feat: bump flakes, enable Steam, update kernel/NVIDIA, refine net+security

flake.lock

@@ -46,11 +46,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756022458,
-        "narHash": "sha256-J1i35r4HfNDdPpwL0vOBaZopQudAUVtartEerc1Jryc=",
+        "lastModified": 1756261190,
+        "narHash": "sha256-eiy0klFK5EVJLNilutR7grsZN/7Itj9DyD75eyOf83k=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "9e3a33c0bcbc25619e540b9dfea372282f8a9740",
+        "rev": "77f348da3176dc68b20a73dab94852a417daf361",
         "type": "github"
       },
       "original": {
@@ -90,11 +90,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1755615617,
-        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
+        "lastModified": 1756266583,
+        "narHash": "sha256-cr748nSmpfvnhqSXPiCfUPxRz2FJnvf/RjJGvFfaCsM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
+        "rev": "8a6d5427d99ec71c64f0b93d45778c889005d9c2",
         "type": "github"
       },
       "original": {
@@ -114,11 +114,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1755924483,
-        "narHash": "sha256-wNqpEXZuAwPjW8hYKIYzmN+fgEZT/Qx+sUIWXg3EIWU=",
+        "lastModified": 1756305488,
+        "narHash": "sha256-+6cgFdac+DN5PAZg3YtRXAEdk++r6msy7wfFMNMNsEY=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "91f51aede7c9c769c19f74ba9042b8fdb4ed2989",
+        "rev": "b7e96214e8e7244eceae73c606dcd243f6d180a3",
         "type": "github"
       },
       "original": {

home-manager/home.nix

@@ -1,4 +1,5 @@
 { pkgs
+, lib
 , ...
 }:
 {
@@ -12,14 +13,14 @@
     config = {
       allowUnfree = true;
       # Workaround for https://github.com/nix-community/home-manager/issues/2942
-      #   nixpkgs.config.allowUnfreePredicate =
-      #     pkg:
-      #     builtins.elem (lib.getName pkg) [
-      #       "steam"
-      #       "steam-original"
-      #       "steam-run"
-      #       "steamtinkerlaunch"
-      #     ];
+        nixpkgs.config.allowUnfreePredicate =
+          pkg:
+          builtins.elem (lib.getName pkg) [
+            "steam"
+            "steam-original"
+            "steam-run"
+            "steamtinkerlaunch"
+          ];
     };
   };
 
@@ -32,6 +33,7 @@
       heroic
       hwinfo
       inkscape
+      keymapp
       lazygit
       libinput
       nerd-fonts.fira-code
@@ -43,6 +45,7 @@
       python3
       ripgrep
       statix
+      steam
       uget
       unzip
       waydroid

hosts/Nixstation/default.nix

@@ -12,7 +12,7 @@
   boot = {
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;
-    # kernelPackages = pkgs.linuxPackages_6_16;
+    kernelPackages = pkgs.linuxPackages_latest;
   };
 
   environment = {
@@ -20,9 +20,6 @@
       act
       btrfs-progs
       cudatoolkit
-      networkmanagerapplet
-      libwacom
-      wacomtablet
     ];
   };
 
@@ -62,18 +59,21 @@
   };
 
   programs = {
-    # steam = {
-    #   enable = true;
-    #   remotePlay.openFirewall = true;
-    #   dedicatedServer.openFirewall = true;
-    #   localNetworkGameTransfers.openFirewall = true;
-
-    # };
     dconf.enable = true;
     virt-manager.enable = true;
   };
-  security.pam.services.gdm.enableGnomeKeyring = true;
-  security.rtkit.enable = true;
+  security = {
+    pam.services.gdm.enableGnomeKeyring = true;
+    polkit.enable = true;
+    polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (action.id == "org.bluez.GattProfile1.Release") {
+          return polkit.Result.YES;
+        }
+      });
+    '';
+    rtkit.enable = true;
+  };
   services = {
     xserver = {
       xkb = {
@@ -82,7 +82,6 @@
       };
     };
     desktopManager.gnome.enable = true;
-
     displayManager = {
       gdm.enable = true;
       gdm.wayland = true;

hosts/Nixstation/hardware-configuration.nix

@@ -20,9 +20,9 @@
       "sd_mod"
       "xhci_pci"
     ];
-    kernelParams = [ "amd_pstate=active" ];
+    kernelParams = [ "amd_pstate=active" "usbcore.autosuspend=-1"];
     initrd.kernelModules = [ ];
-    kernelModules = [ "kvm-amd" ];
+    kernelModules = [ "kvm-amd" "iwlwifi" ];
     extraModulePackages = [ ];
   };
   fileSystems = {
@@ -59,5 +59,10 @@
     bluetooth.enable = true;
   };
 
