From a82a616f112f1ac788d85172bf6a1d87abb1222d Mon Sep 17 00:00:00 2001
From: cy
Date: Sun, 23 Feb 2025 18:11:19 -0500
Subject: [PATCH] cleanup overlays, don't use prezto, remove wireguard code, some time and network stuff
---
 flake.lock | 17 -----------------
 flake.nix | 3 ---
 home/zsh/default.nix | 9 +++++----
 hosts/chunk/default.nix | 19 +++++--------------
 hosts/chunk/rclone.nix | 4 +---
 hosts/common.nix | 33 +++++++++++++++++++++++---------
 hosts/ytnix/default.nix | 42 ++++++++++-------------------------------
 7 files changed, 45 insertions(+), 82 deletions(-)
diff --git a/flake.lock b/flake.lock
index b808228..2042b1e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,21 +1,5 @@
 {
 "nodes": {
- "anki": {
- "locked": {
- "lastModified": 1739471491,
- "narHash": "sha256-ZCKWgsNqKWkVOAQFaFSmK3EN/uDdamNOcSItzvooWYs=",
- "owner": "cything",
- "repo": "nixpkgs",
- "rev": "1562f5286858b3c1e5ea7e60f4bf6b3578519248",
- "type": "github"
- },
- "original": {
- "owner": "cything",
- "repo": "nixpkgs",
- "rev": "1562f5286858b3c1e5ea7e60f4bf6b3578519248",
- "type": "github"
- }
- },
 "attic": {
 "inputs": {
 "crane": "crane",
@@ -1281,7 +1265,6 @@
 },
 "root": {
 "inputs": {
- "anki": "anki",
 "conduwuit": "conduwuit",
 "crane": "crane_2",
 "disko": "disko",
diff --git a/flake.nix b/flake.nix
index f0989ac..13c9409 100644
--- a/flake.nix
+++ b/flake.nix
@@ -100,9 +100,6 @@
 flake-utils.url = "github:numtide/flake-utils";
 crane.url = "github:ipetkov/crane";
 flake-compat.url = "github:edolstra/flake-compat";
-
- # unmerged PRs
- anki.url = "github:cything/nixpkgs/1562f5286858b3c1e5ea7e60f4bf6b3578519248";
 };
 nixConfig = {
diff --git a/home/zsh/default.nix b/home/zsh/default.nix
index 1652219..0697fbc 100644
--- a/home/zsh/default.nix
+++ b/home/zsh/default.nix
@@ -37,10 +37,11 @@
 searchDownKey = "^n";
 };
- prezto = {
- enable = true;
- caseSensitive = false;
- };
+ # prezto = {
+ # enable = true;
+ # caseSensitive = false;
+ # editor.keymap = "vi";
+ # };
 initExtra = ''
 # disable control+s to pause terminal
diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix
index aeb7906..acae89a 100644
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@@ -10,13 +10,11 @@
 ./backup.nix
 ./rclone.nix
 ./postgres.nix
- ./wireguard.nix
 ./adguard.nix
 ./hedgedoc.nix
 ./miniflux.nix
 ./redlib.nix
 ./vaultwarden.nix
- ./wireguard.nix
 ./grafana.nix
 ./conduwuit.nix
 ./immich.nix
@@ -48,15 +46,6 @@
 "hedgedoc/env" = {
 sopsFile = ../../secrets/services/hedgedoc.yaml;
 };
- "wireguard/private" = {
- sopsFile = ../../secrets/wireguard/chunk.yaml;
- };
- "wireguard/psk-yt" = {
- sopsFile = ../../secrets/wireguard/chunk.yaml;
- };
- "wireguard/psk-phone" = {
- sopsFile = ../../secrets/wireguard/chunk.yaml;
- };
 "miniflux/env" = {
 sopsFile = ../../secrets/services/miniflux.yaml;
 };
@@ -100,11 +89,13 @@
 ];
 allowedUDPPorts = [
 443
- 51820
 53
 853
- ]; # 51820 is wireguard
- trustedInterfaces = [ "wg0" ];
+ ];
+ extraCommands = ''
+ iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1
+ iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tor.service" -j MARK --set-mark 2
+ '';
 };
 networking.interfaces.ens18 = {
 ipv6.addresses = [
diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix
index be833af..4b33e34 100644
--- a/hosts/chunk/rclone.nix
+++ b/hosts/chunk/rclone.nix
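Review bot: In home/zsh/default.nix the `prezto` block is left behind as commented-out code, and the commented copy gains an `editor.keymap = "vi";` line that was never active, so the file no longer shows which prezto settings last worked. Deleting the block (git history keeps it) or replacing it with a single line such as `# prezto disabled: <reason>` would read more clearly. The enclosing zsh attribute set starts and ends outside the hunk.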
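Review bot: The two `iptables -t mangle -A OUTPUT` rules added under `extraCommands` in hosts/chunk/default.nix (hunk `@@ -100,11 +89,13 @@`) mark IPv4 packets only, while the same hunk shows `ipv6.addresses` configured on ens18, so IPv6 traffic from tailscaled and tor leaves unmarked and whatever policy keys on marks 1 and 2 would presumably not see it. The rules are appended with `-A` and nothing visible removes them, so a firewall restart may stack duplicate rules unless matching `-D` lines are placed in `extraStopCommands`. Nothing in the hunk consumes the marks, so a comment naming the routing rule or filter that does would help the next reader. The `firewall` attribute set opens before the hunk.

```nix
extraCommands = ''
  # … unchanged: the two iptables MARK rules for tailscaled and tor …
  ip6tables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1
  ip6tables -t mangle -A OUTPUT -m cgroup --path "system.slice/tor.service" -j MARK --set-mark 2
'';
# delete the marks again so a firewall restart does not leave duplicates behind
extraStopCommands = ''
  iptables -t mangle -D OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1 2>/dev/null || true
  iptables -t mangle -D OUTPUT -m cgroup --path "system.slice/tor.service" -j MARK --set-mark 2 2>/dev/null || true
  ip6tables -t mangle -D OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1 2>/dev/null || true
  ip6tables -t mangle -D OUTPUT -m cgroup --path "system.slice/tor.service" -j MARK --set-mark 2 2>/dev/null || true
'';
```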
@@ -34,7 +34,7 @@
 ExecStartPre = "/usr/bin/env mkdir -p /mnt/attic";
 ExecStart = "${lib.getExe pkgs.rclone} mount --config ${
 config.sops.secrets."rclone/config".path
- } --cache-dir /var/cache/rclone --transfers=32 --checkers=32 --vfs-cache-mode writes --vfs-cache-max-size 15G --allow-other rsyncnet:attic /mnt/attic ";
+ } --cache-dir /var/cache/rclone --transfers=32 --checkers=32 --vfs-cache-mode writes --vfs-cache-max-size 2G --allow-other rsyncnet:attic /mnt/attic ";
 ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/attic";
 };
 };
@@ -55,6 +55,4 @@
 ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/garage";
 };
 };
-
- programs.fuse.userAllowOther = true;
 }
diff --git a/hosts/common.nix b/hosts/common.nix
index c4bc548..a891665 100644
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -41,15 +41,30 @@
 '';
 registry.nixpkgs.flake = inputs.nixpkgs;
 };
- time.timeZone = "America/Toronto";
- networking.firewall.logRefusedConnections = false;
- networking.nameservers = [
- # quad9
- "2620:fe::fe"
- "2620:fe::9"
- "9.9.9.9"
- "149.112.112.112"
- ];
+
+ time.timeZone = "America/New_York";
+ networking = {
+ firewall.logRefusedConnections = false;
+ nameservers = [
+ # quad9
+ "2620:fe::fe"
+ "2620:fe::9"
+ "9.9.9.9"
+ "149.112.112.112"
+ ];
+ timeServers = [
+ "ntppool1.time.nl"
+ "nts.netnod.se"
+ "ptbtime1.ptb.de"
+ "ohio.time.system76.com"
+ "time.txryan.com"
+ "time.dfm.dk"
+ ];
+ };
+ services.chrony = {
+ enable = true;
+ enableNTS = true;
+ };
 # this is true by default and mutually exclusive with
 # programs.nix-index
diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix
index 0fd41cf..b936a8b 100644
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
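Review bot: The attic mount in hosts/chunk/rclone.nix still passes `--allow-other` on the rewritten `ExecStart` line, while the last hunk of this file removes `programs.fuse.userAllowOther = true;`. FUSE accepts allow_other from a non-root mounter only when `user_allow_other` is set in /etc/fuse.conf, so the mounts keep working only if these units run as root; the unit's `User=` setting is outside the hunk, so that is worth confirming. Because `--allow-other` opens the mounted storage to every local account, a comment next to the flag such as `# allow-other: needed so <service> can read the mount` (placeholder service name) would record why it stays.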
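Review bot: `services.chrony.enableNTS = true` in hosts/common.nix applies to the whole `networking.timeServers` list, so each of the six hosts has to keep offering NTS and a later plain-NTP entry would not be usable as a source. A comment above the list, e.g. `# every entry must support NTS (services.chrony.enableNTS)`, would make that constraint visible. NTS key establishment also depends on name resolution through the plain-DNS `nameservers` above and on a clock close enough for certificate validation, so a machine that boots with a badly wrong clock may fail to sync; if any host importing this file lacks a reliable RTC, that case deserves a note or a fallback.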
@@ -20,12 +20,6 @@
 "services/ntfy" = {
 sopsFile = ../../secrets/services/ntfy.yaml;
 };
- "wireguard/private" = {
- sopsFile = ../../secrets/wireguard/yt.yaml;
- };
- "wireguard/psk" = {
- sopsFile = ../../secrets/wireguard/yt.yaml;
- };
 "rsyncnet/id_ed25519" = {
 sopsFile = ../../secrets/zh5061/yt.yaml;
 };
@@ -89,10 +83,14 @@
 networkmanager = {
 enable = true;
 dns = "none";
- wifi.backend = "iwd";
+ wifi = {
+ backend = "iwd";
+ powersave = false;
+ };
 };
 resolvconf.enable = true;
 firewall = {
+ enable = true;
 allowedTCPPorts = [ 8080 ]; # for mitmproxy
 };
 };
@@ -105,9 +103,7 @@
 alsa.enable = true;
 alsa.support32Bit = true;
 wireplumber.extraConfig.bluetoothEnhancements = {
- "wireplumber.settings" = {
- "bluetooth.autoswitch-to-headset-profile" = false;
- };
+ # https://julian.pages.freedesktop.org/wireplumber/daemon/configuration/bluetooth.html#bluetooth-configuration
 "monitor.bluez.properties" = {
 "bluez5.enable-sbc-xq" = true;
 "bluez5.enable-msbc" = true;
@@ -115,6 +111,10 @@
 "bluez5.roles" = [
 "a2dp_sink"
 "a2dp_source"
+ "hsp_hs"
+ "hsp_ag"
+ "hfp_hf"
+ "hfp_ag"
 ];
 };
 };
@@ -375,28 +375,6 @@
 services.ollama.enable = false;
- # wireguard setup
- networking.wg-quick.interfaces.wg0 = {
- autostart = false;
- address = [
- "10.0.0.2/24"
- "fdc9:281f:04d7:9ee9::2/64"
- ];
- privateKeyFile = config.sops.secrets."wireguard/private".path;
- peers = [
- {
- publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0=";
- allowedIPs = [
- "0.0.0.0/0"
- "::/0"
- ];
- endpoint = "31.59.129.225:51820";
- persistentKeepalive = 25;
- presharedKeyFile = config.sops.secrets."wireguard/psk".path;
- }
- ];
- };
-
 services.trezord.enable = false;
 programs.niri.enable = false;
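Review bot: In hosts/ytnix/default.nix (hunk `@@ -89,10 +83,14 @@`) the firewall is now enabled explicitly, but `allowedTCPPorts = [ 8080 ]` still opens the mitmproxy port on every interface, including whatever Wi-Fi network the machine joins. If the proxy is only reached over one interface, scoping it with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 8080 ];` (placeholder interface name), or opening the port only while testing, would narrow the exposure. `firewall.enable` already defaults to true in NixOS, so a short comment saying the line is there for explicitness would avoid confusion. The `networking` attribute set starts outside the hunk.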