From 04be52d7b75eb62203a3af8d85e36e3584123f90 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Fri, 8 Mar 2024 21:30:37 +0300 Subject: 2024-03-08
--- modules/common/emacs/doom/config.el | 3 ++- modules/common/profiles/dev/containers.nix | 9 --------- modules/nixos/common/networking.nix | 4 +++- modules/nixos/games/mangohud.nix | 26 +++++++++++++++----------- modules/nixos/games/steam-run.nix | 1 + modules/nixos/games/steam.nix | 8 +++++++- modules/nixos/matrix/dendrite.nix | 3 ++- modules/nixos/profiles/headless.nix | 2 +- modules/nixos/shadowsocks.nix | 9 +-------- modules/nixos/soju.nix | 2 ++ modules/nixos/unbound.nix | 9 ++++++--- 11 files changed, 40 insertions(+), 36 deletions(-) (limited to 'modules')
diff --git a/modules/common/emacs/doom/config.el b/modules/common/emacs/doom/config.el
index 3b771ad..15bcdff 100644
--- a/modules/common/emacs/doom/config.el
+++ b/modules/common/emacs/doom/config.el
@@ -188,9 +188,10 @@ :host "azahi.cc" :port 6697 :tls t + :logging nil :user ,(concat circe-default-user "/" server) :pass ,(lambda (&rest _) - (+pass-get-secret "")))) + (+pass-get-secret "server/soju.shire.net/azahi")))) '("libera" "oftc" "hackint" "rizon"))) ;;
diff --git a/modules/common/profiles/dev/containers.nix b/modules/common/profiles/dev/containers.nix
index d9b67d0..e90c88e 100644
--- a/modules/common/profiles/dev/containers.nix
+++ b/modules/common/profiles/dev/containers.nix
@@ -34,14 +34,7 @@ in { }; packages = with pkgs; [ - argocd - chart-testing - clusterctl - cmctl - datree - istioctl k9s - kubeconform kubectl kubectl-doctor kubectl-images
@@ -50,10 +43,8 @@ in { kubelogin-oidc kubent kubernetes-helm - kubeseal kubespy minikube - skaffold skopeo stern telepresence2
diff --git a/modules/nixos/common/networking.nix b/modules/nixos/common/networking.nix
index 91306be..fb7d9b2 100644
--- a/modules/nixos/common/networking.nix
+++ b/modules/nixos/common/networking.nix
@@ -36,13 +36,15 @@ in { useDHCP = false; + nftables.enable = true; + firewall = { enable = true; rejectPackets = false; allowPing = true; - pingLimit = "--limit 1/minute --limit-burst 5"; + pingLimit = "1/minute burst 5 packets"; logRefusedConnections = false; logRefusedPackets = false;
diff --git a/modules/nixos/games/mangohud.nix b/modules/nixos/games/mangohud.nix
index d693c82..509e035 100644
--- a/modules/nixos/games/mangohud.nix
+++ b/modules/nixos/games/mangohud.nix
@@ -9,17 +9,21 @@ in { options.nixfiles.modules.games.mangohud.enable = mkEnableOption "MangoHud"; config = mkIf cfg.enable { - hm.programs.mangohud = { - enable = true; - settings = { - fps = true; - frame_timing = true; - gpu_stats = true; - gpu_temp = true; - cpu_stats = true; - cpu_temp = true; - ram = true; - vram = true; + hm = { + stylix.targets.mangohud.enable = false; + + programs.mangohud = { + enable = true; + settings = { + fps = true; + frame_timing = true; + gpu_stats = true; + gpu_temp = true; + cpu_stats = true; + cpu_temp = true; + ram = true; + vram = true; + }; }; }; };
diff --git a/modules/nixos/games/steam-run.nix b/modules/nixos/games/steam-run.nix
index 2643c95..fc51c85 100644
--- a/modules/nixos/games/steam-run.nix
+++ b/modules/nixos/games/steam-run.nix
@@ -24,6 +24,7 @@ in { games = { enable32BitSupport = true; gamemode.enable = true; + mangohud.enable = true; }; };
diff --git a/modules/nixos/games/steam.nix b/modules/nixos/games/steam.nix
index 8dfa72c..c81d344 100644
--- a/modules/nixos/games/steam.nix
+++ b/modules/nixos/games/steam.nix
@@ -17,9 +17,15 @@ in { games = { enable32BitSupport = true; gamemode.enable = true; + mangohud.enable = true; }; }; - hm.home.packages = with pkgs; [steam]; + hm.home.packages = with pkgs; [ + (steam.override {extraEnv.MANGOHUD = 1;}) + protontricks + ]; + + hardware.steam-hardware.enable = true; }; }
diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix
index d5c9308..c65b55b 100644
--- a/modules/nixos/matrix/dendrite.nix
+++ b/modules/nixos/matrix/dendrite.nix
@@ -106,8 +106,9 @@ in { systemd.services.dendrite = { description = "Dendrite Matrix homeserver"; - requires = ["network.target"]; wantedBy = ["multi-user.target"]; + requires = ["network.target" "postgresql.service"]; + after = ["network.target" "postgresql.service"]; serviceConfig = let needsPrivileges = cfg.port < 1024; capabilities = [""] ++ optionals needsPrivileges ["CAP_NET_BIND_SERVICE"];
diff --git a/modules/nixos/profiles/headless.nix b/modules/nixos/profiles/headless.nix
index f0357ab..d1fcfa4 100644
--- a/modules/nixos/profiles/headless.nix
+++ b/modules/nixos/profiles/headless.nix
@@ -22,7 +22,7 @@ in { # the latest LTS release + hardened patches (just in case). # # [1]: https://kernel.org - boot.kernelPackages = pkgs.linuxPackages_5_15_hardened; + boot.kernelPackages = pkgs.linuxPackages_6_6_hardened; nix = { gc = {
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index 97eb17f..69688da 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -100,14 +100,7 @@ in { ''; }; - networking.firewall = { - allowedTCPPorts = [cfg.port]; - extraCommands = '' - iptables -A nixos-fw -p tcp --syn --dport ${ - toString cfg.port - } -m connlimit --connlimit-above 32 -j nixos-fw-refuse - ''; - }; + networking.firewall.allowedTCPPorts = [cfg.port]; # https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks boot.kernel.sysctl = {
diff --git a/modules/nixos/soju.nix b/modules/nixos/soju.nix
index ea95bb3..71dff86 100644
--- a/modules/nixos/soju.nix
+++ b/modules/nixos/soju.nix
@@ -70,6 +70,8 @@ in { systemd.services.soju = { description = "soju IRC bouncer"; wantedBy = ["multi-user.target"]; + wants = ["network-online.target"]; + requires = ["postgresql.service"]; after = ["network-online.target" "postgresql.service"]; serviceConfig = { ExecStart = let
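Review bot: In modules/nixos/matrix/dendrite.nix the unit is still ordered against `network.target`, which only says the network stack has been started, not that addresses and routes are usable; the soju unit changed in this same commit uses `network-online.target` instead. For a homeserver that talks to other servers at startup I would write `wants = ["network-online.target"];`, `requires = ["postgresql.service"];` and `after = ["network-online.target" "postgresql.service"];`. The hard `requires` on `postgresql.service` also assumes the database runs on the same host, which the hunk does not show, so a one-line comment stating that would help. The `serviceConfig` block continues outside the hunk.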
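Review bot: In modules/nixos/shadowsocks.nix the per-source cap on new connections (`--connlimit-above 32` on SYNs to `cfg.port`) is dropped rather than ported, so after this commit the proxy port is opened with no connection limit at the firewall. The removal is presumably forced by `nftables.enable = true` in networking.nix, because the iptables `extraCommands` hook cannot be used with the nftables backend. I would re-create the limit as an nftables rule keyed on `ip saddr` with `ct count over 32`, for instance through `networking.firewall.extraInputRules`, after checking that it is evaluated before the accept rule generated for `allowedTCPPorts`. If that is deferred, leave a marker next to the new line, such as `# TODO: port the connlimit (32 per source) rule to nftables`, so the lost protection stays visible.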
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix
index e6cad81..5aaf104 100644
--- a/modules/nixos/unbound.nix
+++ b/modules/nixos/unbound.nix
@@ -35,6 +35,7 @@ in { withTFO = true; }; + checkconf = false; settings = { server = { interface = with this.wireguard; [
@@ -164,9 +165,10 @@ in { name = "unbound-adblock-update"; runtimeInputs = [pkgs.curl package]; text = '' - curl -s \ - "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" \ - >${adblock-conf} + curl \ + -s \ + -o ${adblock-conf} \ + "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf" if [[ -f "${localControlSocketPath}" ]]; then unbound-control reload
@@ -179,6 +181,7 @@ in { timers.unbound-adblock-update = { requires = ["network-online.target"]; + after = ["network-online.target"]; timerConfig = { OnCalendar = "daily"; Persistent = true; -- cgit v1.2.3
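Review bot: `checkconf = false;` in the first hunk of modules/nixos/unbound.nix is added without a comment, and it switches off the build-time configuration check, so a mistake in `settings` now surfaces only when the daemon starts or reloads. If the reason is that the check cannot see the adblock file that is downloaded at runtime, say so next to the option, e.g. `# checkconf fails on the adblock include, which only exists at runtime`. The `settings` block continues outside the hunk.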
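Review bot: The updater in the second hunk of modules/nixos/unbound.nix writes the HTTP response straight into `${adblock-conf}` with `curl -s -o`, so a truncated transfer or an HTTP error page (curl exits 0 on 4xx/5xx without `--fail`) replaces the live blocklist and is then picked up by `unbound-control reload`. The URL also tracks the `main` branch of a third-party repository, and the file is presumably included in the resolver configuration, so whoever controls that file influences what unbound loads. Pinning a reviewed commit, or checking the content against the directives you expect, would narrow that. I would download to a temporary file beside the target, fail on HTTP errors, and rename into place only when the download is non-empty. The attribute set holding `text` starts before the hunk and the `if` block ends after it.

```nix
text = ''
  tmp="${adblock-conf}.new"

  curl \
    --fail \
    --silent \
    --show-error \
    --proto "=https" \
    -o "$tmp" \
    "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf"

  # Refuse to replace the live list with an empty download.
  [[ -s "$tmp" ]] || exit 1
  mv -f "$tmp" ${adblock-conf}

  # … unchanged: reload through unbound-control when the control socket exists …
```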