Adjust networking to allow Wireguard client to work properly

Change packages: -rustdesk, -logseq, +gimp
Disable kernel patching
2025-04-01 17:19:26 -04:00 · 2025-03-30 18:07:19 -04:00 · 2025-03-30 18:06:47 -04:00 · 2025-03-30 18:06:22 -04:00
3 changed files with 44 additions and 22 deletions
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1740679976,
-        "narHash": "sha256-6U/zvgtcGJqpOTKsIgf+mRO7/djwV07ImU/t0nZBix8=",
+        "lastModified": 1742670145,
+        "narHash": "sha256-xQ2F9f+ICAGBp/nNv3ddD2U4ZvzuLOci0u/5lyMXPvk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "343646e092696d94b6f22b6875ae685756fd4cf0",
+        "rev": "63e77d09a133ac641a0c204e7cfb0c97e133706d",
        "type": "github"
      },
      "original": {
@ -22,11 +22,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1740560979,
-        "narHash": "sha256-Vr3Qi346M+8CjedtbyUevIGDZW8LcA1fTG0ugPY/Hic=",
+        "lastModified": 1742422364,
+        "narHash": "sha256-mNqIplmEohk5jRkqYqG19GA8MbQ/D4gQSK0Mu4LvfRQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5135c59491985879812717f4c9fea69604e7f26f",
+        "rev": "a84ebe20c6bc2ecbcfb000a50776219f48d134cc",
        "type": "github"
      },
      "original": {
--- a/hosts/default/configuration.nix
+++ b/hosts/default/configuration.nix
@ -48,16 +48,16 @@
  boot.kernelModules = [ "kvm-amd" "nct6775" ];

  # Direct patching for enabling for async reprojection (for SteamVR) on AMD
-  boot.kernelPatches = [
-    {
-      name = "amdgpu-ignore-ctx-privileges";
-      patch = pkgs.fetchpatch {
-        name = "cap_sys_nice_begone.patch";
-        url = "https://github.com/Frogging-Family/community-patches/raw/master/linux61-tkg/cap_sys_nice_begone.mypatch";
-        hash = "sha256-Y3a0+x2xvHsfLax/uwycdJf3xLxvVfkfDVqjkxNaYEo=";
-      };
-    }
-  ];
+  #boot.kernelPatches = [
+  #  {
+  #    name = "amdgpu-ignore-ctx-privileges";
+  #    patch = pkgs.fetchpatch {
+  #      name = "cap_sys_nice_begone.patch";
+  #      url = "https://github.com/Frogging-Family/community-patches/raw/master/linux61-tkg/cap_sys_nice_begone.mypatch";
+  #      hash = "sha256-Y3a0+x2xvHsfLax/uwycdJf3xLxvVfkfDVqjkxNaYEo=";
+  #    };
+  #  }
+  #];
  services.fwupd.enable = true;
  services.hardware.openrgb.enable = true;
  # Add flakes
@ -176,7 +176,24 @@

  # For xdebug...verify actual necessity
  # Have had to use this, but I think it can be disabled still - perhaps w/xdebug binding setting...don't know.
-  networking.firewall.allowedTCPPorts = [ 9003 ];
+  #networking.firewall.allowedTCPPorts = [ 9003 ];
+
+  networking.firewall = {
+    allowedTCPPorts = [ 9003 ];
+    allowedUDPPorts = [ 51820 ];
+    # if packets are still dropped, they will show up in dmesg
+    logReversePathDrops = true;
+    checkReversePath = "loose";
+    # wireguard trips rpfilter up
+    #extraCommands = ''
+    #  ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+    #  ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+    #'';
+    #extraStopCommands = ''
+    #  ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+    #  ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+    #'';
+  };
  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

@ -243,11 +260,12 @@
    # why did these two disappear???
    usbutils # provide lsusb, etc.
    pciutils # provide lspci, etc.
-    rustdesk # the rustdesk remote desktop client
+    #rustdesk # the rustdesk remote desktop client
    vorta # borg backup UI
    ncdu # nncurses tool for examining disk usage
    psmisc # process tools like killall
    corectrl # provide hardware clock controls for AMDGPU
+    gimp # GIMP image manipulation proggy
  ];
  programs.zsh.enable = true;
  programs.git = {
@ -259,9 +277,9 @@
  #  enable = true;
  #  openFirewall = true; # This is set true by default
  #};
-  nixpkgs.config.permittedInsecurePackages = [
-    "electron-27.3.11"
-  ];
+  #nixpkgs.config.permittedInsecurePackages = [
+  #  "electron-27.3.11"
+  #];
  fonts.packages = with pkgs; [
    anonymousPro
    corefonts
--- a/hosts/default/main-user.nix
+++ b/hosts/default/main-user.nix
@ -2,6 +2,10 @@

 let 
  cfg = config.main-user;
+  # Create a customized version of logseq
+#  logseq-patch = pkgs.logseq.override {
+#    electron_27 = pkgs.electron_34;
+#  };
 in
 {
  options.main-user = {
@ -28,7 +32,7 @@ in
        keepassxc # passwords!
        macchina # like *fetch - display basics
        z-lua # jump around directories (be careful with same-named ones!)
-        logseq # REQUIRES TEMPORARY INSECURE ELECTRON
+        # logseq-patch # REQUIRES TEMPORARY INSECURE ELECTRON
        signal-desktop # messaging
        ddev # local docker dev awesome
        vscodium # vs code editor, but free
Author	SHA1	Message	Date
Chris Thompson	a06273419c	Adjust networking to allow Wireguard client to work properly	2025-04-01 17:19:26 -04:00
Chris Thompson	3f8c8df90a	Change packages: -rustdesk, -logseq, +gimp	2025-03-30 18:07:19 -04:00
Chris Thompson	770b184573	Disable kernel patching	2025-03-30 18:06:47 -04:00
Chris Thompson	da0a90751e	Update flake.lock	2025-03-30 18:06:22 -04:00