set router wlan channel; add home/{tmpfiles,nix-index.service}
parent
a6edc08515
commit
ae8efef7b0
25
flake.lock
25
flake.lock
|
@ -164,11 +164,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1688951979,
|
"lastModified": 1689556975,
|
||||||
"narHash": "sha256-5wGEXjNjlrVhP1tQUsBLjfT64uQ+b+jgc57MK/IvsW8=",
|
"narHash": "sha256-0rft9zKuYa3dDpMywFHUTUl7+fKu7P9u8lsA1esMndA=",
|
||||||
"owner": "fufexan",
|
"owner": "fufexan",
|
||||||
"repo": "nix-gaming",
|
"repo": "nix-gaming",
|
||||||
"rev": "0bf7751f831cd2bd17b54805b96f91fadf00aca2",
|
"rev": "779075ec32036efc14fbcaa9a328bba860e964c6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -202,7 +202,9 @@
|
||||||
"nixpkgs-22_11": [
|
"nixpkgs-22_11": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
],
|
||||||
"nixpkgs-23_05": "nixpkgs-23_05",
|
"nixpkgs-23_05": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
"utils": "utils"
|
"utils": "utils"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -255,21 +257,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-23_05": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1684782344,
|
|
||||||
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
|
|
||||||
"owner": "NixOS",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"id": "nixpkgs",
|
|
||||||
"ref": "nixos-23.05",
|
|
||||||
"type": "indirect"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs-lib": {
|
"nixpkgs-lib": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"dir": "lib",
|
"dir": "lib",
|
||||||
|
|
|
@ -38,7 +38,10 @@
|
||||||
nixos-mailserver = {
|
nixos-mailserver = {
|
||||||
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
|
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
# prevent extra input from being in flake.lock
|
||||||
|
# (this doesn't affect any behavior)
|
||||||
inputs.nixpkgs-22_11.follows = "nixpkgs";
|
inputs.nixpkgs-22_11.follows = "nixpkgs";
|
||||||
|
inputs.nixpkgs-23_05.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
flake-compat = {
|
flake-compat = {
|
||||||
url = "github:edolstra/flake-compat";
|
url = "github:edolstra/flake-compat";
|
||||||
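Review bot: The new comment `# (this doesn't affect any behavior)` above `inputs.nixpkgs-23_05.follows = "nixpkgs";` asserts more than the hunk can show: a `follows` changes which nixpkgs the mailserver flake's `nixpkgs-23_05` input resolves to, so it is only behaviour-neutral if nixos-mailserver uses that input solely for its own checks and not in the exported module. Worth confirming against that flake and softening to `# (should not change the exported module; nixos-mailserver appears to use these inputs only for its own tests — verify)`. Separately, the accompanying lock update moves the `nix-gaming` input from `0bf7751f…` to `779075ec…`, which the commit title does not mention; for a reviewable supply-chain trail an unrelated input bump is better landed as its own commit. The file header for this hunk is not visible, so the path is inferred to be flake.nix.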
|
|
|
@ -16,6 +16,14 @@
|
||||||
s = "sudo -A";
|
s = "sudo -A";
|
||||||
se = "sudo -AE";
|
se = "sudo -AE";
|
||||||
l = "lsd";
|
l = "lsd";
|
||||||
|
g = "git";
|
||||||
|
gp = "git push";
|
||||||
|
gpuo = "git push -u origin";
|
||||||
|
gr = "git rebase";
|
||||||
|
gri = "git rebase -i";
|
||||||
|
gc = "git commit";
|
||||||
|
gca = "git commit --amend";
|
||||||
|
gm = "git merge";
|
||||||
};
|
};
|
||||||
|
|
||||||
programs = {
|
programs = {
|
||||||
|
@ -90,7 +98,9 @@
|
||||||
package = pkgs.gitAndTools.gitFull;
|
package = pkgs.gitAndTools.gitFull;
|
||||||
delta.enable = true;
|
delta.enable = true;
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
|
# disable the atrocious gui password prompt
|
||||||
core.askPass = "";
|
core.askPass = "";
|
||||||
|
# ...and prefer getting passwords from libsecret (and storing them there)
|
||||||
credential.helper = "${pkgs.gitAndTools.gitFull}/bin/git-credential-libsecret";
|
credential.helper = "${pkgs.gitAndTools.gitFull}/bin/git-credential-libsecret";
|
||||||
init.defaultBranch = "master";
|
init.defaultBranch = "master";
|
||||||
};
|
};
|
||||||
|
@ -130,16 +140,156 @@
|
||||||
mutableKeys = true;
|
mutableKeys = true;
|
||||||
mutableTrust = true;
|
mutableTrust = true;
|
||||||
};
|
};
|
||||||
nix-index.enable = true;
|
|
||||||
readline = {
|
readline = {
|
||||||
enable = true;
|
enable = true;
|
||||||
variables.editing-mode = "vi";
|
variables.editing-mode = "vi";
|
||||||
};
|
};
|
||||||
|
nix-index = {
|
||||||
|
enable = true;
|
||||||
|
# don't add pkgs.nix to PATH
|
||||||
|
# use the nix that's already in PATH
|
||||||
|
# (because I use nix plugins and plugins are nix version-specific)
|
||||||
|
package = pkgs.nix-index-unwrapped;
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.user.timers.nix-index = {
|
||||||
|
Install.WantedBy = [ "timers.target" ];
|
||||||
|
Unit = {
|
||||||
|
Description = "Update nix-index";
|
||||||
|
PartOf = [ "nix-index.service" ];
|
||||||
|
};
|
||||||
|
Timer = {
|
||||||
|
OnCalendar = "Mon *-*-* 00:00:00";
|
||||||
|
RandomizedDelaySec = 600;
|
||||||
|
Persistent = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.user.services.nix-index = {
|
||||||
|
Unit.Description = "Update nix-index";
|
||||||
|
Service = {
|
||||||
|
Type = "oneshot";
|
||||||
|
ExecStart = "${config.programs.nix-index.package}/bin/nix-index";
|
||||||
|
Environment = [ "PATH=/home/${config.home.username}/.nix-profile/bin:/etc/profiles/per-user/${config.home.username}/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin" ];
|
||||||
|
TimeoutStartSec = 1800;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.user.tmpfiles.rules = builtins.map (file: "r! \"/home/${config.home.username}/${file}\"") [
|
||||||
|
".local/share/clipman.json"
|
||||||
|
".local/state/lesshst" # I don't need less search history to persist across boots...
|
||||||
|
".Xauthority"
|
||||||
|
".sqlite_history"
|
||||||
|
".local/share/krunnerstaterc"
|
||||||
|
".local/share/user-places.xbel.bak"
|
||||||
|
".local/share/user-places.xbel.tbcache"
|
||||||
|
".config/mimeapps.list"
|
||||||
|
".config/ncmpcpp/error.log"
|
||||||
|
".config/mozc/.server.lock"
|
||||||
|
".config/mozc/.session.ipc"
|
||||||
|
".config/mozc/.registry.db" # usage stats (seemingly disabled on my machine)
|
||||||
|
".config/looking-glass/imgui.ini"
|
||||||
|
".config/QtProject.conf"
|
||||||
|
".steampid"
|
||||||
|
".steampath"
|
||||||
|
".config/.xash_id"
|
||||||
|
".config/proton.conf"
|
||||||
|
".local/state/nvim/lsp.log" # this is never cleared...
|
||||||
|
".config/pavucontrol.ini"
|
||||||
|
] ++ builtins.map (dir: "e! \"/home/${config.home.username}/${dir}/\" - - - 60d") [
|
||||||
|
".cache"
|
||||||
|
".local/share/qalculate"
|
||||||
|
".local/share/nvfetcher"
|
||||||
|
".gradle"
|
||||||
|
".openjfx"
|
||||||
|
".mono"
|
||||||
|
".local/share/Trash"
|
||||||
|
".config/wireshark"
|
||||||
|
".config/qt5ct"
|
||||||
|
".config/procps"
|
||||||
|
".config/neofetch"
|
||||||
|
".config/matplotlib"
|
||||||
|
".local/share/arti"
|
||||||
|
# I use this dir as dumping grounds for random stuff
|
||||||
|
"tmp"
|
||||||
|
# games stuff
|
||||||
|
".local/share/vulkan"
|
||||||
|
".steam"
|
||||||
|
".paradoxlauncher"
|
||||||
|
".local/share/StardewValley" # only logs here
|
||||||
|
".local/share/GOG.com"
|
||||||
|
".local/share/Paradox Interactive/launcher-v2"
|
||||||
|
# faf
|
||||||
|
".com.faforever.client.FafClientApplication"
|
||||||
|
".org.testfx.toolkit.PrimaryStageApplication"
|
||||||
|
".faforever/logs"
|
||||||
|
# whatever this is (has a single file named cookie)
|
||||||
|
".config/pulse"
|
||||||
|
# Nextcloud logs
|
||||||
|
".config/Nextcloud/logs"
|
||||||
|
".local/share/Nextcloud"
|
||||||
|
# this might seem useful, but it's only for temporary dbus files actually
|
||||||
|
".config/fcitx"
|
||||||
|
".config/ibus"
|
||||||
|
# fcitx themes (come on would I ever theme something non-declaratively)
|
||||||
|
".local/share/fcitx5"
|
||||||
|
# RGB tooling that I barely use
|
||||||
|
".config/OpenRGB"
|
||||||
|
".config/ario"
|
||||||
|
# I don't use Firefox, I use Librewolf
|
||||||
|
".mozilla"
|
||||||
|
# dev stuff
|
||||||
|
".local/share/tvix"
|
||||||
|
".cargo"
|
||||||
|
".npm"
|
||||||
|
# just when I thought ~ pollution couldn't get worse...
|
||||||
|
"go"
|
||||||
|
# android studio and related
|
||||||
|
".local/share/android"
|
||||||
|
".local/share/Google"
|
||||||
|
".java"
|
||||||
|
".local/share/Sentry"
|
||||||
|
".android/cache"
|
||||||
|
".m2"
|
||||||
|
# chromium
|
||||||
|
".config/chromium"
|
||||||
|
".config/cef_user_data"
|
||||||
|
".pki"
|
||||||
|
# a lib used by glow
|
||||||
|
".local/share/charm"
|
||||||
|
# I barely use FreeCAD, don't need its files
|
||||||
|
".config/FreeCAD"
|
||||||
|
".local/share/FreeCAD"
|
||||||
|
# some useless gui config
|
||||||
|
".config/gtk-2.0"
|
||||||
|
".config/gtk-3.0"
|
||||||
|
".config/kde.org"
|
||||||
|
# QtWebEngine cache
|
||||||
|
".local/share/Anki"
|
||||||
|
# kde connect contacts
|
||||||
|
".local/share/kpeoplevcard"
|
||||||
|
# repl history
|
||||||
|
".local/share/nix"
|
||||||
|
# iwctl history
|
||||||
|
".local/share/iwctl"
|
||||||
|
# non-home-manager-managed files
|
||||||
|
".local/share/applications"
|
||||||
|
".local/share/icons"
|
||||||
|
".local/share/mime"
|
||||||
|
".config/autostart"
|
||||||
|
# logs
|
||||||
|
".local/share/xorg"
|
||||||
|
# if I forgot it, it probably wasn't important
|
||||||
|
"Downloads"
|
||||||
|
] ++ builtins.map (dir: "x \"/home/${config.home.username}/${dir}/\"") [
|
||||||
|
# WHY DOES THIS KEEP PART OF THE CONFIG
|
||||||
|
".cache/keepassxc"
|
||||||
|
];
|
||||||
|
|
||||||
home.packages = with pkgs; [
|
home.packages = with pkgs; [
|
||||||
rclone sshfs fuse
|
rclone sshfs fuse
|
||||||
file jq python3Full killall
|
file jq python3Full killall
|
||||||
appimage-run comma nix-output-monitor
|
appimage-run comma nix-output-monitor
|
||||||
|
unzip p7zip unrar-wrapper
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
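Review bot: In the new `systemd.user.tmpfiles.rules` and in the service's `Environment` PATH the home directory is hard-coded as `/home/${config.home.username}`, so every rule silently misses if the user's home is elsewhere; `${config.home.homeDirectory}` (or the tmpfiles specifier `%h`, which resolves to the invoking user's home in `--user` mode) avoids that, e.g. `builtins.map (file: "r! \"${config.home.homeDirectory}/${file}\"")`. The `e! … 60d` rules also recurse into directories that hold credentials rather than caches — `.cargo` (registry token in `credentials.toml`, installed binaries) and `.pki` (Chromium's NSS database with any client certificates and keys) — and age-pruning single files out of an NSS database can leave it inconsistent; if that is not intended, an `x` exclusion like the one added for `.cache/keepassxc` (`".pki/nssdb"` in the last list) keeps them. The `PartOf = [ "nix-index.service" ]` on the timer is unusual for a oneshot target; it only propagates stop/restart jobs so it is probably harmless, but a comment stating why it is there would help the next reader. The file header for this section is not visible, so the path is inferred to be under home/.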
|
|
|
@ -265,6 +265,8 @@ in rec {
|
||||||
COMMON_CLK_MEDIATEK_FHCTL = yes;
|
COMMON_CLK_MEDIATEK_FHCTL = yes;
|
||||||
COMMON_CLK_MT7986 = yes;
|
COMMON_CLK_MT7986 = yes;
|
||||||
COMMON_CLK_MT7986_ETHSYS = yes;
|
COMMON_CLK_MT7986_ETHSYS = yes;
|
||||||
|
CPU_THERMAL = yes;
|
||||||
|
THERMAL_OF = yes;
|
||||||
EINT_MTK = yes;
|
EINT_MTK = yes;
|
||||||
MEDIATEK_GE_PHY = yes;
|
MEDIATEK_GE_PHY = yes;
|
||||||
MEDIATEK_WATCHDOG = yes;
|
MEDIATEK_WATCHDOG = yes;
|
||||||
|
|
|
@ -282,8 +282,8 @@ in {
|
||||||
hostapd.settings = {
|
hostapd.settings = {
|
||||||
inherit (cfg) ssid;
|
inherit (cfg) ssid;
|
||||||
hw_mode = "g";
|
hw_mode = "g";
|
||||||
channel = 1;
|
channel = 3;
|
||||||
chanlist = [ 1 ];
|
chanlist = [ 3 ];
|
||||||
supported_rates = [ 60 90 120 180 240 360 480 540 ];
|
supported_rates = [ 60 90 120 180 240 360 480 540 ];
|
||||||
basic_rates = [ 60 120 240 ];
|
basic_rates = [ 60 120 240 ];
|
||||||
ht_capab = "[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935]";
|
ht_capab = "[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935]";
|
||||||
|
@ -297,8 +297,8 @@ in {
|
||||||
ssid = "${cfg.ssid}_5G";
|
ssid = "${cfg.ssid}_5G";
|
||||||
ieee80211h = true;
|
ieee80211h = true;
|
||||||
hw_mode = "a";
|
hw_mode = "a";
|
||||||
channel = 36;
|
channel = 60;
|
||||||
chanlist = [ 36 ];
|
chanlist = [ 60 ];
|
||||||
tx_queue_data2_burst = 2;
|
tx_queue_data2_burst = 2;
|
||||||
ht_capab = "[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935]";
|
ht_capab = "[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935]";
|
||||||
vht_oper_chwidth = 1; # 80mhz ch width
|
vht_oper_chwidth = 1; # 80mhz ch width
|
||||||
|
@ -344,7 +344,20 @@ in {
|
||||||
];
|
];
|
||||||
systemdLinkLinkConfig.MACAddressPolicy = "none";
|
systemdLinkLinkConfig.MACAddressPolicy = "none";
|
||||||
systemdLinkLinkConfig.MACAddress = cfg.routerMac;
|
systemdLinkLinkConfig.MACAddress = cfg.routerMac;
|
||||||
dhcpcd.enable = true;
|
dhcpcd = {
|
||||||
|
enable = true;
|
||||||
|
# technically this should be assigned to br0 instead of veth-wan-b
|
||||||
|
# however, br0 is in a different namespace!
|
||||||
|
# Considering this doesn't work at all because my ISP doesn't offer IPv6,
|
||||||
|
# I'd say this is "good enough" since it might still work in the wan
|
||||||
|
# namespace, though I can't test it.
|
||||||
|
extraConfig = ''
|
||||||
|
interface wan
|
||||||
|
ipv6rs
|
||||||
|
ia_na 0
|
||||||
|
ia_pd 1 veth-wan-b/0
|
||||||
|
'';
|
||||||
|
};
|
||||||
networkNamespace = "wan";
|
networkNamespace = "wan";
|
||||||
};
|
};
|
||||||
# disable default firewall as it uses iptables
|
# disable default firewall as it uses iptables
|
||||||
|
@ -465,8 +478,9 @@ in {
|
||||||
allow_iot4 = add set { type = f: f.ipv4_addr; flags = f: with f; [ interval ]; };
|
allow_iot4 = add set { type = f: f.ipv4_addr; flags = f: with f; [ interval ]; };
|
||||||
allow_iot6 = add set { type = f: f.ipv6_addr; flags = f: with f; [ interval ]; };
|
allow_iot6 = add set { type = f: f.ipv6_addr; flags = f: with f; [ interval ]; };
|
||||||
|
|
||||||
# TODO: is type=route hook=output better? it might help get rid of the routing inconsistency
|
# TODO: is type=route hook=output better? It might help get rid of the routing inconsistency
|
||||||
# between router-originated and forwarded traffic
|
# between router-originated and forwarded traffic. The problem is type=route is only supported
|
||||||
|
# for family=inet, so I don't care enough to test it right now.
|
||||||
prerouting = add chain { type = f: f.filter; hook = f: f.prerouting; prio = f: f.filter; policy = f: f.accept; } ([
|
prerouting = add chain { type = f: f.filter; hook = f: f.prerouting; prio = f: f.filter; policy = f: f.accept; } ([
|
||||||
[(mangle meta.mark ct.mark)]
|
[(mangle meta.mark ct.mark)]
|
||||||
[(is.ne meta.mark 0) accept]
|
[(is.ne meta.mark 0) accept]
|
||||||
|
|