Adjust networking to allow Wireguard client to work properly

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740679976,
+        "lastModified": 1742670145,
-        "narHash": "sha256-6U/zvgtcGJqpOTKsIgf+mRO7/djwV07ImU/t0nZBix8=",
+        "narHash": "sha256-xQ2F9f+ICAGBp/nNv3ddD2U4ZvzuLOci0u/5lyMXPvk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "343646e092696d94b6f22b6875ae685756fd4cf0",
+        "rev": "63e77d09a133ac641a0c204e7cfb0c97e133706d",
         "type": "github"
       },
       "original": {
@@ -22,11 +22,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1740560979,
+        "lastModified": 1742422364,
-        "narHash": "sha256-Vr3Qi346M+8CjedtbyUevIGDZW8LcA1fTG0ugPY/Hic=",
+        "narHash": "sha256-mNqIplmEohk5jRkqYqG19GA8MbQ/D4gQSK0Mu4LvfRQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5135c59491985879812717f4c9fea69604e7f26f",
+        "rev": "a84ebe20c6bc2ecbcfb000a50776219f48d134cc",
         "type": "github"
       },
       "original": {

hosts/default/configuration.nix

@@ -48,16 +48,16 @@
   boot.kernelModules = [ "kvm-amd" "nct6775" ];
 
   # Direct patching for enabling for async reprojection (for SteamVR) on AMD
-  boot.kernelPatches = [
+  #boot.kernelPatches = [
-    {
+  #  {
-      name = "amdgpu-ignore-ctx-privileges";
+  #    name = "amdgpu-ignore-ctx-privileges";
-      patch = pkgs.fetchpatch {
+  #    patch = pkgs.fetchpatch {
-        name = "cap_sys_nice_begone.patch";
+  #      name = "cap_sys_nice_begone.patch";
-        url = "https://github.com/Frogging-Family/community-patches/raw/master/linux61-tkg/cap_sys_nice_begone.mypatch";
+  #      url = "https://github.com/Frogging-Family/community-patches/raw/master/linux61-tkg/cap_sys_nice_begone.mypatch";
-        hash = "sha256-Y3a0+x2xvHsfLax/uwycdJf3xLxvVfkfDVqjkxNaYEo=";
+  #      hash = "sha256-Y3a0+x2xvHsfLax/uwycdJf3xLxvVfkfDVqjkxNaYEo=";
-      };
+  #    };
-    }
+  #  }
-  ];
+  #];
   services.fwupd.enable = true;
   services.hardware.openrgb.enable = true;
   # Add flakes
@@ -176,7 +176,24 @@
 
   # For xdebug...verify actual necessity
   # Have had to use this, but I think it can be disabled still - perhaps w/xdebug binding setting...don't know.
-  networking.firewall.allowedTCPPorts = [ 9003 ];
+  #networking.firewall.allowedTCPPorts = [ 9003 ];
+
+  networking.firewall = {
+    allowedTCPPorts = [ 9003 ];
+    allowedUDPPorts = [ 51820 ];
+    # if packets are still dropped, they will show up in dmesg
+    logReversePathDrops = true;
+    checkReversePath = "loose";
+    # wireguard trips rpfilter up
+    #extraCommands = ''
+    #  ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+    #  ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+    #'';
+    #extraStopCommands = ''
+    #  ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+    #  ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+    #'';
+  };
   # Allow unfree packages
   nixpkgs.config.allowUnfree = true;
 
@@ -243,11 +260,12 @@
     # why did these two disappear???
     usbutils # provide lsusb, etc.
     pciutils # provide lspci, etc.
-    rustdesk # the rustdesk remote desktop client
+    #rustdesk # the rustdesk remote desktop client
     vorta # borg backup UI
     ncdu # nncurses tool for examining disk usage
     psmisc # process tools like killall
     corectrl # provide hardware clock controls for AMDGPU
+    gimp # GIMP image manipulation proggy
   ];
   programs.zsh.enable = true;
   programs.git = {
@@ -259,9 +277,9 @@
   #  enable = true;
   #  openFirewall = true; # This is set true by default
   #};
-  nixpkgs.config.permittedInsecurePackages = [
+  #nixpkgs.config.permittedInsecurePackages = [
-    "electron-27.3.11"
+  #  "electron-27.3.11"
-  ];
+  #];
   fonts.packages = with pkgs; [
     anonymousPro
     corefonts

hosts/default/main-user.nix

@@ -2,6 +2,10 @@
 
 let 
   cfg = config.main-user;
+  # Create a customized version of logseq
+#  logseq-patch = pkgs.logseq.override {
+#    electron_27 = pkgs.electron_34;
+#  };
 in
 {
   options.main-user = {
@@ -28,7 +32,7 @@ in
         keepassxc # passwords!
         macchina # like *fetch - display basics
         z-lua # jump around directories (be careful with same-named ones!)
-        logseq # REQUIRES TEMPORARY INSECURE ELECTRON
+        # logseq-patch # REQUIRES TEMPORARY INSECURE ELECTRON
         signal-desktop # messaging
         ddev # local docker dev awesome
         vscodium # vs code editor, but free