From f7e34c54d607d69a961cea53212510c23568c58f Mon Sep 17 00:00:00 2001
From: Thiago Sposito
Date: Thu, 28 Aug 2025 14:09:53 -0300
Subject: [PATCH] feat: bump flakes, enable Steam, update kernel/NVIDIA, refine net+security
---
 flake.lock | 18 ++---
 home-manager/home.nix | 19 +++--
 hosts/Nixstation/default.nix | 27 ++++---
 hosts/Nixstation/hardware-configuration.nix | 11 ++-
 hosts/common/network.nix | 84 +++++----------------
 hosts/common/nvidia/default.nix | 3 +-
 6 files changed, 61 insertions(+), 101 deletions(-)
diff --git a/flake.lock b/flake.lock
index 97321d5..f6d90b8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -46,11 +46,11 @@
 ]
 },
 "locked": {
- "lastModified": 1756022458,
- "narHash": "sha256-J1i35r4HfNDdPpwL0vOBaZopQudAUVtartEerc1Jryc=",
+ "lastModified": 1756261190,
+ "narHash": "sha256-eiy0klFK5EVJLNilutR7grsZN/7Itj9DyD75eyOf83k=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "9e3a33c0bcbc25619e540b9dfea372282f8a9740",
+ "rev": "77f348da3176dc68b20a73dab94852a417daf361",
 "type": "github"
 },
 "original": {
@@ -90,11 +90,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1755615617,
- "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
+ "lastModified": 1756266583,
+ "narHash": "sha256-cr748nSmpfvnhqSXPiCfUPxRz2FJnvf/RjJGvFfaCsM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "20075955deac2583bb12f07151c2df830ef346b4",
+ "rev": "8a6d5427d99ec71c64f0b93d45778c889005d9c2",
 "type": "github"
 },
 "original": {
@@ -114,11 +114,11 @@
 "systems": "systems_2"
 },
 "locked": {
- "lastModified": 1755924483,
- "narHash": "sha256-wNqpEXZuAwPjW8hYKIYzmN+fgEZT/Qx+sUIWXg3EIWU=",
+ "lastModified": 1756305488,
+ "narHash": "sha256-+6cgFdac+DN5PAZg3YtRXAEdk++r6msy7wfFMNMNsEY=",
 "owner": "nix-community",
 "repo": "nixvim",
- "rev": "91f51aede7c9c769c19f74ba9042b8fdb4ed2989",
+ "rev": "b7e96214e8e7244eceae73c606dcd243f6d180a3",
 "type": "github"
 },
 "original": {
diff --git a/home-manager/home.nix b/home-manager/home.nix
index 533cdeb..d126b5d 100644
--- a/home-manager/home.nix +++ b/home-manager/home.nix @@ -1,4 +1,5 @@ { pkgs +, lib , ... }: { @@ -12,14 +13,14 @@ config = { allowUnfree = true; # Workaround for https://github.com/nix-community/home-manager/issues/2942 - # nixpkgs.config.allowUnfreePredicate = - # pkg: - # builtins.elem (lib.getName pkg) [ - # "steam" - # "steam-original" - # "steam-run" - # "steamtinkerlaunch" - # ]; + nixpkgs.config.allowUnfreePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "steam" + "steam-original" + "steam-run" + "steamtinkerlaunch" + ]; }; }; @@ -32,6 +33,7 @@ heroic hwinfo inkscape + keymapp lazygit libinput nerd-fonts.fira-code @@ -43,6 +45,7 @@ python3 ripgrep statix + steam uget unzip waydroid diff --git a/hosts/Nixstation/default.nix b/hosts/Nixstation/default.nix index 2d16dc2..b8ba635 100644 --- a/hosts/Nixstation/default.nix +++ b/hosts/Nixstation/default.nix @@ -12,7 +12,7 @@ boot = { loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; - # kernelPackages = pkgs.linuxPackages_6_16; + kernelPackages = pkgs.linuxPackages_latest; }; environment = { @@ -20,9 +20,6 @@ act btrfs-progs cudatoolkit - networkmanagerapplet - libwacom - wacomtablet ]; }; @@ -62,18 +59,21 @@ }; programs = { - # steam = { - # enable = true; - # remotePlay.openFirewall = true; - # dedicatedServer.openFirewall = true; - # localNetworkGameTransfers.openFirewall = true; - - # }; dconf.enable = true; virt-manager.enable = true; }; - security.pam.services.gdm.enableGnomeKeyring = true; - security.rtkit.enable = true; + security = { + pam.services.gdm.enableGnomeKeyring = true; + polkit.enable = true; + polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if (action.id == "org.bluez.GattProfile1.Release") { + return polkit.Result.YES; + } + }); + ''; + rtkit.enable = true; + }; services = { xserver = { xkb = { @@ -82,7 +82,6 @@ }; }; desktopManager.gnome.enable = true; - displayManager = { gdm.enable = true; gdm.wayland = true; 
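Review bot: The re-enabled predicate is spelled `nixpkgs.config.allowUnfreePredicate = …` but the hunk's own context line shows it sits inside `config = {`, so the attribute lands at a nested path (`…config.nixpkgs.config.allowUnfreePredicate`) that nothing reads, and as far as the hunk shows it is inert. The `allowUnfree = true;` directly above it already admits every unfree package, so either delete the predicate or, if the intent is to allow only the Steam packages, use `allowUnfree = false;` followed by `allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ … ];` at the same level as `allowUnfree`. The enclosing attribute set begins outside the hunk, so confirm the nesting before moving the line.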
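Review bot: The new rule in `security.polkit.extraConfig` returns `polkit.Result.YES` for `org.bluez.GattProfile1.Release` without inspecting `subject`, so every local uid, including system daemons, is granted the action rather than only the active desktop session, and because polkit stops at the first rule that returns a result, the default fallback never gets a say. Scope it to the interactive user: `if (action.id == "org.bluez.GattProfile1.Release" && subject.local && subject.active && subject.isInGroup("users")) {`. A one-line comment naming the application that needs this rule (the commit adds `keymapp` alongside it, but the hunk does not say) would let the next reader decide when it can be removed.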
diff --git a/hosts/Nixstation/hardware-configuration.nix b/hosts/Nixstation/hardware-configuration.nix index 4410d63..a30ef9b 100644 --- a/hosts/Nixstation/hardware-configuration.nix +++ b/hosts/Nixstation/hardware-configuration.nix @@ -20,9 +20,9 @@ "sd_mod" "xhci_pci" ]; - kernelParams = [ "amd_pstate=active" ]; + kernelParams = [ "amd_pstate=active" "usbcore.autosuspend=-1"]; initrd.kernelModules = [ ]; - kernelModules = [ "kvm-amd" ]; + kernelModules = [ "kvm-amd" "iwlwifi" ]; extraModulePackages = [ ]; }; fileSystems = { @@ -59,5 +59,10 @@ bluetooth.enable = true; }; - services.blueman.enable = true; + services = { + blueman.enable = true; + udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="on" + ''; + }; } diff --git a/hosts/common/network.nix b/hosts/common/network.nix index b814b38..5d3ea4f 100644 --- a/hosts/common/network.nix +++ b/hosts/common/network.nix @@ -7,27 +7,24 @@ firewall = { enable = true; allowPing = true; - allowedTCPPorts = [ - 2375 - 4780 - 11470 - 25565 - ]; - allowedUDPPorts = [ - 8888 - 8899 - ]; + allowedTCPPorts = [2375 4780 11470 25565]; + allowedUDPPorts = [3478 41641 8888 8899]; }; }; services = { - tailscale.enable = true; + tailscale = { + enable = true; + useRoutingFeatures = "client"; + extraUpFlags = [ "--accept-dns=false" "--reset" ]; + }; openssh.enable = true; # openssh.settings.X11Forwarding = true; }; virtualisation.docker = { enable = true; + logDriver = "journald"; package = pkgs.docker_25; storageDriver = "btrfs"; daemon.settings = { 
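Review bot: The rewritten `allowedTCPPorts` keeps 2375, the unauthenticated Docker remote-API port, open on every non-trusted interface, including the Tailscale interface this same hunk configures; dockerd's `hosts` setting is not visible here, but if it is ever bound to `tcp://0.0.0.0:2375` any reachable peer gets root-equivalent control of the host. Drop the entry, or confine it with `networking.firewall.interfaces.<name>.allowedTCPPorts`, or move to TLS-authenticated 2376 with client certificates. Of the new UDP entries only 41641 (WireGuard) needs an inbound rule, which `services.tailscale.openFirewall = true;` expresses without hard-coding the port; 3478 is STUN, whose replies are matched by the stateful firewall on the outbound query, so opening it inbound only widens exposure. A comment naming what 4780, 11470, 25565, 8888 and 8899 serve would make this list reviewable.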
@@ -37,34 +34,6 @@ experimental = true; metrics-addr = "0.0.0.0:9323"; }; - - # daemon.settings = { - - # hosts = [ - # "unix:///var/run/docker.sock" - # ]; - - # features = { - # cdi = true; - # }; - - # userland-proxy = false; - # experimental = true; - # metrics-addr = "0.0.0.0:9323"; - - # default-runtime = "nvidia"; - # runtimes = { - # nvidia = { - # path = "nvidia-container-runtime"; - # }; - # nvidia-cdi = { - # path = "nvidia-container-runtime.cdi"; - # }; - # nvidia-legacy = { - # path = "nvidia-container-runtime.legacy"; - # }; - # }; - # }; }; services.samba = { @@ -76,41 +45,24 @@ "workgroup" = "WORKGROUP"; "server string" = "smbnix"; "netbios name" = "smbnix"; - - # "use sendfile" = "yes"; - # "max protocol" = "smb2"; - # note: localhost is the ipv6 localhost ::1 "hosts allow" = "192.168.0. 192.168. 192.168.122.55 127.0.0.1 localhost"; "hosts deny" = "0.0.0.0/0"; "guest account" = "nobody"; "map to guest" = "bad user"; security = "user"; - # shared = { - # path = "/home/thiago/Downloads/oblivion"; - # browseable = true; - # writable = false; - # guestOk = true; - # "force user" = "thiago"; - # }; }; - - # shares = { - # OneDrive = '' - # path = "/run/media/thiago/hdd0/OneDrive/" - # browseable = "yes" - # "read only" = "no" - # "guest ok" = "no" - # "create mask" = "0644" - # "directory mask" = "0755" - # "force user" = "thiago" - # "force group" = "users" - # ''; - # }; }; }; - services.samba-wsdd = { - enable = true; - openFirewall = true; + systemd = { + services.docker.serviceConfig = { + StandardOutput = "journal"; + StandardError = "journal"; + logFilterPatterns = [ ".*skip loading plugin.*" "skip plugin"]; + }; + tmpfiles.rules = [ + "d /usr/local/share/polkit-1 0755 root root -" + "d /usr/local/share/polkit-1/rules.d 0755 root root -" + ]; }; } diff --git a/hosts/common/nvidia/default.nix b/hosts/common/nvidia/default.nix index 971a192..ebce0c9 100644 --- a/hosts/common/nvidia/default.nix +++ b/hosts/common/nvidia/default.nix 
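Review bot: `logFilterPatterns` in `systemd.services.docker.serviceConfig` is not a systemd directive, the key is written verbatim into the unit's `[Service]` section where systemd ignores the unknown, lower-cased name; the real setting is `LogFilterPatterns=` (systemd ≥ 253), and with that name the listed patterns would still do the opposite of what is intended, because a pattern without a leading `~` is an allow-list that discards every docker log line not matching it. Use `LogFilterPatterns = [ "~skip loading plugin" "~skip plugin" ];` and drop `StandardOutput`/`StandardError = "journal"`, which are already the defaults. The `tmpfiles.rules` that create `/usr/local/share/polkit-1/rules.d` add an imperative, non-declarative location where privilege rules can be dropped; if a package needs that directory, say which one in a comment, otherwise keep rules in `security.polkit.extraConfig` as `hosts/Nixstation/default.nix` already does.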
@@ -1,4 +1,5 @@ { pkgs +, config , ... }: { @@ -20,7 +21,7 @@ modesetting.enable = true; nvidiaSettings = true; open = false; - package = pkgs.linuxPackages.nvidiaPackages.vulkan_beta; + package = config.boot.kernelPackages.nvidiaPackages.latest; powerManagement.enable = true; powerManagement.finegrained = false; };
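Review bot: `config.boot.kernelPackages.nvidiaPackages.latest` tracks the newest driver branch while `hosts/Nixstation/default.nix` in this same commit moves the kernel to `linuxPackages_latest`, so both now float on every flake update and an out-of-tree closed module (`open = false`) that lags a new kernel will fail to build or load with nothing pinned to fall back to. Prefer `nvidiaPackages.production` (or `stable`) unless a specific fix in the latest branch is required, and record that reason in a comment beside the line. If the GPU is Turing or newer, `open = true` is NVIDIA's recommended configuration for current drivers and tends to track new kernels sooner; the hunk does not show the hardware, so verify before flipping it.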