this is where we're at now

system/configuration.nix

@@ -9,7 +9,6 @@
     #./wollomi.nix
     # ./adrift.nix
     ./quiver.nix
-    ./docker.nix
 
     # home manager should exist for users
     <home-manager/nixos>
@@ -26,7 +25,9 @@
   
   nix.extraOptions = ''
     experimental-features = nix-command flakes
-    '';
+    keep-outputs = true
+    keep-derivations = true
+  '';
   environment.pathsToLink = [ "/share/zsh" ];
   boot.loader.systemd-boot.enable = true;
   boot.loader.systemd-boot.configurationLimit = 2;
@@ -34,6 +35,9 @@
   boot.loader.timeout = 3;
   
   boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
+  
+  boot.tmpOnTmpfs = true;
+
 
   networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
 
@@ -62,10 +66,28 @@
   services.xserver.libinput.enable = true;
   # kde time
   services.xserver.desktopManager.plasma5.enable = true;
-  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.displayManager.sddm = {
+    enable = true;
+    theme = "${(pkgs.fetchFromGitHub {
+      owner = "EricKotato";
+      repo = "sddm-slice";
+      rev = "763b8f4e01c00c1f8590fc7a103e14f6e8449443";
+      sha256 = "sha256-UW53ZdKb3RSrrcZ9GxZsJyjzS/uKR8lkaLLyi+2o27U=";
+    })}";
+    autoNumlock = true;
+    settings = {
+      General = {
+        InputMethod = "";
+      };
+    };
+  };
   services.xserver.desktopManager.plasma5.runUsingSystemd = true;
-  # programs.xwayland.enable = true;
   programs.dconf.enable = true;
+
+  services.resolved = {
+    enable = true;
+    fallbackDns = [ "103.1.206.179" "168.138.8.38" "168.138.12.137" ];
+  };
   
 
   # Enable sound.
@@ -79,21 +101,25 @@
   };
 
   # gtk compatibility
-  # qt5.enable = true;
-  # qt5.platformTheme = "gtk2";
-  # qt5.style = "gtk2";
+  qt5.enable = true;
+  qt5.platformTheme = "kde";
+  #qt5.style = "gtk2";
 
   programs.zsh.enable = true;
   users.defaultUserShell = pkgs.zsh;
   
   services.tailscale.enable = true;
 
+  services.mullvad-vpn.enable = true;
+
   environment.systemPackages = with pkgs; [
   
     rnix-lsp
 
     tailscale
-    
+    mullvad
+    mullvad-vpn
+
     cachix
 
     helix
@@ -106,17 +132,56 @@
 
     zsh
     
-    libsForQt5.sddm-kcm
-    
-    
   ];
   
-  
-  networking.firewall = {
-      # allowedUDPPorts = [ 41641 ];
-      trustedInterfaces = [ "tailscale0" ];
-      checkReversePath = "loose";
+  networking.nftables = {
+    enable = true;
+    ruleset = ''
+
+      table inet mullvad-ts {
+        chain exclude-outgoing {
+          type route hook output priority 0; policy accept;
+          ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+          ip daddr 100.100.100.100 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+        }
+
+        chain allow-incoming {
+          type filter hook input priority -10; policy accept;
+          iif "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+        }
+
+        chain exclude-dns {
+          type filter hook output priority -10; policy accept;
+          ip daddr 100.100.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+          ip daddr 100.100.100.100 tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+        }
+      }
+
+      table inet filter {
+      	chain input {
+      		type filter hook input priority 0; policy drop;
+      		ct state invalid counter drop comment "early drop of invalid packets"
+      		ct state {established, related} counter accept comment "accept all connections related to connections made by us"
+          iifname "tailscale0" accept comment "allow all tailscale packets"
+      		iif lo accept comment "accept loopback"
+      		ip protocol icmp counter accept comment "accept all ICMP types"
+      		ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
+      		tcp dport 22 counter accept comment "accept SSH"
+      		counter comment "count dropped packets"
+      	}
+
+      	chain forward {
+      		type filter hook forward priority 0; policy drop;
+      	}
+
+      }
+    '';
   };
+  networking.firewall.enable = false;
+  # networking.firewall = {
+  #   trustedInterfaces = [ "tailscale0" ];
+  #   checkReversePath = "loose";
+  # };
   
 
   system.stateVersion = "22.05"; # Did you read the comment?

system/quiver.nix

@@ -16,6 +16,8 @@
   
   boot.supportedFilesystems = [ "ntfs" ];
 
+  security.tpm2.enable = true;
+
   networking.useDHCP = lib.mkDefault true;
 
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@@ -29,11 +31,28 @@
   };
 
   services.xserver.videoDrivers = [ "nvidia" ];
-  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.stable;
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.beta;
+  hardware.nvidia.modesetting.enable = true;
+  hardware.nvidia.powerManagement.enable = true;
+  programs.xwayland.enable = true;
+  
+  systemd.services.noRgb = {
+    wantedBy = [ "multi-user.target" ];
+    description = "rgb led turn-off-er";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = ''${pkgs.openrgb}/bin/openrgb -c 000000'';
+    };
+  };
+  
   hardware.ckb-next.enable = true;  
   environment.systemPackages = with pkgs; [
+    xdg-desktop-portal-kde
     ckb-next
     openrgb
+    wl-clipboard
+    wl-clipboard-x11
+    xclip
   ];
 
   networking.hostName = "quiver"; # Define your hostname.
@@ -63,11 +82,15 @@
     options = [ "rw" "uid=1001" "gid=100" ];
   };
   
-  swapDevices = [ ];
+  swapDevices = [ {
+    device = "/home/swapfile";
+    size = 4096;
+    }
+  ];
 
   networking.firewall = {
     allowedUDPPorts = [ 1900 ];
-    allowedTCPPorts = [ 8200 ];
+    allowedTCPPorts = [ 8200 2234 ];
   };
 
 }

system/syspkgs/headscale-ui.nix

@@ -0,0 +1,23 @@
+{ lib, stdenv, fetchurl, unzip }:
+
+stdenv.mkDerivation rec {
+  pname = "headscale-ui";
+  version = "2022.12.23.2-beta";
+
+  src = fetchurl {
+    url = "https://github.com/gurucomputing/headscale-ui/releases/download/${version}/headscale-ui.zip";
+    sha256 = "sha256-QF10la68Rl2t0K53CH63Qiq54ynkySQACdELorZF/cY=";
+  };
+
+  nativeBuildInputs = [ unzip ];
+
+  unpackCmd = "unzip headscale-ui.zip";
+
+  dontConfigure = true;
+  dontBuild = true;
+  installPhase = ''
+    mkdir $out/
+    cp -R . $out
+  '';
+
+}