refactor(wireguard): set checkReversePath to loose instead of false

Reviewed-on: #32

flake.lock

@@ -28,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773332277,
+        "lastModified": 1774007980,
-        "narHash": "sha256-1V+wRrZD9Sw12AQBUWk9CR+XhDZQ8q6yBE0S3Wjbd1M=",
+        "narHash": "sha256-FOnZjElEI8pqqCvB6K/1JRHTE8o4rer8driivTpq2uo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "4aeef1941f862fe3a70d1b8264b4e289358c2325",
+        "rev": "9670de2921812bc4e0452f6e3efd8c859696c183",
         "type": "github"
       },
       "original": {
@@ -43,11 +43,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1773122722,
+        "lastModified": 1773821835,
-        "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
+        "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
+        "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0",
         "type": "github"
       },
       "original": {
@@ -57,6 +57,22 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1770107345,
+        "narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "4533d9293756b63904b7238acb84ac8fe4c8c2c4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixvim": {
       "inputs": {
         "flake-parts": "flake-parts",
@@ -87,11 +103,11 @@
         "noctalia-qs": "noctalia-qs"
       },
       "locked": {
-        "lastModified": 1773336753,
+        "lastModified": 1774014047,
-        "narHash": "sha256-f5UoaExHUvoFuixpxcDXmTL+8UT+VkjwNAuh88/MOrU=",
+        "narHash": "sha256-pSbjavFqmHzbR4aG+22k81yGgjIUrV64UePEf4m/s5U=",
         "owner": "noctalia-dev",
         "repo": "noctalia-shell",
-        "rev": "5ee84e3ab386727eaf4b2381adfdcd86ad94553b",
+        "rev": "e2ba46ed122082a15841be9e2b9fb392395c5a4f",
         "type": "github"
       },
       "original": {
@@ -106,14 +122,15 @@
           "noctalia",
           "nixpkgs"
         ],
-        "systems": "systems_2"
+        "systems": "systems_2",
+        "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1773175685,
+        "lastModified": 1773842483,
-        "narHash": "sha256-YOkWzVq7opym1ovJvSCvqpG6OCDGJwPo/EPeRxcGay4=",
+        "narHash": "sha256-oRqz+5AbNKfUWWwN5c83CsSOsUWVGITh0HZg+wX5Q/8=",
         "owner": "noctalia-dev",
         "repo": "noctalia-qs",
-        "rev": "6b9eceefde3d47ca83c544b54bcdd358be4cbd2f",
+        "rev": "3962ff1e0b59ef067c57199d31271ddbf23b29cd",
         "type": "github"
       },
       "original": {
@@ -159,6 +176,24 @@
         "repo": "default-linux",
         "type": "github"
       }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1772660329,
+        "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "3710e0e1218041bbad640352a0440114b1e10428",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,6 +1,6 @@
 {
   description = "0x29a NixOS flake";
-  
+
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     home-manager = {
@@ -16,60 +16,30 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
-  
+
-  outputs = { self, nixpkgs, home-manager, nixvim, ... }@inputs: {
+  outputs = { self, nixpkgs, home-manager, nixvim, ... }@inputs:
+  let
+    mkHost = hostName: nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      specialArgs = { inherit inputs; };
+      modules = [
+        ./hosts/${hostName}/hardware-configuration.nix
+        ./hosts/${hostName}/configuration.nix
+        home-manager.nixosModules.home-manager
+        {
+          home-manager.extraSpecialArgs = { inherit inputs; };
+          home-manager.users.aaron.imports = [
+            nixvim.homeModules.nixvim
+            ./users/aaron/home.nix
+          ];
+        }
+      ];
+    };
+  in {
     nixosConfigurations = {
-
+      default = mkHost "default";
-      default = nixpkgs.lib.nixosSystem {
+      neon    = mkHost "neon";
-        system = "x86_64-linux";
+      argon   = mkHost "argon";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./hosts/default/hardware-configuration.nix
-          ./hosts/default/configuration.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.aaron.imports = [
-              nixvim.homeModules.nixvim
-              ./users/aaron/home.nix
-            ];
-          }
-        ];
-      };
-      
-      neon = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./hosts/neon/hardware-configuration.nix
-          ./hosts/neon/configuration.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.aaron.imports = [
-              nixvim.homeModules.nixvim
-              ./users/aaron/home.nix
-            ];
-          }
-        ];
-      };
-
-      argon = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./hosts/argon/hardware-configuration.nix
-          ./hosts/argon/configuration.nix
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.extraSpecialArgs = { inherit inputs; };
-            home-manager.users.aaron.imports = [
-              nixvim.homeModules.nixvim
-              ./users/aaron/home.nix
-            ];
-          }
-        ];
-      };
     };
   };
 }

hosts/default/configuration.nix

@@ -3,11 +3,6 @@
 { pkgs, lib, ... }:
 