-  services.blueman.enable = true;
+  services = {
+    blueman.enable = true;
+    udev.extraRules = ''
+      ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="on"
+    '';
+  };
 }

hosts/common/network.nix

@@ -7,27 +7,24 @@
     firewall = {
       enable = true;
       allowPing = true;
-      allowedTCPPorts = [
-        2375
-        4780
-        11470
-        25565
-      ];
-      allowedUDPPorts = [
-        8888
-        8899
-      ];
+      allowedTCPPorts = [2375 4780 11470 25565];
+      allowedUDPPorts = [3478 41641 8888 8899];
     };
   };
 
   services = {
-    tailscale.enable = true;
+    tailscale = {
+      enable = true;
+      useRoutingFeatures = "client";
+      extraUpFlags = [ "--accept-dns=false" "--reset" ];
+    };
     openssh.enable = true;
     # openssh.settings.X11Forwarding = true;
   };
 
   virtualisation.docker = {
     enable = true;
+    logDriver = "journald";
     package = pkgs.docker_25;
     storageDriver = "btrfs";
     daemon.settings = {
@@ -37,34 +34,6 @@
       experimental = true;
       metrics-addr = "0.0.0.0:9323";
     };
-
-    # daemon.settings = {
-
-    #   hosts = [
-    #     "unix:///var/run/docker.sock"
-    #   ];
-
-    #   features = {
-    #     cdi = true;
-    #   };
-
-    #   userland-proxy = false;
-    #   experimental = true;
-    #   metrics-addr = "0.0.0.0:9323";
-
-    #   default-runtime = "nvidia";
-    #   runtimes = {
-    #     nvidia = {
-    #       path = "nvidia-container-runtime";
-    #     };
-    #     nvidia-cdi = {
-    #       path = "nvidia-container-runtime.cdi";
-    #     };
-    #     nvidia-legacy = {
-    #       path = "nvidia-container-runtime.legacy";
-    #     };
-    #   };
-    # };
   };
 
   services.samba = {
@@ -76,41 +45,24 @@
         "workgroup" = "WORKGROUP";
         "server string" = "smbnix";
         "netbios name" = "smbnix";
-
-        # "use sendfile" = "yes";
-        # "max protocol" = "smb2";
-        # note: localhost is the ipv6 localhost ::1
         "hosts allow" = "192.168.0. 192.168. 192.168.122.55 127.0.0.1 localhost";
         "hosts deny" = "0.0.0.0/0";
         "guest account" = "nobody";
         "map to guest" = "bad user";
         security = "user";
-        # shared = {
-        #  path = "/home/thiago/Downloads/oblivion";
-        #  browseable = true;
-        #  writable = false;
-        #  guestOk = true;
-        #  "force user" = "thiago";
-        # };
       };
-
-      # shares = {
-      #   OneDrive = ''
-      #     path = "/run/media/thiago/hdd0/OneDrive/"
-      #     browseable = "yes"
-      #     "read only" = "no"
-      #     "guest ok" = "no"
-      #     "create mask" = "0644"
-      #     "directory mask" = "0755"
-      #     "force user" = "thiago"
-      #     "force group" = "users"
-      #   '';
-      # };
     };
   };
 
-  services.samba-wsdd = {
-    enable = true;
-    openFirewall = true;
+  systemd = {
+    services.docker.serviceConfig = {
+      StandardOutput = "journal";
+      StandardError = "journal";
+      logFilterPatterns = [ ".*skip loading plugin.*" "skip plugin"];
+    };
+    tmpfiles.rules = [
+      "d /usr/local/share/polkit-1 0755 root root -"
+      "d /usr/local/share/polkit-1/rules.d 0755 root root -"
+    ];
   };
 }

hosts/common/nvidia/default.nix

@@ -1,4 +1,5 @@
 { pkgs
+, config
 , ...
 }:
 {
@@ -20,7 +21,7 @@
       modesetting.enable = true;
       nvidiaSettings = true;
       open = false;
-      package = pkgs.linuxPackages.nvidiaPackages.vulkan_beta;
+      package = config.boot.kernelPackages.nvidiaPackages.latest;
       powerManagement.enable = true;
       powerManagement.finegrained = false;
     };