it is what it is

system/configuration.nix

@@ -87,6 +87,7 @@
   services.resolved = {
     enable = true;
     fallbackDns = [ "103.1.206.179" "168.138.8.38" "168.138.12.137" ];
+    dnssec = "false";
   };
   
 
@@ -110,15 +111,11 @@
   
   services.tailscale.enable = true;
 
-  services.mullvad-vpn.enable = true;
-
   environment.systemPackages = with pkgs; [
   
     rnix-lsp
 
     tailscale
-    mullvad
-    mullvad-vpn
 
     cachix
 
@@ -131,57 +128,46 @@
     git
 
     zsh
+
+    nix-index
+    comma
     
   ];
   
-  networking.nftables = {
-    enable = true;
-    ruleset = ''
-
-      table inet mullvad-ts {
-        chain exclude-outgoing {
-          type route hook output priority 0; policy accept;
-          ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
-          ip daddr 100.100.100.100 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+  networking.wg-quick.interfaces = {
+    mullvad = {
+      address = [ "10.66.224.186/32" ];
+      dns = [ "10.64.0.1" ];
+      privateKey = "WD0CNYazB8D19SJvwz/TdPqoWgWCGfTwA7mim16q7UM=";
+      peers = [
+        {
+          publicKey = "kOpdNLq/ePrlc2wXGinRvbQWRhy755cZ4G4S7xwsKiw=";
+          allowedIPs = [ "0.0.0.0/0" ];
+          endpoint = "43.245.162.234:51820";
+          persistentKeepalive = 25;
         }
-
-        chain allow-incoming {
-          type filter hook input priority -10; policy accept;
-          iif "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
-        }
-
-        chain exclude-dns {
-          type filter hook output priority -10; policy accept;
-          ip daddr 100.100.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
-          ip daddr 100.100.100.100 tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
-        }
-      }
-
-      table inet filter {
-      	chain input {
-      		type filter hook input priority 0; policy drop;
-      		ct state invalid counter drop comment "early drop of invalid packets"
-      		ct state {established, related} counter accept comment "accept all connections related to connections made by us"
-          iifname "tailscale0" accept comment "allow all tailscale packets"
-      		iif lo accept comment "accept loopback"
-      		ip protocol icmp counter accept comment "accept all ICMP types"
-      		ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
-      		tcp dport 22 counter accept comment "accept SSH"
-      		counter comment "count dropped packets"
-      	}
-
-      	chain forward {
-      		type filter hook forward priority 0; policy drop;
-      	}
-
-      }
-    '';
+      ];
+    };
   };
+  
   networking.firewall.enable = false;
-  # networking.firewall = {
-  #   trustedInterfaces = [ "tailscale0" ];
-  #   checkReversePath = "loose";
-  # };
+  networking.firewall = {
+    trustedInterfaces = [ "tailscale0" ];
+    checkReversePath = "loose";
+  };
+
+  systemd.services.fixNetworkingForTailscaleGodDamnit = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" "wg-quick-mullvad.service" ];
+    description = "fix the damn routing table";
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+      ExecStart = ''${pkgs.bash}/bin/bash -c 'if [[ "$( ${pkgs.iproute2}/bin/ip rule | grep -e "62:.*52" | wc -l)" -eq 0 ]]; then ${pkgs.iproute2}/bin/ip rule add pref 62 table 52; fi'''';
+      # ExecStop = ''${pkgs.iproute2}/bin/ip rule del pref 62 table 52'';
+    };
+  };
+
   
 
   system.stateVersion = "22.05"; # Did you read the comment?

system/quiver.nix

@@ -44,8 +44,17 @@
       ExecStart = ''${pkgs.openrgb}/bin/openrgb -c 000000'';
     };
   };
+
+  services.ananicy = {
+    enable = true;
+    package = pkgs.ananicy-cpp;
+    settings = {
+      check_freq = 5;
+    };
+  };
   
   hardware.ckb-next.enable = true;  
+  
   environment.systemPackages = with pkgs; [
     xdg-desktop-portal-kde
     ckb-next