magpie/networking: iptables -> nftables

This reverts commit 350bcfed05.

common/packages.nix

@@ -9,6 +9,7 @@
     with pkgs;
     [
       acpi
+      aria2
       binutils
       binwalk
       bluez

flake.lock

@@ -126,11 +126,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1736200483,
-        "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=",
+        "lastModified": 1738574474,
+        "narHash": "sha256-rvyfF49e/k6vkrRTV4ILrWd92W+nmBDfRYZgctOyolQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3f0a8ac25fb674611b98089ca3a5dd6480175751",
+        "rev": "fecfeb86328381268e29e998ddd3ebc70bbd7f7c",
         "type": "github"
       },
       "original": {
@@ -243,11 +243,11 @@
         "nixpkgs-24_11": "nixpkgs-24_11"
       },
       "locked": {
-        "lastModified": 1735230346,
-        "narHash": "sha256-zgR8NTiNDPVNrfaiOlB9yHSmCqFDo7Ks2IavaJ2dZo4=",
+        "lastModified": 1737736848,
+        "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b",
+        "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261",
         "type": "gitlab"
       },
       "original": {
@@ -263,11 +263,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736515725,
-        "narHash": "sha256-4P99yL8vGehwzytkpP87eklBePt6aqeEC5JFsIzhfUs=",
+        "lastModified": 1738291974,
+        "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "f214c1b76c347a4e9c8fb68c73d4293a6820d125",
+        "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
         "type": "github"
       },
       "original": {
@@ -350,11 +350,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1721120316,
-        "narHash": "sha256-CaAMnU6LKqJrsZmR9k0/2brpULnAekpgG5S0BjtFhaQ=",
+        "lastModified": 1737802495,
+        "narHash": "sha256-Q+bZnH7uQM5T/G+xCGSRU3bTJqD70NeE4vLXLXLCm7k=",
         "ref": "refs/heads/master",
-        "rev": "8a7923bd4e5d36b186408d5432568a91ac67b695",
-        "revCount": 21,
+        "rev": "4962f12867b0b6c4c4d39b98e6016e7f925a802c",
+        "revCount": 23,
         "type": "git",
         "url": "https://git.project-cloud.net/asmir/zremap"
       },

flake.nix

@@ -155,6 +155,7 @@
             }
           ];
         };
+
         magpie = nixpkgs.lib.nixosSystem rec {
           system = "aarch64-linux";
           modules = [

home/home.nix

@@ -254,6 +254,7 @@ in
           TMP_FILE=$(${pkgs.coreutils}/bin/mktemp /tmp/.swaylock_ss_XXXXXX.jpg)
           ${lib.getExe pkgs.grim} -t ppm - | ${pkgs.imagemagick}/bin/convert - -blur 0x12 "$TMP_FILE"
           ${lib.getExe pkgs.swaylock} -f -i "$TMP_FILE"
+          ${pkgs.coreutils}/bin/shred "$TMP_FILE"
           ${pkgs.coreutils}/bin/rm "$TMP_FILE"
         '';
       in
@@ -298,14 +299,17 @@ in
           profile.outputs = [
             {
               criteria = "eDP-1";
+              position = "3840,0";
             }
             {
               criteria = "Philips Consumer Electronics Company PHL 272S1 UHB2347026536";
               mode = "1920x1080@74.973Hz";
+              position = "5760,0";
             }
             {
               criteria = "Philips Consumer Electronics Company PHL 272S1 UHB2347026535";
               mode = "1920x1080@74.973Hz";
+              position = "7680,0";
             }
           ];
         }
@@ -315,19 +319,17 @@ in
 
   systemd.user = {
     services = {
-      /*
-         himalaya = {
-        Unit.Description = "Himalaya new messages notifier";
+      wayland-pipewire-idle-inhibit = {
+        Unit.Description = "inhibit sleep while audio output is active";
         Service = {
-        ExecStart = "himalaya notify";
-        Restart = "always";
-        RestartSec = 10;
+          ExecStart = "${lib.getExe pkgs.wayland-pipewire-idle-inhibit}";
+          Restart = "always";
+          RestartSec = 10;
         };
         Install = {
-        WantedBy = [ "multi-user.target" ];
+          WantedBy = [ "graphical-session.target" ];
         };
-        };
-      */
+      };
     };
   };
 }

