cleanup overlays, don't use prezto, remove wireguard code, some time and network stuff

2025-02-23 18:11:19 -05:00 · 2025-02-23 18:11:19 -05:00 · a82a616f11
commit a82a616f11
parent 2e7c178862
7 changed files with 45 additions and 82 deletions
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@ -10,13 +10,11 @@
    ./backup.nix
    ./rclone.nix
    ./postgres.nix
-    ./wireguard.nix
    ./adguard.nix
    ./hedgedoc.nix
    ./miniflux.nix
    ./redlib.nix
    ./vaultwarden.nix
-    ./wireguard.nix
    ./grafana.nix
    ./conduwuit.nix
    ./immich.nix
@ -48,15 +46,6 @@
    "hedgedoc/env" = {
      sopsFile = ../../secrets/services/hedgedoc.yaml;
    };
-    "wireguard/private" = {
-      sopsFile = ../../secrets/wireguard/chunk.yaml;
-    };
-    "wireguard/psk-yt" = {
-      sopsFile = ../../secrets/wireguard/chunk.yaml;
-    };
-    "wireguard/psk-phone" = {
-      sopsFile = ../../secrets/wireguard/chunk.yaml;
-    };
    "miniflux/env" = {
      sopsFile = ../../secrets/services/miniflux.yaml;
    };
@ -100,11 +89,13 @@
    ];
    allowedUDPPorts = [
      443
-      51820
      53
      853
-    ]; # 51820 is wireguard
-    trustedInterfaces = [ "wg0" ];
+    ];
+    extraCommands = ''
+      iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1
+      iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tor.service" -j MARK --set-mark 2
+    '';
  };
  networking.interfaces.ens18 = {
    ipv6.addresses = [
--- a/hosts/chunk/rclone.nix
+++ b/hosts/chunk/rclone.nix
@ -34,7 +34,7 @@
      ExecStartPre = "/usr/bin/env mkdir -p /mnt/attic";
      ExecStart = "${lib.getExe pkgs.rclone} mount --config ${
        config.sops.secrets."rclone/config".path
-      } --cache-dir /var/cache/rclone --transfers=32 --checkers=32 --vfs-cache-mode writes --vfs-cache-max-size 15G --allow-other rsyncnet:attic /mnt/attic ";
+      } --cache-dir /var/cache/rclone --transfers=32 --checkers=32 --vfs-cache-mode writes --vfs-cache-max-size 2G --allow-other rsyncnet:attic /mnt/attic ";
      ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/attic";
    };
  };
@ -55,6 +55,4 @@
      ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/garage";
    };
  };
-
-  programs.fuse.userAllowOther = true;
 }
--- a/hosts/common.nix
+++ b/hosts/common.nix
@ -41,15 +41,30 @@
    '';
    registry.nixpkgs.flake = inputs.nixpkgs;
  };
-  time.timeZone = "America/Toronto";
-  networking.firewall.logRefusedConnections = false;
-  networking.nameservers = [
-    # quad9
-    "2620:fe::fe"
-    "2620:fe::9"
-    "9.9.9.9"
-    "149.112.112.112"
-  ];
+
+  time.timeZone = "America/New_York";
+  networking = {
+    firewall.logRefusedConnections = false;
+    nameservers = [
+      # quad9
+      "2620:fe::fe"
+      "2620:fe::9"
+      "9.9.9.9"
+      "149.112.112.112"
+    ];
+    timeServers = [
+      "ntppool1.time.nl"
+      "nts.netnod.se"
+      "ptbtime1.ptb.de"
+      "ohio.time.system76.com"
+      "time.txryan.com"
+      "time.dfm.dk"
+    ];
+  };
+  services.chrony = {
+    enable = true;
+    enableNTS = true;
+  };

  # this is true by default and mutually exclusive with
  # programs.nix-index
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
@ -20,12 +20,6 @@
    "services/ntfy" = {
      sopsFile = ../../secrets/services/ntfy.yaml;
    };
-    "wireguard/private" = {
-      sopsFile = ../../secrets/wireguard/yt.yaml;
-    };
-    "wireguard/psk" = {
-      sopsFile = ../../secrets/wireguard/yt.yaml;
-    };
    "rsyncnet/id_ed25519" = {
      sopsFile = ../../secrets/zh5061/yt.yaml;
    };
@ -89,10 +83,14 @@
    networkmanager = {
      enable = true;
      dns = "none";
-      wifi.backend = "iwd";
+      wifi = {
+        backend = "iwd";
+        powersave = false;
+      };
    };
    resolvconf.enable = true;
    firewall = {
+      enable = true;
      allowedTCPPorts = [ 8080 ]; # for mitmproxy
    };
  };
@ -105,9 +103,7 @@
    alsa.enable = true;
    alsa.support32Bit = true;
    wireplumber.extraConfig.bluetoothEnhancements = {
-      "wireplumber.settings" = {
-        "bluetooth.autoswitch-to-headset-profile" = false;
-      };
+      # https://julian.pages.freedesktop.org/wireplumber/daemon/configuration/bluetooth.html#bluetooth-configuration
      "monitor.bluez.properties" = {
        "bluez5.enable-sbc-xq" = true;
        "bluez5.enable-msbc" = true;
@ -115,6 +111,10 @@
        "bluez5.roles" = [
          "a2dp_sink"
          "a2dp_source"
+          "hsp_hs"
+          "hsp_ag"
+          "hfp_hf"
+          "hfp_ag"
        ];
      };
    };
@ -375,28 +375,6 @@

  services.ollama.enable = false;

-  # wireguard setup
-  networking.wg-quick.interfaces.wg0 = {
-    autostart = false;
-    address = [
-      "10.0.0.2/24"
-      "fdc9:281f:04d7:9ee9::2/64"
-    ];
-    privateKeyFile = config.sops.secrets."wireguard/private".path;
-    peers = [
-      {
-        publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0=";
-        allowedIPs = [
-          "0.0.0.0/0"
-          "::/0"
-        ];
-        endpoint = "31.59.129.225:51820";
-        persistentKeepalive = 25;
-        presharedKeyFile = config.sops.secrets."wireguard/psk".path;
-      }
-    ];
-  };
-
  services.trezord.enable = false;

  programs.niri.enable = false;