refactor(wireguard): set checkReversePath to loose instead of false

refactor(unfree): move the unfree setting to the settings module
refactor(packages): move installed packages to their respective nix modules
2026-03-21 16:45:09 +01:00 · 2026-03-21 16:43:43 +01:00 · 2026-03-21 16:43:05 +01:00 · 2026-03-21 16:41:34 +01:00 · 2026-03-21 16:40:24 +01:00 · 2026-03-21 16:39:30 +01:00
12 changed files with 57 additions and 92 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -28,11 +28,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1773898372,
-        "narHash": "sha256-PqeDgmyI/Df3/Mv0B81FP/ZC4KuO88YRQF5ZfeFyA4k=",
+        "lastModified": 1774007980,
+        "narHash": "sha256-FOnZjElEI8pqqCvB6K/1JRHTE8o4rer8driivTpq2uo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "ecf019baf47df009937b5f8c4604cee10f410a76",
+        "rev": "9670de2921812bc4e0452f6e3efd8c859696c183",
        "type": "github"
      },
      "original": {
@@ -103,11 +103,11 @@
        "noctalia-qs": "noctalia-qs"
      },
      "locked": {
-        "lastModified": 1773907741,
-        "narHash": "sha256-VCOseUhojMawFh/O0ZlSftbiEql4kJn0+WjPqorvk9o=",
+        "lastModified": 1774014047,
+        "narHash": "sha256-pSbjavFqmHzbR4aG+22k81yGgjIUrV64UePEf4m/s5U=",
        "owner": "noctalia-dev",
        "repo": "noctalia-shell",
-        "rev": "5eb8b9cbcbf7f9ffcff8b75233bad6e80c721f4c",
+        "rev": "e2ba46ed122082a15841be9e2b9fb392395c5a4f",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -17,59 +17,29 @@
    };
  };

-  outputs = { self, nixpkgs, home-manager, nixvim, ... }@inputs: {
+  outputs = { self, nixpkgs, home-manager, nixvim, ... }@inputs:
+  let
+    mkHost = hostName: nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      specialArgs = { inherit inputs; };
+      modules = [
+        ./hosts/${hostName}/hardware-configuration.nix
+        ./hosts/${hostName}/configuration.nix
+        home-manager.nixosModules.home-manager
+        {
+          home-manager.extraSpecialArgs = { inherit inputs; };
+          home-manager.users.aaron.imports = [
+            nixvim.homeModules.nixvim
+            ./users/aaron/home.nix
+          ];
+        }
+      ];
+    };
+  in {
    nixosConfigurations = {
-
-      default = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./hosts/default/hardware-configuration.nix
-          ./hosts/default/configuration.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.aaron.imports = [
-              nixvim.homeModules.nixvim
-              ./users/aaron/home.nix
-            ];
-          }
-        ];
-      };
-      
-      neon = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./hosts/neon/hardware-configuration.nix
-          ./hosts/neon/configuration.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.aaron.imports = [
-              nixvim.homeModules.nixvim
-              ./users/aaron/home.nix
-            ];
-          }
-        ];
-      };
-
-      argon = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./hosts/argon/hardware-configuration.nix
-          ./hosts/argon/configuration.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.aaron.imports = [
-              nixvim.homeModules.nixvim
-              ./users/aaron/home.nix
-            ];
-          }
-        ];
-      };
+      default = mkHost "default";
+      neon    = mkHost "neon";
+      argon   = mkHost "argon";
    };
  };
 }
--- a/hosts/default/configuration.nix
+++ b/hosts/default/configuration.nix
@@ -3,11 +3,6 @@
 { pkgs, lib, ... }:

 {
-  imports =
-    [ 
-      ./hardware-configuration.nix
-    ];
-
  # use flakes
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

--- a/modules/home-manager/programs.nix
+++ b/modules/home-manager/programs.nix
@@ -6,7 +6,6 @@
    discord
    fastfetch
    keepassxc
-    screenfetch
    devenv
  ];

--- a/modules/nixos/docker.nix
+++ b/modules/nixos/docker.nix
@@ -1,6 +1,9 @@
 { config, lib, pkgs, ...}:

 {
+  # add docker group to user
+  users.users.aaron.extraGroups = [ "docker" ];
+
  virtualisation.docker = {
    enable = true;
    # Customize Docker daemon settings
--- a/modules/nixos/locales.nix
+++ b/modules/nixos/locales.nix
@@ -4,18 +4,18 @@
  # set the time zone
  time.timeZone = "Europe/Zurich";

-  # set internationalisation properties
+  # keep system language in english, but use swiss locale for formatting
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_US.UTF-8";
-    LC_IDENTIFICATION = "en_US.UTF-8";
-    LC_MEASUREMENT = "en_US.UTF-8";
-    LC_MONETARY = "en_US.UTF-8";
-    LC_NAME = "en_US.UTF-8";
-    LC_NUMERIC = "en_US.UTF-8";
-    LC_PAPER = "en_US.UTF-8";
-    LC_TELEPHONE = "en_US.UTF-8";
-    LC_TIME = "en_US.UTF-8";
+    LC_ADDRESS = "de_CH.UTF-8";
+    LC_IDENTIFICATION = "de_CH.UTF-8";
+    LC_MEASUREMENT = "de_CH.UTF-8";
+    LC_MONETARY = "de_CH.UTF-8";
+    LC_NAME = "de_CH.UTF-8";
+    LC_NUMERIC = "de_CH.UTF-8";
+    LC_PAPER = "de_CH.UTF-8";
+    LC_TELEPHONE = "de_CH.UTF-8";
+    LC_TIME = "de_CH.UTF-8";
  };

