8 changed files with 88 additions and 87 deletions
--- a/flake.lock
+++ b/flake.lock
@ -147,11 +147,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1748012719,
-        "narHash": "sha256-s6VG70nqLCzAOLRgZ3oETQ8VJcsrEUol2vjTiYyesK4=",
+        "lastModified": 1746786847,
+        "narHash": "sha256-QKb+8DHlceK62uPHd+KTI22efwUMJ8zI2eD6HOSw99s=",
        "owner": "deuxfleurs-org",
        "repo": "garage",
-        "rev": "37e5621dde5c25ccac4f6da4d7c60f45fc71ff88",
+        "rev": "a2a9e3cec4945c4f6bb93622b860ef696ed3c075",
        "type": "github"
      },
      "original": {
@ -189,11 +189,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748529677,
-        "narHash": "sha256-MJEX3Skt5EAIs/aGHD8/aXXZPcceMMHheyIGSjvxZN0=",
+        "lastModified": 1747155932,
+        "narHash": "sha256-NnPzzXEqfYjfrimLzK0JOBItfdEJdP/i6SNTuunCGgw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "da282034f4d30e787b8a10722431e8b650a907ef",
+        "rev": "8d832ddfda9facf538f3dda9b6985fb0234f151c",
        "type": "github"
      },
      "original": {
@ -257,11 +257,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748145500,
-        "narHash": "sha256-t9fx0l61WOxtWxXCqlXPWSuG/0XMF9DtE2T7KXgMqJw=",
+        "lastModified": 1746934494,
+        "narHash": "sha256-3n6i+F0sDASjkhbvgFDpPDZGp7z19IrRtjfF9TwJpCA=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "a98adbf54d663395df0b9929f6481d4d80fc8927",
+        "rev": "e9b21b01e4307176b9718a29ac514838e7f6f4ff",
        "type": "github"
      },
      "original": {
@ -277,11 +277,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747646130,
-        "narHash": "sha256-B4+JyeF6u7FINPD1Fzc7QiDlmG1L06z/34MqMlBfPDQ=",
+        "lastModified": 1747037786,
+        "narHash": "sha256-nhOupZpHdrUYK2a2y1y238VEPVpUmJw/nEd212wyG0c=",
        "owner": "nix-community",
        "repo": "nix-ld",
-        "rev": "14ad0c0a26dae752c93fa9fa59437bfd2b8aaf69",
+        "rev": "90316ea7ffa3336547b85b3b2827d9d4552a4a79",
        "type": "github"
      },
      "original": {
@ -292,11 +292,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1748370509,
-        "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=",
+        "lastModified": 1746904237,
+        "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
+        "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
        "type": "github"
      },
      "original": {
@ -417,11 +417,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748486227,
-        "narHash": "sha256-veMuFa9cq/XgUXp1S57oC8K0TIw3XyZWL2jIyGWlW0c=",
+        "lastModified": 1747103809,
+        "narHash": "sha256-a3Yk+CoFmNw7V8J/si/AM8WuI/qTxQhiJpuQ7HFl774=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "4bf1892eb81113e868efe67982b64f1da15c8c5a",
+        "rev": "fe36c63649875f391949e8b2ec33949d0cd8aa95",
        "type": "github"
      },
      "original": {
@ -437,11 +437,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747603214,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "lastModified": 1746485181,
+        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
        "type": "github"
      },
      "original": {
@ -503,11 +503,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748397853,
-        "narHash": "sha256-tudGoP5caIJ5TzkV6wnsmUk7Spx21oWMKpkmPbjRNZc=",
+        "lastModified": 1747101711,
+        "narHash": "sha256-VJ6NkQAIXvNr+THN6TlNqlSY3lB1hv/o4yvfG82sHQI=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "ac4fc8eb9a1ee5eeb3c0a30f57652e4c5428d3a5",
+        "rev": "1830b606ba0a839ab60f8465c23613620e9982de",
        "type": "github"
      },
      "original": {
--- a/home/kitty.nix
+++ b/home/kitty.nix
@ -13,7 +13,7 @@
      # for confirmation
      confirm_os_window_close = 0;
      clear_all_shortcuts = true;
-      background_opacity = 0.9;
+      background_opacity = 0.85;

