feat: bump flakes, enable Steam, update kernel/NVIDIA, refine net+security

2025-08-28 14:09:53 -03:00 · 2025-08-28 14:09:53 -03:00 · f7e34c54d6
commit f7e34c54d6
parent 4cf9e1efac
6 changed files with 61 additions and 101 deletions
--- a/hosts/Nixstation/default.nix
+++ b/hosts/Nixstation/default.nix
@ -12,7 +12,7 @@
  boot = {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
-    # kernelPackages = pkgs.linuxPackages_6_16;
+    kernelPackages = pkgs.linuxPackages_latest;
  };

  environment = {
@ -20,9 +20,6 @@
      act
      btrfs-progs
      cudatoolkit
-      networkmanagerapplet
-      libwacom
-      wacomtablet
    ];
  };

@ -62,18 +59,21 @@
  };

  programs = {
-    # steam = {
-    #   enable = true;
-    #   remotePlay.openFirewall = true;
-    #   dedicatedServer.openFirewall = true;
-    #   localNetworkGameTransfers.openFirewall = true;
-
-    # };
    dconf.enable = true;
    virt-manager.enable = true;
  };
-  security.pam.services.gdm.enableGnomeKeyring = true;
-  security.rtkit.enable = true;
+  security = {
+    pam.services.gdm.enableGnomeKeyring = true;
+    polkit.enable = true;
+    polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (action.id == "org.bluez.GattProfile1.Release") {
+          return polkit.Result.YES;
+        }
+      });
+    '';
+    rtkit.enable = true;
+  };
  services = {
    xserver = {
      xkb = {
@ -82,7 +82,6 @@
      };
    };
    desktopManager.gnome.enable = true;
-
    displayManager = {
      gdm.enable = true;
      gdm.wayland = true;
--- a/hosts/Nixstation/hardware-configuration.nix
+++ b/hosts/Nixstation/hardware-configuration.nix
@ -20,9 +20,9 @@
      "sd_mod"
      "xhci_pci"
    ];
-    kernelParams = [ "amd_pstate=active" ];
+    kernelParams = [ "amd_pstate=active" "usbcore.autosuspend=-1"];
    initrd.kernelModules = [ ];
-    kernelModules = [ "kvm-amd" ];
+    kernelModules = [ "kvm-amd" "iwlwifi" ];
    extraModulePackages = [ ];
  };
  fileSystems = {
@ -59,5 +59,10 @@
    bluetooth.enable = true;
  };

-  services.blueman.enable = true;
+  services = {
+    blueman.enable = true;
+    udev.extraRules = ''
+      ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="on"
+    '';
+  };
 }
--- a/hosts/common/network.nix
+++ b/hosts/common/network.nix
@ -7,27 +7,24 @@
    firewall = {
      enable = true;
      allowPing = true;
-      allowedTCPPorts = [
-        2375
-        4780
-        11470
-        25565
-      ];
-      allowedUDPPorts = [
-        8888
-        8899
-      ];
+      allowedTCPPorts = [2375 4780 11470 25565];
+      allowedUDPPorts = [3478 41641 8888 8899];
    };
  };

  services = {
-    tailscale.enable = true;
+    tailscale = {
+      enable = true;
+      useRoutingFeatures = "client";
+      extraUpFlags = [ "--accept-dns=false" "--reset" ];
+    };
    openssh.enable = true;
    # openssh.settings.X11Forwarding = true;
  };

  virtualisation.docker = {
    enable = true;
+    logDriver = "journald";
    package = pkgs.docker_25;
    storageDriver = "btrfs";
    daemon.settings = {
@ -37,34 +34,6 @@
      experimental = true;
      metrics-addr = "0.0.0.0:9323";
    };
-
-    # daemon.settings = {
-
-    #   hosts = [
-    #     "unix:///var/run/docker.sock"
-    #   ];
-
-    #   features = {
-    #     cdi = true;
-    #   };
-
-    #   userland-proxy = false;
-    #   experimental = true;
-    #   metrics-addr = "0.0.0.0:9323";
-
-    #   default-runtime = "nvidia";
-    #   runtimes = {
-    #     nvidia = {
-    #       path = "nvidia-container-runtime";
-    #     };
-    #     nvidia-cdi = {
-    #       path = "nvidia-container-runtime.cdi";
-    #     };
-    #     nvidia-legacy = {
-    #       path = "nvidia-container-runtime.legacy";
-    #     };
-    #   };
-    # };
  };

  services.samba = {
@ -76,41 +45,24 @@
        "workgroup" = "WORKGROUP";
        "server string" = "smbnix";
        "netbios name" = "smbnix";
-
-        # "use sendfile" = "yes";
-        # "max protocol" = "smb2";
-        # note: localhost is the ipv6 localhost ::1
        "hosts allow" = "192.168.0. 192.168. 192.168.122.55 127.0.0.1 localhost";
        "hosts deny" = "0.0.0.0/0";
        "guest account" = "nobody";
        "map to guest" = "bad user";
        security = "user";
-        # shared = {
-        #  path = "/home/thiago/Downloads/oblivion";
-        #  browseable = true;
-        #  writable = false;
-        #  guestOk = true;
-        #  "force user" = "thiago";
-        # };
      };
-
-      # shares = {
-      #   OneDrive = ''
-      #     path = "/run/media/thiago/hdd0/OneDrive/"
-      #     browseable = "yes"
-      #     "read only" = "no"
-      #     "guest ok" = "no"
-      #     "create mask" = "0644"
-      #     "directory mask" = "0755"
-      #     "force user" = "thiago"
-      #     "force group" = "users"
-      #   '';
-      # };
    };
  };

-  services.samba-wsdd = {
-    enable = true;
-    openFirewall = true;
+  systemd = {
+    services.docker.serviceConfig = {
+      StandardOutput = "journal";
+      StandardError = "journal";
+      logFilterPatterns = [ ".*skip loading plugin.*" "skip plugin"];
+    };
+    tmpfiles.rules = [
+      "d /usr/local/share/polkit-1 0755 root root -"
+      "d /usr/local/share/polkit-1/rules.d 0755 root root -"
+    ];
  };
 }
--- a/hosts/common/nvidia/default.nix
+++ b/hosts/common/nvidia/default.nix
@ -1,4 +1,5 @@
 { pkgs
+, config
 , ...
 }:
 {
@ -20,7 +21,7 @@
      modesetting.enable = true;
      nvidiaSettings = true;
      open = false;
-      package = pkgs.linuxPackages.nvidiaPackages.vulkan_beta;
+      package = config.boot.kernelPackages.nvidiaPackages.latest;
      powerManagement.enable = true;
      powerManagement.finegrained = false;
    };