  # set console font and keymap
--- a/modules/nixos/networking.nix
+++ b/modules/nixos/networking.nix
@@ -8,6 +8,9 @@
  networking.firewall.allowedTCPPorts = [ ];
  networking.firewall.allowedUDPPorts = [ ];

+  # enable wifi firmware
+  hardware.enableAllFirmware = true;
+
  # enable bluetooth
  hardware.bluetooth.enable = true;
  
--- a/modules/nixos/packages.nix
+++ b/modules/nixos/packages.nix
@@ -1,24 +1,19 @@
 { config, lib, pkgs, ... }:

 {
-  # system packges
+  # system packages
  environment.systemPackages = with pkgs; [
-    alacritty
    btop
    cowsay
    dnsutils
    ethtool
    file
-    fwupd
-    fwupd-efi
-    ghostty
    git
    imagemagick
    imv
    iperf3
    jq
    kdePackages.qtmultimedia
-    kitty
    ldns
    lm_sensors
    lsof
@@ -31,12 +26,10 @@
    nvd
    p7zip
    pciutils
-    sddm-astronaut
    socat
    sof-firmware
    strace
    sysstat
-    terminus_font
    tree
    unzip
    usbutils
--- a/modules/nixos/protonvpn.nix
+++ b/modules/nixos/protonvpn.nix
@@ -1,9 +1,13 @@
 { config, lib, pkgs, ... }:

 {
-  networking.firewall.checkReversePath = false;
+  # protonvpn uses wireguard tunnels, which break strict reverse path filtering
+  # because packets arrive on the tunnel interface but may be routed back differently.
+  # "loose" checks that the source is routable through *any* interface (not necessarily
+  # the same one), which is sufficient for wireguard while still preventing IP spoofing.
+  networking.firewall.checkReversePath = "loose";
+
  environment.systemPackages = with pkgs; [
-    wireguard-tools
    protonvpn-gui
  ];
 }
--- a/modules/nixos/settings.nix
+++ b/modules/nixos/settings.nix
@@ -32,10 +32,11 @@
    };
  };

+  # allow unfree packages (steam, protonvpn, discord, etc.)
+  nixpkgs.config.allowUnfree = true;
+
  # links /libexec from derivations to /run/current-system/sw
  environment.pathsToLink = [ "/libexec" ];
-  # set the default editor to vim
-  environment.variables.EDITOR = "vim";

  # enable home-manager globally
  home-manager.useGlobalPkgs = true;
--- a/modules/nixos/steam.nix
+++ b/modules/nixos/steam.nix
@@ -1,9 +1,6 @@
 { config, lib, pkgs, ... }:

 {
-  # allow unfree to install steam
-  nixpkgs.config.allowUnfree = true;
-
  # enable steam and open firewall
  programs.steam = {
    enable = true;
--- a/modules/nixos/users.nix
+++ b/modules/nixos/users.nix
@@ -5,7 +5,7 @@
  users.users.aaron = {
    isNormalUser = true;
    group = "users";
-    extraGroups = [ "wheel" "networkmanager" "docker" ];
+    extraGroups = [ "wheel" "networkmanager" ];
    shell = pkgs.zsh;
  };
Author	SHA1	Message	Date
aaron	9a8090dac2	refactor(wireguard): set checkReversePath to loose instead of false	2026-03-21 16:45:09 +01:00
aaron	4e9ffcf6bd	refactor(unfree): move the unfree setting to the settings module	2026-03-21 16:43:43 +01:00
aaron	02a5d03d1a	refactor(packages): move installed packages to their respective nix modules	2026-03-21 16:43:05 +01:00
aaron	b480e8224d	refactor(flake): simplify nix flake by deduplication	2026-03-21 16:41:34 +01:00
aaron	32a62aadd4	refactor(networking): drop wireless enable since it installs wpa_supplicant and rely on networkmanager instead	2026-03-21 16:40:24 +01:00
aaron	619c00e678	refactor(locales): fix internationalisation to switzerland norms	2026-03-21 16:39:30 +01:00
aaron	a02da7f66d	refactor(programs): uninstall screenfetch since it is unmaintained software	2026-03-21 16:38:55 +01:00
aaron	8b616b65af	refactor(default): remove hardware import from default target since it is a dublicate	2026-03-21 16:38:17 +01:00
aaron	17158618ee	refactor(docker): move the docker group to the respective nix module instead of adding the user per default	2026-03-21 16:37:31 +01:00
aaron	2fb937b19f	feature(wifi): enable more firmware to support my wifi chip	2026-03-20 18:17:43 +01:00
aaron	a7c5cbad41	chore(update): update flake file	2026-03-20 17:51:08 +01:00