      # will probably lower this later but the max allowed is actually 4GB
      # this is NOT stored in memory and can only be viewed with scrollback_pager
@ -21,7 +21,7 @@
      # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399
      "scrollback_pager" = "bat --pager='less -FR +G'";
      # "scrollback_lines" = 20000;
-      # wheel_scroll_multiplier = 50;
+      wheel_scroll_multiplier = 50;
    };
    keybindings = {
      # kitty_mod is ctrl+shift by default
--- a/home/yt/ytnix.nix
+++ b/home/yt/ytnix.nix
@ -57,6 +57,7 @@
      gdb
      fuzzel
      hugo
+      ghidra
      sccache
      awscli2
      p7zip
@ -83,10 +84,10 @@
      jujutsu
      ffmpeg
      typst
-      pavucontrol

      # reversing
      radare2
+      ida-free
      jadx
      frida-tools
      mitmproxy
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@ -1,5 +1,6 @@
 {
  pkgs,
+  lib,
  ...
 }:
 {
@ -69,10 +70,7 @@
    networkmanager.enable = true;
    firewall = {
      enable = true;
-      trustedInterfaces = [
-        "tailscale0"
-        "podman1"
-      ];
+      trustedInterfaces = [ "tailscale0" ];
      allowedTCPPorts = [
        22
        80
@ -81,6 +79,32 @@
      allowedUDPPorts = [
        443
      ];
+      extraCommands =
+        let
+          ethtool = lib.getExe pkgs.ethtool;
+          tc = lib.getExe' pkgs.iproute2 "tc";
+        in
+        ''
+          # disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites)
+          ${ethtool} -K ens18 tso off
+
+          # clear existing rules
+          ${tc} qdisc del dev ens18 root || true
+
+          # create HTB hierarchy
+          ${tc} qdisc add dev ens18 root handle 1: htb default 10
+          ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
+          # rest
+          ${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100%
+          # caddy
+          ${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
+
+          # mark traffic
+          iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3
+
+          # route marked packets
+          ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
+        '';
    };
    interfaces.ens18 = {
      ipv6.addresses = [
@ -133,7 +157,6 @@

  environment.systemPackages = with pkgs; [
    vim
-    neovim
    wget
    curl
    tree
--- a/hosts/common.nix
+++ b/hosts/common.nix
@ -39,7 +39,7 @@
  i18n.defaultLocale = "en_US.UTF-8";
  time.timeZone = "America/New_York";
  networking = {
-    firewall.logRefusedConnections = true;
+    firewall.logRefusedConnections = false;
    nameservers = [
      # quad9 (unfiltered)
      "2620:fe::10"
@ -56,7 +56,6 @@
      "nts.teambelgium.net"
      "c.st1.ntp.br"
    ];
-    nftables.enable = true;
  };
  services.chrony = {
    enable = true;
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
@ -44,11 +44,10 @@
      efi.canTouchEfiVariables = true;
    };
    tmp.cleanOnBoot = true;
-    kernelPackages = pkgs.linuxPackages_6_14;
+    kernelPackages = pkgs.linuxKernel.packages.linux_zen;
    extraModulePackages = with config.boot.kernelPackages; [
      rtl8821ce
    ];
-    kernelModules = [ "8821ce" ];
    kernelParams = [
      # see https://github.com/tomaspinho/rtl8821ce#pcie-active-state-power-management
      "pcie_aspm=off"
@ -61,10 +60,7 @@
      enable = true;
      pkiBundle = "/var/lib/sbctl";
    };
-    kernel.sysctl = {
-      "kernel.sysrq" = 1;
-      # "net.ipv4.ip_forward" = 1;
-    };
+    kernel.sysctl."kernel.sysrq" = 1;
    binfmt.emulatedSystems = [ "aarch64-linux" ];
  };

