this is where we're at now

This commit is contained in:
atagen 2022-12-30 13:49:11 +11:00
parent 37a11e11ff
commit 06b48475d8
7 changed files with 272 additions and 41 deletions


@ -9,7 +9,6 @@
#./wollomi.nix
# ./adrift.nix
./quiver.nix
./docker.nix
# home manager should exist for users
<home-manager/nixos>
@ -26,7 +25,9 @@
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
keep-outputs = true
keep-derivations = true
'';
environment.pathsToLink = [ "/share/zsh" ];
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.configurationLimit = 2;
@ -34,6 +35,9 @@
boot.loader.timeout = 3;
boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
boot.tmpOnTmpfs = true;
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
@ -62,10 +66,28 @@
services.xserver.libinput.enable = true;
# kde time
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.displayManager.sddm.enable = true;
services.xserver.displayManager.sddm = {
enable = true;
theme = "${(pkgs.fetchFromGitHub {
owner = "EricKotato";
repo = "sddm-slice";
rev = "763b8f4e01c00c1f8590fc7a103e14f6e8449443";
sha256 = "sha256-UW53ZdKb3RSrrcZ9GxZsJyjzS/uKR8lkaLLyi+2o27U=";
})}";
autoNumlock = true;
settings = {
General = {
InputMethod = "";
};
};
};
services.xserver.desktopManager.plasma5.runUsingSystemd = true;
# programs.xwayland.enable = true;
programs.dconf.enable = true;
services.resolved = {
enable = true;
fallbackDns = [ "103.1.206.179" "168.138.8.38" "168.138.12.137" ];
};
# Enable sound.
@ -79,21 +101,25 @@
};
# gtk compatibility
# qt5.enable = true;
# qt5.platformTheme = "gtk2";
# qt5.style = "gtk2";
qt5.enable = true;
qt5.platformTheme = "kde";
#qt5.style = "gtk2";
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
services.tailscale.enable = true;
services.mullvad-vpn.enable = true;
environment.systemPackages = with pkgs; [
rnix-lsp
tailscale
mullvad
mullvad-vpn
cachix
helix
@ -106,17 +132,56 @@
zsh
libsForQt5.sddm-kcm
];
networking.firewall = {
# allowedUDPPorts = [ 41641 ];
trustedInterfaces = [ "tailscale0" ];
checkReversePath = "loose";
networking.nftables = {
enable = true;
ruleset = ''
table inet mullvad-ts {
chain exclude-outgoing {
type route hook output priority 0; policy accept;
ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
ip daddr 100.100.100.100 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
}
chain allow-incoming {
type filter hook input priority -10; policy accept;
iif "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
}
chain exclude-dns {
type filter hook output priority -10; policy accept;
ip daddr 100.100.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
ip daddr 100.100.100.100 tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
}
}
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop comment "early drop of invalid packets"
ct state {established, related} counter accept comment "accept all connections related to connections made by us"
iifname "tailscale0" accept comment "allow all tailscale packets"
iif lo accept comment "accept loopback"
ip protocol icmp counter accept comment "accept all ICMP types"
ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
tcp dport 22 counter accept comment "accept SSH"
counter comment "count dropped packets"
}
chain forward {
type filter hook forward priority 0; policy drop;
}
}
'';
};
networking.firewall.enable = false;
# networking.firewall = {
# trustedInterfaces = [ "tailscale0" ];
# checkReversePath = "loose";
# };
system.stateVersion = "22.05"; # Did you read the comment?
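Review bot: The `allow-incoming` chain in the new `mullvad-ts` table matches on `iif "tailscale0"`, and nft resolves `iif` to an interface index when the ruleset is loaded, so if tailscale0 does not yet exist at that point (it is created by tailscaled, which normally starts after the nftables unit) the whole ruleset is rejected — and since the same hunk sets `networking.firewall.enable = false` there is no fallback, leaving the input hook with no drop policy. The `filter` table already uses the runtime name match `iifname "tailscale0"`, so the mark rule should do the same: `iifname "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;`. Separately, `tcp dport 22 counter accept comment "accept SSH"` is only ever reached by packets that did not arrive on tailscale0 (those were accepted two rules earlier), so its sole effect is to expose SSH on every other interface, including the LAN and the Mullvad tunnel; if SSH is meant to be Tailscale-only the rule can be dropped, otherwise scope it with an `iifname` or a `limit rate`. The sddm theme fetch in the earlier hunk is pinned by `rev` and `sha256`, which is the right supply-chain practice and needs no change.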