From f605c9c843c5033e325931ed2dc3664e0cbcbf5d Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Mon, 8 Mar 2021 17:39:28 -0500
Subject: Disable jack audio on firelink
---
 machines/firelink.nix | 34 +++++++++++++++++-----------------
 modules/simple-firewall.nix | 11 ++++++-----
 2 files changed, 23 insertions(+), 22 deletions(-)
diff --git a/machines/firelink.nix b/machines/firelink.nix
index 6276ffe..ca35fc9 100644
--- a/machines/firelink.nix
+++ b/machines/firelink.nix
@@ -58,11 +58,11 @@ in
 enable = true;
 extraModules = [ pkgs.pulseaudio-modules-bt ];
 package = lib.mkForce pkgs.pulseaudioFull;
- extraConfig = ''
- load-module module-dbus-protocol
- load-module module-jack-sink channels=2
- load-module module-jack-source channels=1
- '';
+ # extraConfig = ''
+ # load-module module-dbus-protocol
+ # load-module module-jack-sink channels=2
+ # load-module module-jack-source channels=1
+ # '';
 systemWide = true;
 # configFile = pkgs.writeText "default.pa" ''
 # load-module module-bluetooth-policy
@@ -75,12 +75,12 @@ in
 # '';
 };
 systemd.services.pulseaudio = {
- environment."JACK_PROMISCUOUS_SERVER" = "jackaudio";
+ # environment."JACK_PROMISCUOUS_SERVER" = "jackaudio";
 serviceConfig = {
 LimitMEMLOCK = "infinity";
 };
 };
- users.extraUsers.pulse.extraGroups = [ "jackaudio" ];
+ # users.extraUsers.pulse.extraGroups = [ "jackaudio" ];
 networking.firewall.allowedTCPPorts = [ 22 4713 ];
 networking.networkmanager.enable = true;
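Review bot: The JACK settings in the `@@ -58,11` hunk are commented out rather than deleted, and the same is done to `JACK_PROMISCUOUS_SERVER` and the `pulse` group line in `@@ -75,12` and to the `services.jack` block and both `jackaudio` group lines in `@@ -104,18`. Commented-out configuration makes it harder to audit which services and group memberships are actually in effect on the host, and the previous values stay recoverable from version control anyway. I would delete the lines and, if JACK is expected to return, leave a single pointer such as `# JACK integration removed; see git history for the previous extraConfig`. The enclosing PulseAudio attribute set starts before the hunk.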
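Review bot: In the `@@ -75,12` hunk the JACK environment variable is disabled, but the unchanged context still grants `LimitMEMLOCK = "infinity";` to the system-wide PulseAudio service and still opens TCP 4713 in `networking.firewall.allowedTCPPorts`. No line visible in this diff loads a network protocol module (the `configFile` block is commented out and `extraConfig` is now disabled), so the open port may no longer have a listener behind it; that is an inference from the visible lines only. If nothing else needs them, tighten both in the same change, e.g. `networking.firewall.allowedTCPPorts = [ 22 ];`, and drop the memlock override if it was only there for JACK. Otherwise add a comment saying what still depends on each.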
@@ -104,18 +104,18 @@ in
 value = "1048576";
 }];
- virtualisation.libvirtd.enable = true;
+ # virtualisation.libvirtd.enable = true;
 # virtualisation.virtualbox.host.enable = true;
- virtualisation.virtualbox.host.enableExtensionPack = true;
+ # virtualisation.virtualbox.host.enableExtensionPack = true;
- services.jack = {
- jackd.enable = true;
- jackd.extraOptions = [ "-dalsa" "-dhw:M2" ];
- alsa.enable = false;
- loopback.enable = true;
- };
- users.extraUsers.guest.extraGroups = [ "jackaudio" ];
- users.extraUsers.orbekk.extraGroups = [ "jackaudio" ];
+ # services.jack = {
+ # jackd.enable = true;
+ # jackd.extraOptions = [ "-dalsa" "-dhw:M2" ];
+ # alsa.enable = false;
+ # loopback.enable = true;
+ # };
+ # users.extraUsers.guest.extraGroups = [ "jackaudio" ];
+ # users.extraUsers.orbekk.extraGroups = [ "jackaudio" ];
 # Streaming test
 # services.nginx.enable = true;
diff --git a/modules/simple-firewall.nix b/modules/simple-firewall.nix
index 2585a5d..f2b4405 100644
--- a/modules/simple-firewall.nix
+++ b/modules/simple-firewall.nix
@@ -24,6 +24,7 @@ in
 config = lib.mkIf cfg.enable {
 networking.firewall.enable = lib.mkForce false;
+ boot.blacklistedKernelModules = ["ip_tables"];
 networking.nftables.enable = true;
 networking.nftables.ruleset =
@@ -51,13 +52,13 @@ in
 ct state {established, related} accept
- ip protocol icmp limit rate 4/second counter accept
- ip6 nexthdr ipv6-icmp limit rate 4/second counter accept
+ ip protocol icmp limit rate 4/second counter name icmp-allowed accept
+ ip6 nexthdr ipv6-icmp limit rate 4/second counter name icmp6-allowed accept
- tcp dport @allowed_tcp_ports counter accept
- udp dport @allowed_udp_ports counter accept
+ tcp dport @allowed_tcp_ports counter name tcp-allowed accept
+ udp dport @allowed_udp_ports counter name udp-allowed accept
- counter drop
+ counter name dropped drop
 }
 chain output {
-- cgit v1.2.3
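Review bot: The `@@ -104,18` hunk also turns off `virtualisation.libvirtd.enable` and `virtualisation.virtualbox.host.enableExtensionPack`, which the subject "Disable jack audio on firelink" does not mention and the file gives no reason for. It may be related to the `ip_tables` blacklist added in modules/simple-firewall.nix, since libvirtd commonly manages iptables rules, but nothing on the page confirms that. Either split these lines into their own commit or record the reason next to them, e.g. `# libvirtd disabled: <reason>`, so a later re-enable does not silently undo a firewall decision.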
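Review bot: In the `@@ -24,6` hunk, `boot.blacklistedKernelModules = ["ip_tables"];` is added without a comment and covers only the IPv4 module, although the ruleset below also filters IPv6. As far as I know a modprobe blacklist only suppresses alias-based auto-loading, so a tool that requests the module by name can still load it; it reduces accidental mixing of iptables and nftables rules but does not guarantee it. I would write `boot.blacklistedKernelModules = [ "ip_tables" "ip6_tables" ];` and put `# nftables only: keep the legacy iptables modules from being auto-loaded alongside this ruleset` above it. The `config` block continues past the hunk.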
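Review bot: The rules in the `@@ -51,13` hunk now reference named counters (`counter name icmp-allowed`, `icmp6-allowed`, `tcp-allowed`, `udp-allowed`, `dropped`), but neither hunk of this file adds a matching declaration. Named counters in nftables are table-level objects that must exist before a rule can reference them, so unless they are already declared in a part of the ruleset outside this diff, loading the ruleset will fail. Because this module forces `networking.firewall.enable` to false, a ruleset that fails to load could leave the host with no packet filter at all. Declare each counter at table level, e.g. `counter icmp-allowed { }` and likewise for the other four, and check the generated file with `nft -c -f` before deploying. The chain and table headers lie outside the hunk.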