m---------private0
-rw-r--r--system/nano-hardware.nix17
-rw-r--r--system/nano.nix70
-rw-r--r--user/marvin.nix1
-rw-r--r--user/settings/development/vlang.nix10
-rw-r--r--user/settings/development/web.nix1
-rw-r--r--user/settings/emacs.nix7
7 files changed, 49 insertions, 57 deletions
diff --git a/private b/private
-Subproject 119c88419b0df280acc06fccd350dba20d85f53
+Subproject e3332f2321b33fd063e539199e60ba5c18f6340
diff --git a/system/nano-hardware.nix b/system/nano-hardware.nix
index 96a0a287..ce010ea2 100644
--- a/system/nano-hardware.nix
+++ b/system/nano-hardware.nix
@@ -16,27 +16,16 @@
 
   fileSystems."/" =
     {
-      device = "/dev/disk/by-uuid/3e2e984a-0f2d-4615-be50-cea40090b463";
+      device = "/dev/disk/by-uuid/7c2a0514-b94f-4369-8898-4d038740a2cd";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
     {
-      device = "/dev/disk/by-uuid/96FE-219D";
+      device = "/dev/disk/by-uuid/EFF6-3E55";
       fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+      options = [ "fmask=0027" "dmask=0027" ];
     };
 
-  swapDevices =
-    [{ device = "/dev/disk/by-uuid/cfedef33-a711-42dd-8816-b1e119e20e55"; }];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eth1.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
diff --git a/system/nano.nix b/system/nano.nix
index 5de5d887..d0177809 100644
--- a/system/nano.nix
+++ b/system/nano.nix
@@ -29,19 +29,6 @@ in
   };
 
   srvos.boot.consoles = [ "ttyS2,1500000" ];
-  boot.kernelPackages = pkgs.linuxWithBSDDisklabel;
-  nixpkgs = {
-    overlays = [
-      (self: super: {
-        linuxWithBSDDisklabel = super.linuxPackagesFor (super.linux.override {
-          structuredExtraConfig = with lib.kernel; {
-            BSD_DISKLABEL = yes;
-          };
-          ignoreConfigErrors = false;
-        });
-      })
-    ];
-  };
 
   hardware.deviceTree = {
     enable = true;
@@ -71,13 +58,12 @@ in
     hosts = {
       "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
       "192.168.100.1" = [ "modem" "pyur" ];
-      "192.168.4.1" = [ "lte" ];
     };
     nameservers = [
-      "2620::fe:fe"
-      "2620::fe:9"
-      "9.9.9.9"
-      "149.112.112.112"
+      "9.9.9.11"
+      "149.112.112.11"
+      "2620:fe::11"
+      "2620:fe::fe:11"
     ];
     firewall = {
       trustedInterfaces = [
@@ -85,14 +71,20 @@ in
         "tailscale0"
       ];
       filterForward = true;
+      extraForwardRules = ''
+        iifname "tailscale0" oifname "${lan}" accept
+        iifname "${lan}" oifname "tailscale0" accept
+      '';
     };
     nftables.enable = true;
     nat = {
       enable = true;
       externalInterface = wan;
-      internalInterfaces = [ lan ];
+      internalInterfaces = [
+        lan
+        "tailscale0"
+      ];
     };
-    resolvconf.enable = false;
   };
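Review bot: The two `extraForwardRules` lines accept forwarding in both directions between tailscale0 and the LAN with no `ct state` qualifier, so LAN hosts can initiate connections into the tailnet rather than only answer tailnet-originated ones. If the intent is exit-node and subnet-router use only (tailnet → LAN, matching the routes advertised later in the file), the second rule can be dropped or narrowed to `iifname "${lan}" oifname "tailscale0" ct state established,related accept`; I believe NixOS's nftables forward chain already accepts established/related traffic before these extra rules, which would make that line redundant anyway. Adding tailscale0 to `internalInterfaces` NATs tailnet traffic out of `wan`, which is consistent with `--advertise-exit-node`. The enclosing `networking` attribute set starts before and ends after this hunk.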
   systemd.network = {
     enable = true;
@@ -112,7 +104,7 @@ in
       };
     };
     networks = {
-      "50-${lan}" = {
+      "50-${lan}" = rec {
         matchConfig.Name = lan;
         address = [
           "10.0.0.1/16"
@@ -128,11 +120,12 @@ in
           IPv6AcceptRA = false;
           DHCPPrefixDelegation = true;
           ConfigureWithoutCarrier = true;
-          LLMNR = true;
           MulticastDNS = true;
           Domains = [ config.networking.domain ];
           IPv6SendRA = !dnsmasqEnable;
           DHCPServer = !dnsmasqEnable;
+          DNS = map (a: builtins.head (lib.strings.splitString "/" a)) address;
+          DNSDefaultRoute = false;
         };
         dhcpPrefixDelegationConfig = {
           UplinkInterface = wan;
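Review bot: The new `DNS` line points resolved at the router's own LAN addresses — i.e. the dnsmasq instance bound to `lan` — for names under `Domains`, while a later hunk in this file makes dnsmasq forward everything it cannot answer to `127.0.0.53`, which is resolved again. Unless dnsmasq is authoritative for the local domain (something like `local=/${domain}/`, not visible in this diff), a query for a nonexistent name under that domain may bounce between the two resolvers until one gives up. Worth confirming with a lookup of an unknown name in the domain, and a comment on this line stating the split-horizon intent, e.g. `# local domain -> dnsmasq on our LAN address; everything else -> wan link (DNSDefaultRoute=false)`. The `networkConfig` set starts before this hunk and the `"50-${lan}"` network continues after it.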
@@ -153,8 +146,10 @@ in
           DHCP = true;
           IPv6AcceptRA = true;
           IPv4Forwarding = true;
-          LLMNR = false;
           MulticastDNS = false;
+          DNSDefaultRoute = true;
+          DNSOverTLS = true;
+          DNS = map (ns: "${ns}#dns11.quad9.net") config.networking.nameservers;
         };
         dhcpV4Config = {
           UseDNS = false;
@@ -193,17 +188,22 @@ in
   };
   services.resolved = {
     enable = true;
-    llmnr = "false";
-    fallbackDns = config.networking.nameservers;
+    extraConfig = ''
+      DNS =
+      LLMNR = false
+      MulticastDNS = true
+    '';
   };
 
+  services.openssh.openFirewall = false;
+
   services.dnsmasq = {
     enable = dnsmasqEnable;
     alwaysKeepRunning = true;
-    resolveLocalQueries = true;
     settings = {
       inherit domain;
       interface = lan;
+      except-interface = "lo";
       bind-interfaces = true;
       dhcp-fqdn = true;
       dhcp-authoritative = true;
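Review bot: Removing `fallbackDns` and clearing the global `DNS =` leaves resolved's compiled-in fallback servers in effect, and those would be queried in plaintext because `DNSOverTLS = true` is set only on the wan link in an earlier hunk, not globally. If strict DoT is the goal, add `FallbackDNS=` (empty) next to `DNS =` in `extraConfig`, or set `DNSOverTLS=yes` there as well, so a missing link configuration degrades to no resolution rather than to unencrypted queries. Whether this systemd build actually ships a fallback list can be checked in the output of `resolvectl status`. The `services.resolved` set is complete within the hunk; the `services.dnsmasq` set continues past it.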
@@ -218,9 +218,9 @@ in
       quiet-ra = true;
       enable-ra = true;
 
-      dnssec = true;
-      trust-anchor = ".,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
-      server = config.networking.nameservers;
+      cache-size = 0;
+      no-resolv = true;
+      server = [ "127.0.0.53" ];
 
       expand-hosts = true;
       localise-queries = true;
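Review bot: Dropping `dnssec = true` and the root `trust-anchor` removes the only DNSSEC validation in this resolver chain; the `services.resolved` block in the previous hunk does not enable `dnssec` and nothing else in the diff does, so validation now rests entirely on Quad9 performing it upstream and on the wan link's DoT protecting the path to it. If end-to-end validation is still wanted, set `services.resolved.dnssec = "allow-downgrade"` (or `"true"`) so it happens in resolved, which is now the forwarder; otherwise a comment such as `# DNSSEC validation delegated to Quad9 over DoT; dnsmasq is a local-only frontend` would record the decision. `cache-size = 0` means every LAN lookup now reaches resolved, which is fine since resolved caches, but is worth stating in the same comment. The `settings` set starts before and ends after this hunk.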
@@ -231,7 +231,8 @@ in
       ];
     };
   };
-  systemd.services.dnsmasq.after = [ "network.target" ];
+  systemd.services.dnsmasq.after = [ "network-online.target" ];
+  systemd.services.dnsmasq.wants = [ "network-online.target" ];
 
   # TODO find script
   # systemd.services.dynamic-dns-update = {
@@ -281,7 +282,6 @@ in
   services.tailscale = {
     enable = true;
     extraUpFlags = [
-      "--accept-dns=false"
       "--advertise-exit-node"
       "--advertise-routes=10.0.0.0/16,fd12:d04f:65d:42::/56"
     ];
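Review bot: Removing `--accept-dns=false` lets tailscaled push DNS settings into resolved for the tailscale0 link; with MagicDNS that is normally just split DNS for the tailnet domain via 100.100.100.100, but if the tailnet admin enables "Override local DNS" the pushed resolver becomes the default route for all queries and bypasses the DoT configuration on the wan link. That setting lives outside this repository, so a comment recording the assumption would help, e.g. `# MagicDNS accepted for tailnet names only; keep "Override local DNS" off in the admin console`. The `extraUpFlags` list is complete within the hunk; the `services.tailscale` set continues past it.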
@@ -326,10 +326,6 @@ in
     ];
   };
 
-  services.sshguard = {
-    enable = true;
-  };
-
   services.caddy = {
     enable = true;
     globalConfig = ''
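Review bot: Removing `services.sshguard` drops brute-force throttling for sshd without a replacement; that is only acceptable because the same commit sets `services.openssh.openFirewall = false` in an earlier hunk, so sshd should be reachable only over the trusted interfaces (tailscale0 and the rest of a list that begins outside that hunk). If `wan` is among the trusted interfaces or port 22 is opened elsewhere, the protection is simply gone. A comment next to `openFirewall = false` tying the two changes together would make the dependency explicit, e.g. `# sshd only on trusted interfaces; sshguard removed on that basis`.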
@@ -423,6 +419,9 @@ in
     settings = {
       max-jobs = 2;
       builders-use-substitutes = true;
+      trusted-public-keys = [
+        "mba-1:CxokFjx7YAQWPWMJJKcP50ZpcPUCAFEOrtWdNUMTVjw="
+      ];
     };
   };
 
@@ -478,6 +477,7 @@ in
     };
   };
 
+  services.timesyncd.enable = false;
   services.chrony = {
     enable = true;
     extraConfig = ''
diff --git a/user/marvin.nix b/user/marvin.nix
index f6a745c6..098b5f61 100644
--- a/user/marvin.nix
+++ b/user/marvin.nix
@@ -4,6 +4,7 @@
     ./settings/development/base.nix
     ./settings/development/javascript.nix
     ./settings/development/golang.nix
+    ./settings/development/vlang.nix
     ./settings/development/web.nix
     ./settings/darwin.nix
     ./settings/emacs.nix
diff --git a/user/settings/development/vlang.nix b/user/settings/development/vlang.nix
new file mode 100644
index 00000000..6d31634d
--- /dev/null
+++ b/user/settings/development/vlang.nix
@@ -0,0 +1,10 @@
+{ pkgs
+, ...
+}: {
+  home.packages = with pkgs; [
+    vlang
+  ];
+  programs.emacs.extraPackages = epkgs: (with epkgs; [
+    v-mode
+  ]);
+}
diff --git a/user/settings/development/web.nix b/user/settings/development/web.nix
index 24da1604..13b0ea5c 100644
--- a/user/settings/development/web.nix
+++ b/user/settings/development/web.nix
@@ -9,7 +9,6 @@
     stylelint
   ] ++ (with pkgs; [
     flyctl
-    prettierd
     personal.htmlformat
   ]);
   home.shellAliases = {
diff --git a/user/settings/emacs.nix b/user/settings/emacs.nix
index cf519354..72c2ee52 100644
--- a/user/settings/emacs.nix
+++ b/user/settings/emacs.nix
@@ -188,13 +188,6 @@ in
           license = pkgs.lib.licenses.gpl3;
         };
       };
-      apheleia = self.melpaPackages.apheleia.overrideAttrs
-        (old: {
-          patchPhase = ''
-            substituteInPlace apheleia-formatters.el \
-              --replace-fail '"prettier"' '"prettierd"'
-          '';
-        });
       treemacs-nerd-icons = self.melpaPackages.treemacs-nerd-icons.overrideAttrs (old: {
         src = pkgs.fetchFromGitHub {
           owner = "aaronmiller";