@ -91,12 +87,12 @@
    resolvconf.enable = true;
    firewall = {
      enable = true;
-      trustedInterfaces = [
-        "tailscale0"
-      ];
-      extraInputRules = ''
-        ip saddr 192.168.100.0/24 tcp dport 9234 accept
-      '';
+      trustedInterfaces = [ "tailscale0" "virbr0" "virbr1" ];
+      # allowedTCPPorts = [
+      #   8080 # mitmproxy
+      #   22000 # syncthing
+      #   3003 # immich-ml
+      # ];
    };
    hosts = {
      "100.122.132.30" = [ "s3.cy7.sh" ];
@ -109,10 +105,8 @@
    pulse.enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
-    wireplumber.extraConfig."10-bluetooth-enhancements" = {
-      "wireplumber.settings" = {
-        "bluetooth.autoswitch-to-headset-profile" = false;
-      };
+    wireplumber.extraConfig.bluetoothEnhancements = {
+      # https://julian.pages.freedesktop.org/wireplumber/daemon/configuration/bluetooth.html#bluetooth-configuration
      "monitor.bluez.properties" = {
        "bluez5.enable-sbc-xq" = true;
        "bluez5.enable-msbc" = true;
@ -120,27 +114,27 @@
        "bluez5.roles" = [
          "a2dp_sink"
          "a2dp_source"
+          "hsp_hs"
+          "hsp_ag"
          "hfp_hf"
          "hfp_ag"
        ];
      };
    };
    # https://wiki.archlinux.org/title/Bluetooth_headset#Connecting_works,_sound_plays_fine_until_headphones_become_idle,_then_stutters
-    wireplumber.extraConfig."11-disable-suspend" = {
-      "monitor.bluez.rules" = [
-        {
-          matches = [
-            {
-              "device.name" = "bluez_card.*";
-            }
-          ];
-          actions = {
-            update-props = {
-              "session.suspend-timeout-seconds" = 0;
-            };
-          };
-        }
-      ];
+    wireplumber.extraConfig.disableSuspend = {
+      "monitor.bluez.rules" = {
+        matches = [
+          {
+            "node.name" = "bluez_output.*";
+          }
+        ];
+      };
+      actions = {
+        update-props = {
+          "session.suspend-timeout-seconds" = 0;
+        };
+      };
    };
  };

@ -219,14 +213,10 @@
  };

  fonts = {
-    packages =
-      (with pkgs; [
-        ibm-plex
-      ])
-      ++ (with pkgs.nerd-fonts; [
-        roboto-mono
-        jetbrains-mono
-      ]);
+    packages = with pkgs; [
+      nerd-fonts.roboto-mono
+      ibm-plex
+    ];
    enableDefaultPackages = true;
  };

@ -277,10 +267,6 @@
    enable = true;
    qemu.vhostUserPackages = with pkgs; [ virtiofsd ];
  };
-  # virtualisation.vmware.host = {
-  #   enable = true;
-  #   package = pkgs.vmware-workstation;
-  # };
  programs.virt-manager.enable = true;
  my.containerization.enable = true;

@ -420,12 +406,4 @@
      wl-clipboard
    ];
  };
-
-  programs.ghidra = {
-    enable = true;
-    package = pkgs.ghidra.withExtensions (p: with p; [
-      findcrypt
-      ret-sync
-    ]);
-  };
 }
--- a/hosts/ytnix/hardware-configuration.nix
+++ b/hosts/ytnix/hardware-configuration.nix
@ -82,5 +82,5 @@
  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault true;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/modules/backup.nix
+++ b/modules/backup.nix
@ -21,7 +21,7 @@ let
    "/var/lib/docker"
    "/var/lib/containers" # podman
    "/var/lib/systemd"
-    "/var/lib/libvirt/images"
+    "/var/lib/libvirt"
    "**/.rustup"
    "**/.cargo"
    "**/.docker"