magpie/networking: iptables -> nftables

home/home.nix

@@ -254,6 +254,7 @@ in
           TMP_FILE=$(${pkgs.coreutils}/bin/mktemp /tmp/.swaylock_ss_XXXXXX.jpg)
           ${lib.getExe pkgs.grim} -t ppm - | ${pkgs.imagemagick}/bin/convert - -blur 0x12 "$TMP_FILE"
           ${lib.getExe pkgs.swaylock} -f -i "$TMP_FILE"
+          ${pkgs.coreutils}/bin/shred "$TMP_FILE"
           ${pkgs.coreutils}/bin/rm "$TMP_FILE"
         '';
       in
@@ -298,14 +299,17 @@ in
           profile.outputs = [
             {
               criteria = "eDP-1";
+              position = "3840,0";
             }
             {
               criteria = "Philips Consumer Electronics Company PHL 272S1 UHB2347026536";
               mode = "1920x1080@74.973Hz";
+              position = "5760,0";
             }
             {
               criteria = "Philips Consumer Electronics Company PHL 272S1 UHB2347026535";
               mode = "1920x1080@74.973Hz";
+              position = "7680,0";
             }
           ];
         }

magpie/configuration.nix

@@ -333,24 +333,28 @@
   };
 
   networking.hostName = "magpie";
+  networking.firewall = {
+    nftables.enable = true;
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+      587
+      2049
+    ]; # http, mail, mail, nfs
+    allowedUDPPorts = [
+      443
+      51820
+    ]; # mail, wireguard
+    allowPing = true;
+    logRefusedConnections = lib.mkDefault false;
+  };
 
-  networking.firewall.enable = true;
+  networking.nat = {
-  networking.firewall.allowedTCPPorts = [
+    enable = true;
-    80
+    externalInterface = "enp1s0";
-    443
+    internalInterfaces = [ "wg0" ];
-    587
+  };
-    2049
-  ]; # http, mail, mail, nfs
-  networking.firewall.allowedUDPPorts = [
-    443
-    51820
-  ]; # mail, wireguard
-  networking.firewall.allowPing = true;
-  networking.firewall.logRefusedConnections = lib.mkDefault false;
-
-  networking.nat.enable = true;
-  networking.nat.externalInterface = "enp1s0";
-  networking.nat.internalInterfaces = [ "wg0" ];
 
   networking.networkmanager.enable = true;
   networking.wireless.enable = false;
@@ -363,11 +367,11 @@
       # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
       # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
       postSetup = ''
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        ${pkgs.nftables}/bin/nft add rule ip nat POSTROUTING oifname "eth0" ip saddr 10.100.0.0/24 counter masquerade
       '';
-      # This undoes the above command
+      # This undoes the above command, TODO fix command below to be more specific
       postShutdown = ''
-        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        ${pkgs.nftables}/bin/nft flush table ip nat
       '';
       privateKeyFile = config.sops.secrets."wg_privkey".path;