diff --git a/.github/workflows/check-flake.yml b/.github/workflows/check-flake.yml
new file mode 100644
index 0000000..a5b9a16
--- /dev/null
+++ b/.github/workflows/check-flake.yml
@@ -0,0 +1,15 @@
+name: build-flake
+on:
+ workflow_dispatch:
+ pull_request:
+ push:
+ branches: [main]
+
+jobs:
+ lints:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: DeterminateSystems/nix-installer-action@main
+ - run: nix flake check
diff --git a/.github/workflows/update-flake.yml b/.github/workflows/update-flake.yml
new file mode 100644
index 0000000..e881cc8
--- /dev/null
+++ b/.github/workflows/update-flake.yml
@@ -0,0 +1,18 @@
+name: update-flake-lock
+on:
+ workflow_dispatch: # allows manual triggering
+ schedule:
+ - cron: '0 0 * * 1,4' # Run twice a week
+
+jobs:
+ lockfile:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v1
+ - name: Update flake.lock
+ uses: DeterminateSystems/update-flake-lock@v23
+ with:
+ token: ${{ secrets.FLAKE_UPDATE_TOKEN }}
diff --git a/modules/nixos/hw/razer/default.nix b/modules/nixos/hw/razer/default.nix
index 29bc1f8..3f42e3c 100644
--- a/modules/nixos/hw/razer/default.nix
+++ b/modules/nixos/hw/razer/default.nix
@@ -18,13 +18,13 @@ in
 config = mkIf cfg.enable {
 services = {
 razer-laptop-control.enable = true;
- udev.extraRules = ''
- KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="plugdev"
- ''; # needed for correct permissions for razer-laptop-control
+ # udev.extraRules = ''
+ # KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="plugdev"
+ # ''; # needed for correct permissions for razer-laptop-control
 };
 environment.systemPackages = with pkgs; [ polychromatic ];
- dotties.user.extraGroups = [ "plugdev" ];
+ # dotties.user.extraGroups = [ "plugdev" ];
 };
 }
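Review bot: The install step `- uses: DeterminateSystems/nix-installer-action@main` pins a third-party action to a moving branch, so whatever that branch points at when a `pull_request` or a push to `main` fires is what executes in the job; the sibling update-flake.yml in this same commit pins the same action to `@v1`, so the two workflows also disagree. Pin to a release tag or, preferably, a full commit SHA with the version in a trailing comment, e.g. `- uses: DeterminateSystems/nix-installer-action@v1 # pin to a 40-char SHA`. The workflow also declares no `permissions:`, so the job token inherits whatever the repository default is; `nix flake check` needs nothing beyond checkout, so a top-level `permissions:` / `  contents: read` both documents and enforces that.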
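Review bot: `token: ${{ secrets.FLAKE_UPDATE_TOKEN }}` hands a stored long-lived token to `DeterminateSystems/update-flake-lock@v23`, yet both actions in this job are pinned only to mutable major-version tags, so a retagged or compromised release would receive that secret on the next scheduled run. Pin both `uses:` lines to full commit SHAs with the tag in a comment, and add a comment next to `token:` stating the token's scope and why the default `GITHUB_TOKEN` is not used — presumably so the resulting PR triggers the check workflow, which this file does not say; confirm. A `permissions:` block (at minimum `contents: read`) should also be added so the default token is not left at the repository default alongside the PAT.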
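Review bot: The `udev.extraRules` block and the `dotties.user.extraGroups = [ "plugdev" ]` line are commented out rather than deleted, and the retained `# needed for correct permissions for razer-laptop-control` trailer now contradicts the change it sits on. If `services.razer-laptop-control` now provides hidraw access on its own (not visible in this hunk — confirm), remove the six commented lines and leave one line of reasoning in their place, e.g. `# hidraw access is granted by services.razer-laptop-control; no plugdev udev rule or group needed`. If it does not, this change silently drops the only hidraw grant visible in this file, so polychromatic and the user lose device access without any error at evaluation time. The surrounding module (options and the `let ... in`) begins before this hunk.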
diff --git a/modules/nixos/system/firewall/default.nix b/modules/nixos/system/firewall/default.nix
new file mode 100644
index 0000000..820cfda
--- /dev/null
+++ b/modules/nixos/system/firewall/default.nix
@@ -0,0 +1,42 @@
+{
+ pkgs,
+ namespace,
+ lib,
+ inputs,
+ config,
+ ...
+}:
+let
+ inherit (lib) mkOption types mkIf;
+ inherit (lib.${namespace}) mkBoolOpt;
+
+ cfg = config.${namespace}.system.firewall;
+in
+{
+ options.${namespace}.system.firewall.wireguard = {
+ enable = mkBoolOpt false "whether to set rules to allow all traffic to be routed through a wireguard connection.";
+ ports = mkOption {
+ type = types.listOf types.port;
+ default = [ 58844 ];
+ description = "the allowed port numbers for wireguard to use.";
+ };
+ };
+
+ config = mkIf cfg.wireguard.enable {
+ networking.firewall = {
+ logReversePathDrops = true;
+ extraCommands = lib.concatStringsSep "\n" (
+ map (port: ''
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${toString port} -j RETURN
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${toString port} -j RETURN
+ '') cfg.wireguard.ports
+ );
+ extraStopCommands = lib.concatStringsSep "\n" (
+ map (port: ''
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${toString port} -j RETURN || true
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${toString port} -j RETURN || true
+ '') cfg.wireguard.ports
+ );
+ };
+ };
+}
diff --git a/systems/x86_64-linux/blade/default.nix b/systems/x86_64-linux/blade/default.nix
index bcc2fcc..56adb9d 100644
--- a/systems/x86_64-linux/blade/default.nix
+++ b/systems/x86_64-linux/blade/default.nix
@@ -60,6 +60,9 @@ in
 nixHelper = true;
 };
 security.polkit = enabled;
+ firewall = {
+ wireguard = enabled;
+ };
 };
 cli = {
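Review bot: The two `ip46tables -t mangle -I nixos-fw-rpfilter ... -j RETURN` rules in `extraCommands` exempt every UDP packet whose source port or destination port equals a listed port from reverse-path filtering, with no source-address or interface match, so a spoofed-source packet to or from port 58844 bypasses the protection `checkReversePath` exists to provide. This looks like the common NixOS workaround for WireGuard carrying the default route, but the module never says so, and the `enable` description ("allow all traffic to be routed through a wireguard connection") describes something the rules do not do. Put the trade-off above `extraCommands`, e.g. `# rpfilter drops WireGuard UDP when the tunnel is the default route; exempt the WireGuard ports in both directions. Spoofing protection is lost for these ports only.`, reword the option to `"whether to exempt the WireGuard UDP ports from reverse-path filtering."`, and consider narrowing the match with `-i <uplink>` or `-s <endpoint>` where the peer address is fixed. `pkgs` and `inputs` in the module's argument set are unused and can be dropped.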