home/zsh.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 {
   programs.z-lua = {
     enableAliases = true;
@@ -11,13 +11,13 @@
     defaultKeymap = "viins";
 
     shellAliases = {
-      cfind = "cscope -C -R -L1";
+      cfind = "${pkgs.cscope}/bin/cscope -C -R -L1";
       chmod = "chmod -v";
       chown = "chown -v";
       cp = "cp -v";
       rm = "rm -v";
       ip = "ip --color=auto";
-      f = "''$(pay-respects zsh)";
+      f = "''$(${lib.getExe pkgs.pay-respects} zsh)";
     };
 
     history = {
@@ -92,11 +92,23 @@
         ls;
       }
 
+      function osc7-pwd() {
+       emulate -L zsh # also sets localoptions for us
+       setopt extendedglob
+       local LC_ALL=C
+       printf '\e]7;file://%s%s\e\' $HOST ''${PWD//(#m)([^@-Za-z&-;_~])/%''${(l:2::0:)''$(([##16]#MATCH))}}
+      }
+
+      function chpwd-osc7-pwd() {
+        (( ZSH_SUBSHELL )) || osc7-pwd
+      }
+      add-zsh-hook -Uz chpwd chpwd-osc7-pwd
+
       eval "$(direnv hook zsh)"
       zstyle ':completion:*' matcher-list 'm:{a-z}={A-Za-z}'
 
       if [[ -n "$PS1" ]] && [[ -z "$TMUX" ]] && [[ -n "$SSH_CONNECTION" ]]; then
-        TMUX_EXE="${pkgs.tmux}/bin/tmux"
+        TMUX_EXE="${lib.getExe pkgs.tmux}"
         systemd-run --scope --user $TMUX_EXE attach-session -t $USER || systemd-run --scope --user $TMUX_EXE new-session -s $USER
       fi
 

magpie/configuration.nix

@@ -333,24 +333,28 @@
   };
 
   networking.hostName = "magpie";
+  networking.firewall = {
+    nftables.enable = true;
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+      587
+      2049
+    ]; # http, mail, mail, nfs
+    allowedUDPPorts = [
+      443
+      51820
+    ]; # mail, wireguard
+    allowPing = true;
+    logRefusedConnections = lib.mkDefault false;
+  };
 
-  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-    587
-    2049
-  ]; # http, mail, mail, nfs
-  networking.firewall.allowedUDPPorts = [
-    443
-    51820
-  ]; # mail, wireguard
-  networking.firewall.allowPing = true;
-  networking.firewall.logRefusedConnections = lib.mkDefault false;
-
-  networking.nat.enable = true;
-  networking.nat.externalInterface = "enp1s0";
-  networking.nat.internalInterfaces = [ "wg0" ];
+  networking.nat = {
+    enable = true;
+    externalInterface = "enp1s0";
+    internalInterfaces = [ "wg0" ];
+  };
 
   networking.networkmanager.enable = true;
   networking.wireless.enable = false;
@@ -363,11 +367,11 @@
       # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
       # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
       postSetup = ''
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        ${pkgs.nftables}/bin/nft add rule ip nat POSTROUTING oifname "eth0" ip saddr 10.100.0.0/24 counter masquerade
       '';
-      # This undoes the above command
+      # This undoes the above command, TODO fix command below to be more specific
       postShutdown = ''
-        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        ${pkgs.nftables}/bin/nft flush table ip nat
       '';
       privateKeyFile = config.sops.secrets."wg_privkey".path;
 

nixy/configuration.nix

@@ -88,6 +88,7 @@ in
       "psmouse.synaptics_intertouch=0"
       "mem_sleep_default=deep"
     ];
+    kernelPackages = pkgs.linuxPackages_latest;
     kernel.sysctl = {
       "net.core.default_qdisc" = "fq";
       "net.ipv4.tcp_congestion_control" = "bbr";