 {
-  imports =
-    [ 
-      ./hardware-configuration.nix
-    ];
-
   # use flakes
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 

modules/home-manager/programs.nix

@@ -6,7 +6,6 @@
     discord
     fastfetch
     keepassxc
-    screenfetch
     devenv
   ];
 

modules/nixos/docker.nix

@@ -1,6 +1,9 @@
 { config, lib, pkgs, ...}:
 
 {
+  # add docker group to user
+  users.users.aaron.extraGroups = [ "docker" ];
+
   virtualisation.docker = {
     enable = true;
     # Customize Docker daemon settings

modules/nixos/locales.nix

@@ -4,18 +4,18 @@
   # set the time zone
   time.timeZone = "Europe/Zurich";
 
-  # set internationalisation properties
+  # keep system language in english, but use swiss locale for formatting
   i18n.defaultLocale = "en_US.UTF-8";
   i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_US.UTF-8";
+    LC_ADDRESS = "de_CH.UTF-8";
-    LC_IDENTIFICATION = "en_US.UTF-8";
+    LC_IDENTIFICATION = "de_CH.UTF-8";
-    LC_MEASUREMENT = "en_US.UTF-8";
+    LC_MEASUREMENT = "de_CH.UTF-8";
-    LC_MONETARY = "en_US.UTF-8";
+    LC_MONETARY = "de_CH.UTF-8";
-    LC_NAME = "en_US.UTF-8";
+    LC_NAME = "de_CH.UTF-8";
-    LC_NUMERIC = "en_US.UTF-8";
+    LC_NUMERIC = "de_CH.UTF-8";
-    LC_PAPER = "en_US.UTF-8";
+    LC_PAPER = "de_CH.UTF-8";
-    LC_TELEPHONE = "en_US.UTF-8";
+    LC_TELEPHONE = "de_CH.UTF-8";
-    LC_TIME = "en_US.UTF-8";
+    LC_TIME = "de_CH.UTF-8";
   };
 
   # set console font and keymap

modules/nixos/networking.nix

@@ -8,6 +8,9 @@
   networking.firewall.allowedTCPPorts = [ ];
   networking.firewall.allowedUDPPorts = [ ];
 
+  # enable wifi firmware
+  hardware.enableAllFirmware = true;
+
   # enable bluetooth
   hardware.bluetooth.enable = true;
   

modules/nixos/packages.nix

@@ -1,24 +1,19 @@
 { config, lib, pkgs, ... }:
 
 {
-  # system packges
+  # system packages
   environment.systemPackages = with pkgs; [
-    alacritty
     btop
     cowsay
     dnsutils
     ethtool
     file
-    fwupd
-    fwupd-efi
-    ghostty
     git
     imagemagick
     imv
     iperf3
     jq
     kdePackages.qtmultimedia
-    kitty
     ldns
     lm_sensors
     lsof
@@ -31,12 +26,10 @@
     nvd
     p7zip
     pciutils
-    sddm-astronaut
     socat
     sof-firmware
     strace
     sysstat
-    terminus_font
     tree
     unzip
     usbutils

modules/nixos/protonvpn.nix

@@ -1,9 +1,13 @@
 { config, lib, pkgs, ... }:
 
 {
-  networking.firewall.checkReversePath = false;
+  # protonvpn uses wireguard tunnels, which break strict reverse path filtering
+  # because packets arrive on the tunnel interface but may be routed back differently.
+  # "loose" checks that the source is routable through *any* interface (not necessarily
+  # the same one), which is sufficient for wireguard while still preventing IP spoofing.
+  networking.firewall.checkReversePath = "loose";
+
   environment.systemPackages = with pkgs; [
-    wireguard-tools
     protonvpn-gui
   ];
 }

modules/nixos/settings.nix

@@ -32,10 +32,11 @@
     };
   };
 
+  # allow unfree packages (steam, protonvpn, discord, etc.)
+  nixpkgs.config.allowUnfree = true;
+
   # links /libexec from derivations to /run/current-system/sw
   environment.pathsToLink = [ "/libexec" ];
-  # set the default editor to vim
-  environment.variables.EDITOR = "vim";
 
   # enable home-manager globally
   home-manager.useGlobalPkgs = true;

modules/nixos/steam.nix

@@ -1,9 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  # allow unfree to install steam
-  nixpkgs.config.allowUnfree = true;
-
   # enable steam and open firewall
   programs.steam = {
     enable = true;

modules/nixos/users.nix

@@ -5,7 +5,7 @@
   users.users.aaron = {
     isNormalUser = true;
     group = "users";
-    extraGroups = [ "wheel" "networkmanager" "docker" ];
+    extraGroups = [ "wheel" "networkmanager" ];
     shell = pkgs.zsh;
   };