refactor(wireguard): set checkReversePath to loose instead of false

flake.nix

@@ -17,59 +17,29 @@
     };
   };
 
-  outputs = { self, nixpkgs, home-manager, nixvim, ... }@inputs: {
+  outputs = { self, nixpkgs, home-manager, nixvim, ... }@inputs:
+  let
+    mkHost = hostName: nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      specialArgs = { inherit inputs; };
+      modules = [
+        ./hosts/${hostName}/hardware-configuration.nix
+        ./hosts/${hostName}/configuration.nix
+        home-manager.nixosModules.home-manager
+        {
+          home-manager.extraSpecialArgs = { inherit inputs; };
+          home-manager.users.aaron.imports = [
+            nixvim.homeModules.nixvim
+            ./users/aaron/home.nix
+          ];
+        }
+      ];
+    };
+  in {
     nixosConfigurations = {
-
+      default = mkHost "default";
-      default = nixpkgs.lib.nixosSystem {
+      neon    = mkHost "neon";
-        system = "x86_64-linux";
+      argon   = mkHost "argon";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./hosts/default/hardware-configuration.nix
-          ./hosts/default/configuration.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.aaron.imports = [
-              nixvim.homeModules.nixvim
-              ./users/aaron/home.nix
-            ];
-          }
-        ];
-      };
-      
-      neon = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./hosts/neon/hardware-configuration.nix
-          ./hosts/neon/configuration.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.aaron.imports = [
-              nixvim.homeModules.nixvim
-              ./users/aaron/home.nix
-            ];
-          }
-        ];
-      };
-
-      argon = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./hosts/argon/hardware-configuration.nix
-          ./hosts/argon/configuration.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.aaron.imports = [
-              nixvim.homeModules.nixvim
-              ./users/aaron/home.nix
-            ];
-          }
-        ];
-      };
     };
   };
 }

hosts/default/configuration.nix

@@ -3,11 +3,6 @@
 { pkgs, lib, ... }:
 
 {
-  imports =
-    [ 
-      ./hardware-configuration.nix
-    ];
-
   # use flakes
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 

modules/home-manager/programs.nix

@@ -6,7 +6,6 @@
     discord
     fastfetch
     keepassxc
-    screenfetch
     devenv
   ];
 

modules/nixos/docker.nix

@@ -1,6 +1,9 @@
 { config, lib, pkgs, ...}:
 
 {
+  # add docker group to user
+  users.users.aaron.extraGroups = [ "docker" ];
+
   virtualisation.docker = {
     enable = true;
     # Customize Docker daemon settings

modules/nixos/locales.nix

@@ -4,18 +4,18 @@
   # set the time zone
   time.timeZone = "Europe/Zurich";
 
-  # set internationalisation properties
+  # keep system language in english, but use swiss locale for formatting
   i18n.defaultLocale = "en_US.UTF-8";
   i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_US.UTF-8";
+    LC_ADDRESS = "de_CH.UTF-8";
-    LC_IDENTIFICATION = "en_US.UTF-8";
+    LC_IDENTIFICATION = "de_CH.UTF-8";
-    LC_MEASUREMENT = "en_US.UTF-8";
+    LC_MEASUREMENT = "de_CH.UTF-8";
-    LC_MONETARY = "en_US.UTF-8";
+    LC_MONETARY = "de_CH.UTF-8";
-    LC_NAME = "en_US.UTF-8";
+    LC_NAME = "de_CH.UTF-8";
-    LC_NUMERIC = "en_US.UTF-8";
+    LC_NUMERIC = "de_CH.UTF-8";
-    LC_PAPER = "en_US.UTF-8";
+    LC_PAPER = "de_CH.UTF-8";
-    LC_TELEPHONE = "en_US.UTF-8";
+    LC_TELEPHONE = "de_CH.UTF-8";
-    LC_TIME = "en_US.UTF-8";
+    LC_TIME = "de_CH.UTF-8";
   };
 
   # set console font and keymap

modules/nixos/networking.nix

@@ -8,9 +8,8 @@
   networking.firewall.allowedTCPPorts = [ ];
   networking.firewall.allowedUDPPorts = [ ];
 
-  # enable wifi
+  # enable wifi firmware
   hardware.enableAllFirmware = true;
-  networking.wireless.enable = true;
 
   # enable bluetooth
   hardware.bluetooth.enable = true;

modules/nixos/packages.nix

@@ -1,24 +1,19 @@
 { config, lib, pkgs, ... }:
 
 {
-  # system packges
+  # system packages
   environment.systemPackages = with pkgs; [
-    alacritty
     btop
     cowsay
     dnsutils
     ethtool
     file
-    fwupd
-    fwupd-efi
-    ghostty
     git
     imagemagick
     imv
     iperf3
     jq
     kdePackages.qtmultimedia
-    kitty
     ldns
     lm_sensors
     lsof
@@ -31,12 +26,10 @@
     nvd
     p7zip
     pciutils
-    sddm-astronaut
     socat
     sof-firmware
     strace
     sysstat
-    terminus_font
     tree
     unzip
     usbutils

modules/nixos/protonvpn.nix

@@ -1,9 +1,13 @@
 { config, lib, pkgs, ... }:
 
 {
-  networking.firewall.checkReversePath = false;
+  # protonvpn uses wireguard tunnels, which break strict reverse path filtering
+  # because packets arrive on the tunnel interface but may be routed back differently.
+  # "loose" checks that the source is routable through *any* interface (not necessarily
+  # the same one), which is sufficient for wireguard while still preventing IP spoofing.
+  networking.firewall.checkReversePath = "loose";
+
   environment.systemPackages = with pkgs; [
-    wireguard-tools
     protonvpn-gui
   ];
 }

modules/nixos/settings.nix

@@ -32,10 +32,11 @@
     };
   };
 
+  # allow unfree packages (steam, protonvpn, discord, etc.)
+  nixpkgs.config.allowUnfree = true;
+
   # links /libexec from derivations to /run/current-system/sw
   environment.pathsToLink = [ "/libexec" ];
-  # set the default editor to vim
-  environment.variables.EDITOR = "vim";
 
   # enable home-manager globally
   home-manager.useGlobalPkgs = true;

modules/nixos/steam.nix

@@ -1,9 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  # allow unfree to install steam
-  nixpkgs.config.allowUnfree = true;
-
   # enable steam and open firewall
   programs.steam = {
     enable = true;

modules/nixos/users.nix

@@ -5,7 +5,7 @@
   users.users.aaron = {
     isNormalUser = true;
     group = "users";
-    extraGroups = [ "wheel" "networkmanager" "docker" ];
+    extraGroups = [ "wheel" "networkmanager" ];
     shell = pkgs.zsh;
   };