9fd59442f50c8d7c", + "rev": "a6c3a6141ec1b367c58ead3f7f846c772a25f4e5", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1740695751, - "narHash": "sha256-D+R+kFxy1KsheiIzkkx/6L63wEHBYX21OIwlFV8JvDs=", + "lastModified": 1766309749, + "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6313551cd05425cd5b3e63fe47dbc324eabb15e4", + "rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816", "type": "github" }, "original": { @@ -287,11 +287,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1739214665, - "narHash": "sha256-26L8VAu3/1YRxS8MHgBOyOM8xALdo6N0I04PgorE7UM=", + "lastModified": 1766070988, + "narHash": "sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "64e75cd44acf21c7933d61d7721e812eac1b5a0a", + "rev": "c6245e83d836d0433170a16eb185cefe0572f8b8", "type": "github" }, "original": { @@ -319,16 +319,16 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1740743217, - "narHash": "sha256-brsCRzLqimpyhORma84c3W2xPbIidZlIc3JGIuQVSNI=", + "lastModified": 1766473571, + "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b27ba4eb322d9d2bf2dc9ada9fd59442f50c8d7c", + "rev": "76701a179d3a98b07653e2b0409847499b2a07d3", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } 
@@ -4,7 +4,7 @@ extra-trusted-public-keys = "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="; }; - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; + inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; inputs.nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; inputs.nixos-hardware.url = "github:NixOS/nixos-hardware/master"; inputs.emacs-overlay.url = "github:nix-community/emacs-overlay"; @@ -84,6 +84,10 @@ hostName = "pincer"; module = ./machines/x1-pincer.nix; } + { + hostName = "pincer2"; + module = ./machines/x1-pincer-2.nix; + } { hostName = "dragon"; } { hostName = "firelink"; } { hostName = "tiny1"; } diff --git a/machines/firelink.nix b/machines/firelink.nix index e6d7673..e4297e0 100644 --- a/machines/firelink.nix +++ b/machines/firelink.nix @@ -13,14 +13,16 @@ in { orbekk.rtc-wakeup.enable = true; orbekk.vpn.enable = true; + programs.adb.enable = true; + # Don't run gc on startup. nix.gc.persistent = false; - services.logind.extraConfig = '' - HandlePowerKey=suspend - IdleAction=suspend - IdleActionSec=30m - ''; + # services.logind.extraConfig = '' + # HandlePowerKey=suspend + # IdleAction=suspend + # IdleActionSec=30m + # ''; systemd.watchdog.runtimeTime = "30s"; services.fwupd.enable = true; @@ -32,10 +34,14 @@ in { networking.firewall.allowedTCPPorts = [ 22 4713 # Baldur's Gate 3 23253 + # Grim Dawn + 27016 ]; networking.firewall.allowedUDPPorts = [ # Baldur's Gate 3 - 23253 + 23253 + # Grim Dawn + 27016 ]; networking.networkmanager.enable = true; networking.networkmanager.wifi.powersave = false; @@ -47,8 +53,6 @@ in { }; networking.interfaces."enp37s0.admin".useDHCP = true; - systemd.extraConfig = "DefaultLimitNOFILE=1048576"; - security.pam.loginLimits = [{ domain = "*"; type = "hard"; diff --git a/machines/x1-pincer-2.nix b/machines/x1-pincer-2.nix new file mode 100644 index 0000000..483fcd8 --- /dev/null +++ b/machines/x1-pincer-2.nix 
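Review bot: The logind block in machines/firelink.nix is commented out rather than removed, and nothing records why; with it gone, HandlePowerKey falls back to logind's default (poweroff) and idle suspend is off entirely, which is a behavioural change for a host that this same commit opens more game ports on. If that is deliberate, a one-line comment such as `# logind suspend disabled on purpose: host stays up for game sessions` keeps the intent readable; otherwise delete the dead block so it does not read as a temporary toggle left behind. The enclosing attribute set continues outside the hunk.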
@@ -0,0 +1,106 @@ +{ config, lib, pkgs, ... }: +{ + orbekk.gaming.enable = true; + orbekk.desktop.enable = true; + orbekk.thinkpad.enable = true; + orbekk.development.enable = true; + orbekk.simple-firewall.enable = lib.mkForce false; + + system.autoUpgrade.enable = lib.mkForce false; + services.printing.enable = true; + services.printing.drivers = with pkgs; [ gutenprint brlaser ]; + services.openssh.enable = true; + + networking.networkmanager.enable = false; + networking.hostName = "pincer"; + networking.useDHCP = false; + networking.interfaces.enp0s25.ipv4.addresses = [ + {address = "80.100.100.1"; prefixLength = 24; } + ]; + networking.interfaces.wlp4s0 = { + ipv4.addresses = [{ address = "172.20.71.1"; prefixLength = 24; }]; + }; + networking.firewall.enable = true; + networking.firewall.trustedInterfaces = ["wlp4s0"]; + networking.nat.enable = true; + networking.nat.internalInterfaces = ["wlp4s0"]; + networking.nat.externalInterface = "enp0s25"; + + services.dnsmasq = { + enable = true; + settings.server = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ]; + resolveLocalQueries = false; + settings = { + no-resolv = true; + no-hosts = true; + log-debug = true; + + dhcp-authoritative = true; + enable-ra = true; + + "address" = ["/localhost/::1" "/localhost/127.0.0.1"]; + + dhcp-range = ["172.20.71.10,172.20.71.254,5m"]; + }; + }; + + services.hostapd = { + enable = true; + radios = { + wlp4s0 = { + channel = 6; # Automatic + countryCode = "US"; + networks.wlp4s0 = { + ssid = "Merry"; + authentication.mode = "none"; + }; + }; + }; + }; + + services.miniupnpd.enable = true; + services.miniupnpd.externalInterface = "enp0s25"; + services.miniupnpd.internalIPs = [ + "wlp4s0" + ]; + services.miniupnpd.appendConfig = '' + ipv6_disable=true + ''; + + boot.kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + "net.ipv6.conf.all.accept_ra" = 0; + "net.ipv6.conf.all.autoconf" = 0; + "net.ipv6.conf.all.use_tempaddr" = 0; + }; + +# 
Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.initrd.luks.devices."luks-e7d79bb8-2c57-45f9-a958-9ee16a63c85a".device = "/dev/disk/by-uuid/e7d79bb8-2c57-45f9-a958-9ee16a63c85a"; + + # hardware-configuration.nix + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" ]; + hardware.enableRedistributableFirmware = lib.mkDefault true; + boot.kernelModules = [ "kvm-intel" ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/13de8c13-4f2f-4495-b1aa-6bae3f2d7979"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/ADFD-B161"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/7f4492ff-bdd4-41b0-a81d-f190781add9d"; } + ]; + + system.stateVersion = "17.04"; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/machines/x1-pincer.nix b/machines/x1-pincer.nix index 6438a17..563b15a 100644 --- a/machines/x1-pincer.nix +++ b/machines/x1-pincer.nix @@ -11,8 +11,6 @@ services.printing.drivers = with pkgs; [ gutenprint brlaser ]; services.openssh.enable = true; - services.desktopManager.autoLogin.user = "guest"; - networking.networkmanager.enable = true; networking.hostName = "pincer"; diff --git a/modules/common.nix b/modules/common.nix index cc60640..35d7c59 100644 --- a/modules/common.nix +++ b/modules/common.nix @@ -80,6 +80,9 @@ nix-index p7zip jq + (python3.withPackages (py-pkgs: with py-pkgs; [ + plotly numpy + ])) pass ripgrep rustup diff --git a/modules/desktop.nix b/modules/desktop.nix index ebe30e6..b7ac14c 100644 --- a/modules/desktop.nix +++ b/modules/desktop.nix 
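Review bot: In machines/x1-pincer-2.nix the interface carrying the open access point (`authentication.mode = "none"` under services.hostapd) is also listed in `networking.firewall.trustedInterfaces`, so every device that joins the unauthenticated SSID reaches all local services on the host (openssh, printing, dnsmasq) unfiltered and can additionally request WAN port mappings through the miniupnpd instance that is bound to that same interface. Drop wlp4s0 from trustedInterfaces and open only what clients need, e.g. `networking.firewall.interfaces.wlp4s0.allowedUDPPorts = [ 53 67 ];` and `networking.firewall.interfaces.wlp4s0.allowedTCPPorts = [ 53 ];`, and either give the network a passphrase (hostapd's `authentication.mode = "wpa3-sae"` with a password file) or state in a comment that an open network is intended. `settings.log-debug = true` under services.dnsmasq also writes every client query to the journal, which is unusual outside of debugging and worth a comment if it is meant to stay. Separately, the file sets `networking.hostName = "pincer"`, the same value as machines/x1-pincer.nix, while the flake.nix hunk registers this machine as `pincer2` — presumably the hostname should be `"pincer2"` as well.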
@@ -11,12 +11,17 @@ in { orbekk.yubikey.enable = lib.mkDefault true; orbekk.simple-firewall.enable = true; + networking.firewall = rec { + # 1714-1764: KDE connect. + allowedTCPPortRanges = [ { from = 1714; to = 1764; } ]; + allowedUDPPortRanges = allowedTCPPortRanges; + }; + programs.kdeconnect.enable = true; - # Performs some setup needed by river. programs.xwayland.enable = true; programs.dconf.enable = true; - xdg.portal.extraPortals = with pkgs; [ xdg-desktop-portal-kde ]; + xdg.portal.extraPortals = with pkgs; [ kdePackages.xdg-desktop-portal-kde ]; services.dbus.enable = true; services.udisks2.enable = true; @@ -66,7 +71,6 @@ in { jetbrains-mono wqy_microhei noto-fonts - noto-fonts-extra ]; fontconfig = { defaultFonts = { @@ -85,11 +89,10 @@ in { anki gimp opencpn - # Wayland packages - river waybar light playerctl + gnucash grim slurp wlr-randr @@ -99,8 +102,8 @@ in { kanshi wlopm wl-clipboard - breeze-icons - breeze-gtk + kdePackages.breeze-icons + kdePackages.breeze-gtk wezterm autorandr chromium @@ -155,16 +158,12 @@ in { services = { udev.extraRules = '' # Anne Pro 2 - SUBSYSTEM=="usb", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="8008", - MODE="0666", GROUP="plugdev" - KERNEL=="hidraw*", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="8008", - MODE="0666", GROUP="plugdev" + SUBSYSTEM=="usb", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="8008", MODE="0666", GROUP="plugdev" + KERNEL=="hidraw*", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="8008", MODE="0666", GROUP="plugdev" # Planck - SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", - MODE="0666", GROUP="plugdev" - KERNEL=="hidraw*", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", - MODE="0666", GROUP="plugdev" + SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0666", GROUP="plugdev" + KERNEL=="hidraw*", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0666", GROUP="plugdev" ''; avahi.enable = true; 
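Review bot: The new `networking.firewall` block in modules/desktop.nix opens 1714-1764 TCP and UDP on every interface of every desktop host, including the laptop builds that roam onto untrusted networks; the NixOS `programs.kdeconnect` module already opens this same range when enabled, so the explicit block is likely redundant — worth confirming against the module before keeping both. If the explicit rule stays, scoping it with `networking.firewall.interfaces.<iface>.allowedTCPPortRanges` (and the UDP counterpart) to the interfaces where KDE Connect peers actually live keeps the exposure off public Wi-Fi. The enclosing attribute set starts and ends outside the hunk.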
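Review bot: Joining the udev rules onto single lines in modules/desktop.nix appears to make them take effect as intended for the first time (udev does not continue a rule across a bare newline, so the trailing `MODE=…` lines previously stood on their own), which means `MODE="0666"` now applies and the keyboards' usb and hidraw nodes become world-readable and world-writable — any local process can read raw HID reports, i.e. keystrokes, and write to the device. `GROUP="plugdev"` is already set, so `MODE="0660"` gives the flashing tools the same access through group membership without opening the nodes to every user; apply it to all four rules. The `services` set continues outside the hunk.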
@@ -179,14 +178,13 @@ in { displayManager.sddm.enable = true; displayManager.sddm.wayland.enable = true; + desktopManager.plasma6.enable = true; xserver = { enable = true; xkb.layout = "us"; xkb.options = "caps:ctrl_modifier"; - desktopManager.plasma6.enable = true; - windowManager.xmonad = { enable = true; enableContribAndExtras = true; diff --git a/modules/mullvad.nix b/modules/mullvad.nix index 5d53157..a634905 100644 --- a/modules/mullvad.nix +++ b/modules/mullvad.nix @@ -23,7 +23,7 @@ in enable = true; interfaces.mullvad = { privateKeyFile = "/opt/secret/wireguard/mullvad.private"; - ips = [ "10.64.128.156/32" "fc00:bbbb:bbbb:bb01::1:809b/128" ]; + ips = [ "10.74.12.93/32" "fc00:bbbb:bbbb:bb01::b:c5c/128" ]; allowedIPsAsRoutes = false; listenPort = cfg.listenPort; peers = [ @@ -33,11 +33,10 @@ in # publicKey = "veeEoYS9a2T6K8WMs/MvRCdNJG580XbhnLfbFjp3B0M="; # allowedIPs = [ "0.0.0.0/0" "::0/0" ]; # } - # NYC { - # us276 - endpoint = "146.70.171.130:51820"; - publicKey = "78nFhfPEjrfOxBkUf2ylM7w6upYBEcHXm93sr8CMTE4="; + # se-got-wg-004 + endpoint = "185.213.154.69:51820"; + publicKey = "veGD6/aEY6sMfN3Ls7YWPmNgu3AheO7nQqsFT47YSws="; allowedIPs = [ "0.0.0.0/0" "::0/0" ]; } ]; diff --git a/modules/router.nix b/modules/router.nix index e6cbacb..a919974 100644 --- a/modules/router.nix +++ b/modules/router.nix @@ -82,6 +82,15 @@ let services.avahi.publish.hinfo = true; services.avahi.publish.userServices = true; + services.miniupnpd.enable = true; + services.miniupnpd.externalInterface = "wan-vport"; + services.miniupnpd.internalIPs = [ + "lan-vport" + ]; + services.miniupnpd.appendConfig = '' + ipv6_disable=true + ''; + networking.interfaces.eno1 = {}; networking.interfaces.eno2 = {}; networking.interfaces.wan-vport = { 
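Review bot: Enabling miniupnpd in modules/router.nix lets any host on lan-vport open inbound WAN port mappings to itself with no per-client policy, and the appended config only turns off IPv6. miniupnpd's own permission rules bound which internal addresses and port ranges may be mapped, e.g. adding `allow 1024-65535 172.20.100.0/24 1024-65535` followed by `deny 0-65535 0.0.0.0/0 0-65535` to `services.miniupnpd.appendConfig`, which keeps privileged ports and the VPN LAN (172.20.30.0/24, per the dnsmasq tags later in this file) out of reach of UPnP requests. The enclosing `let` binding continues outside the hunk.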
@@ -212,7 +221,7 @@ let "tag:lan-vport,option:router,172.20.100.1" "tag:lan-vport,option:dns-server,172.20.100.1" "tag:vpnlan-vport,option:router,172.20.30.1" - "tag:vpnlan-vport,option:dns-server,193.138.218.74"]; + "tag:vpnlan-vport,option:dns-server,10.64.0.1"]; dhcp-host = [ @@ -263,7 +272,7 @@ let ct state {established, related} counter accept meta l4proto {tcp, udp} th dport {bootps, bootpc, domain, dhcpv6-client, dhcpv6-server, ${toString vpnPort}} counter accept - iifname $LAN_INTERFACES meta l4proto {tcp, udp} th dport mdns counter accept comment "avahi/mdns" + iifname $LAN_INTERFACES meta l4proto {tcp, udp} th dport { mdns, llmnr } counter accept comment "avahi/mdns" ip protocol ipv6 counter accept comment "sit tunnel" ip protocol icmp limit rate 4/second counter accept comment "icmp v4" @@ -282,10 +291,12 @@ let chain forward { type filter hook forward priority 0; policy drop - ip protocol icmp limit rate 4/second counter accept comment "icmp v4" +ip protocol icmp limit rate 4/second counter accept comment "icmp v4" ip6 nexthdr ipv6-icmp limit rate 4/second counter accept comment "accept all ICMP types" ct state vmap { established : accept, related : accept, invalid : drop } + # For miniupnpd. + ct status dnat counter accept # Don't allow accidental vpn forwarding to wan. iifname vpnlan-vport oifname wan-vport counter reject @@ -337,6 +348,15 @@ let meta nfproto ipv6 oifname {"mullvad"} counter masquerade } } + table inet miniupnpd { + chain miniupnpd {} + chain prerouting_miniupnpd { + type nat hook prerouting priority dstnat; policy accept; + } + chain postrouting_miniupnpd { + type nat hook postrouting priority srcnat; policy accept; + } + } ''; }; in { diff --git a/modules/yubikey.nix b/modules/yubikey.nix index 1ccdab5..5c6bf7b 100644 --- a/modules/yubikey.nix +++ b/modules/yubikey.nix @@ -10,7 +10,6 @@ let yubikey-manager yubikey-personalization gnupg - pinentry ]; in { |
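Review bot: The `ct status dnat counter accept` added to the forward chain in modules/router.nix accepts every DNAT'd flow, not just miniupnpd mappings, so any other prerouting DNAT in the ruleset is now forwarded before the later interface checks run; at minimum scope it as `iifname wan-vport ct status dnat counter accept`. The `chain miniupnpd {}` declared in the new `table inet miniupnpd` has no hook and nothing jumps to it, so whatever per-mapping filter rules miniupnpd writes there are never evaluated — if those rules are meant to be honoured, the chain has to be reachable from the forward chain, which is worth checking against the table/chain layout the installed miniupnpd version documents. The same forward-chain hunk also appears to replace the indented `ip protocol icmp …` line with an unindented copy, which looks like an accidental whitespace change. The nftables string and the enclosing `let` binding continue outside the hunk.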
